Supplemental Document : BIG-IP 15.0.1 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 15.0.1

BIG-IP FPS

  • 15.0.1

BIG-IP AFM

  • 15.0.1

BIG-IP Analytics

  • 15.0.1

BIG-IP PEM

  • 15.0.1

BIG-IP ASM

  • 15.0.1

BIG-IP Link Controller

  • 15.0.1

BIG-IP APM

  • 15.0.1

BIG-IP LTM

  • 15.0.1

BIG-IP Release Information

Version: 15.0.1
Build: 11.0

Known Issues in BIG-IP v15.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
794413-1 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
796469-3 CVE-2019-6649 K05123525 ConfigSync Hardening
797885-1 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-1 CVE-2019-6649 K05123525 ConfigSync Hardening
799617-1 CVE-2019-6649 K05123525 ConfigSync Hardening
807477-1 CVE-2019-6650 K04280042 ConfigSync Hardening
810557-1 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
809377-1 CVE-2019-6649 K05123525 AFM ConfigSync Hardening


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
808129-2 2-Critical   Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
811333-5 3-Major   Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile


Performance Fixes

ID Number Severity Solution Article(s) Description
777937-1 1-Blocking   AWS ENA: packet drops due to bad checksum


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
744937-2 3-Major K00724442 Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
753485-3 3-Major   AVR global settings are being overridden by HA peers


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
793937-2 2-Critical   Management Port Hardening
757306-1 2-Critical   SNMP MIBS for AFM NAT do not yet exist


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
808849 3-Major   Can't load keyword definition (ips-inspection-compliance.subscription) on upgrade from v14.1.0.5 to v15.0.0

 

Cumulative fix details for BIG-IP v15.0.1 that are included in this release

811333-5 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:

01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

Impact:
The config is not loaded, and upgrade fails.

Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:

1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf

2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2

3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf

4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2

5. Verify the configuration:
#tmsh load sys config verify

6. Try loading the configuration:
#tmsh load sys config

Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.


810557-1 : ASM ConfigSync Hardening

Solution Article: K05123525


809377-1 : AFM ConfigSync Hardening

Solution Article: K05123525


808849 : Can't load keyword definition (ips-inspection-compliance.subscription) on upgrade from v14.1.0.5 to v15.0.0

Component: Protocol Inspection

Symptoms:
Upgrade fails from v14.1.0.5 to v15.0.0:

Can't load keyword definition (ips-inspection-compliance.subscription) can't find parse node (ips::inspection::compl::subscription).

Conditions:
Upgrading from v14.1.0.5 to v15.0.0.

Impact:
Upgrade fails.

Workaround:
None.

Fix:
You can now upgrade from v14.1.0.5 to 15.0.1 or later.


808129-2 : Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.

Component: TMOS

Symptoms:
BIG-IP 14.1.0.3 on AWS license does not complete from BIG-IQ.

Conditions:
-- Using BIG-IQ.
-- Attempting to license BIG-IP 14.1.0.3 on AWS.

Impact:
Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.

Workaround:
Restart restjavad on the BIG-IP system.

Fix:
Can now use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.


807477-1 : ConfigSync Hardening

Solution Article: K04280042


799617-1 : ConfigSync Hardening

Solution Article: K05123525


799589-1 : ConfigSync Hardening

Solution Article: K05123525


797885-1 : ConfigSync Hardening

Solution Article: K05123525


796469-3 : ConfigSync Hardening

Solution Article: K05123525


794413-1 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


793937-2 : Management Port Hardening

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, network protections on the management port do not follow current best practices.

Conditions:
Under certain conditions, network protections on the management port do not follow current best practices.

Impact:
Network protections on the management port do not follow current best practices.

Workaround:
None.

Fix:
Network protections on the management port now follow current best practices.


777937-1 : AWS ENA: packet drops due to bad checksum

Component: Performance

Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.

Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.

Impact:
Performance degradation and invalid HA configuration.

Workaround:
On the BIG-IP system, turn off checksum offloading in on TX as follows:

modify sys db tm.tcpudptxchecksum value Software-only

Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended exclusively when ENA is the only dataplane NICs in use in the BIG-IP system.

Fix:
AWS ENA: no packet drops due to bad checksum.


757306-1 : SNMP MIBS for AFM NAT do not yet exist

Component: Advanced Firewall Manager

Symptoms:
SNMP MIBS for AFM NAT do not yet exist.

Conditions:
This occurs in normal operation.

Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.

Workaround:
None.


753485-3 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:

-- They incorrectly identify themselves to BIG-IQ.
-- They report to the wrong DCD.
-- They report to DCD even if they are not configured to report at all.
-- The do not report at all even if they are configured to report.

Workaround:
None.

Fix:
Synchronization of relevant fields on AVR global settings are disabled, so this issue no longer occurs.


744937-2 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP does not know what resource records some external zone holds at the time the BIG-IP is responding to some dnssec query that asked for some record type at some owner name.
If the resource record type does not exist, then as part of the response, the BIG-IP generates an NSEC3 record (to authenticate denial of existence along with RRSIG) containing a types bitmap that is supposed to have the available RRs at the owner name.
With some new feature supported in BIND 9.12 (RFC 8198) called Aggressive use of Negative Cache, that negative response with the inaccurate types bitmap is cached which can then be re-used to show that some resource records do not exist but are in fact available at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A



Known Issues in BIG-IP v15.0.x


TMOS Issues

ID Number Severity Solution Article(s) Description
809553-2 1-Blocking   ONAP Licensing - Cipher negotiation fails
778317-2 1-Blocking   IKEv2 HA after Standby restart has race condition with config startup
754989-2 1-Blocking   iControl REST API adds unnecessary escape character (\) to URL if the URL contains a wildcard character
810593-1 2-Critical   Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
806093-2 2-Critical   Unwanted LDAP referrals slow or prevent administrative login
805417-2 2-Critical   Unable to enable LDAP system auth profile debug logging
797221-2 2-Critical   BCM daemon can be killed by watchdog timeout during blade-to-blade failover
796113-1 2-Critical   Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list
793045-1 2-Critical   File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
792285-1 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
789993-2 2-Critical   Failure when upgrading to 15.0.0 with config move and static management-ip.
789169-1 2-Critical   Unable to create virtual servers with port-lists from the GUI
780817-6 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
780437-1 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-1 2-Critical   Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
777389-2 2-Critical   In a corner case, for PostgreSQL monitor MCP process restarts
775897-2 2-Critical   High Availability failover restarts tmipsecd when tmm connections are closed
774361-4 2-Critical   IPsec High Availability sync during multiple failover via RFC6311 messages
769817-2 2-Critical   BFD fails to propagate sessions state change during blade restart
769581-2 2-Critical   Timeout when sending many large requests iControl Rest requests
769341-2 2-Critical   HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
769169-4 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767877-4 2-Critical   TMM core with Bandwidth Control on flows egressing on a VLAN group
767013-2 2-Critical   Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
762385-2 2-Critical   After upgrade to 14.1 wrong remote-role assigned using LDAP authentication
762205-3 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
760164 2-Critical   BIG-IP VE Compression Offload HA action requires modification of db variable
757722-3 2-Critical   Unknown notify message types unsupported in IKEv2
756402-3 2-Critical   Re-transmitted IPsec packets can have garbled contents
755716-2 2-Critical   IPsec connection can fail if connflow expiration happens before IKE encryption
751924-1 2-Critical   TSO packet bit fails IPsec during ESP encryption
749249-3 2-Critical   IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
747203-1 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
746464-7 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
811053-1 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
810957-1 3-Major   Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
810613-1 3-Major   GUI Login History hides informative message about max number of lines exceeded
809657-1 3-Major   HA Group score not computed correctly for an unmonitored pool when mcpd starts
808277-5 3-Major   Root's crontab file may become empty
806881-1 3-Major   Loading the configuration may not set the virtual server enabled status correctly
804477-5 3-Major   Log HSB registers when parts of the device becomes unresponsive
803833-5 3-Major   On Upgrade or UCS Restore Decryption of the sym-unit-key Field for vCMP Guest Fails
803457-1 3-Major   SNMP custom stats cannot access iStats
802685-1 3-Major   Unable to configure performance HTTP virtual server via GUI
800185-5 3-Major   Saving large config into UCS may fail
797609-1 3-Major   Creating or modifying some virtual servers to use an address or port list may result in a warning message
795685-1 3-Major   Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
794501-1 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
793121-4 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
791365-1 3-Major   Bad encryption password error on UCS save
791061-1 3-Major   Config load in /Common removes routing protocols from other partitions
788949-2 3-Major   MySQL Password Initialization Loses Already Written Password
788645-1 3-Major   BGP does not function on static interfaces with vlan names longer than 16 characters.
788557-6 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
784733-4 3-Major   GUI LTM Stats page freezes for large number of pools
783293-2 3-Major   Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
783113-5 3-Major   BGP sessions remain down upon new primary slot election
782613-6 3-Major   Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
781733-1 3-Major   SNMPv3 user name configuration allows illegal names to be entered
778125-2 3-Major   LDAP remote authentication passwords are limited to fewer than 64 bytes
778041-2 3-Major   tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
777261-5 3-Major   When SNMP cannot locate a file it logs messages repeatedly
776489-1 3-Major   Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775733-3 3-Major   /etc/qkview_obfuscate.conf not synced across blades
773577-1 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773333-1 3-Major   IPsec CLI help missing encryption algorithm descriptions
772497-6 3-Major   When BIG-IP is configured to use a proxy server, updatecheck fails
769029-4 3-Major   Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767737-1 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767305-1 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
766329-1 3-Major   SCTP connections do not reflect some SCTP profile settings
764873-1 3-Major   An accelerated flow transmits packets to a dated, down pool member.
762073-4 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
761993-1 3-Major   The nsm process may crash if it detects a nexthop mismatch
761321-1 3-Major   'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not
760680-2 3-Major   TMSH may utilize 100% CPU (single core) when set to be a process group leader and SSH session is closed.
760468 3-Major   Configuring a route-domain causes diskmonitor error in logs
760439-5 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
759654-3 3-Major   LDAP remote authentication with remote roles and user-template failing
759499-1 3-Major   Upgrade from version 12.1.3.7 to version 14.1.0 failing with error
759258-1 3-Major   Instances shows incorrect pools if the same members are used in other pools
758387-1 3-Major   BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
757519-2 3-Major   Unable to login using LDAP authentication
754691-2 3-Major   During failover, an OSPF routing daemon may crash.
754335-2 3-Major   Install ISO does not boot on BIG-IP VE
753860-4 3-Major   Virtual server config changes causing incorrect route injection.
751581-4 3-Major   REST API Timeout while queriying large number of persistence profiles
751021-5 3-Major   One or more TMM instances may be left without dynamic routes.
743803-6 3-Major   IKEv2 potential double free of object when async request queueing fails
738943-2 3-Major   imish command hangs when ospfd is enabled
724109-1 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
718405-4 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
718108-4 3-Major   It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
715379-4 3-Major   IKEv2 accepts asn1dn for peers-id only as file path of certificate file
703090-2 3-Major   With many iApps configured, scriptd may fail to start
677683 3-Major   Unexpected LOP reset
671372-6 3-Major K01930721 When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
601220-2 3-Major   Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
569859-6 3-Major   Password policy enforcement for root user when mcpd is not available
291256-1 3-Major   Changing 'Minimum Length' and 'Required Characters' might result in an error
805325-4 4-Minor   tmsh help text contains a reference to bigpipe, which is no longer supported
803157-2 4-Minor   LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
795429-4 4-Minor   Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
776393-1 4-Minor   Memory leak in restjavad causing restjavad to restart frequently with OOM
776073-2 4-Minor   OOM killer killing tmmin system low memory condition as process OOM score is high
774617-2 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits
759993-1 4-Minor   'License verification failed' errors occur when changing license
759606-1 4-Minor   REST error message is logged every five minutes on vCMP Guest
755018-1 4-Minor   Traffic processing may be stopped on VE trunk after tmm restart
724994-5 4-Minor   API requests with 'expandSubcollections=true' are very slow
591732-6 4-Minor   Local password policy not enforced when auth source is set to a remote type.
769145-1 5-Cosmetic   Syncookie threshold warning is logged when the threshold is disabled
761621-1 5-Cosmetic   Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
803845 2-Critical   When in HA, the Standby DDos Hybrid Defender is forwarding traffic causing a loop and subsequent network shutdown
791057-2 2-Critical   Mcp crashes during config sync when traffic matching criteria is used
788813 2-Critical   TMM crash when deleting virtual-wire config
759968-4 2-Critical   Distinct vCMP guests are able to cluster with each other.
726900-2 2-Critical   Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
663925-2 2-Critical   Virtual server state not updated with pool- or node-based connection limiting
474797-3 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
805017-1 3-Major   DB monitor marks pool member down if no send/recv strings are configured
803109-1 3-Major   Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
801497 3-Major   Virtual wire with LACP pinning to one link in trunk.
798105-2 3-Major   Node Connection Limit Not Honored
797977-2 3-Major   Self-IP traffic does not preserve the TTL from the Linux host
796993-5 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
795933-1 3-Major   A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
795501-4 3-Major   Possible SSL crash during config sync
795261-1 3-Major   LTM policy does not properly evaluate condition when an operand is missing
795025-1 3-Major   Ssl_outerrecordtls1_0 config option is not honored
794505-4 3-Major   OSPFv3 IPv4 address family route-map filtering does not work
793669-2 3-Major   FQDN ephemeral pool members on HA pair doesn't get properly synced of the new session value
790845-3 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
790205-4 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
788741-1 3-Major   TMM cores in the MQTT proxy under rare conditions
787853-1 3-Major   BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
786517-4 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
785481-1 3-Major   A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
784565-1 3-Major   VLAN groups are incompatible with fast-forwarded flows
783617-2 3-Major   Virtual Server resets connections when all pool members are marked disabled
783145-5 3-Major   Pool gets disabled when one of its pool member with monitor session is disabled
781849-1 3-Major   On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single Virtual Server
781041-2 3-Major   SIP monitor in non default route domain is not working.
779137-1 3-Major   Using a source address list for a virtual server does not preserve the destination address prefix
778517-3 3-Major   Large number of in-TMM monitors results in delayed processing
778501 3-Major   LB_FAILED does not fire on failure of HTTP/2 server connection establishment
776229-1 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
773821-2 3-Major   Certain plaintext traffic may cause SSLO to hang
773421-4 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
773229-1 3-Major   Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
770477-1 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
769801-2 3-Major   Internal tmm UDP filter does not set checksum
767217-1 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-2 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
765517-2 3-Major   Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
763093-4 3-Major   LRO packets are not taken into account for ifc_stats (VLAN stats)
760050-1 3-Major   cwnd warning message in log
758992-3 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
757029-1 3-Major   Ephemeral pool members may not be created after config load or reboot
756313-1 3-Major   SSL monitor continues to mark pool member down after restoring services
755791-1 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755727-1 3-Major   Ephemeral pool members not created after DNS flap and address record changes
754525-2 3-Major   Disabled virtual server accepts and serves traffic after restart
747131-2 3-Major   ARP table may not be updated properly by some TMMs
726176-1 3-Major   platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
718790-4 3-Major   Traffic does not forward to fallback host when all pool members are marked down
714502-1 3-Major   bigd restarts after loading a UCS for the first time
709381-3 3-Major   iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
505037-6 3-Major K01993279 Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
806085-1 4-Minor   In-TMM MQTT monitor is not working as expected
802721-3 4-Minor   Virtual Server iRule does not match an External Data Group key that's 128 characters long
801705-5 4-Minor   When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
791337-2 4-Minor   Traffic matching criteria fails when using shared port-list with virtual servers
774261-2 4-Minor   PVA client-side current connections stat does not decrease properly
773253-4 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-1 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
769309-1 4-Minor   DB monitor reconnects to server on every probe when count = 0
747628-7 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
675911-7 4-Minor K13272442 Different sections of the WebUI can report incorrect CPU utilization


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
788465-1 2-Critical   DNS cache idx synced across HA group could cause tmm crash
783125-1 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
803645-4 3-Major   GTMD daemon crashes
800265-3 3-Major   Undefined subroutine in bigip_add_appliance_helper message
789421-3 3-Major   Resource-administrator cannot create GTM server object through GUI
783849-1 3-Major   DNSSEC Key Generations are not imported to secondary FIPS card
779793-1 3-Major   [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
779769-1 3-Major   [LC] [GUI] destination cannot be modified for bigip-link monitors
778365-3 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-1 3-Major   DNS Virtual Server creation problem with Dependency List
774225-4 3-Major   mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
772233-2 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
769385-2 3-Major   GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
760615-1 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
746223-2 3-Major   DNSSEC: Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created
665117-6 3-Major K33318158 DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
790113-1 4-Minor   Cannot remove all wide IPs from GTM distributed application via iControl REST
775801-1 4-Minor   [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
744280-4 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
790349-3 2-Critical   merged crash with a core file
809125-1 3-Major   CSRF false positive
793149-4 3-Major   Adding the Strict-transport-Policy header to internal responses
792569-1 3-Major   Security URL name created from swagger file starts with double '/'
792341-1 3-Major   Google Analytics shows incorrect stats.
786913-1 3-Major   Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
781637-1 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781605-4 3-Major   Fix RFC issue with the multipart parser
781069-1 3-Major   Bot Defense challenge blocks requests with long Referer headers
781021-1 3-Major   ASM modifies cookie header causing it to be non-compliant with RFC6265
773553-1 3-Major   ASM JSON parser false positive.
769997 3-Major   ASM removes double quotation characters on cookies
769981-1 3-Major   bd crashes in a specific scenario
764373-4 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
727107-5 3-Major   Request Logs are not stored locally due to shmem pipe blockage
795769-4 4-Minor   Incorrect value of Systems in system-supplied signature sets
772473-4 4-Minor   Request reconstruct issue after challenge
765413-3 4-Minor   ASM cluster syncs caused by PB ignored suggestions updates
761088-2 4-Minor   Remove policy editing restriction in the GUI while auto-detect language is set
756998-2 4-Minor   DoSL7 Record Traffic feature is not recording traffic
769061-1 5-Cosmetic   Improved details for learning suggestions to enable violation/sub-violation


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
756102-1 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
781581-2 3-Major   Monpd uses excessive memory on requests for network_log data
771025-4 3-Major   AVR send domain names as an aggregate
760356-1 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports
759135-1 3-Major   AVR report limits should be editable, not just hardcoded 1000 transactions
788269-4 4-Minor   Adding toggle to disable AVR widgets on device-groups


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
811145-1 2-Critical   VMware View resources with SAML SSO are not working
797541-2 2-Critical K05115516 NTLM Auth may fail when user's information contains SIDS array
789085-4 2-Critical   When executing the ACCESS::session iRule command under a serverside event, tmm may crash
784989-1 2-Critical   TMM may crash with panic message: Assertion 'cookie name exists' failed
783233-3 2-Critical   OAuth puts quotation marks around claim values that are not string type
777173-1 2-Critical   Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
803825-2 3-Major   WebSSO does not support large NTLM target info length
798261-1 3-Major   APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
788417-1 3-Major   Remote Desktop client on macOS may show resource auth token on credentials prompt
786173-2 3-Major   UI becomes unresponsive when accessing Access active session information
783817-1 3-Major   UI becomes unresponsive when accessing Access active session information
782569-2 3-Major   SWG limited session limits on SSLO deployments
775621-1 3-Major   urldb memory grows past the expected ~3.5GB
774633-1 3-Major   Memory leak in tmm when session db variables are not cleaned up
774301-5 3-Major   Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
774213-2 3-Major   SWG session limits on SSLO deployments
768025-3 3-Major   SAML requests/responses fail with "failed to find certificate"
766577-1 3-Major   APMD fails to send response to client and it already closed connection.
761303-1 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
759392-1 3-Major   HTTP_REQUEST iRule event triggered for internal APM request
758764-1 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
757782-2 3-Major   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
757781-4 3-Major   Portal Access: cookie exchange may be broken sometimes
697590-1 3-Major   APM iRule ACCESS::session remove fails outside of Access events


Service Provider Issues

ID Number Severity Solution Article(s) Description
811105-2 2-Critical   MRF SIP-ALG drops SIP 183 and 200 OK messages
781725-1 2-Critical   BIG-IP systems might not complete a short ICAP request with a body beyond the preview
766405-1 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
811745-1 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-1 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
790949-1 3-Major   MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
782353-5 3-Major   SIP MRF via header shows TCP Transport when TLS is enabled
763157-1 3-Major   MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
761685-2 3-Major   Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
760370-1 3-Major   MRF SIP ALG with SNAT: Next active ingress queue filling
759370-3 3-Major   FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
759077-1 3-Major   MRF SIP filter queue sizes not configurable
748355-3 3-Major   MRF SIP curr_pending_calls statistic can show negative values.
788513-1 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786565-1 4-Minor   MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded
760930-3 4-Minor   MRF SIP ALG with SNAT: Added additional details to log events


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
811157-1 3-Major   Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
808889-1 3-Major   DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
793217-1 3-Major   HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
791361-2 3-Major   Configured management port rules can be lost after loading UCS file and rebooting
781425-1 3-Major   Firewall rule list configuration causes config load failure
780837-2 3-Major   Firewall rule list configuration causes config load failure
771173-4 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
761345-4 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
761234-1 3-Major   Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
760355-2 4-Minor   Firewall rule to block ICMP/DHCP from 'required' to 'default'


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
783289-4 3-Major   PEM actions not applied in VE bigTCP.
741213-1 3-Major   Modifying disabled PEM policy causes coredump


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
787601-1 3-Major   Unable to add 'Enforce' parameter if already configured in different URL
783565-1 3-Major   Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
775013-1 3-Major   TIME EXCEEDED alert has insufficient data for analysis


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
803477-3 3-Major   BaDoS State file load failure when signature protection is off


iApp Technology Issues

ID Number Severity Solution Article(s) Description
802189-1 4-Minor   iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
737558 2-Critical   Protocol Inspection user interface elements are active but do not work
778225-2 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
760740 4-Minor   Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned

 

Known Issue details for BIG-IP v15.0.x

811745-1 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.


811157-1 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself

Component: Advanced Firewall Manager

Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.

The "Global Staged Default Action" counter is also incremented.

Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).

There are no special conditions for the "Global Staged Default Action" counter increment.

Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.

The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.

Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.

For preventing the misleading log message disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".


811145-1 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.


811105-2 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"


811053-1 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.


810957-1 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core

Component: TMOS

Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.

Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.

Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.

Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:

tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>


810613-1 : GUI Login History hides informative message about max number of lines exceeded

Component: TMOS

Symptoms:
When there are more than 10000 lines in /var/log/secure* files, visiting System :: Logins :: [History|Summary] in the GUI shows 'No Entries' instead of the actual error message about the large number of lines.

Conditions:
If there are more than 10000 lines in /var/log/secure* files.

Impact:
GUI displays 'No Entries' instead of the actual error message.

Workaround:
-- Via the CLI by specifying the number of lines:
tmsh show sys log security lines 15000 | less
-- Delete the large amount of secure files from /var/log/.


810593-1 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
VCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5 and all intervening versions up to, but not including, v13.1.3.

Impact:
VCMP guests at state 'INOPERATIVE' and do not pass traffic.

Workaround:
None.


809657-1 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) froup do not contribute to the HA froup's score.

Conditions:
- HA froup configured with at least one pool.
- At least one of the pools assigned to the HA group is not using monitoring.
- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA froup and re-add them.


809553-2 : ONAP Licensing - Cipher negotiation fails

Component: TMOS

Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.

Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.

Impact:
TLS negotiation fails.

Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.


809125-1 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm


808889-1 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold

Component: Advanced Firewall Manager

Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.

Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).

Impact:
DoS vector/signature stays hardware-accelerated.

Workaround:
After attack, change the state for DoS vector/signature to detect-only. Then return vector state to mitigate.


808277-5 : Root's crontab file may become empty

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.


806881-1 : Loading the configuration may not set the virtual server enabled status correctly

Component: TMOS

Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.

Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.

Impact:
Virtual servers unexpectedly process traffic.

Workaround:
Manually re-enable and disable the virtual address.


806093-2 : Unwanted LDAP referrals slow or prevent administrative login

Component: TMOS

Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Conditions:
-- LDAP/Active Directory "system-auth" authentication configured.
-- The Active Directory enables LDAP referrals (the default).
-- There are a large number of Active Directory servers in the enterprise or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Impact:
BIG-IP may accept LDAP referrals that it is unable to process, resulting in authentication timeouts/failures.

Workaround:
To temporarily disable the referrals, edit one of the configuration files /etc/nslcd.conf or /config/bigip/auth/pam.d/ldap/system-auth.conf, and add the following line:

"referrals no"

Note: This change is not persistent and will be lost whenever MCPD re-loads the configuration, or when other changes are made to system-auth configuration values.


806085-1 : In-TMM MQTT monitor is not working as expected

Component: Local Traffic Manager

Symptoms:
The monitoring probes are not being sent out to the network. Regardless of the monitor config and sys db variable.

Conditions:
Configuring the in-TMM MQTT monitor.

Impact:
Pool members with attached MQTT monitor state is incorrectly shown as DOWN.

Workaround:
None.


805417-2 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but here is no impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option:

systemctl stop nslcd
nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.


When done, restart nslcd:
systemctl start nslcd


805325-4 : tmsh help text contains a reference to bigpipe, which is no longer supported

Component: TMOS

Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.

Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.

Impact:
Incorrect reference to bigpipe.

Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }


805017-1 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


804477-5 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.


804313-1 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None


803845 : When in HA, the Standby DDos Hybrid Defender is forwarding traffic causing a loop and subsequent network shutdown

Component: Local Traffic Manager

Symptoms:
Standby is passing traffic when a virtual wire is configured.

Conditions:
Virtual wire configured in high availability (HA).

Impact:
Standby device is forwarding traffic traffic when it should not, causing a loop and subsequent network shutdown.

Workaround:
None.


803833-5 : On Upgrade or UCS Restore Decryption of the sym-unit-key Field for vCMP Guest Fails

Component: TMOS

Symptoms:
An upgrade or UCS restore fails with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.


803825-2 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.


803645-4 : GTMD daemon crashes

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.

Conditions:
The conditions under which this causes this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load when gtmd is starved of CPU cycles.

Impact:
The gtmd process restarts and produces a core file.

Workaround:
None.


803477-3 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.


803457-1 : SNMP custom stats cannot access iStats

Component: TMOS

Symptoms:
While doing an snmpwalk, you encounter the following error:

-- tcl callback Default return string: istats: tmstat_open_read: open: /var/tmstat/istats: Permission denied.
-- istats: tmstat_read: open: /var/tmstat/istats: Permission denied.
-- ERROR opening iStats read segment '/var/tmstat/istats': Permission denied.

Conditions:
This occurs when using SNMP to access iStats.

Impact:
iStats cannot be accessed through SNMP and generates an error.

Workaround:
None.


803157-2 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots

Component: TMOS

Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.

Conditions:
Reboot the BIG-IP system.

Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.

Workaround:
None.


803109-1 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows

Component: Local Traffic Manager

Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.

Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.

Impact:
Zombie forwarding flows. Over time, the the current allocation count grows and does not return to its prior level when traffic stops.

Workaround:
None.


802721-3 : Virtual Server iRule does not match an External Data Group key that's 128 characters long

Component: Local Traffic Manager

Symptoms:
Virtual server iRule does not match an External Data Group key that is 128 characters long.

Conditions:
-- A string type External Data Group with a key/value pair whose key is 128 characters long.

-- An iRule using [class match] to get the value from the Data Group.

Impact:
The call to [class match] returns an empty string ("").

Workaround:
None.


802685-1 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802189-1 : iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported

Component: iApp Technology

Symptoms:
With the Manager role, when calling 'package require <PKG>' in an iApp template, following exception occurs:

Error parsing template:can't eval proc: "script::run" invalid command name "file" while executing "file join $dir $f".

Conditions:
Users can not use Manager Role when importing iApps that contain a 'package require' call.

Impact:
Cannot use Manager Role when importing iApps that contain a 'package require' call.

Workaround:
Use the Admin role to import new templates.


801705-5 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.


801497 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.


800265-3 : Undefined subroutine in bigip_add_appliance_helper message

Component: Global Traffic Manager (DNS)

Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
   Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.

Conditions:
Use the bigip_add script with the -a switch in appliance mode.

Impact:
bigip_add fails in appliance mode, reporting an error message.

Workaround:
None.


800185-5 : Saving large config into UCS may fail

Component: TMOS

Symptoms:
When saving a very large config into UCS file, you encounter an error:

# tmsh save /sys ucs my_ucs
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

Conditions:
Large BIG-IP configuration (e.g., 500 MB, or 8 million lines of text).

Impact:
The operation might consume as much as 1 GB of RAM, so the UCS may not get saved correctly.

Workaround:
None.


798261-1 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server

Component: Access Policy Manager

Symptoms:
The following logs showed up in APM log and user session was terminated.

Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.

The SET command failed because it incorrectly attempted to create session variable in all traffic groups.

Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.

Impact:
User sessions will be terminated

Workaround:
Disable virtual address spanning.


798105-2 : Node Connection Limit Not Honored

Component: Local Traffic Manager

Symptoms:
Connection limits on nodes are not honored.

Conditions:
A node with connection limits set.

Impact:
More traffic will pass to the node than the limit is supposed to allow.

Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.


797977-2 : Self-IP traffic does not preserve the TTL from the Linux host

Component: Local Traffic Manager

Symptoms:
The Egress traffic from TMM has IP TTL set to 255 instead of keeping the TTL from the Linux host.

Conditions:
IP/IPv6 TTL for host traffic.

Impact:
Tools like traceroute do not work because Linux host rejects the packets.

Workaround:
Adjust TTL verification restrictions


797609-1 : Creating or modifying some virtual servers to use an address or port list may result in a warning message

Component: TMOS

Symptoms:
Creating or modifying a virtual server with TCP or UDP profiles to use an address or port list may result in an error similar to:

01070096:3: Virtual server /Common/vs lists profiles incompatible with its protocol.

Conditions:
-- Configure virtual server using a TCP or UDP profile.
-- Attempt to attach an address or port list to the virtual server.

Impact:
Unable to configure a virtual server to use an address or port list.

Workaround:
Create a traffic-matching-criteria object manually, and associated it with the virtual server.

Note: The protocol of the traffic-matching-criteria object must match that of the virtual server.


797541-2 : NTLM Auth may fail when user's information contains SIDS array

Solution Article: K05115516

Component: Access Policy Manager

Symptoms:
NTLM authentication fails when the authentication response contains a nonempty sid_and_attributes array. This will most likely occur when a user is a member of universal groups from a trusted domain.

Conditions:
- NTLM front-end authentication is configured.
- The authentication response contains nonempty sid_and_attributes array (most likely user is a member of universal groups from trusted domain)

Impact:
Users are unable to log in through the BIG-IP.

Warning messages similar to the following can be found in /var/log/apm logfile:

warning eca[11436]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.testsite.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)

warning nlad[11472]: 01620000:4: <0x2b4d27397700> client[46]: DC[172.29.67.112]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065

NOTE: the return code is not necessary 0x006c0065 or 0x00000007. It can be any value. However, the larger the size of SIDS and Attributes array. The more likely the error value will be 0x00000007

Workaround:
None.


797221-2 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover

Component: TMOS

Symptoms:
The BCM daemon deletes entries from tables during blade to blade failover. If tables are very large, the entry-by-entry deletion may take too long, such that the daemon is restarted by the watchdog timeout.

Conditions:
Very large L2 tables during blade-to-blade failover.

Impact:
There is a BCM core file on the primary blade after the failover.

Workaround:
None.


796993-5 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
- Create a pool with fqdn node as it pool members
- Apply monitor to it
- Monitor marks the pool member up/down based on reachability

Impact:
- Status message is not updated in /var/log/ltm logs.
- There is no functional impact.


796113-1 : Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list

Component: TMOS

Symptoms:
If there is a Virtual server configured with port/address list on v14.1.0 and try to load the same config into v15.0.0 it will fail with the following error

01070096:3: Virtual server %s profiles incompatible with its protocol.

Conditions:
Create a virtual server with port/address list and load the configuration on to v15.0.0.

Impact:
Config loading failing.


795933-1 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.

Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.

Impact:
Incorrect stats.


795769-4 : Incorrect value of Systems in system-supplied signature sets

Component: Application Security Manager

Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.

For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems

Instead, "Systems" is set to "All".

Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.

Impact:
Misleading value of Systems

Workaround:
N/A


795685-1 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer

Component: TMOS

Symptoms:
If BIG IP receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on BIG IP is causing the bgpd crash (show ip bgp neighbor).

Conditions:
Receive a BGP notification for OUT_OF_RESOURCES from its BGP peer and then try to display the BGP peer information.

Impact:
bgdp crashes


795501-4 : Possible SSL crash during config sync

Component: Local Traffic Manager

Symptoms:
During config sync, it's possible that cipher group processing will crash.

Conditions:
-- SSL is configured.
-- Config sync is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


795429-4 : Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.

Component: TMOS

Symptoms:
An unrelated iControl REST transaction error message is returned when committing an iControl REST transaction that does not contain any tasks:

Error: Missing transaction ID for this call.

Conditions:
-- Committing an iControl REST transaction.
-- The task does not contain any tasks within 120 seconds of creating the transaction.

Impact:
Unrelated error message can be confusing and increase troubleshooting time.

Workaround:
None.


795261-1 : LTM policy does not properly evaluate condition when an operand is missing

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.

Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).

Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.

Workaround:
You can use either workaround:

-- Convert rules into a 'positive' (lacking of negative matching type) whenever possible.

-- Use iRules instead of a policy (might impact performance).


795025-1 : Ssl_outerrecordtls1_0 config option is not honored

Component: Local Traffic Manager

Symptoms:
Support for the Ssl_outerrecordtls1_0 config option was intentionally removed starting 14.1.0.1. The value TRUE is assumed irrespective of the actual configured value.

Conditions:
This occurs in normal operation.

Impact:
This option must be set to FALSE for the BIG-IP system to be able to communicate with a few non-compliant SSL servers. Communication with such servers fails otherwise.

Workaround:
None.


794505-4 : OSPFv3 IPv4 address family route-map filtering does not work

Component: Local Traffic Manager

Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.

Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.

Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.

Workaround:
None.


794501-1 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: HA daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: HA daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: HA proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.


793669-2 : FQDN ephemeral pool members on HA pair doesn't get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.


793217-1 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.


793149-4 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.

Impact:
Responses arrives to the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.


793121-4 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793045-1 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf

Component: TMOS

Symptoms:
Net-snmpd is leaking the file descriptors during the SNMP traps add/delete via tmsh.

Observe that the file descriptors used by snmpd increase using 'ls -l /proc/$(pidof snmpd)/fd'

Following error is logging into /var/log/daemon.log
err snmpd[5160]: /proc/stat: Too many open files

Conditions:
Perform add/delete on SNMP traps via tmsh.

Impact:
Failure of snmpd operations on BIG-IP systems.

Workaround:
None.


792569-1 : Security URL name created from swagger file starts with double '/'

Component: Application Security Manager

Symptoms:
Open API Security policy created from swagger file has URLs with double forward slash '/' at URL name when 'basePath' has the '/' character at the end of the value.

Conditions:
The 'basePath' entry value in a swagger file has a '/' character at the end.

Impact:
Security policy URL has wrong name.

Workaround:
None.


792341-1 : Google Analytics shows incorrect stats.

Component: Application Security Manager

Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).

Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.

Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.


792285-1 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.


791365-1 : Bad encryption password error on UCS save

Component: TMOS

Symptoms:
When a user with the admin role attempts to save a UCS with a passphrase, the following error is encountered:

[resource-admin@inetgtm1dev:Active:Standalone] ucs # tmsh save sys ucs /var/local/ucs/test-ucs passphrase password
Saving active configuration...
Error: Bad encryption password. <=========
Operation aborted.
/var/tmp/configsync.spec: Error creating package

WARNING:There are error(s) during saving.
        Not everything was saved.
        Be very careful when using this saved file!

Error creating package
Error during config save.
Unexpected Error: UCS saving process failed.

Conditions:
1) Log into the BIG-IP system as a user with admin role that has Advanced Shell access.
2) Attempt to create a UCS with a passphrase.

Impact:
Unable to save UCS with a passphrase.

Workaround:
This affects users logged in with the Admin role; you will be able to create a UCS with a passphrase while logged in as either the root user or as a user with the resource-admin role.


791361-2 : Configured management port rules can be lost after loading UCS file and rebooting

Component: Advanced Firewall Manager

Symptoms:
Configured management port rules are missing after loading a UCS file that adds the management-ip to the failover network, and subsequently rebooting.

Conditions:
-- Load a UCS file that adds the management-ip to the failover network.
-- Reboot.

Impact:
Management port rules can be lost. This can prevent normal operation of high availability (HA) configurations.

Workaround:
There is no workaround at this time.


791337-2 : Traffic matching criteria fails when using shared port-list with virtual servers

Component: Local Traffic Manager

Symptoms:
The system reports an error:

01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.

Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with different protocol with overlapping sources and destination IP address.

Impact:
Config validation failure prevents configuration changes.

Workaround:
Use different IP addresses and ports.


791061-1 : Config load in /Common removes routing protocols from other partitions

Component: TMOS

Symptoms:
While loading the /Common partition, config routing protocols on other partition route-domains will be removed.

Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.

Impact:
Routing protocols config from other partitions are removed.

Workaround:
Reload the config with the command:
load sys config partitions all


791057-2 : Mcp crashes during config sync when traffic matching criteria is used

Component: Local Traffic Manager

Symptoms:
Mcp crashes.

Conditions:
The specific root cause is unknown, although the crash is related to the use of traffic matching criteria, and the crash happens during config sync operations.

Impact:
System reboots and traffic processing halts while the process restarts.

Workaround:
None.


790949-1 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.

Component: Service Provider

Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.

For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.

Some documented and actual default values have changed across releases.

Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.

Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.

Impact:
Depending on the protocol, the limits might not take effect as configured.

Incorrect documentation and/or lack of validation could lead to configuring an invalid value.

Workaround:
None.


790845-3 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.


790349-3 : merged crash with a core file

Component: Application Security Manager

Symptoms:
merged crash and restart.

Conditions:
A tmstat sync operation is occurring in the background.

Impact:
Statistical data is not available for system utilities/graphs while merged restarted. There is no other impact beside the appearance of the core file.

Workaround:
None.


790205-4 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


790113-1 : Cannot remove all wide IPs from GTM distributed application via iControl REST

Component: Global Traffic Manager (DNS)

Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:

modify gtm distributed-app da1 wideips delete { all }

There is no equivalent iControl REST operation to do this.

Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.

Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.

Workaround:
You can use one of the following workarounds:

-- Use the WebUI.

-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }

-- Invoke tmsh from within the bash iControl REST endpoint, for exmaple:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash


789993-2 : Failure when upgrading to 15.0.0 with config move and static management-ip.

Component: TMOS

Symptoms:
Upgrade to 15.0.0 from earlier version fails.

Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).

Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.

Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.


789421-3 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.


789169-1 : Unable to create virtual servers with port-lists from the GUI

Component: TMOS

Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:

01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.

Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.

- A port-list or address-list is used.

Impact:
Virtual server creation fails.

Workaround:
Create the configuration in tmsh.

1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.

2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.


789085-4 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash

Component: Access Policy Manager

Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.

Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:

when SERVER_CONNECTED {
 log local0. "[ACCESS::session data get session.user.sessionid]"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


788949-2 : MySQL Password Initialization Loses Already Written Password

Component: TMOS

Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.

Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.

Impact:
Processes may fail to connect to MySQL server.

Workaround:
None.


788813 : TMM crash when deleting virtual-wire config

Component: Local Traffic Manager

Symptoms:
Tmm crashes.

Conditions:
This can occur when deleting a virtual-wire config

Impact:
Traffic disrupted while tmm restarts.


788741-1 : TMM cores in the MQTT proxy under rare conditions

Component: Local Traffic Manager

Symptoms:
TMM may core in the MQTT proxy under unknown conditions.

Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.

Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


788645-1 : BGP does not function on static interfaces with vlan names longer than 16 characters.

Component: TMOS

Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.

Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.

Impact:
BGP Dynamic Routing is not working.

Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.


788557-6 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.


788513-1 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


788465-1 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm


788417-1 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}


788269-4 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.


787853-1 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. ping fails from client to virtual address as expected
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.

Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
Update virtual address ICMP setting to any or selective/any.


787601-1 : Unable to add 'Enforce' parameter if already configured in different URL

Component: Fraud Protection Services

Symptoms:
If two or more URLs are configured with 'Application Type = Mobile', is is not possible to add the 'Enforce' parameter to more than one URL.

Also, the 'Mobile Encryption Parameter' option is automatically checked if already checked in another URL.

Conditions:
1. License FPS and MobileSafe.
2. Add two or more URLs with 'Application Type = Mobile'.

Impact:
Data sent from MobileSafe SDK may not be encrypted.

Workaround:
Use TMSH to configure these settings.


786913-1 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7

Component: Application Security Manager

Symptoms:
Upgrade fails when upgrading from 13.0.x or under if the config includes an LTM Policy (CPM) which modifies a DoS Application Profile.

Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.

Impact:
Upgrade failure.

Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.


786565-1 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded

Component: Service Provider

Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, if the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter disrupting its statemachine.

Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.

Impact:
The data in the payload buffer is forwarded to the generic message filter disrupting its statemachine. Subsequent messages are not forwarded.

Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""


786517-4 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


786173-2 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.


785481-1 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.


784989-1 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.


784733-4 : GUI LTM Stats page freezes for large number of pools

Component: TMOS

Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, navigating to the GUI page to look at stats for all or one pool, the GUI page may freeze indefinitely.

Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.

Impact:
Cannot view pool or pool member stats in GUI.

Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.


784565-1 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.


783849-1 : DNSSEC Key Generations are not imported to secondary FIPS card

Component: Global Traffic Manager (DNS)

Symptoms:
When new DNSSEC Key Generations are generated by FIPS card, the Generation is not imported to secondary FIPS card.

Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync. New DNSSEC Key Generation is created.

Impact:
New DNSSEC Key Generation is not imported to secondary FIPS card, but the generation is synced within GTM sync group.

Workaround:
N/A


783817-1 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.


783617-2 : Virtual Server resets connections when all pool members are marked disabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.

Conditions:
All the pool members are marked disabled by a monitor or administratively.

Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.

Workaround:
None.


783565-1 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP

Component: Fraud Protection Services

Symptoms:
Upgrade support for DB variable to attach AJAX payload to vToken cookie sets 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on on the URL.

Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.

Impact:
After upgrade, the configuration fails to load due to an error during schema change validation

Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.


783293-2 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window

Component: TMOS

Symptoms:
If you try to enter any of these three characters: < > & (greater than, less than, ampersand) into GUI Preference page or TMSH sys global-settings configuration, they are displayed as escape chars in the GUI window correspondingly as: &lt; &gt; &amp;.

Conditions:
Entering one of these three characters into GUI banner text settings: < > &.

Impact:
At GUI Logon page, the page displays with the following characters: &lt; &gt; &amp; instead of the specified characters: < > &.

Workaround:
None.


783289-4 : PEM actions not applied in VE bigTCP.

Component: Policy Enforcement Manager

Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.

Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.

Impact:
PEM policies do not get applied.

Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).


783233-3 : OAuth puts quotation marks around claim values that are not string type

Component: Access Policy Manager

Symptoms:
When you define a claim to use with OAuth, and the claim-type setting is set to something other than String, the claim value is treated as a string anyway and encapsulated in quotation marks.

Conditions:
-- OAuth is configured.
-- The oauth claim value being used is not of type string (i.e. array, or boolean, or number)

Impact:
The claim value is encapsulated in quotation marks and processed as a string.

Workaround:
None.


783145-5 : Pool gets disabled when one of its pool member with monitor session is disabled

Component: Local Traffic Manager

Symptoms:
A pool which has at least two pool members and one of its pool members associated with a monitor is disabled, the entire pool gets marked disabled-by-parent.

Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.

Impact:
The pool status for the entire pool is marked disabled-by-parent.

Workaround:
None.


783125-1 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


783113-5 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted


782613-6 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp

Component: TMOS

Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.

Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.

Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.

Workaround:
None.


782569-2 : SWG limited session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).

Impact:
SSLO fails to connect when the SWG limited session limit is reached.

Workaround:
None.


782353-5 : SIP MRF via header shows TCP Transport when TLS is enabled

Component: Service Provider

Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.

Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.

Impact:
The via header is not correct and violates the SIP RFC.

Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:

when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0

    }
}


781849-1 : On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single Virtual Server

Component: Local Traffic Manager

Symptoms:
After the client certificate has been provided, the browser waits for a response within a few minutes and then displays the error 'Page cannot be displayed'. At the same time you can watch the following informational messages in the /var/log/apm events log file:
info tmm[12245]: 01870000:6: /Common/app1.example.com:Common:dd1d4e4f: Executed agent (/Common/app1.example.com_On-Demand-CRLDP_ondemand_cert_auth_act_ondemand_cert_auth_ag) with return status (Need more data)

Conditions:
BIG-IP system is configured as Identity Aware Application Proxy for multiple application access, that may require On-Demand Client Certificate Authentication by using different Client SSL profiles.

The following is a sample scenario:

-- There are 3 web-application (app1.example.com, app2.example.com, app3.example.com) that are located behind the BIG-IP system configured as Identity Aware Application Proxy (by means of using Per-Request Access policy).
-- app1.example.com and app2.example.com are configured to require On-Demand Client Certificate Authentication as primary authentication method.
-- Each application requires a separate Client SSL profile with separate Client Authentication options specified.
-- Client SSL profile for app1.example.com application has 'Default for SNI' option enabled.

In this case, all authentication requests to app2.example.com fail, even if a trusted certificate is provided.

Impact:
On-Demand Certificate Authentication fail, even if a trusted client certificate is provided.

Workaround:
Use a single Client SSL profile with a single certificate, where the Subject Alternative Name extension lists fully qualified domain names of all applications, protected by Identity Aware Application Proxy.


781733-1 : SNMPv3 user name configuration allows illegal names to be entered

Component: TMOS

Symptoms:
The validation of SNMPv3 user names is not strict, and allows users of both the GUI and TMSH to enter badly formed user names. When the SNMP daemon reads these user names from the snmpd.conf file, validation rejects the names.

Conditions:
Poorly formed SNMPv3 user names can be entered into configuration, for example, names with embedded spaces.

Impact:
The user names are not accepted by the SNMP daemon when it reads the configuration from the snmpd.conf file.

Workaround:
Use alphanumeric characters for SNMPv3 user names, and do not include embedded spaces in the names.


781725-1 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview

Component: Service Provider

Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.

Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.

Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.

Workaround:
None.


781637-1 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings


781605-4 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
false positive or false negative attack signature match on multipart payload.

Conditions:
very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A


781581-2 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.


781425-1 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' has a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
 tmsh load sys config.

The configuration now loads without syntax errors.


781069-1 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.


781041-2 : SIP monitor in non default route domain is not working.

Component: Local Traffic Manager

Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.

Conditions:
SIP pool members in non default route domain.

Impact:
SIP service unavailable.


781021-1 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false


780837-2 : Firewall rule list configuration causes config load failure

Component: Advanced Firewall Manager

Symptoms:
'tmsh load sys config' reports a syntax error.

The syntax error is reported on 'security firewall rule-list rule' configuration.

Conditions:
This occurs only if any of the rule-list rule ip-protocol contains one of the following protocols:

Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):

bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram

Impact:
The system fails to load the configuration.

Workaround:
Manually edit the configuration file: /config/bigip_base.conf

1. Replace the ip-protocol name from rule-list configuration:

-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.

2. Save the file.
3. Issue the command:
 tmsh load sys config.

The configuration now loads without syntax errors.


780817-6 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.


780437-1 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


779793-1 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor

Component: Global Traffic Manager (DNS)

Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..

Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only.

Impact:
LC system failing to load configuration.

Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only


779769-1 : [LC] [GUI] destination cannot be modified for bigip-link monitors

Component: Global Traffic Manager (DNS)

Symptoms:
The 'destination' for BIG-IP Link Controller (LC) bigip_link monitor cannot be modified through GUI.

Conditions:
Using the LC bigip_link monitor in the GUI.

Impact:
Cannot change 'destination' for LC bigip_link monitor through GUI.

Workaround:
Use tmsh.


779137-1 : Using a source address list for a virtual server does not preserve the destination address prefix

Component: Local Traffic Manager

Symptoms:
Configuring a network virtual server with a source address list causes the system to treat the virtual server as a host.

Conditions:
-- Configure a source address list on the virtual server.
-- Configure a network address for the destination of the virtual server (not an address list).

Impact:
Traffic does not flow to the virtual server as expected.

Workaround:
None.


778517-3 : Large number of in-TMM monitors results in delayed processing

Component: Local Traffic Manager

Symptoms:
Delayed monitor update; e.g., monitor may continue to run after removed from pool / member / node. Duplicate monitor instances may be created to a server after associating a monitor.

Conditions:
A large number of in-TMM monitors.

Impact:
Monitor target may appear down when responding correctly.
Monitor may continue to run after removed from pool / member / node.
Increased monitoring load on server.

Workaround:
Disable in-tmm monitors.


778501 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment

Component: Local Traffic Manager

Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.

Conditions:
- iRule with LB_FAILED event
- server connection establishment fails

Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.

Workaround:
No workaround available.


778365-3 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However if there is no DNS service on the LDNS, there should not be any RTT metrics collected. But BIG-IP still populates the RTT values giving users a "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though no response from the DNS service is present giving users wrong impression that there is.


778317-2 : IKEv2 HA after Standby restart has race condition with config startup

Component: TMOS

Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.

Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.

Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.

The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.

Workaround:
None.


778225-2 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.


778125-2 : LDAP remote authentication passwords are limited to fewer than 64 bytes

Component: TMOS

Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.

Conditions:
Configured for remote authentication with a password is longer than or equal to 64 bytes.

Impact:
Unable to login as remote-user with long password.

Workaround:
Set password that is shorter than 64 bytes.


778041-2 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)

Component: TMOS

Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition (VE), for example), it fails with an unclear message

errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.

Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
  + Directly:
tcpdump -i 0.0 --f5 epva
  + Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all

Impact:
Unclear message does not give clear indication what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms

Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).

Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl


777993-1 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.


777389-2 : In a corner case, for PostgreSQL monitor MCP process restarts

Component: TMOS

Symptoms:
MCP expects a monitoring response from SQL server and starts polling for data continuously, resulting in infinite loop.

Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read

Impact:
The system goes into an infinite loop and skips the heartbeat report, resulting in its restart. During MCP restart (typically, fewer than 10 seconds), the BIG-IP administrator will not be able to make CRUD operations on the BIG-IP system.

Workaround:
None.


777261-5 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.


777173-1 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.


776489-1 : Remote authentication attempts to resolve only LDAP host against the first three name servers configured.

Component: TMOS

Symptoms:
'Login failed' is displayed on the BIG-IP system's login screen.

Conditions:
-- Remote authentication is enabled.
-- There are more than three name servers configured.

Impact:
Admins may not be able to log into the BIG-IP GUI with their admin user account if the first 3 configured DNS name servers are not reachable.

Workaround:
None.


776393-1 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
Restjavad frequently (approximately every 5 minutes) restarting due to OutOfMemory:Java heap space with no extra memory.

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is two-step process.

1. Update memory allocated to restjavad using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad is 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
   tmsh modify sys db restjavad.useextramb value true
   bigstart restart restjavad


776229-1 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.


776073-2 : OOM killer killing tmmin system low memory condition as process OOM score is high

Component: TMOS

Symptoms:
When BIG-IP system running under low memory situation, Out-Of-Memory killer more likely selects tmm to kill and release the resources.

Conditions:
BIG-IP version 13.0.x or later installed and system running with low memory.
AFM provisioned makes the tmm process more likely to be selected by the oom killer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adjust OOM score of "tmm" process through oom_score_adj proc setting.

echo "-500" > /proc/<pid_of_tmm>/oom_score_adj


775897-2 : High Availability failover restarts tmipsecd when tmm connections are closed

Component: TMOS

Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.

Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. But a side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd came back up.

Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.

Workaround:
None.


775801-1 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener

Component: Global Traffic Manager (DNS)

Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.

Conditions:
Creating GTM listener using the GUI.

Impact:
'Route Advertisement' is not enabled.

Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.


775733-3 : /etc/qkview_obfuscate.conf not synced across blades

Component: TMOS

Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated it for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)

In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.

Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.

Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because qkview acts differently if there is an obfuscate.conf on the active by automatically gathering the same information on the blades, but not obfuscating that sensitive data.

Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.

Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.


775621-1 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.


775013-1 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.


774633-1 : Memory leak in tmm when session db variables are not cleaned up

Component: Access Policy Manager

Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.

Conditions:
SSLO setup with a service connector that fails.

Impact:
tmm eventually runs out of memory and generates a core file.

Workaround:
None.


774617-2 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.


774481-1 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.


774361-4 : IPsec High Availability sync during multiple failover via RFC6311 messages

Component: TMOS

Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.

Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.

Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.

Workaround:
No workaround is known at this time.


774301-5 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.

-- This is also applicable to any SAML requests/responses that are signed:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   e) SAML SLO Request/Response

Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Workaround:
None.


774261-2 : PVA client-side current connections stat does not decrease properly

Component: Local Traffic Manager

Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.

Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.

Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.

Example:

config # tmsh show sys pva-traffic global

-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic ClientSide ServerSide
  Bits In 23.6K 219.7K
  Bits Out 219.7K 23.6K
  Packets In 40 335
  Packets Out 335 40
  Current Connections 295 0 <-----
  Maximum Connections 296 8
  Total Connections 335 40

Miscellaneous
  Cur PVA Assist Conns 0
  Tot PVA Assist Conns 335
  HW Syncookies Generated 0
  HW Syncookies Detected 0

config # tmsh show sys conn all-properties

Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.

Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.


774225-4 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting

Component: Global Traffic Manager (DNS)

Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).

Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.

Impact:
mcpd is in a restart loop.

Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).

# tmsh modify gtm global-settings general peer-leader <gtm-server-name>


After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:

# tmsh modify gtm global-settings general peer-leader GTM2


After reboot, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


774213-2 : SWG session limits on SSLO deployments

Component: Access Policy Manager

Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.

Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).

Impact:
SSLO fails to connect when the SWG session limit is reached.

Workaround:
None.


773821-2 : Certain plaintext traffic may cause SSLO to hang

Component: Local Traffic Manager

Symptoms:
SSLO relies on SSL hudfilter to detect non-SSL traffic; but certain plaintext can be mistaken as SSL traffic, which can cause a hang.

Conditions:
Initial plaintext traffic resembles SSLv2 hello message or has less than enough bytes for SSL to process.

Impact:
SSLO hangs, unable to bypass traffic.

Workaround:
None.


773577-1 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded

Workaround:
Delete or rename user.


773553-1 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.


773421-4 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.


773333-1 : IPsec CLI help missing encryption algorithm descriptions

Component: TMOS

Symptoms:
Encryption algorithms against IPsec help are not listed in the CLI.

Conditions:
LTM licensed on the BIG-IP.

Impact:
Unable to view the help.

Workaround:
None. The actual command line help should be:

(/Common)(tmos)# create net ipsec ike-peer test version add { v2 } phase1-encrypt-algorithm ?

Specifies the encryption algorithm used for the isakmp phase 1 negotiation. This directive must be defined. Possible value is one of following:
3des, aes128, aes192, aes256, blowfish, camellia, cast128, des

Note: The values blowfish, cast128, and camellia are v1 only.


773253-4 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.


773229-1 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances

Component: Local Traffic Manager

Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).

Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.

Impact:
Traffic no longer passes through the virtual server properly.

Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.

Impact of workaround: This results in a traffic disruption for that virtual server.

If the issue has already occurred, the only way to recover is to restart TMM

Impact of workaround: This also results in a traffic disruption, this time a general one.


772497-6 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,


II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
 # sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck


772473-4 : Request reconstruct issue after challenge

Component: Application Security Manager

Symptoms:
False positive on Content-Type header in GET request.

Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.

Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.

Workaround:
There is no workaround at this time.


772297-1 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.


772233-2 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use collection protocols - ICMP instead.


771173-4 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>


771025-4 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.


770477-1 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.


769997 : ASM removes double quotation characters on cookies

Component: Application Security Manager

Symptoms:
ASM removes the double quotation characters on the cookie.

Conditions:
Cookie sent that contains double quotation marks.

Impact:
The server returns error as the cookie is changed by ASM.

Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false


769981-1 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769817-2 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.


769801-2 : Internal tmm UDP filter does not set checksum

Component: Local Traffic Manager

Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.

Conditions:
-- An internal tmm UDP filter is in use.

Impact:
Even though a UDP packet with no checksum is permitted, it could cause some problems with some firewalls/servers.

Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:

no_cksum 0


769581-2 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.


769385-2 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message

Component: Global Traffic Manager (DNS)

Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:

err mcpd[7649]: error: crypto codec New token is smaller with added values.

Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.

Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.

Workaround:
None.


769341-2 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs

Component: TMOS

Symptoms:
High availability (HA) failover from active to next-active device should delete existing IKEv1 SAs because the IKEv1 racoon daemon terminates on standby. But it should not also delete the IKEv2 SAs at the same time, and it does.

Conditions:
This occurs during failover.

Impact:
The deletes IKEv2 SAs mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.

Workaround:
None.


769309-1 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.


769169-4 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring

Component: TMOS

Symptoms:
BIG-IQ sends a lot of request to the BIG-IP system to collect the stats it makes the BIG-IP slow and eventually GUI goes unresponsive.

Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.

Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system becomes unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.

Lot of process terminated/re-created messages in restjavad logs.

Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.


769145-1 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.


769061-1 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.


769029-4 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequently non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:

tmpwatch --nodirs 1d /var/system/tmp


768025-3 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.


767877-4 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.


767737-1 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767305-1 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart


767217-1 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


767013-2 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.


766593-2 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]


766577-1 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.


766405-1 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.


766329-1 : SCTP connections do not reflect some SCTP profile settings

Component: TMOS

Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:

  -- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
  -- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
  -- The tx-chunks setting has no effect.
  -- The rx-chunks setting has no effect.

Conditions:
An SCTP virtual server is configured.

Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.

Workaround:
None.


765517-2 : Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN

Component: Local Traffic Manager

Symptoms:
When two virtual servers are created and they have same address list but different incoming VLANs, Traffic Match Criteria validation fails.

Conditions:
Create 2 virtual servers and they have same address list but different incoming VLANs.

Impact:
System validation fails.

Workaround:
Use non-overlapping address lists.


765413-3 : ASM cluster syncs caused by PB ignored suggestions updates

Component: Application Security Manager

Symptoms:
Frequent syncs occurring within an ASM device group.

Conditions:
Several (updating) suggestions are marked 'ignored'.

Impact:
Syncs appear in the logs (no actual performance degradation).

Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).

-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)


764873-1 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764373-4 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.


763157-1 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped

Component: Service Provider

Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause internal state generated to be confused and the inbound request to be dropped.

Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.

Impact:
The inbound request will be dropped.

Workaround:
None.


763093-4 : LRO packets are not taken into account for ifc_stats (VLAN stats)

Component: Local Traffic Manager

Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.

Conditions:
LRO is enabled and used for incoming packets.

Impact:
ifc_stats are incorrect for incoming octets and packets.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm


762385-2 : After upgrade to 14.1 wrong remote-role assigned using LDAP authentication

Component: TMOS

Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.

Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one match existing role.

Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role yielding more restrictive set of permissions.
Authentication may fail when check-roles-group is disabled.


762205-3 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.


762073-4 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.


761993-1 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.


761685-2 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set

Component: Service Provider

Symptoms:
Systems desiring to create a unique connection per connection client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition, and the virtual server has the source-port attribute set to preserve-strict.

Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.

Impact:
Systems desiring to create a unique connection per connection client may silently end up sharing an outgoing connection.

Workaround:
None.


761621-1 : Ephemeral FQDN pool members in Partition shown as Common under Local Traffic > Pools > "Members"

Component: TMOS

Symptoms:
When Ephemeral FQDL pool members exist in non-Common partition, they are shown to be in the /Common partition on the Local Traffic : Pools : Members page. In the statistics view of the same object, they are shown appropriately with their non-Common partition.

Conditions:
-- Ephemeral FQDL pool members exist in a non-Common partition.
-- View the FQDL pool members on Local Traffic : Pools : Members page.

Impact:
No impact to configuration, however, the display is confusing and shows contradictory partition information.

Workaround:
None.


761345-4 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.


761321-1 : 'Connection Rate Limit' is hidden, but 'Connection Rate Limit Mode' is not

Component: TMOS

Symptoms:
'Connection Rate Limit' setting is hidden when it is appropriate to do so. However, the 'Connection Rate Limit Mode' setting is still visible, even when 'Connection Rate Limit' is hidden.

Conditions:
1. Create a Virtual Server with type Standard.
2. Click Configuration 'Advanced'.
3. Enter values for 'Connection Rate Limit" and "Connection Rate Limit Mode'.
4. Save the configuration.
5. Change the virtual server type to Forwarding (Layer 2).

Impact:
'Connection Rate Limit' is hidden -- which it should be, but 'Connection Rate Limit Mode' is not -- which it should be as well. Although 'Connection Rate Limit Mode' is available, the system ignores any setting specified.

Workaround:
Do not configure 'Connection Rate Limit Mode', as it has no effect.


761303-1 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:

1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr


761234-1 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached

Component: Advanced Firewall Manager

Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.

Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.

Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.

Workaround:
None.


761088-2 : Remove policy editing restriction in the GUI while auto-detect language is set

Component: Application Security Manager

Symptoms:
While policy language was set to auto-detect, the policy editing was not allowed.

Conditions:
Create a new policy and set the language to auto-detect.

Impact:
While policy language was set to auto-detect, the policy editing was not allowed.

Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.


760930-3 : MRF SIP ALG with SNAT: Added additional details to log events

Component: Service Provider

Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.

Conditions:
debug log events for temporary subscriber registration creation and deletion.

Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.

Workaround:
None.


760740 : Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySql database. Because BIG-IP systems with only LTM provisioning (i.e., without AFM licensed) do not have the MySql server running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system is provisioned with LTM only.

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.


760680-2 : TMSH may utilize 100% CPU (single core) when set to be a process group leader and SSH session is closed.

Component: TMOS

Symptoms:
TMSH does not correctly handle absence of input stream after closing interactive SSH session and remains active in an infinite loop using 100% CPU.

Conditions:
If TMSH is a process group leader, it will not be killed when the parent shell is terminated upon SSH session close.

This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.
Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.

Impact:
One CPU core is utilized to 100% by the TMSH process.

Workaround:
TMSH should not be intentionally promoted to a process group leader.

You can safely kill abandoned TMSH processes using the command:
killall tmsh


760615-1 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.


760468 : Configuring a route-domain causes diskmonitor error in logs

Component: TMOS

Symptoms:
Configuring a non-default route-domain results in a diskmonitor error in logs:

warning diskmonitor[14972]: 011d0002:4: Skipping net:[4026532306]. Stat returned message: /usr/bin/stat: cannot read file system information for net:[4026532306]: No such file or directory.

Conditions:
-- Install or upgrade to v14.1.0 or v15.0.0.
-- Non-default route-domain configured on VLAN.

Impact:
There is no functional impact. The message logged does not indicate functional issues.

Workaround:
None.


760439-5 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760370-1 : MRF SIP ALG with SNAT: Next active ingress queue filling

Component: Service Provider

Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.

Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.

Impact:
Mirroring state is lost for the connection.

Workaround:
None.


760356-1 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.


760355-2 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Component: Advanced Firewall Manager

Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP


760164 : BIG-IP VE Compression Offload HA action requires modification of db variable

Component: TMOS

Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.

Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.

Impact:
The configured HA action does not occur when a compression offload device hangs. Clients compression requests eventually time out.

Workaround:
Disable the pfmand by running the following commands:
    tmsh modify sys db pfmand.healthstatus value disable
    tmsh save sys config

The configured HA action will now occur when a compression offload device hangs.

Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.


760050-1 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.


759993-1 : 'License verification failed' errors occur when changing license

Component: TMOS

Symptoms:
The /var/log/ltm contains license processing errors upon license validation failure whenever a significant license event happens (such as a license change). However the system 'corrects' itself if a valid license exists, so no further log messages will be produced.

Conditions:
Whenever a significant license event happens, the internal state wipes the previous license representation, which causes some modules to report the license has failed verification.

Impact:
When a license change occurs, the system logs messages similar to the following:

-- err mcpd[11745]: 01180010:3: [license processing][error]: license verification failed.
-- err mcpd[11745]: 01180010:3: [license processing][error]: invalid input for license parsing.

If you have a valid license, there is no functional impact to the product, and you can safely ignore these messages.

Workaround:
None.


759968-4 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
--Distinct vCMP guests are able to cluster with each other.

--Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200

Look at the "rebroad_mac" field.

Conditions:
--It is not yet clear under what circumstances the issue occurs.

--One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
--Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.


759654-3 : LDAP remote authentication with remote roles and user-template failing

Component: TMOS

Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.

BAD_NAME errors are usually present in LDAP communication.

Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to logon.

Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot logon.

Workaround:
Remove user-template. bind-dn must be used to authenticate against LDAP server.


759606-1 : REST error message is logged every five minutes on vCMP Guest

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}


759499-1 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error

Component: TMOS

Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
 failed (Could not access configuration source; sda,n)

Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.

Impact:
Upgrade fails.

Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.

The second installation of 14.1.0 succeeds in this scenario.


759392-1 : HTTP_REQUEST iRule event triggered for internal APM request

Component: Access Policy Manager

Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.

Conditions:
Customized logo in Access Profile

Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.

Workaround:
Inside the HTTP_REQUEST event, if it is necessary to not take a certain action on a customized logo, it is possible to check that the URL does not equal the URL for the logo (it should start with '/public/images/customization/' and contain the image name).


759370-3 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.

Component: Service Provider

Symptoms:
FIX message has successfully parsed header part (iRule event FIX_HEADER triggered), but is eventually discarded as incomplete (no iRule event FIX_MESSAGE).

Conditions:
FIX message fragmented between body part and the trailer (tag 10).

Impact:
FIX protocol messages are not forwarded.

Workaround:
Assure FIX protocol packet size does not exceed MTU value.


759258-1 : Instances shows incorrect pools if the same members are used in other pools

Component: TMOS

Symptoms:
Monitor 'Instances' tab shows incorrect pools if the same members are used in other pools.

Conditions:
Steps to Reproduce:

1. Create custom monitor or use system default.
2. Assign that monitor to a test pool.
3. Navigate to Local Traffic :: Monitors, click the test monitor, then select the Instances tab.

Impact:
The test pool is displayed, as well any other pools that use the same member or members (but with other monitors assigned).

Workaround:
None.


759135-1 : AVR report limits should be editable, not just hardcoded 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.


759077-1 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.


758992-3 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.


758764-1 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.


758387-1 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it

Component: TMOS

Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.

Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.

Workaround:
None.


757782-2 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server.

Conditions:
-- OAuth Authorization Server is configured to return JWT access token.
-- Subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'.

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depends on the value of 'sub' claim, then that functionality does not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as the following:
session.logon.last.logonname.


757781-4 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.


757722-3 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.


757519-2 : Unable to login using LDAP authentication

Component: TMOS

Symptoms:
User cannot login using remote LDAP authentication. This occurs because LDAP with user-template uses user-template username as DN for search.

Conditions:
LDAP authentication configuration includes user-template, which is not a valid DN.

Impact:
Remote LDAP authentication users are unable to login.

Workaround:
You can use either of the following workarounds:

-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.

-- Switch to local authentication.


757029-1 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756998-2 : DoSL7 Record Traffic feature is not recording traffic

Component: Application Security Manager

Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.

Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.

Impact:
Attack traffic is not being recorded as expected.

Workaround:
None.


756402-3 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.


756313-1 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
To restore the state of the member, remove it, and add it back to the pool.


756102-1 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


755791-1 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.


755727-1 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755716-2 : IPsec connection can fail if connflow expiration happens before IKE encryption

Component: TMOS

Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:

notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context

Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.

Impact:
IKE Negotiation fails, so an SA cannot be established.

Workaround:
None.


755018-1 : Traffic processing may be stopped on VE trunk after tmm restart

Component: TMOS

Symptoms:
Trunk interface members might be missing from tmm after tmm restart on BIG-IP Virtual Edition (VE).

Conditions:
-- Using trunks on VE.
-- tmm restarts.

Impact:
No traffic processing after tmm restart.

Workaround:
Remove the interfaces from the trunk and re-add them:
    # tmsh modify net trunk <trunk name> interfaces none
    # tmsh modify net trunk <trunk name> interfaces add { <interface1> <interface2> }


754989-2 : iControl REST API adds unnecessary escape character (\) to URL if the URL contains a wildcard character

Component: TMOS

Symptoms:
iControl REST API adds unnecessary escaping to URL if it contains a wildcard character.

Conditions:
-- Creating configuration using iControl REST API.
-- Configuration includes a URL containing wildcard character.

Impact:
iControl REST API adds unnecessary escape character (\) to URL. The resulting configuration may not be interpreted correctly by the data plane because the request URL does not match with the configuration.

-- One specific example:
# restcurl -u admin:<password> -d '{"name":"/vdesk/test*","type":"wildcard"}' "https://host.mgmt.siterequest.com/mgmt/tm/security/anti-fraud/profile/fps_logonpage_wildcard/urls"

-- Results in this:
urls {
        /vdesk/test\\* {
            priority 2
            type wildcard
        }
    }

-- Instead of the expected:
urls {
        /vdesk/test* {
            priority 2
            type wildcard
        }
    }

Workaround:
Use TMSH to add the configuration.


754691-2 : During failover, an OSPF routing daemon may crash.

Component: TMOS

Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.

Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any

2) OSPF router with this access-list:
router ospf 1
 ospf router-id 10.14.0.11
 bfd all-interfaces
 network 10.14.0.0/16 area 0.0.0.1
 distribute-list 199 in
!

-- The device with this configuration is in the standby state.
-- A failover occurs.

Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.

Workaround:
None.


754525-2 : Disabled virtual server accepts and serves traffic after restart

Component: Local Traffic Manager

Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.

Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.

Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.

Workaround:
To correct the behavior, manually enable/disable the virtual server.


754335-2 : Install ISO does not boot on BIG-IP VE

Component: TMOS

Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).

Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.

Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.

Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.


753860-4 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


751924-1 : TSO packet bit fails IPsec during ESP encryption

Component: TMOS

Symptoms:
Internal error when an unexpected packet bit for TCP segment offload manages to reach crypto code for ESP in IPsec, when this is not expected.

Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


751581-4 : REST API Timeout while queriying large number of persistence profiles

Component: TMOS

Symptoms:
When you have a large number of collections in BIG-IP, REST API seems to be timed out without any response from BIG-IP

Conditions:
When BIG-IP has large number of persistence profiles.

Impact:
REST API gets timed out when REST API queries the BIG-IP for persistence profiles. There is no response sent for given REST API.

Workaround:
When you have a large number of collections, you are recommended to use paging mechanism.

Please refer https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.

"iControl ® REST supports pagination options for large collections.


751021-5 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


749249-3 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP

Component: TMOS

Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.

Conditions:
- IPsec tunnels configured.
- System has multiple blades.

Impact:
The CPU exhaustion may cause system instability.

The tmm logs may contain large numbers of messages similar to the following:

-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1

Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.


748355-3 : MRF SIP curr_pending_calls statistic can show negative values.

Component: Service Provider

Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.

Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.

Impact:
SIP curr_pending_calls may show incorrect values.


747628-7 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.


747203-1 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Component: TMOS

Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.

Impact:
NATT/ESP tunnel flows can end with a RST reset.

Workaround:
None.


747131-2 : ARP table may not be updated properly by some TMMs

Component: Local Traffic Manager

Symptoms:
When receiving ARP request coming from the client, some TMMs may not update the ARP table properly, leading to connectivity failures.

Conditions:
- BIG-IP with autolasthop disabled.
- Client blocking ARP responses.
- BIG-IP relies only on ARP requests coming from the client for sending the traffic back.

Impact:
This will have no impact in most of configurations, since BIG-IP will perform it's own resolution for client's MAC addresses.

In a case where client is not responding to ARP probes sent by Big-IP, the problem may lead to connectivity failures for particular clients.

Workaround:
Configure static ARP entries OR enable autolasthop.


746464-7 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746223-2 : DNSSEC: Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created

Component: Global Traffic Manager (DNS)

Symptoms:
Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created.

Conditions:
The user creates a new DNSSEC Key.

Impact:
The initial DNSSEC Key Generation may take up to 5 seconds to appear in the configuration

Workaround:
There is no workaround at this time.


744280-4 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.


743803-6 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


741213-1 : Modifying disabled PEM policy causes coredump

Component: Policy Enforcement Manager

Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.

Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Modify a PEM policy only when the policy is enabled.


738943-2 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon


737558 : Protocol Inspection user interface elements are active but do not work

Component: Protocol Inspection

Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.

Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.

Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).

-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.

Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.

Workaround:
None.


727107-5 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd


726900-2 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters

Component: Local Traffic Manager

Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.

Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.

Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.

Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.


726176-1 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Component: Local Traffic Manager

Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.


724994-5 : API requests with 'expandSubcollections=true' are very slow

Component: TMOS

Symptoms:
Submitting an iControl REST query using the option 'expandedSubcollections=true' takes significantly longer to return than one without that option. For example, the command 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the command 'https://localhost/mgmt/tm/ltm/virtual'.

Conditions:
Submitting a query using expandedSubcollections=true.

Impact:
The response takes significantly longer to return

Workaround:
The additional processing time occurs because the 'expandedSubCollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:

1. Run the following query:
GET mgmt/tm/ltm/virtual

2. Obtain the list of virtual servers by:
   2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
   2b. writing an iControlLX worker that does this.

Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.

3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.


724109-1 : Manual config-sync fails after pool with FQDN pool members is deleted

Component: TMOS

Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.

Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually

Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP

Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.

Workaround:
The workaround for this issue is to use auto-sync.


718790-4 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Pick a monitor working properly for the pool.


718405-4 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.


718108-4 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts

Component: TMOS

Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.

Conditions:
iControl REST requests are sent to the BIG-IP system using non-administrative (or resource admin) user accounts.

Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.

Workaround:
There are two workarounds for this issue.

Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.

Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.

Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.

1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"

Note: The commands are shown inside quotation marks but do not include the quotations marks.


715379-4 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file

Component: TMOS

Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.

Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.

Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.

Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.


714502-1 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.


709381-3 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.

Component: Local Traffic Manager

Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:

err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"

Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.

It should be noted this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.

Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.

Workaround:
Change the node version from 0.12.15 to 6.9.1 and back.


703090-2 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


697590-1 : APM iRule ACCESS::session remove fails outside of Access events

Component: Access Policy Manager

Symptoms:
ACCESS::session remove fails

Conditions:
iRule calling ACCESS::session remove outside of Access events.

Impact:
APM iRule ACCESS::session remove fails to remove session

Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.


677683 : Unexpected LOP reset

Component: TMOS

Symptoms:
These symptoms can be seen on BIG-IP B2100 and B2150 blades.

When the AOM resets itself unexpectedly, these types of symptoms can be observed:

-- LED alarm light may be red.

-- Messages may be logged to /var/log/ltm.

Examples of typical messages:
-- warning chmand[6890]: 012a0004:4: getLopReg Dev error: LopDev: sendLopCmd: Lopd status: 2 packet: action=1 obj_id=67 sub_obj=0 slot_id=ff result=0 len=3 crc=0 payload=28 8 4 (error code:0x0)

-- err chmand[6890]: 012a0003:3: GET_STAT failure (status=0x2) page=0x28 reg=0x8 : File mgmtif/BourneMgmtIfSvc.cpp Line 282

-- notice chmand[6890]: 012a0005:5: Tmstat::updateMgmtIf: Lop error

-- warning chmand[6890]: 012a0004:4: getLopReg Dev error: LopDev: sendLopCmd: Lopd status: 2 packet: action=1 obj_id=67 sub_obj=0 slot_id=ff result=0 len=3 crc=0 payload=1 0 2 (error code:0x0)

-- err chmand[6890]: 012a0003:3: GET_MEDIA failure (status=0x2) page=0x1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 376

Conditions:
This may occur on BIG-IP B2100 and B2150 blades.

Additional conditions under which this occurs are not well understood.

Impact:
These errors are effectively benign:

-- The watchdog/reset feature of the AOM controller provides resilience to recover from unexpected fault conditions.

-- The AOM re-initializes and comes back to proper operating state in the system.

-- Production traffic is not affected.

Workaround:
There is no workaround.


675911-7 : Different sections of the WebUI can report incorrect CPU utilization

Solution Article: K13272442

Component: Local Traffic Manager

Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)

Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.


671372-6 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Solution Article: K01930721

Component: TMOS

Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.

Impact:
The pool will be created but the members will not be modified.

Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.


665117-6 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping

Solution Article: K33318158

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Server status flapping from red-green-red.

Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.

Impact:
Server status flaps from red to green and back.

Workaround:
Check Transparent for these monitors.


663925-2 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is not automatically disabled when connection limit is reached and does not return from the unavailable state after connections decrease.

Workaround:
None.


601220-2 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade

Component: TMOS

Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.

Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.

Impact:
This is a very intermittent issue that is not reproducible and happens for only a few milliseconds. This may temporarily impact the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.

Note: This is not an F5-specific problem. It occurs on every stack switch hardware under these conditions.

Workaround:
There is no workaround.


591732-6 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.


569859-6 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.


505037-6 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Solution Article: K01993279

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.


474797-3 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.


291256-1 : Changing 'Minimum Length' and 'Required Characters' might result in an error

Component: TMOS

Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:

err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'

Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is a greater than 'Minimum Length' value before you changed it.

Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.

(These values should be work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)

Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.

Workaround:
You can use either of the following workarounds:

-- To workaround this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).

-- Use tmsh instead of the GUI.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************