Supplemental Document : BIG-IP 15.1.0.3 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.0

BIG-IP Analytics

  • 15.1.0

BIG-IP LTM

  • 15.1.0

BIG-IP Link Controller

  • 15.1.0

BIG-IP AFM

  • 15.1.0

BIG-IP PEM

  • 15.1.0

BIG-IP FPS

  • 15.1.0

BIG-IP DNS

  • 15.1.0

BIG-IP ASM

  • 15.1.0

BIG-IP Release Information

Version: 15.1.0.3
Build: 12.0

Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x

Functional Change Fixes

ID Number Severity Solution Article(s) Description
889505 3-Major   Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available
888569 3-Major   Added PBA stats for total number of free PBAs, and percent free PBAs


TMOS Fixes

ID Number Severity Solution Article(s) Description
795649-5 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
883513-1 3-Major   Support for QUIC and HTTP/3 draft-27
828601-1 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758599-3 3-Major   IPv6 Management route is preferred over IPv6 tmm route


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
846713-1 2-Critical   Gtm_add does not restart named


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
903905-2 2-Critical   Default configuration of security mechanism causes memory leak in TMM
889477-1 2-Critical   Modern customization does not enforce validation at password changing



Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
871633-1 CVE-2020-5859 K61367237 TMM may crash while processing HTTP/3 traffic
846917-1 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
846365-1 CVE-2020-5878 K35750231 TMM may crash while processing IP traffic
830401-1 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-2 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-1 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
636400 CVE-2019-6665 K26462555 CPB (BIG-IP->BIGIQ log node) Hardening
873469-2 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
864109-1 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
838881-1 CVE-2020-5853 K73183618 APM Portal Access Vulnerability: CVE-2020-5853
832021-3 CVE-2020-5888 K73274382 Port lockdown settings may not be enforced as configured
832017-3 CVE-2020-5887 K10251014 Port lockdown settings may not be enforced as configured
829121-1 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-1 CVE-2020-5885 K17663061 State mirroring default does not require TLS
789921-5 CVE-2020-5881 K03386032 TMM may restart while processing VLAN traffic
868097-3 CVE-2020-5891 K58494243 TMM may crash while processing HTTP/2 traffic
846157-1 CVE-2020-5862 K01054113 TMM may crash while processing traffic on AWS
823893-7 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials


Functional Change Fixes

ID Number Severity Solution Article(s) Description
870389-3 3-Major   Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
858229-5 3-Major   XML with sensitive data gets to the ICAP server


TMOS Fixes

ID Number Severity Solution Article(s) Description
854493-5 2-Critical   Kernel page allocation failures messages in kern.log
841953-7 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841333-7 2-Critical   TMM may crash when tunnel used after returning from offline
817709-3 2-Critical   IPsec: TMM cored with SIGFPE in racoon2
811701-3 2-Critical   AWS instance using xnet driver not receiving packets on an interface.
811149-2 2-Critical   Remote users are unable to authenticate via serial console.
866925-5 3-Major   The TMM pages used and available can be viewed in the F5 system stats MIB
865225-1 3-Major   Finisar QSFP28 OPT-0039 modules may not work properly in i15000 and i15800 platforms
852001-1 3-Major   High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
830717 3-Major   Appdata logical volume cannot be resized for some cloud images
829317-5 3-Major   Memory leak observed when running ICRD child
828873-3 3-Major   Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
812981-6 3-Major   MCPD: memory leak on standby BIG-IP device
802281-3 3-Major   Gossip shows active even when devices are missing
793121-5 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
742628-1 3-Major K53843889 Tmsh session initiation adds increased control plane pressure
605675-6 3-Major   Sync requests can be generated faster than they can be handled
831293-5 4-Minor   SNMP address-related GET requests slow to respond.
755317-3 4-Minor   /var/log logical volume may run out of space due to agetty error message in /var/log/secure
722230-1 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
860881-3 2-Critical   TMM can crash when handling a compressed response from HTTP server
839401-1 2-Critical   Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
879025-2 3-Major   When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions
872965-1 3-Major   HTTP/3 does not support draft-25
862597-7 3-Major   Improve MPTCP's SYN/ACK retransmission handling
853613-4 3-Major   Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
852873-2 3-Major   Proprietary Multicast PVST+ packets are forwarded instead of dropped
852861-1 3-Major   TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
851445-1 3-Major   QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
850973-1 3-Major   Improve QUIC goodput for lossy links
850933-1 3-Major   Improve QUIC rate pacing functionality
847325-3 3-Major   Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
818853-1 3-Major   Duplicate MAC entries in FDB
809597-5 3-Major   Memory leak observed when running ICRD child
714372-5 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
705112-6 3-Major   DHCP server flows are not re-established after expiration
859113-1 4-Minor   Using "reject" iRules command inside "after" may causes core
839245-3 4-Minor   IPother profile with SNAT sets egress TTL to 255
824365-5 4-Minor   Need informative messages for HTTP iRule runtime validation errors
822025 4-Minor   HTTP response not forwarded to client during an early response


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
760471-1 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
858025-1 2-Critical   Proactive Bot Defense does not validate redirected paths
852437-3 2-Critical K25037027 Overly aggressive file cleanup causes failed ASU installation
846073-1 2-Critical   Installation of browser challenges fails through Live Update
850673-1 3-Major   BD sends bad acks to the bd_agent for configuration
842161-1 3-Major   Installation of Browser Challenges fails in 15.1.0
793017-3 3-Major   Files left behind by failed Attack Signature updates are not cleaned
778261-2 3-Major   CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate
681010-4 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
838709-4 2-Critical   Enabling DoS stats also enables page-load-time
870957-4 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-1 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
835381-3 3-Major   HTTP custom analytics profile 'not found' when default profile is modified
830073-2 3-Major   AVRD may core when restarting due to data collection device connection timeout
787677-5 3-Major   AVRD stays at 100% CPU constantly on some systems
865053-3 4-Minor   AVRD core due to a try to load vip lookup when AVRD is down
863069-1 4-Minor   Avrmail timeout is too small


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
876393-1 2-Critical   General database error while creating Access Profile via the GUI
871761-1 2-Critical   Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
871653-1 2-Critical   Access Policy cannot be created with 'modern' customization
866685-1 3-Major   Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161-1 3-Major   Client port reuse causes RST when the security service attempts server connection reuse.
853325-1 3-Major   TMM Crash while parsing form parameters by SSO.
852313-4 3-Major   VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277-1 3-Major   Memory leak when using OAuth
844781-3 3-Major   [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844685-1 3-Major   Per-request policy is not exported if it contains HTTP Connector Agent
844573-1 3-Major   Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
844281-3 3-Major   [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
835309-1 3-Major   Some strings on BIG-IP APM Server pages are not localized
832881-1 3-Major   F5 Endpoint Inspection helper app is not updated
832569-3 3-Major   APM end-user connection reset
831781-4 3-Major   AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
803825-5 3-Major   WebSSO does not support large NTLM target info length
761303-5 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
744407-1 3-Major   While the client has been closed, iRule function should not try to check on a closed session
706782-5 3-Major   Inefficient APM processing in large configurations.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
853545-1 3-Major   MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
842625-5 3-Major   SIP message routing remembers a 'no connection' failure state forever
840821-1 3-Major   SCTP Multihoming not working within MRF Transport-config connections
825013-1 3-Major   GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
803809-4 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
859721-1 4-Minor   Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-5 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2



Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
834853 3-Major   Azure walinuxagent has been updated to v2.2.42


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
862557-1 3-Major   Client-ssl profiles derived from clientssl-quic fail validation

 

Cumulative fix details for BIG-IP v15.1.0.3 that are included in this release

903905-2 : Default configuration of security mechanism causes memory leak in TMM

Component: Access Policy Manager

Symptoms:
Over time, memory is allocated by the TMM processes for use as 'xdata' buffers, yet this memory is never de-allocated; it is leaked and becomes unusable. Eventually a disruption of service occurs.

Conditions:
-- The BIG-IP system has been running for 8 weeks or longer without a system restart.

-- The BIG-IP system's internal risk-policy subsystem (used by the security feature modules) has not been configured to communicate with an external risk-policy server.

-- In a vCMP configuration, the BIG-IP 'host' instance is always susceptible, since no security features can be configured in its context.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.


889505 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available

Component: Advanced Firewall Manager

Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.

There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new MIBs are now available:

F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp

F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp


889477-1 : Modern customization does not enforce validation at password changing

Component: Access Policy Manager

Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.

Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.

Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.

Workaround:
None.


888569 : Added PBA stats for total number of free PBAs, and percent free PBAs

Component: Advanced Firewall Manager

Symptoms:
There are several port block allocation (PBA) statistics that need to be added.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).

-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).

-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).

-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:

    total_port_blocks

The relevant TMSH show commands have been updated to include these new values:

-- Total Port Blocks
-- Percent Free Port Blocks


883513-1 : Support for QUIC and HTTP/3 draft-27

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.

Conditions:
Browser requests draft-27.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.


879025-2 : When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions

Component: Local Traffic Manager

Symptoms:
When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions as expected. TLS traffic is encrypted as expected but under certain conditions certificate authentication restrictions are not enforced

Conditions:
-Server-side SSL profile.
-Certificate chain validation enabled.

Impact:
LTM may not enforce TLS certificate chain restrictions as expected.

Workaround:
None.

Fix:
LTM now processes server-side TLS traffic as expected.


876393-1 : General database error while creating Access Profile via the GUI

Component: Access Policy Manager

Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:

profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access

Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.

Impact:
You are unable to create the profile using the GUI.

Workaround:
You can create the Access Profile using TMSH.

tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1

Fix:
Access Profile of type SSO can now be created and edited from the GUI.


873469-2 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


872965-1 : HTTP/3 does not support draft-25

Component: Local Traffic Manager

Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.

Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.

Impact:
Attempts to use HTTP/3 with some clients may fail.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-24 and draft-25.


871761-1 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.


871653-1 : Access Policy cannot be created with 'modern' customization

Component: Access Policy Manager

Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.

Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.

Impact:
Administrator cannot use modern customization.

Workaround:
1. In bigip.conf find the following line:

     apm policy customization-source /Common/standard { }

2. Add the following line:

     apm policy customization-source /Common/modern { }

3. Save the changes.

4. Load the config:

     tmsh load sys config

Fix:
Now modern customization can be used for any Access Policy.


871633-1 : TMM may crash while processing HTTP/3 traffic

Solution Article: K61367237


870957-4 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.


870389-3 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.


868097-3 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243


866925-5 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.


866685-1 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.


866161-1 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.


865225-1 : Finisar QSFP28 OPT-0039 modules may not work properly in i15000 and i15800 platforms

Component: TMOS

Symptoms:
The tuning values programmed in the switch are not correct for Finisar OPT-0039 QSFP28 modules.

Conditions:
-- Using Finisar OPT-0039 QSFP28 modules.
-- Running on i15000 and i15800 platforms.

Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.

Impact:
You might see traffic drop.

Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.

Workaround:
None.


865053-3 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.


864109-1 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.


863069-1 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php


862597-7 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.


862557-1 : Client-ssl profiles derived from clientssl-quic fail validation

Component: Local Traffic Manager

Symptoms:
After configuring a clientssl-quic profile, you get a validation error:

01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Workaround:
Modify the clientssl-quic profile to have the following properties:
    cipher-group quic
    ciphers none
This requires the following additional config objects:
ltm cipher group quic {
    allow {
        quic { }
    }
}
ltm cipher rule quic {
    cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
    description "Ciphers usable by QUIC"
}

Fix:
Update the built-in configuration to pass validation.


860881-3 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.


859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core


859113-1 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using "reject" iRules command inside "after" no longer cause core.


858229-5 : XML with sensitive data gets to the ICAP server

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858025-1 : Proactive Bot Defense does not validate redirected paths

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.


854493-5 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.


853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.


853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.


853325-1 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.

Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.


852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Since BIG-IP does not recognize proprietary multicast MACs like PVST+ (01:00:0c:cc:cc:cd) & STP (01:80:c2:00:00:00) when STP is disabled it won't be able to drop those frames. Instead it would treat those as L2 multicast frames and forward between 2 interfaces.

Conditions:
STP disabled
All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC will be forwarded instead of discarded even though when STP is disabled

Workaround:
Not available

Fix:
Traffic with Destination MAC as PVST+(01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00)is sent to BIG-IP, egress traffic is monitored to check such that MAC is dropped when either or both db variables bcm56xxd.rules.badpdu_drop, bcm56xxd.rules.lldp_drop is enabled and vice-versa


852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario

Component: Local Traffic Manager

Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.

Impact:
TMM cores intermittently.

Workaround:
No workaround.

Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.


852437-3 : Overly aggressive file cleanup causes failed ASU installation

Solution Article: K25037027

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.


If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

Fix:
The directory cleanup does not clean up files that are being actively used for an installation.


852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.


852001-1 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.


851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams

Component: Local Traffic Manager

Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.

Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.

Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.

Workaround:
Configure correct value of max uni-streams in QUIC profile.

Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.


850973-1 : Improve QUIC goodput for lossy links

Component: Local Traffic Manager

Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.

Conditions:
The tested links are lossy (e.g, 0.1% loss probability).

Impact:
QUIC completes the data transfer in longer time.

Workaround:
N/A

Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.


850933-1 : Improve QUIC rate pacing functionality

Component: Local Traffic Manager

Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.

Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.

Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.

Workaround:
N/A

Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.


850673-1 : BD sends bad acks to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
The bd_agents stops sending configuration in the middle of startup or a configuration change.
The policy maybe incomplete in the bd causing a wrong enforcement.

Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.

Impact:
Bd_agent hangs or restarts which may cause a complete asm restart (and failover).
A partial policy may exist in bd causing improper enforcement.

Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.

Fix:
Fixed inconsistency scenario between bd and bd_agent.


850277-1 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


847325-3 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.

Component: Local Traffic Manager

Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.

The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

The persistence types that are affected are
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)

Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions


846917-1 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354


846713-1 : Gtm_add does not restart named

Component: Global Traffic Manager (DNS)

Symptoms:
Running gtm_add failed to restart the named daemon.

Conditions:
Run gtm_add to completion.

Impact:
Named is not restarted. No BIND functionality.

Workaround:
Restart named:
bigstart start named

Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.


846365-1 : TMM may crash while processing IP traffic

Solution Article: K35750231


846157-1 : TMM may crash while processing traffic on AWS

Solution Article: K01054113


846073-1 : Installation of browser challenges fails through Live Update

Component: Application Security Manager

Symptoms:
Live Update of Browser Challenges fails installation.

Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.

Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.

Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.

Impact:
Browser Challenges update file cannot be installed.

Workaround:
None.

Fix:
Browser Challenges update file can now be installed via Live Update.


844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/

Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.


844685-1 : Per-request policy is not exported if it contains HTTP Connector Agent

Component: Access Policy Manager

Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.

Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
   attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.

Impact:
Per-request policy cannot be exported and reports an error.

Workaround:
None.

Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.


844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.


844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.

Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.


842625-5 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.


842161-1 : Installation of Browser Challenges fails in 15.1.0

Component: Application Security Manager

Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.

BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:

gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
      "asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key

Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.

Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.

Workaround:
None

Fix:
Browser Challenges update file can now be installed via Live Update.


841953-7 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.


841333-7 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


840821-1 : SCTP Multihoming not working within MRF Transport-config connections

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.


839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.


839245-3 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

Fix:
TTL is now decremented by 1 on forwarded packets.


838881-1 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618


838709-4 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.


836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.


835381-3 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.


835309-1 : Some strings on BIG-IP APM Server pages are not localized

Component: Access Policy Manager

Symptoms:
Some text in APM Server pages, such as the logout page, are presented in English even when using a different language.

Conditions:
Use APM with a localized language, and certain strings for pages like logout, Webtop, or EPS, would still be in English.

Impact:
Some strings are displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Server pages have been updated to include translations for all the affected strings.


834853 : Azure walinuxagent has been updated to v2.2.42

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42


832881-1 : F5 Endpoint Inspection helper app is not updated

Component: Access Policy Manager

Symptoms:
F5 Endpoint Inspection helper app is not updated, but other components such as F5 VPN helper App is auto updated.

Conditions:
Use a browser to establish VPN

Impact:
End users cannot to receive bug fixe or feature enhancement updates.

Workaround:
Download and install F5 Endpoint Inspection helper from BIG-IP.

https://APM_SERVER/public/download/f5epi_setup.exe

Fix:
F5 Endpoint Inspection helper app is auto updated.


832569-3 : APM end-user connection reset

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.


832021-3 : Port lockdown settings may not be enforced as configured

Solution Article: K73274382


832017-3 : Port lockdown settings may not be enforced as configured

Solution Article: K10251014


831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.


831293-5 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830717 : Appdata logical volume cannot be resized for some cloud images

Component: TMOS

Symptoms:
When resizing the appdata logical volume, the change may not be honored. This is because sometimes the disk metadata does not support the change without unmounting and remounting the disk.

Conditions:
This issue applies to deployments that provision multiple modules requiring a large appdata logical volume.

Impact:
The appdata logical volume cannot be resized, so you must reduce the number of modules and the associated provisioning level so that the existing appdata logical volume size does support them.

Workaround:
None.

Fix:
Logic was added to disk resizing to account for scenarios where the disk must be unmounted and then remounted to make the change. If the disk must be unmounted and remounted, this also requires a reboot (automatic).


830401-1 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228


830073-2 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.


829317-5 : Memory leak observed when running ICRD child

Component: TMOS

Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak slowly in tmsh and APM.

Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently

Impact:
Memory slowly leaks in tmsh and APM.

Fix:
Fixed a memory leak in tmsh and apm related to icrd.


829121-1 : State mirroring default does not require TLS

Solution Article: K65720640


829117-1 : State mirroring default does not require TLS

Solution Article: K17663061


828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label

Fix:
The I/O device has been changed to the default input device '/dev/null' to resolve the issue.


828601-1 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.


825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.


824365-5 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.


823893-7 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649


822025 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.


819197-2 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394


819189-1 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441


818853-1 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


817709-3 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue no longer occurs.


812981-6 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.


811701-3 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use The following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed


811149-2 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.


809597-5 : Memory leak observed when running ICRD child

Component: Local Traffic Manager

Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak.

Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently

Impact:
The memory leak is very progressive. Eventually ICRD's child process will run out of memory.

Fix:
Fixed a memory leak in icrd.


803825-5 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.


803809-4 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.


802281-3 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state


795649-5 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system


793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793017-3 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.


789921-5 : TMM may restart while processing VLAN traffic

Solution Article: K03386032


787677-5 : AVRD stays at 100% CPU constantly on some systems

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm

Fix:
Added processing that prevents AVRD from entering endless loops.


778261-2 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate

Component: Application Security Manager

Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.

Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).

Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.

Workaround:
Restart Policy Builder on the BIG-IP system:

killall -s SIGHUP pabnagd

Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.


761303-5 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:

1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr


760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


758599-3 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.


755317-3 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure

Component: TMOS

Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:

 agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.

Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.

Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).

Workaround:
Manually extend the /var/log logical volume.

For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.

Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.


744407-1 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.


742628-1 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash


722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.


714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


706782-5 : Inefficient APM processing in large configurations.

Component: Access Policy Manager

Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.

Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.

Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.

Workaround:
None known.


705112-6 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.


681010-4 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Solution Article: K33572148

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.


636400 : CPB (BIG-IP->BIGIQ log node) Hardening

Solution Article: K26462555


605675-6 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.



Known Issues in BIG-IP v15.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
864513-1 1-Blocking   ASM policies didn't load immediately after upgrade to v14.1.0.1
858173-3 1-Blocking   SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1
809553-5 1-Blocking   ONAP Licensing - Cipher negotiation fails
896217-2 2-Critical   BIG-IP GUI unresponsive
891477-3 2-Critical   No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
888765-1 2-Critical   After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files
888341-7 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-3 2-Critical   System may become unresponsive after upgrading
882757-1 2-Critical   sflow_agent crash SIGABRT in the cleanup flow
876957-1 2-Critical   Reboot after tmsh load sys config changes sys FPGA firmware-config value
871561-5 2-Critical   Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
865653 2-Critical   Wrong FDB table entries with same MAC and wrong VLAN combination
865329-1 2-Critical   WCCP crashes on "ServiceGroup size exceeded" exception
860517-1 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
860349-3 2-Critical   Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
858877-3 2-Critical   SSL Orchestrator config sync issues between HA-pair devices
856713-3 2-Critical   IPsec crash during rekey
849405-2 2-Critical   LTM v14.1.2.1 does not log after upgrade
842865-2 2-Critical   Add support for Auto MAC configuration (ixlv)
841581 2-Critical   License activation takes a long time to complete on Google GCE platform
840769-2 2-Critical   Having more than one IKE-Peer version value results in upgrade failure
837637-1 2-Critical   Orphaned bigip_gtm.conf can cause config load failure after upgrading
831821-1 2-Critical   Corrupted DAG packets causes bcm56xxd core on VCMP host
829677-2 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
816233-1 2-Critical   Session and authentication cookies should use larger character set
805417-3 2-Critical   Unable to enable LDAP system auth profile debug logging
796601-2 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
785017-3 2-Critical   Secondary blades go offline after new primary is elected
780437-6 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-5 2-Critical   In a corner case, for PostgreSQL monitor MCP process restarts
776393-3 2-Critical   Memory leak in restjavad causing restjavad to restart frequently with OOM
769817-7 2-Critical   BFD fails to propagate sessions state change during blade restart
769581-5 2-Critical   Timeout when sending many large requests iControl Rest requests
750588-3 2-Critical   While loading large configurations on BIG-IP systems, some daemons may core intermittently.
737322-3 2-Critical   tmm may crash at startup if the configuration load fails
718573-3 2-Critical   Internal SessionDB invalid state
621260-7 2-Critical   mcpd core on iControl REST reference to non-existing pool
593536-9 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
382363-3 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool.
904785-1 3-Major   Remotely authenticated users may experience difficuly logging in over the serial console
904041-2 3-Major   Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition
903265-3 3-Major   Single user mode faced sudden reboot
902401 3-Major   OSPFd SIGSEGV core when ospf clear is done on remote device
901989-2 3-Major   Boot_marker writes to /var/log/btmp
900933-1 3-Major   IPsec interoperability problem with ECP PFS
900485-2 3-Major   Syslog-ng 'program' filter does not work
899933-2 3-Major   Listing property groups in TMSH without specifying properties lists the entire object
898705-5 3-Major   IPv6 static BFD configuration is truncated or missing
898577-2 3-Major   Executing a command in "mgmt tm" using iControl REST results in tmsh error
898461-2 3-Major   Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
898389-1 3-Major   Traffic is not classified when adding port-list to virtual server from GUI
896817-2 3-Major   iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
895845-5 3-Major   Implement automatic conflict resolution for gossip-conflicts in REST
895837-3 3-Major   Mcpd crash when a traffic-matching-criteria destination-port-list is modified
894545-2 3-Major   Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers
893885-3 3-Major   The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
892445-2 3-Major   BWC policy names are limited to 128 characters
891337-1 3-Major   'save_master_key(master): Not ready to save yet' errors in the logs
891221-2 3-Major   Router bgp neighbor password CLI help string is not helpful
890421-2 3-Major   New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers
889029-2 3-Major   Unable to login if LDAP user does not have search permissions
888081-4 3-Major   BIG-IP VE Migration feature fails for 1NIC
887117-2 3-Major   Invalid SessionDB messages are sent to Standby
886689-6 3-Major   Generic Message profile cannot be used in SCTP virtual
886649-2 3-Major   Connections stall when dynamic BWC policy is changed via GUI and TMSH
884989-1 3-Major   IKE_SA's Not mirrored of on Standby device if it reboots
884729-2 3-Major   The vCMP CPU usage stats are incorrect
883149-1 3-Major   The fix for ID 439539 can cause mcpd to core.
882609-1 3-Major   ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
882557-2 3-Major   TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
880625-3 3-Major   Check-host-attr enabled in LDAP system-auth creates unusable config
880473-1 3-Major   Under certain conditions, the virtio driver may core during shutdown
880165-2 3-Major   Auto classification signature update fails
880013-1 3-Major   Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration
880009-1 3-Major   Tcpdump does not export the TLS1.3 early secret
879969-5 3-Major   FQDN node resolution fails if DNS response latency >5 seconds
879405-1 3-Major   Incorrect value in Transparent Nexthop property
879001-1 3-Major   LDAP data is not updated consistently which might affect authentication.
878893-3 3-Major   During system shutdown it is possible the for sflow_agent to core
877145-4 3-Major   Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
876937-3 3-Major   DNS Cache not functioning
876809-3 3-Major   GUI cannot delete a cert with a name that starts with * and ends with .crt
871705-6 3-Major   Restarting bigstart shuts down the system
871657-1 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
871045-1 3-Major   IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
867793-1 3-Major   BIG-IP sending the wrong trap code for BGP peer state
867253-3 3-Major   Systemd not deleting user journals
867181-1 3-Major   ixlv: double tagging is not working
867177-3 3-Major   Outbound TFTP and Active FTP no longer work by default over the management port
867013-2 3-Major   Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
865241-1 3-Major   Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
865177-4 3-Major   Cert-LDAP returning only first entry in the sequence that matches san-other oid
862937-3 3-Major   Running cpcfg after first boot can result in daemons stuck in restart loop
862693-6 3-Major   PAM_RHOST not set when authenticating BIG-IP using iControl REST
862525-1 3-Major   GUI Browser Cache Timeout option is not available via tmsh
860317-3 3-Major   JavaScript Obfuscator can hang indefinitely
860245-1 3-Major   SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
860181-1 3-Major   After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
858769-6 3-Major   Net-snmp library must be upgraded to 5.8 in order to support SHA-2
858197-2 3-Major   Merged crash when memory exhausted
856953-4 3-Major   IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
853617-1 3-Major   Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
853161-4 3-Major   Restjavad has different behavior for error responses if the body is over 2k
852565-5 3-Major   On Device Management::Overview GUI page, device order changes
852265-1 3-Major   Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
851785-3 3-Major   BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-1 3-Major   Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-1 3-Major   'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
850777-3 3-Major   BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
849157-2 3-Major   An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
846141-1 3-Major   Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
846137-4 3-Major   The icrd returns incorrect route names in some cases
844925-3 3-Major   Command 'tmsh save /sys config' fails to save the configuration and hangs
844085-1 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
843661-1 3-Major   TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
843597-1 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842669-3 3-Major   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
842189-4 3-Major   Tunnels removed when going offline are not restored when going back online
842125-6 3-Major   Unable to reconnect outgoing SCTP connections that have previously aborted
841721-2 3-Major   BWC::policy detach appears to run, but BWC control is still enabled
841649-4 3-Major   Hardware accelerated connection mismatch resulting in tmm core
841277-7 3-Major   C4800 LCD fails to load after annunciator hot-swap
839121-3 3-Major   A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade
838901-4 3-Major   TMM receives invalid rx descriptor from HSB hardware
838337-1 3-Major   The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
838297-2 3-Major   Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
837481-7 3-Major   SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
829821-1 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
829193-4 3-Major   REST system unavailable due to disk corruption
828789-1 3-Major   Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
827209-4 3-Major   HSB transmit lockup on i4600
827021-7 3-Major   MCP update message may be lost when primary blade changes in chassis
826313-6 3-Major   Error: Media type is incompatible with other trunk members
826265-5 3-Major   The SNMPv3 engineBoots value restarts at 1 after an upgrade
821309-1 3-Major   After an initial boot, mcpd has a defunct child "systemctl" process
820845-3 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
820213-4 3-Major   'Application Service List' empty after UCS restore
819457-1 3-Major   LTM high availability (HA) sync should not sync GTM zone configuration
819261-4 3-Major   Log HSB registers when parts of the device becomes unresponsive
818505-1 3-Major   Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
817089-3 3-Major   Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
816229-3 3-Major   Kernel Log Messages Logged Twice
814585-1 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
814353-6 3-Major   Pool member silently changed to user-disabled from monitor-disabled
814273-1 3-Major   Multicast route entries are not populating to tmm after failover
812493-4 3-Major   When engineID is reconfigured, snmp and alert daemons must be restarted
811053-6 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
811041-7 3-Major   Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810381-2 3-Major   The SNMP max message size check is being incorrectly applied.
807945-3 3-Major   Loading UCS file for the first time not updating MCP DB
807337-5 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
807005-5 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
806073-1 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
803833-7 3-Major   On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host
803237-2 3-Major   PVA does not validate interface MTU when setting MSS
803157-3 3-Major   LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
802685-2 3-Major   Unable to configure performance HTTP virtual server via GUI
799001-1 3-Major   Sflow agent does not handle disconnect from SNMPD manager correctly
798885-4 3-Major   SNMP response times may be long due to processing burden of requests
797829-6 3-Major   The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps.
796985-3 3-Major   Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'
789181-5 3-Major   Link Status traps are not issued on VE based BIG-IP systems
788577-7 3-Major   BFD sessions may be reset after CMP state change
785741-3 3-Major K19131357 Unable to login using LDAP with 'user-template' configuration
783113-7 3-Major   BGP sessions remain down upon new primary slot election
780745-3 3-Major   TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778513-1 3-Major   APM intermittently drops log messages for per-request policies
775797-3 3-Major   Previously deleted user account might get authenticated
767737-4 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767341-1 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
760622-5 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760354-4 3-Major   Continual mcpd process restarts after removing big logs when /var/log is full
759737-3 3-Major   Control and Analysis Plane CPU usage statistics may be inaccurate
758781 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
757787-3 3-Major   Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.
756139-3 3-Major   Inconsistent logging of hostname files when hostname contains periods
755976-4 3-Major   ZebOS might miss kernel routes after mcpd deamon restart
755197-5 3-Major   UCS creation might fail during frequent config save transactions
754460-3 3-Major   No failover on HA Dual Chassis setup using HA score
752228-2 3-Major   GUI Network Map to account for objects in a Disabled By Parent state
746861-3 3-Major   SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated
746758-1 3-Major   Qkview produces core file if interrupted while exiting
743234-6 3-Major   Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
737098-1 3-Major   ASM Sync does not work when the configsync IP address is an IPv6 address
730852-1 3-Major   The tmrouted repeatedly crashes and produces core when new peer device is added
719555-3 3-Major   Interface listed as 'disable' after SFP insertion and enable
718230-8 3-Major   Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
716140-3 3-Major   Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors
714216-4 3-Major   Folder in a partition may result in load sys config error
708803-3 3-Major   Remote admin user with misconfigured partition fallback to "All"
692218-1 3-Major   Audit log messages sent from the primary blade to the secondaries should not be logged.
688231-3 3-Major   Unable to set VET, AZOT, and AZOST timezones
675911-9 3-Major K13272442 Different sections of the WebUI can report incorrect CPU utilization
662301-2 3-Major   'Unlicensed objects' error message appears despite there being no unlicensed config
658850-3 3-Major   Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
654635-1 3-Major K34003145 FTP virtual server connections may rapidly reuse ephemeral ports
615329-1 3-Major   Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces
587821-10 3-Major   vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
554506-1 3-Major K47835034 PMTU discovery from management does not work
499348-11 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
469724-3 3-Major   When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
398683-4 3-Major K12304 Use of a # in a TACACS secret causes remote auth to fail
385013-2 3-Major   Certain user roles do not trigger a sync for a 'modify auth password' command
902417-2 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
901669-4 4-Minor   Error status in "show cm failover-status" after MGMT-IP change
899097-2 4-Minor   Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking
896693-4 4-Minor   Patch installation is failing for iControl REST endpoint.
896689-4 4-Minor   Asynchronous tasks can be managed via unintended endpoints
893813-3 4-Minor   Modifying pool enables address and port translation in TMUI
893093-2 4-Minor   An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
892677-1 4-Minor   Loading config file with imish adds the newline character
890277-3 4-Minor   Mcpd takes too long on full config sync to a device group when there are large amount of partitions.
887505-1 4-Minor   Coreexpiration script improvement
884953-3 4-Minor   IKEv1 IPsec daemon racoon goes into an endless restart loop
882713-3 4-Minor   BGP SNMP trap has the wrong sysUpTime value
879189-1 4-Minor   Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
869237-5 4-Minor   Management interface might become unreachable when alternating between DHCP/static address assignment.
865313-3 4-Minor   Validation of monitor field fails in transaction
864757-3 4-Minor   Traps that were disabled are enabled after configuration save
860573-3 4-Minor   LTM iRule validation performance improvement by tracking procedure/event that have been validated
857045-1 4-Minor   LDAP system authentication may stop working
853101-2 4-Minor   ERROR: syntax error at or near 'FROM' at character 17
851393-1 4-Minor   Tmipsecd leaves a zombie rm process running after starting up
848681-7 4-Minor   Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-7 4-Minor   Config script does not refresh management address entry properly when alternating between dynamic and static
838925-7 4-Minor   Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-1 4-Minor   The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
828625-3 4-Minor   User shouldn't be able to configure two identical traffic selectors
826189-3 4-Minor   The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-3 4-Minor   GUI displays error when a virtual server is modified if it is using an address-list
822253-1 4-Minor   After starting up, mcpd may have defunct child "run" and "xargs" processes
818737-3 4-Minor   Improve error message if user did not select a address-list or port list in the GUI
818297-3 4-Minor   OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
817989-1 4-Minor   Cannot change managemnet IP from GUI
816353-3 4-Minor   Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
807309-3 4-Minor   Incorrect Active/Standby status in CLI Prompt after failover test
804309-1 4-Minor   [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
774617-3 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits
759606-3 4-Minor   REST error message is logged every five minutes on vCMP Guest
757167-3 4-Minor   TMM logs 'MSIX is not supported' error on vCMP guests
753536-3 4-Minor   REST no longer requires a token to login for TACACS use
751103-2 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
745465-4 4-Minor   The tcpdump file does not provide the correct extension
742753-5 4-Minor   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-3 4-Minor   Displaying network map with virtual servers is slow
713614-7 4-Minor   Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
713183-6 4-Minor   Malformed JSON files may be present on vCMP host
712241-3 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
706685-1 4-Minor   Unable to log into BIG-IP GUI after partition is deleted
689147-3 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
673573-1 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
671025-4 4-Minor   File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
658943-3 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-1 4-Minor K71255118 VCMP Guest CM device name not set to hostname when deployed
617636-3 4-Minor K15009669 LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System)
583084-6 4-Minor K15101680 iControl produces 404 error while creating records successfully
849085-1 5-Cosmetic   Lines with only asterisks filling message and user.log file
832661 5-Cosmetic   Default provisioning for all instances is LTM nominal
818777-2 5-Cosmetic   MCPD error - Trouble allocating MAC address for VLAN object
714176-1 5-Cosmetic   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
353607-1 5-Cosmetic   cli global-settings { service number } appears to have no effect


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
901033-2 2-Critical   TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
879409-3 2-Critical   TMM core with mirroring traffic due to unexpected interface name length
876801-5 2-Critical   Tmm crash: invalid route type
866481-2 2-Critical   TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode
864897-2 2-Critical   TMM may crash when using "SSL::extensions insert"
858429-3 2-Critical   BIG-IP system sending ICMP packets on both virtual wire interface
851857-1 2-Critical   HTTP 100 Continue handling does not work when it arrives in multiple packets
851581-3 2-Critical   Server-side detach may crash TMM
851385-1 2-Critical   Failover takes too long when traffic blade failure occurs
851345-1 2-Critical   The TMM may crash in certain rare scenarios involving HTTP/2
842937-6 2-Critical   TMM crash due to failed assertion 'valid node'
841469-6 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
837617-1 2-Critical   Tmm may crash while processing a compression context
835505-1 2-Critical   Tmsh crash possibly related to NGFIPS SDK
824437-7 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
758491-3 2-Critical   When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys
726518-1 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
705768-2 2-Critical   dynconfd may core and restart with multiple DNS name servers configured
625807-3 2-Critical   tmm cored in bigproto_cookie_buffer_to_server
903273-2 3-Major   TMM core in bigproto_output due to NULL peer
902377-2 3-Major   HTML profile forces re-chunk even though HTML::disable
901929-2 3-Major   GARPs not sent on virtual server creation
898733-3 3-Major   SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-4 3-Major   Order of ciphers changes after updating cipher group
897185-2 3-Major   Resolver cache not using random port distribution
896245-3 3-Major   Inconsistency is observed in ARP behavior across releases
895205-2 3-Major   A circular reference in rewrite profiles causes MCP to crash
895165-2 3-Major   Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
893281-3 3-Major   Possible ssl stall on closed client handshake
892801-2 3-Major   When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-2 3-Major   A wrong OCSP status cache may be looked up and re-used during SSL handshake.
892385 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
892073-3 3-Major   TLS1.3 LTM policy rule based on SSL SNI is not triggered
891373-2 3-Major   BIG-IP does not shut a connection for a HEAD request
890229-1 3-Major   Source port preserve setting is not honoured
889209-2 3-Major   Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
889165-3 3-Major   "http_process_state_cx_wait" errors in log and connection reset
888885-1 3-Major   BIG-IP Virtual Edition TMM restarts frequently without core
888113-3 3-Major   HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy
887045-1 3-Major   The session key does not get mirrored to standby.
885325-2 3-Major   Stats might be incorrect for iRules that get executed a large number of times
883529-1 3-Major   HTTP/2 Method OPTIONS allows "*" (asterisk) as an only value for :path
883049-2 3-Major   Statsd can deadlock with rrdshim if an rrd file is invalid
882725-5 3-Major   Mirroring not working properly when default route vlan names not match.
881065-1 3-Major   Adding port-list to Virtual Server changes the route domain to 0
881041-3 3-Major   BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
879413-1 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
878925-2 3-Major   SSL connection mirroring failover at end of TLS handshake
878253-1 3-Major   LB::down no longer sends an immediate monitor probe
876145-3 3-Major   Nitrox5 failure on vCMP guest results in all crypto requests failing.
874877-1 3-Major   Bigd http monitor shows misleading 'down' reason when recv does not match
874317-1 3-Major   Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
873677-7 3-Major   LTM policy matching does not work as expected
872981-1 3-Major   MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
872721-3 3-Major   SSL connection mirroring intermittent failure with TLS1.3
872685-1 3-Major   Some HTTP/3 streams terminate early
870309-4 3-Major   Ephemeral pool member not created when FQDN resolves to new IP address
868209-3 3-Major   Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
868033-1 3-Major   SSL option "passive-close" option is unused and should be removed
864649-4 3-Major   The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
863401-1 3-Major   QUIC congestion window sometimes increases inappropriately
863165-3 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862069-1 3-Major   Using non-standard HTTPS and SSH ports will fail under certain conditions
862001-1 3-Major   Improperly configured NTP server can result in an undisciplined clock stanza
860277-4 3-Major   Default value of TCP Profile Proxy Buffer High Low changed in 14.1
860005-1 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
858701-1 3-Major   Running config and saved config are having different route-advertisement values after upgrading from v12.1.x
857845-1 3-Major   ASSERTs in hudproxy_tcp_repick() converted into an OOPS
852953-1 3-Major   Accept Client Hello spread over multiple QUIC packets
852325-1 3-Major   HTTP2 does not support Global SNAT
851789-2 3-Major   SSL monitors flap with client certs with private key stored in FIPS
851477-1 3-Major   Memory allocation failures during proxy initialization are ignored leading to TMM cores
851353-1 3-Major   Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
851101-4 3-Major   Unable to establish active FTP connection with custom FTP filter
851045-1 3-Major   LTM database monitor may hang when monitored DB server goes down
850873-3 3-Major   LTM global SNAT sets TTL to 255 on egress.
850349-1 3-Major   Incorrect MAC when virtual wire is configured with FastL4
850145-1 3-Major   Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
848777-3 3-Major   Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
846977-1 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
846873-4 3-Major   Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
846441-2 3-Major   Flow-control is reset to default for secondary blade's interface
845333-6 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
843317-3 3-Major   The iRules LX workspace imported with incorrect SELinux contexts
842517-2 3-Major   CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
842425-1 3-Major   Mirrored connections on standby are never removed in certain configurations
842137-3 3-Major   Keys cannot be created on module protected partitions when strict FIPS mode is set
841369-3 3-Major   HTTP monitor GUI displays incorrect green status information
841341-6 3-Major   IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-1 3-Major   Update documented examples for REST::send to use valid REST endpoints
838353-1 3-Major   MQTT monitor is not working in route domain.
836661-2 3-Major   Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
832133-1 3-Major   In-TMM monitors fail to match certain binary data in the response from the server.
830797-3 3-Major   Standby high availability (HA) device passes traffic through virtual wire
825245-4 3-Major   SSL::enable does not work for server side ssl
824433-3 3-Major   Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823825-7 3-Major   Renaming HA VLAN can disrupt state-mirror connection
820333-1 3-Major   LACP working member state may be inconsistent when blade is forced offline
818833-1 3-Major   TCP re-transmission during SYN Cookie activation results in high latency
818789-7 3-Major   Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
816953-1 3-Major   RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
813701-6 3-Major   Proxy ARP failure
810821-3 3-Major   Management interface flaps after rebooting the device
810533-2 3-Major   SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
807821-5 3-Major   ICMP echo requests occasionally go unanswered
803629-7 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-1 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
803109-3 3-Major   Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
801549-1 3-Major   Tmm memory utilization growth.
801497-3 3-Major   Virtual wire with LACP pinning to one link in trunk.
794417-4 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
794385-3 3-Major   BGP sessions may be reset after CMP state change
790845-4 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
788753-2 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
787973-1 3-Major   Potential memory leak when software crypto request is canceled.
786517-5 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
785877-5 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
785361-3 3-Major   In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
767217-5 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-5 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
764969-2 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
762137-3 3-Major   Ping6 with correctly populated NDP entry fails
760406-1 3-Major   HA connection might stall on Active device when the SSL session cache becomes out-of-sync
758041-1 3-Major   Pool Members may not be updated accurately when multiple identical DB monitors configured
757029-6 3-Major   Ephemeral pool members may not be created after config load or reboot
756313-6 3-Major   SSL monitor continues to mark pool member down after restoring services
724824-1 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
720440-6 3-Major   Radius monitor marks pool members down after 6 seconds
714642-2 3-Major   Ephemeral pool-member state on the standby is down
709952-4 3-Major   Disallow DHCP relay traffic to traverse between route domains
700639-2 3-Major   The default value for the syncookie threshold is not set to the correct value
646440-5 3-Major   TMSH allows mirror for persistence even when no mirroring configuration exists
512490-11 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
898753-5 4-Minor   Multicast control-plane traffic requires handling with AFM policies
895153 4-Minor   HTTP::has_responded returns incorrect values when using HTTP/2
883105-1 4-Minor   HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect
880697-1 4-Minor   URI::query command returning fragment part, instead of query part
858309-4 4-Minor   Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
851757-1 4-Minor   Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION
851425-1 4-Minor   Update QLOG to draft-01
845545 4-Minor   Potential name collision for client-ssl profile named 'clientssl-quic'
844337-4 4-Minor   Tcl error log improvement for node command
838405-3 4-Minor   Listener traffic-group may not be updated properly when spanning is in use.
838305-7 4-Minor   BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-7 4-Minor   Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-1 4-Minor   The iRule regexp command issues an incorrect warning
822245-2 4-Minor   Large number of in-TMM monitors results in some monitors being marked down
818721-3 4-Minor   Virtual address can be deleted while it is in use by an address-list.
814037-6 4-Minor   No virtual server name in Hardware Syncookie activation logs.
751586-3 4-Minor   http2 virtual does not honour translate-address disabled
738032-3 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
714502-3 4-Minor   bigd restarts after loading a UCS for the first time
873249-1 5-Cosmetic   Switching from fast_merge to slow_merge can result in incorrect tmm stats


Performance Issues

ID Number Severity Solution Article(s) Description
850193-4 3-Major   Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
850509-1 2-Critical   'Decryption of the field (privatekey) for object (13079) failed' message
744743-2 2-Critical   Rolling DNSSEC Keys may stop generating after BIG-IP restart
903521-2 3-Major   TMM fails to sign responses from BIND when BIND has "dnssec-enable no"
899253-6 3-Major   [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
898093-2 3-Major   Removing one member from a WideIP removes it from all WideIPs.
894081-2 3-Major   The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
887921-1 3-Major   iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes
880125-5 3-Major   WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
879301-1 3-Major   When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
876677-1 3-Major   When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup
874221-1 3-Major   DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
872037-2 3-Major   DNS::header rd does not set the Recursion desired
869361-1 3-Major   Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
858973-1 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
852101-1 3-Major   Monitor fails.
844689-1 3-Major   Possible temporary CPU usage increase with unusually large named.conf file
835209-3 3-Major   External monitors mark objects down
813221-5 3-Major   Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
781985-2 3-Major   DNSSEC zone SEPS records may be wiped out from running configuration
760835-2 3-Major   Static generation of rolling DNSSEC keys may be missing when the key generator is changed
760833-2 3-Major   BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
746348-4 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
726164-2 3-Major   Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
889801-1 4-Minor   Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
886145-2 4-Minor   The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
885869-2 4-Minor   Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
839361-6 4-Minor   iRule 'drop' command does not drop packets when used in DNS_RESPONSE
774257-4 5-Cosmetic   tmsh show gtm pool and tmsh show gtm wideip print duplicate object types


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
898365-1 2-Critical   XML Policy cannot be imported
887621-2 2-Critical   ASM virtual server names configuration CRC collision is possible
868641-3 2-Critical   Possible TMM crash when disabling bot profile for the entire connection
865981-1 2-Critical   ASM GUI and REST become unresponsive upon license change
865461-1 2-Critical   BD crash on specific scenario
865289-1 2-Critical   TMM crash following DNS resolve with Bot Defense profile
857677-3 2-Critical   Security policy changes are applied automatically after asm process restart
843801-2 2-Critical   Like-named previous Signature Update installations block Live Update usage after upgrade
825413-4 2-Critical   /var/lib/mysql disk is full
903357-2 3-Major   Bot defense Profile list is loading too slow when there are 750+ Virtual servers
901061-2 3-Major   Safari browser might be blocked when using Bot Defense profile and related domains.
900797-2 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900789-2 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
898825-2 3-Major   Attack signatures are enforced on excluded headers under some conditions
898741-2 3-Major   Missing critical files causes FIPS-140 system to halt upon boot
893061-2 3-Major   Out of memory for restjavad
892653-1 3-Major   Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
891181-2 3-Major   Wrong date/time treatment in logs in Turkey/Istambul timezone
890169-2 3-Major   URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
888289-1 3-Major   Add option to skip percent characters during normalization
888261-1 3-Major   Policy created with declarative WAF does not use updated template.
887265-2 3-Major   BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration
887261-1 3-Major   JSON schema validation files created from swagger should support "draft-04" only
882769-1 3-Major   Request Log: wrong filter applied when searching by Response contains or Response does not contain
882377-3 3-Major   ASM Application Security Editor Role User can update/install ASU
880789-3 3-Major   ASMConfig Handler undergoes frequent restarts
874753-3 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events
871881-2 3-Major   Apply Policy action is not synchronized after making bulk signature changes
868721-1 3-Major   Transactions are held for a long time on specific server related conditions
867825-4 3-Major   Export/Import on a parent policy leaves children in an inconsistent state
864677-1 3-Major   ASM causing high mcpd CPU usage
863609-4 3-Major   Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
862793-1 3-Major   ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
862413-1 3-Major   Broken layout in Threat Campaigns and Brute Force Attacks pages
854177-5 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
853989-1 3-Major   DOSL7 Logs breaks CEF connector by populating strings into numeric fields
853565-2 3-Major   VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade
853269-1 3-Major   Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user
853177-1 3-Major   'Enforcement Mode' in security policy list is shown without value
852429-1 3-Major   "ASM subsystem error" logged when creating policies
850677-4 3-Major   Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
850633-1 3-Major   Policy with % in name cannot be exported
849349-5 3-Major   Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
849269-1 3-Major   High CPU usage after Inheritance page opened
848921-1 3-Major   Config sync failure when importing a Json policy
848757-1 3-Major   Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload
846181-3 3-Major   Request samples for some of the learning suggestions are not visible
846057-3 3-Major   UCS backup archive may include unnecessary files
845933-1 3-Major   Unused parameters remain after modifying the swagger file of a policy
844373-1 3-Major   Learning suggestion details layout broken in some browsers
841285-1 3-Major   Sometimes apply policy is stuck in Applying state
839509-1 3-Major   Incorrect inheritance treatment in Response and Blocking Pages page
839141-1 3-Major   Issue with 'Multiple of' validation of numeric values
837341-1 3-Major   Response and Blocking Pages page: Deception Response pages should not be shown in parent policy
833685-5 3-Major   Idle async handlers can remain loaded for a long time doing nothing
829029-1 3-Major   Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
802873-2 3-Major   Manual changes to policy imported as XML may introduce corruption for Login Pages
799749-2 3-Major   Asm logrotate fails to rotate
783165-1 3-Major   Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
753715-2 3-Major   False positive JSON max array length violation
742549-3 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
739618-3 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
640842-5 3-Major   ASM end user using mobile might be blocked when CSRF is enabled
580715-2 3-Major   ASM is not sending 64k remote logs over UDP
887625-3 4-Minor   Note should be bold back, not red
886865-1 4-Minor   P3P header is added for all browsers, but required only for Internet Explorer
882729-3 4-Minor   Applied Blocking Masks discrepancy between local/remote event log
879777-3 4-Minor   Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge
875373-3 4-Minor   Unable to add domain with leading '.' through webUI, but works with tmsh.
864989-2 4-Minor   Remote logger violation_details field content appears as "N/A" when violations field is not selected.
858445-1 4-Minor   Missing confirmation dialog for apply policy in new policy pages
842265-1 4-Minor   Create policy: trusted IP addresses from template are not shown
841985-5 4-Minor   TSUI GUI stuck for the same session during long actions
807569-2 4-Minor   Requests fail to load when backend server is overriding request cookies and Bot Defense is used
765365-2 4-Minor   ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive
759671-2 4-Minor   Unescaped slash in RE2 in user-defined signature should not be allowed


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
828937-1 2-Critical K45725467 Some systems can experience periodic high IO wait due to AVR data aggregation


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
891505-3 2-Critical   TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
880073-1 2-Critical   Memory leak on every DNS query made for "HTTP Connector" agent
879401-1 2-Critical   Memory corruption during APM SAML SSO
817137-1 2-Critical   SSO setting for Portal Access resources in webtop sections cannot be updated.
579219-5 2-Critical   Access keys missing from SessionDB after multi-blade reboot.
903501-2 3-Major   VPN Tunnel establishment fails with some ipv6 address
891613-1 3-Major   RDP resource with user-defined address cannot be launched from webtop with modern customization
884797-4 3-Major   Portal Access: in some cases data is not delivered via WebSocket connection
883577-4 3-Major   ACCESS::session irule command does not work in HTTP_RESPONSE event
881641 3-Major   Errors on VPN client status window in non-English environment
857589-1 3-Major   On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
835285-1 3-Major   Client browser traffic through APM SWG transparent proxy using captive portal might get reset.
771961-3 3-Major   While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
886841-1 4-Minor   Allow LDAP Query and HTTP Connector for API Protection policies
872105 4-Minor   APM Hosted Content feature incorrectly guesses content type for CSS files
819233-3 4-Minor   Ldbutil utility ignores '--instance' option if '--list' option is specified
438684-1 4-Minor   Access Profile Type of SSO requires SSO configuration at create time


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
900825 3-Major   WAM image optimization can leak entity reference when demoting to unoptimized image
890573 3-Major   BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
890401 3-Major   Restore correct handling of small object when conditions to change cache type is satisfied
833213-1 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile
489960 4-Minor   Memory type stats is incorrect


Service Provider Issues

ID Number Severity Solution Article(s) Description
839389-1 2-Critical   TMM can crash when connecting to IVS under extreme overload
898997-2 3-Major   GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
895801-2 3-Major   Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
891385-2 3-Major   Add support for URI protocol type "urn" in MRF SIP load balancing
876077-1 3-Major   MRF DIAMETER: stale pending retransmission entries may not be cleaned up
868381-1 3-Major   MRF DIAMETER: Retransmission queue unable to delete stale entries
866021-1 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
824149-5 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877-2 3-Major   Information Elements with zero-length value are rejected by the GTP parser
696348-5 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
862337-2 4-Minor   Message Routing Diameter profile fails to forward messages with zero length AVPs
844169-1 4-Minor   TMSH context-sensitive help for diameter session profile is missing some descriptions
788513-6 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
793005-1 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
870381-1 2-Critical   Network Firewall Active Rule page does lot load
802421-6 2-Critical   The /var partition may become 100% full requiring manual intervention to clear space
876805-3 3-Major   Modifying address-list resets the route advertisement on virtual servers.
874797-1 3-Major   Unable to configure FQDN in device DNS NXDOMAIN QUERY Vector
872645-2 3-Major   Protected Object Aggregate stats are causing elevated CPU usage
872049-1 3-Major   Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command
871985-1 3-Major   No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection
870385-5 3-Major   TMM may restart under large amount traffic load
867321-3 3-Major   Error: Invalid self IP, the IP address already exists.
844597-4 3-Major   AVR analytics is reporting null domain name for a dns query
840809-2 3-Major   If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
837233-3 3-Major   "Application Security Administrator" user role cannot manage Dos Profile GUI
813969-5 3-Major   Network DoS reporting events as 'not dropped' while in fact, events are dropped
791361-3 3-Major   Configured management port rules can be lost after loading UCS file and rebooting
896917 4-Minor   The fw_zone_stat 'Hits' field may not increment in some scenarios


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
845313-3 2-Critical   Tmm crash under heavy load
886653-2 3-Major   Flow lookup on subsequent packets fail during CMP state change.
875401-2 3-Major   PEM subcriber lookup can fail for internet side new connections
842989-6 3-Major   PEM: tmm could core when running iRules on overloaded systems


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
888625 3-Major   CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
812705-3 3-Major   'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
767045-4 4-Minor   TMM cores while applying policy


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
874677-1 2-Critical   TC auto signature update failing from GUI on 14.1.2


Device Management Issues

ID Number Severity Solution Article(s) Description
718796-5 2-Critical   IControl REST token issue after upgrade
710809-5 2-Critical   Restjavad hangs and causes GUI page timeouts
880565-1 3-Major   Audit Log: "cmd_data=list cm device recursive" is been generated continuously
839597-6 3-Major   Restjavad fails to start if provision.extramb has large value
835517-1 3-Major   After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"
760752-3 3-Major   Internal sync-change conflict after update to local users table
717174-3 3-Major   WebUI shows error: Error getting auth token from login provider
560682-3 4-Minor   The REST Framework no longer works when downgrading from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x


iApp Technology Issues

ID Number Severity Solution Article(s) Description
842193-1 3-Major   Scriptd coring while running f5.automated_backup script
778817-3 3-Major   Invalid client request can cause un-captured exception on ASM container.


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
825501-3 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

 

Known Issue details for BIG-IP v15.1.x

904785-1 : Remotely authenticated users may experience difficuly logging in over the serial console

Component: TMOS

Symptoms:
- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
- Login over SSH is successful for the same user

Conditions:
- remote authentication (e.g. LDAP) and role mapping configured on theBIG-IP
- attemped login over serial console for a remotely authenticated user who has been assigned a role

Impact:
- remotely authenticated user unable to log in over the serial console

Workaround:
- user can log in over SSH instead
- if acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, e.g. with 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.


904041-2 : Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition

Component: TMOS

Symptoms:
-- A pool in a partition other than Common has issues when reloading the configuration of that partition when the ephemeral nodes are assigned to the Common partition instead of the partition that the ephemeral member belongs to.
-- Ephemeral pool members are missing from pool.

Conditions:
When reloading the configuration of non-"Common" partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Impact:
Missing pool members.

Workaround:
Reload the entire configuration instead of just the single partition.


903521-2 : TMM fails to sign responses from BIND when BIND has "dnssec-enable no"

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has "dnssec-enable no" in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove "dnssec-enable no" from named.conf in options section.


903501-2 : VPN Tunnel establishment fails with some ipv6 address

Component: Access Policy Manager

Symptoms:
VPN Tunnel establishment fails with some ipv6 address

Conditions:
- APM is provisioned.
- Network Access with IPV6 VIP is configured.

Impact:
VPN Tunnel cannot be established.

Workaround:
1) Disable the DB variable - isession.ctrl.apm
2) Do "Apply Access Policy" for the access policy attached to the virtual server.

Note, use this work-around, if No optimized apps are configured.


903357-2 : Bot defense Profile list is loading too slow when there are 750+ Virtual servers

Component: Application Security Manager

Symptoms:
Security ›› Bot Defense : Bot Defense Profiles page is loaded to slowly when there are profiles configured with hundreds of virtual servers. For example: configuration with 750 virtual servers - takes about 40 seconds to load the page. Configuration with 1300 virtual servers- more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.


903273-2 : TMM core in bigproto_output due to NULL peer

Component: Local Traffic Manager

Symptoms:
The following log messages:

--A Enforced Device DOS attack has stopped for vector Bad UDP checksum, Attack ID 3778490180.

--err tmm2[29601]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (2000000000001) (global memory) 2291 Connections killed

Conditions:
-- Lots of DoS attacks.
-- Fast L4 protocol profile is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


903265-3 : Single user mode faced sudden reboot

Component: TMOS

Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).

Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.

Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.

Workaround:
None.


902417-2 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


902401 : OSPFd SIGSEGV core when ospf clear is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.


902377-2 : HTML profile forces re-chunk even though HTML::disable

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.


901989-2 : Boot_marker writes to /var/log/btmp

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp


901929-2 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.


901669-4 : Error status in "show cm failover-status" after MGMT-IP change

Component: TMOS

Symptoms:
The "tmsh show cm failover-status" command shows failover connection status "Error" on one device, but manual failover is working properly.

Conditions:
-- Two or more devices configured with high availability (HA) and are in sync.
-- The management IP address is changed on one of the devices
--show cm failover-status" on peer. You will see "show cm failover-status" returns "Error" status.

Impact:
The tmsh show cm failover-status command indicates an error, even though the devices are in sync and failover communication is working.

Workaround:
tmsh restart sys service sod


901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.


901033-2 : TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window

Component: Local Traffic Manager

Symptoms:
The test traffic is controlled and being increased with an iRule running TCP::respond . iRules operate fine until some threshold is reached, after which memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed.

Conditions:
A specific threshold of data is reached. The threshold varies, depending on the memory available on the BIG-IP system.

Impact:
Memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed. A tmm core is observed. Traffic disrupted while tmm restarts.

Workaround:
None.


900933-1 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels will fail to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP. The BIG-IP sends ESP packets to the remote peer, but the remote peer can't decrypt the packet. Likewise, the BIG-IP cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel
- A remote peer that is not another BIG-IP system
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS)

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS


900825 : WAM image optimization can leak entity reference when demoting to unoptimized image

Component: WebAccelerator

Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.

WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).

Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on tye system.
-- A policy change occurs that causes an internal check to fail.

Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.

Impact:
WAM image optimization might leak entity reference.

Workaround:
None.


900797-2 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A


900789-2 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
However, before reaching this scenario an alert should be sent to '/var/log/asm', currently there is no tangible warning/alert that statets the status of the hash table for the relevant virtual server.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
No alert is sent in case of reaching maximum capacity of the hash table.

Workaround:
N/A


900485-2 : Syslog-ng 'program' filter does not work

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.


899933-2 : Listing property groups in TMSH without specifying properties lists the entire object

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.


899253-6 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.


899097-2 : Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking

Component: TMOS

Symptoms:
When using the rewrite profile, unchunked server responses where content-type is not text/html or text/css also gets converted to chunked encoding in client-side. Also, the server response is missing a message-body (no content-type/content-length).

The client device receives 'Transfer-Encoding: chunked' in the message-header and receives a chunked body if the origin response has a message-body. The client receives a zero-length chunk if the origin response has no message-body.

Prior to BIG-IP version 15, chunking happens only if origin server response has content-type header set to either text/html or text/css.

Conditions:
- HTTP profile response chunking is set to 'sustain'.
- The virtual server has rewrite profile attached.
- Server response has content-type set not to text/html or text/css OR no content-type header.

Impact:
End users may notice a change in chunking behavior after upgrading from prior release.

Workaround:
Use response chunking mode 'unchunk'


898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted


898825-2 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.


898753-5 : Multicast control-plane traffic requires handling with AFM policies

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.


898741-2 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.


898733-3 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM

Component: Local Traffic Manager

Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.

In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.

3. The platform is a multi-bladed Viprion.

This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html

Impact:
SSL handshakes that arrive on the secondary blade(s) fail.

Handshakes arriving on the primary blade work fine.

Workaround:
Re-install the Thales client after the upgrade.


898705-5 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


898685-4 : Order of ciphers changes after updating cipher group

Component: Local Traffic Manager

Symptoms:
The order of cipher results may change with no modification in the cipher group.

Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.

Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.

Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in cipher group allow list.


898577-2 : Executing a command in "mgmt tm" using iControl REST results in tmsh error

Component: TMOS

Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.

Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.

Impact:
You are unable to update the frequency of live-update via iControl REST.


898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.


898389-1 : Traffic is not classified when adding port-list to virtual server from GUI

Component: TMOS

Symptoms:
Traffic is not matching to the virtual server.

Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.

Impact:
Traffic loss.

Workaround:
Creating traffic-matching-criteria from the command line

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>


898365-1 : XML Policy cannot be imported

Component: Application Security Manager

Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.

Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.

Impact:
Such a policy cannot be imported.

Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>


898093-2 : Removing one member from a WideIP removes it from all WideIPs.

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.


897185-2 : Resolver cache not using random port distribution

Component: Local Traffic Manager

Symptoms:
Outgoing queries to backend dns server use incremented port numbers instead of being distributed random ports.

Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )

Impact:
The port numbers are incremented.


896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios

Component: Advanced Firewall Manager

Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.

Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).

Impact:
The counter for all VLANs does not hit : fw_zone_stat. The corresponding stat value does not increment.

Workaround:
None.


896817-2 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.


896693-4 : Patch installation is failing for iControl REST endpoint.

Component: TMOS

Symptoms:
iControl REST async endpoint /mgmt/tm/task/util/ihealth behaving inconsistently:

-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.

Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.

Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.

Workaround:
None.


896689-4 : Asynchronous tasks can be managed via unintended endpoints

Component: TMOS

Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint

Conditions:
Create an asynchronous task e.g. creating qkview using ihealth
using endpoint /mgmt/tm/task/util/ihealth

Gather the task id of the created asynchronous task and send it to a different endpoint e.g. /mgmt/tm/task/cli/script

Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.


896245-3 : Inconsistency is observed in ARP behavior across releases

Component: Local Traffic Manager

Symptoms:
Creating and deleting VLANs/self IPs might end up with a different number of GARP responses, depending on the BIG-IP software version.

You might notice the differences when comparing older and newer releases, for example, comparing v14.1.0 and earlier compared with versions older than v14.1.0.

Conditions:
This might become evident when you upgrade from an older version.

Impact:
There is no functional impact as a result of this discrepancy.

Workaround:
None.


896217-2 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895845-5 : Implement automatic conflict resolution for gossip-conflicts in REST

Component: TMOS

Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.

Conditions:
-- HA environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.

You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts

You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip

Impact:
If there are gossip conflicts, the devices requires manual intervention to get back in sync.

Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:

1. Update devices info to use the same generation number.

2. This info found on REST Storage worker. Storage worker uses the selflink plus a generation number as the key to a given set of data.

3. Add the data from the unit with the highest generation number to the other unit.

4. Must also take care to increase the generation number on the new data to match that of the highest generation

Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts

2. Get the 'selflink in remoteState' attribute. This self link is same across all devices and checks on the browser with each device to discover the device that is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>

3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>

4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'


895837-3 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.


895801-2 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted

Component: Service Provider

Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash

Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.

Impact:
Expected changes do not take effect until TMM is restarted.

Workaround:
Restart TMM.

Note: Traffic is disrupted while tmm restarts.


895205-2 : A circular reference in rewrite profiles causes MCP to crash

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.


895165-2 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols

Component: Local Traffic Manager

Symptoms:
An error like the example below when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.

Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol

Impact:
Cannot define a valid virtual server with "any" protocol

Workaround:
N/A


895153 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded isn't detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded will always return the value false.

Conditions:
-- HTTP2 Profile.
-- iRule containing the command HTTP::has_responded

Impact:
Calls to HTTP::respond or HTTP::redirect will not be correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.


894545-2 : Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers

Component: TMOS

Symptoms:
If you have an existing virtual server that uses an address list for its destination and 'All Ports' configured for its port, then if you attempt to create another virtual server with a different (non-overlapping) address list with 'All Ports' configured and a protocol that overlaps (i.e., is either the same, or one of the protocols is 'All Protocols'), then creation of the virtual server will fail with an error similar to:

01b90011:3: Virtual Server /Common/test's Traffic Matching Criteria /Common/test_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/test2 destination address, source address, service port.

Conditions:
-- Using the GUI.
-- An existing virtual server that uses an address list as its destination and has its Service Port set to 'All Ports'.
-- An attempt to create another virtual server with a (non-overlapping) destination address list and 'All Ports' that has an overlapping Protocol (i.e., is either the same, or one of the protocols is 'All Protocols').

Impact:
Unable to create a valid virtual server.

Workaround:
Use TMSH to create the second virtual server instead.


894081-2 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.

Component: Global Traffic Manager (DNS)

Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.

Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.

Note: This issue only affects Link Controller systems, and not DNS/GTM systems.

Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).

Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:

# tmsh show gtm pool a members

# tmsh show gtm server virtual-servers


893885-3 : The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- EHF installed on TPM-supported BIG-IP platform.

Impact:
Incorrect presentation of system software status.

Workaround:
None.


893813-3 : Modifying pool enables address and port translation in TMUI

Component: TMOS

Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.

Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen

Impact:
Virtual server is created with address and port translation enabled.

Workaround:
You can disable it by again editing the virtual server.


893281-3 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.


893093-2 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.


893061-2 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.


892801-2 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.


892677-1 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html


892485-2 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.

Component: Local Traffic Manager

Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.

Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.

Impact:
A wrong OCSP status may be reported in the SSL handshake.


892445-2 : BWC policy names are limited to 128 characters

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.


892385 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.


892073-3 : TLS1.3 LTM policy rule based on SSL SNI is not triggered

Component: Local Traffic Manager

Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.

Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.

Impact:
Policy rule not triggered for TLS1.3.

Workaround:
None.


891613-1 : RDP resource with user-defined address cannot be launched from webtop with modern customization

Component: Access Policy Manager

Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.

After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:

Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.

Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.

Impact:
Cannot use remote desktop resource with user-defined addresses.

Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:

1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):

-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').

Recreate similar access policy as modern access policy that is showing this problem.

If manually re-creating similar standard access policy is not possible, there is no workaround.


891505-3 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.


891477-3 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.


891385-2 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.


891373-2 : BIG-IP does not shut a connection for a HEAD request

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.


891337-1 : 'save_master_key(master): Not ready to save yet' errors in the logs

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.


891221-2 : Router bgp neighbor password CLI help string is not helpful

Component: TMOS

Symptoms:
Unable to confirm the supported encryption types.

enable or add BGP routing prorotol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?

b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
  WORD Encryption Type or the password

Conditions:
Configuring the bgp neighbor with encryption password.

Impact:
Unable to confirm the supported encryption types.

Workaround:
None.


891181-2 : Wrong date/time treatment in logs in Turkey/Istambul timezone

Component: Application Security Manager

Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.

Conditions:
User sets Turkey/Istambul timezone on BIG-IP

Impact:
When filtering logs by time period, results differ from set period by an hour

Workaround:
Define time period one hour earlier for filtering ASM logs


890573 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart

Component: WebAccelerator

Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pickup this value after a restart of TMM.

Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.

Impact:
When small object cache has a non-default value, it may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing performance impact.

Workaround:
Reset wam.cache.smallobject.threshold value.


890421-2 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers

Component: TMOS

Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.

Impact:
This may be confusing for SNMP clients expecting specific trap IDs.

Workaround:
None.


890401 : Restore correct handling of small object when conditions to change cache type is satisfied

Component: WebAccelerator

Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AMM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which resulted in not serving a cached object.

Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.

Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.

Workaround:
None.


890277-3 : Mcpd takes too long on full config sync to a device group when there are large amount of partitions.

Component: TMOS

Symptoms:
When Full config sync is done to a device group with large amount of partitions
a) Mcpd is taking more time to complete config sync.
b) Spike in cpu usage in the device where config push is done
c) Mcpd is un responsive to daemons like tmsh, GUI etc. as it is busy pushing the config sync.
d) iQuery connections are getting killed due to high cpu utilization

Conditions:
Full config sync on device with large partitions.

Impact:
Impedes management of device as well as kills iQuery connections to GTM

Workaround:
Enable Manual Incremental Sync


890229-1 : Source port preserve setting is not honoured

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000- or 4000-series hardware platforms
-- The virtual server is configured with source-port preserve.

Impact:
Applications relying on a specific, fixed source port could break.

Workaround:
Set source-port to preserve-strict.


890169-2 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.


889801-1 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.

Component: Global Traffic Manager (DNS)

Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.

Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.

Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.

Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.

No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.

Workaround:
None.


889209-2 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.

Component: Local Traffic Manager

Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.

Conditions:
Enabled sflow receiver is configured.

Impact:
Egress traffic is dropped.

Workaround:
Disable Sflow receiver, save configuration, reboot.


889165-3 : "http_process_state_cx_wait" errors in log and connection reset

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.


889029-2 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work

Workaround:
Grant search permissions to the user in LDAP.


888885-1 : BIG-IP Virtual Edition TMM restarts frequently without core

Component: Local Traffic Manager

Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown"

Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..."

In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5"

Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13

Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts.


888765-1 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files

Component: TMOS

Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.

Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot

Impact:
-- CGNAT is de-provisioned
-- Tmm restarts

Workaround:
After upgrading, re-provision CGNAT:

tmsh modify sys provision cgnat level <level>
tmsh save sys config


888625 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks

Component: Carrier-Grade NAT

Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.

Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.

Impact:
No functional impact. But the stats counters will be incorrect.


888341-7 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), high availability (HA) Group failover may not complete despite an high availability (HA) Group score change occurring. As a result, a BIG-IP unit with a lower high availability (HA) Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 1 floating traffic group, after 2485~ days.
-- For 2 floating traffic groups, after 1242~ days.
-- For 4 floating traffic groups, after 621~ days.
-- For 8 floating traffic groups, after 310~ days.
-- For 9 floating traffic groups, after 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
-- high availability (HA) Group failover mode configured.

Note: No other failover configuration is affected except for high availability (HA) Group failover.

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the TMM process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite high availability (HA) Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.


888289-1 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.


888261-1 : Policy created with declarative WAF does not use updated template.

Component: Application Security Manager

Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.

Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.

Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.

Workaround:
Create new template and use it when recreating the declarative policy.


888113-3 : HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy

Component: Local Traffic Manager

Symptoms:
TMM cores in HTTP-MR proxy.

Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy.

Impact:
TMM stops processing traffic.

Workaround:
None.


888081-4 : BIG-IP VE Migration feature fails for 1NIC

Component: TMOS

Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.

load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.

Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.

Impact:
The UCS restore fails.

Workaround:
The DB variable can be set to enable before loading the UCS.

# tmsh modify sys db provision.1nicautoconfig value enable


887921-1 : iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes

Component: Global Traffic Manager (DNS)

Symptoms:
“RESOLVER::name_lookup” returns null.

Conditions:
Response is larger than 512 bytes.

Impact:
“RESOLVER::name_lookup” returns empty answer.


887625-3 : Note should be bold back, not red

Component: Application Security Manager

Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color

Note : Device-ID mode must be configured in bot profile for this option to work.

Conditions:
This always occurs.

Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.

Workaround:
None.


887621-2 : ASM virtual server names configuration CRC collision is possible

Component: Application Security Manager

Symptoms:
A policy add/modify/delete fails with the following error: Mar 3 03:45:24 bit21 crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY')

Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.

Impact:
Every config update fails.

Workaround:
Figure out which virtual servers has the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.

You can get the name of the affected virtual server by using the entry reported in the "Duplicate entry" log and running this command.

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'


887505-1 : Coreexpiration script improvement

Component: TMOS

Symptoms:
Script fails with
stat: cannot stat '/shared/core/*.core.*': No such file or directory

Conditions:
Coreexpiration script is run.

Impact:
No core is produced.

Workaround:
To resolve the issue, add the following line to the script:

  for filename in /shared/core/*.core.*; do
   + [ -e "$filename" ] || continue
         # Time of last modification as seconds since Epoch


887265-2 : BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration

Component: Application Security Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large ASM configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (vlan failsafe-action failover-restart-tm) or the BIG-IP system continually reboots (vlan failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.


887261-1 : JSON schema validation files created from swagger should support "draft-04" only

Component: Application Security Manager

Symptoms:
The JSON schema validation file creation from swagger's schema entry fails and errors are logged to /ts/log/asm_config_server.log.

Conditions:
-- API Protection used in a security policy
-- Swaggers's schema entry contains one or more fields that are incompatible between draft-04 and draft-07 of the JSON schema validation spec (e.g.: "exclusiveMinimum")

Impact:
Since BIG-IP is locked to draft-07, a security policy created from swagger file will not include some entities.

Workaround:
No workaround


887117-2 : Invalid SessionDB messages are sent to Standby

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.


887045-1 : The session key does not get mirrored to standby.

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None


886865-1 : P3P header is added for all browsers, but required only for Internet Explorer

Component: Application Security Manager

Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.

Conditions:
Bot Defense Profile is attached to a virtual server.

Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.

Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.

It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.


886841-1 : Allow LDAP Query and HTTP Connector for API Protection policies

Component: Access Policy Manager

Symptoms:
APM has several types of access policies for different deployment types, such as general per-request policies, OAuth policies, full webtop portal policies, and so on. One type of policy is designed for API clients, called API Protection.

API Protection requests are generally authenticated by user information present in an HTTP authorization header. APM then uses this authorization header data to authenticate users against an AAA server.

In addition to authentication, some deployments of API Protection also require authorization decisions to be performed against out-of-band data from external servers, typically group membership data from an external HTTP or LDAP server.

Conditions:
Administrators attempt to use HTTP Connector or LDAP Query in an API Protection type access policy.

Impact:
Administrators are not able to use HTTP Connector or LDAP Query in API Protection policies.


886693-3 : System may become unresponsive after upgrading

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown. In the environment in which it occurred, a datagroup had been deleted, but an iRule was still referencing it, see https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to a pre-upgrade volume.

Note: This might require that you have console access if you are unable to SSH in to the device.


886689-6 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.


886653-2 : Flow lookup on subsequent packets fail during CMP state change.

Component: Policy Enforcement Manager

Symptoms:
When there is a failover event, there is a chance that some sessions will not move over to new active blade.

Conditions:
-- High availability (HA) environment
-- A CMP state change occurs

Impact:
For certain IPs which have failed to move to the new active, then a new session create request will not create/replace the current session as it is in inconsistent state.


886649-2 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.


886145-2 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.

Component: Global Traffic Manager (DNS)

Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.

The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.

The 'Reconnect All' button is clickable but returns the error "No response action specified by the request" when clicked.

Conditions:
You have accessed the buttons via the following WebUI path:

DNS > GSLB > Data Centers > [dc name] > Servers

Impact:
The buttons do not work, making the corresponding feature unavailable from the WebUI.

Workaround:
Access the buttons via the following alternative WebUI path:

DNS > GSLB > Servers


885869-2 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime

Component: Global Traffic Manager (DNS)

Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.

Conditions:
An iQuery certificate using GenericTime instead of UTCTime.

Note that this would only occur with a date beyond the year 2049.

Impact:
Internal years are interpreted to be much later than they should be.

Workaround:
Use SSL certificates with UTCTime instead of GenericTime.


885325-2 : Stats might be incorrect for iRules that get executed a large number of times

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.


884989-1 : IKE_SA's Not mirrored of on Standby device if it reboots

Component: TMOS

Symptoms:
After rebooting the standby BIG-IP device, IKE SA's are not mirrored.

Conditions:
-- IPSEC is configured in a high availability (HA) environment
-- Standby device is rebooted

Impact:
IKE_SA's will have to be renegotiated.
The performance impact is minimal.


884953-3 : IKEv1 IPsec daemon racoon goes into an endless restart loop

Component: TMOS

Symptoms:
The IKEv1 IPsec daemon racoon goes into an endless restart loop.

2020-01-02 08:36:36: ERROR: /etc/racoon/racoon.conf.BIG-IP:376: "}" duplicated sainfo: loc='ANONYMOUS', rmt='10.42.80.0/24', peer='ANY', id=0
2020-01-02 08:36:36: ERROR: fatal parse failure (1 errors)
2020-01-02 08:36:36: ERROR: failed to parse configuration file.

Conditions:
Duplicate wildcard traffic-selectors, one with ::/0 and one with 0.0.0.0/0, attached to different IPsec policies.

Impact:
IPsec IKEv1 tunnels cannot be established.

Workaround:
Configure duplicate traffic-selectors only when they are attached to interface mode IPsec policies.


884797-4 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.


884729-2 : The vCMP CPU usage stats are incorrect

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.


883577-4 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.


883529-1 : HTTP/2 Method OPTIONS allows "*" (asterisk) as an only value for :path

Component: Local Traffic Manager

Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.

Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than "*" (asterisk).

Impact:
HTTP/2 request with Method OPTIONS is limited to :path "*" only. Any other URIs are not forwarded to the server but rejected with RST_STREAM with PROTOCOL_ERROR.

Workaround:
None.


883149-1 : The fix for ID 439539 can cause mcpd to core.

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA


883105-1 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect

Component: Local Traffic Manager

Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.

Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.

Impact:
Connections fail.

Workaround:
None.


883049-2 : Statsd can deadlock with rrdshim if an rrd file is invalid

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd


882769-1 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API


882757-1 : sflow_agent crash SIGABRT in the cleanup flow

Component: TMOS

Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.

Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.

Impact:
sflow_agent crashes.

Workaround:
Do not disable DHCP on the management port


882729-3 : Applied Blocking Masks discrepancy between local/remote event log

Component: Application Security Manager

Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy.

Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured.

Impact:
This is cosmetic but can lead to confusion.


882725-5 : Mirroring not working properly when default route vlan names not match.

Component: Local Traffic Manager

Symptoms:
When using two BIG-IP systems to mirror traffic, mirroring functions correctly if the default gateway VLAN names match; however, if default gateway VLAN names don't match, then the BIG-IP system does not mirror client-side packets to the peer, which causes the standby BIG-IP system to reset all client-side flows on failover.

Conditions:
-- Two BIG-IP LTM BIG-IP Virtual Edition (VE) systems configured as a high availability (HA) pair.
-- Default gateway VLAN names don't match between them.

Impact:
BIG-IP system does not mirror client-side packets to the peer, which causes the next-active device to reset all client-side flows on failover.

Upon failover all flows are being RST just like a typical failover scenario without mirroring implemented.

Workaround:
Use same VLAN name on all external VLANs that might be used for mirroring.


882713-3 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.


882609-1 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back

Component: TMOS

Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.

MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.

Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.

Impact:
Devices unable to ConfigSync.

Workaround:
This workaround will disrupt traffic while TMM restarts:

1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm


This workaround should not disrupt traffic:

Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.

TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"


882557-2 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance


882377-3 : ASM Application Security Editor Role User can update/install ASU

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.


881641 : Errors on VPN client status window in non-English environment

Component: Access Policy Manager

Symptoms:
If Network Access resource is being accessed using user interface language other than English, JavaScript errors may be shown in VPN client status window.

Conditions:
- Access Policy with languages other than English
- Network Access resource assigned to this Access Policy
- standalone VPN client in non-English environment

Impact:
VPN connection cannot be established.


881065-1 : Adding port-list to Virtual Server changes the route domain to 0

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.


881041-3 : BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.

Component: Local Traffic Manager

Symptoms:
Some received packets are retransmitted back on the incoming VLAN interface.

Conditions:
The symptom is found with the following conditions:
1. A forwarding virtual server is configured.
2. A packet is received whose destination MAC address is its unicast VLAN MAC address and the destination IP address is the broadcast address of that subnet.

Impact:
Broadcast packets are forwarded back to the incoming VLAN interface might result in loops if there are multiple gateways on the network.

Workaround:
None.


880789-3 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.


880697-1 : URI::query command returning fragment part, instead of query part

Component: Local Traffic Manager

Symptoms:
The iRule URI commands are designed to parse a given URI string to each components such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of an URI, but the returned string contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value

Conditions:
Create a test rule with URI having '#' like this.

when HTTP_REQUEST {
  # from RFC 3986 Section 3
  set url "foo://example.com:8042/over/there?name=ferret#nose"
  log local0. "query: [URI::query $url]"
}

Impact:
URI operations that involve #fragments may fail.

Workaround:
NA


880625-3 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.


880565-1 : Audit Log: "cmd_data=list cm device recursive" is been generated continuously

Component: Device Management

Symptoms:
The system generates and logs the following message continuously, at the rate of 3 times a minute, in /var/log/audit:

-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;
-- hostname.com notice tmsh[47755]: 01420002:5: AUDIT - pid=47755 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm

Conditions:
This occurs during normal operation.

Impact:
Audit log file contains numerous 'cmd_data=list cm device recursive' messages.

Workaround:
Edit the 'include' section of syslog configuration to suppress audit logs of 'cmd_data=cd /' and 'cmd_data=list cm device recursive'.

# tmsh edit /sys syslog all-properties

Replace 'include none' with following syntax.
===
sys syslog {
- snip -
    include "
filter f_audit {
       facility(local0) and match(AUDIT) and not match(\"cmd_data=list cm device recursive|cmd_data=cd /\");
};"
- snip -
}


880473-1 : Under certain conditions, the virtio driver may core during shutdown

Component: TMOS

Symptoms:
If the virtio driver fails to initialize, it may core during shutdown.

Conditions:
-- Using the virtio VE driver.
-- The virtio driver fails initialization and shuts down instead.

Impact:
TMM cores during driver shutdown.


880165-2 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license.


880125-5 : WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner

Component: Global Traffic Manager (DNS)

Symptoms:
Creating WideIP with aliases at the same time causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Conditions:
Creating WideIP with aliases at the same time(using GUI or tmsh) causes ZoneRunner to create CNAME RRset without matching A RRset on the peer.

Impact:
GTM peer will not respond with correct answer for DNS request.

Workaround:
Create wideip with two steps.


880073-1 : Memory leak on every DNS query made for "HTTP Connector" agent

Component: Access Policy Manager

Symptoms:
'plugin' subsystem of TMM leaks memory, when "HTTP Connector" agent performs DNS query.

Conditions:
Access Policy contains "HTTP Connector" agent.

Impact:
Roughly 500 KB is leaked for every 10000 requests.

Workaround:
None.


880013-1 : Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration

Component: TMOS

Symptoms:
Config load fails with an error:

01071769:3: Decryption of the field (privatekey) for object (12004) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- BIG-IP configuration has a secured attribute, for example an encrypted dynad key
-- The master key password is changed
-- The configuration is loaded before saving the changes

Impact:
"tmsh load sys config" fails.

Workaround:
After modifying the master key password, save the configuration and then perform the tmsh load sys configuration.


880009-1 : Tcpdump does not export the TLS1.3 early secret

Component: TMOS

Symptoms:
Users running tcpdump with the 'ssl:v' flag to obtain the early traffic secret are given the early master secret instead.

Conditions:
Run tcpdump with the 'ssl:v' flag.

Impact:
Users cannot decrypt TLS1.3 early data packets.

Workaround:
None.


879969-5 : FQDN node resolution fails if DNS response latency >5 seconds

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.


879777-3 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.


879413-1 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd will fail to load it and end up restarting continuously. You see the following messages in /var/log/ltm:

err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'
err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
-- Corrupted *.info file in /var/rrd.

Impact:
Stats will no longer be accurate.

Workaround:
It might take multiple attempts to retain the *.info file:

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

... where <filename> is the actual name of the file (e.g. "throughput.info").


879409-3 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.


879405-1 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

   Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.


879401-1 : Memory corruption during APM SAML SSO

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted.

Conditions:
- BIG-IP system is configured as SAML SP.
- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.


879301-1 : When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended

Component: Global Traffic Manager (DNS)

Symptoms:
When importing a BIND zone file, $ORIGIN is appended for rdata from SRV and NAPTR RRs, also not appended for DNAME's owner label.

Conditions:
$ORIGIN is used in original zone files and use zone runner to import.

Impact:
Zone files are not generated correctly.

Workaround:
Do not use $ORIGIN.


879189-1 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section

Component: TMOS

Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.

Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual but the module supporting the profile is not provisioned

Impact:
The Network Map shows an error message.

Workaround:
Provision the module that supports the profile.


879001-1 : LDAP data is not updated consistently which might affect authentication.

Component: TMOS

Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.

This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.

Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.

Impact:
LDAP data is not updated consistently, and authentication might fail.

Workaround:
None.


878925-2 : SSL connection mirroring failover at end of TLS handshake

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests my fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.


878893-3 : During system shutdown it is possible the for sflow_agent to core

Component: TMOS

Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.

Conditions:
BIG-IP reboot can cause the sflow_agent to core.

Impact:
There is a core file in the /var/core directory after a system reboot.


878253-1 : LB::down no longer sends an immediate monitor probe

Component: Local Traffic Manager

Symptoms:
The iRule command LB::down is supposed to send an immediate monitor probe, but it does not.

Conditions:
-- Executing LB::down in an iRule.

Impact:
A monitor probe is not immediately sent, which may cause a pool member to be marked down longer than it should be.


877145-4 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

Component: TMOS

Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.

Conditions:
This can be encountered intermittently while using iControl REST.

Impact:
Login failure.

Workaround:
None.


876957-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload


876937-3 : DNS Cache not functioning

Component: TMOS

Symptoms:
DNS queries are not being cached on the BIG-IP device.

Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache)
-- Device receives DNS queries

Impact:
DNS queries are forwarded, but BIG-IP does not cache them.


876809-3 : GUI cannot delete a cert with a name that starts with * and ends with .crt

Component: TMOS

Symptoms:
If a cert is created with a name that begins with * (asterisk) and ending with .crt, you cannot delete it using the GUI.

Conditions:
-- Certificate with a name similar to *example.crt.

-- Select the checkbox in the GUI and click Delete.

Impact:
GUI displays the message: No records to display. The '*example' certificate is still present.

Workaround:
You can use TMSH to delete it without issue.


876805-3 : Modifying address-list resets the route advertisement on virtual servers.

Component: Advanced Firewall Manager

Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the list itself is modified.

Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all of Virtual address
-- Modify the address list.

Impact:
Modifications done to virtual addresses are lost.

Workaround:
None.


876801-5 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.


876677-1 : When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
When running a debug TMM, if a DNS lookup takes more than 30 seconds, TMM may assert with a message similar to the following in the /var/log/ltm file:

-- notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.

Conditions:
-- Using the debug TMM.
-- Executing a DNS lookup that expires.

Impact:
TMM crash and (in a high availability (HA) configuration) failover.

Workaround:
Do not use the debug TMM.


876145-3 : Nitrox5 failure on vCMP guest results in all crypto requests failing.

Component: Local Traffic Manager

Symptoms:
Nitrox5 SSL card failure on a vCMP guest deployed on i11000 platform might cause all SSL transactions to fail.

Conditions:
- i11000 platform.
- vCMP guest.
- Nitrox5 card experiences a failure.

Impact:
- SSL transactions do not complete the handshake.
- Following logs can be seen in /var/log/ltm :

01260013:4 SSL Handshake failed for TCP 10.1.1.5:55368 -> 10.1.1.55:443
01260009:4: 10.2.36.5:55384 -> 10.1.1.1:443: Connection error: ssl_hs_vfy_vfydata_cont:14608: alert(47) verify failed


876077-1 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.


875401-2 : PEM subcriber lookup can fail for internet side new connections

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.


875373-3 : Unable to add domain with leading '.' through webUI, but works with tmsh.

Component: Application Security Manager

Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.

Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.

Impact:
You are unable to use the GUI to create custom bot-defense signatures.

Workaround:
Use tmsh to add custom bot-defense signatures as follows:

tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"


874877-1 : Bigd http monitor shows misleading 'down' reason when recv does not match

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an http monitor, the http status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
Configure a BIG-IP to monitor an HTTP server.

Impact:
Misleading log messages, difficulty in identifying the real cause of the monitor failure.


874797-1 : Unable to configure FQDN in device DNS NXDOMAIN QUERY Vector

Component: Advanced Firewall Manager

Symptoms:
The GUI for device vector is missing functionality to Check, add and delete FQDN's

Conditions:
This is encountered in the GUI in the DNS tab while viewing the DNS NXDOMAIN Query vector.

Impact:
You are unable to configure a valid FQDN list

Workaround:
Use TMSH to set configuration


874753-3 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.


874677-1 : TC auto signature update failing from GUI on 14.1.2

Component: Traffic Classification Engine

Symptoms:
From v14.1.0 onwards, Traffic Classification auto signature update fails from GUI.

Conditions:
-- Traffic Classification auto signature update failing from GUI only.
-- It's working through CLI and GUI manually.

Impact:
Fail to update the classification signature from GUI automatically.

Workaround:
Traffic Classification auto signature update from CLI and manually on GUI will work.


874317-1 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface.

Conditions:
BIG-IP is configured with (at least) two VLANs/interfaces, and with a virtual server with auto-lasthop disabled.

Impact:
The mismatch could lead to connections failing to establish.

Workaround:
Use the same VLAN on the client side.


874221-1 : DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd.

Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured.

Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant.

Workaround:
Do not configure any wide IPs.


873677-7 : LTM policy matching does not work as expected

Component: Local Traffic Manager

Symptoms:
Policy matching may fail to work as expected

Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.

This may also be triggered by very complex policies with large numbers of rules.

Impact:
LTM policy matching does not work as expected.

Workaround:
None.


873249-1 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.


872981-1 : MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction

Component: Local Traffic Manager

Symptoms:
MCPD crashes when deleting a virtual server and traffic-matching-criteria in the same transaction. This can happen when explicitly using a transaction, or when using a feature that uses transactions, such as when deleting an iApp instance that created these objects.

Conditions:
-- Using a virtual server that has traffic-matching-criteria (e.g., port lists or address lists) attached.
-- Deleting the virtual server and its traffic-matching-criteria in the same transaction.

Impact:
MCP cores, which causes a failover (in a high availability (HA) system) or temporary outage.

Workaround:
Delete the traffic-matching-criteria object separately from the virtual server.


872721-3 : SSL connection mirroring intermittent failure with TLS1.3

Component: Local Traffic Manager

Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.

Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.

Impact:
Standby device fails tls handshake, active success so connection succeeds but not mirrored.


872685-1 : Some HTTP/3 streams terminate early

Component: Local Traffic Manager

Symptoms:
Some HTTP/3 streams are terminated with a FIN before all the requested data is delivered.

Conditions:
-- Send multiple HTTP3 requests on different streams simultaneously.
-- The back-end in server is NGINX.

Note: This might happen with other web servers as well.

Impact:
Data transfer is incomplete.

Workaround:
Update the server-side connection to HTTP/2.


872645-2 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.


872105 : APM Hosted Content feature incorrectly guesses content type for CSS files

Component: Access Policy Manager

Symptoms:
APM has a hosted content feature where files can be uploaded for serving out to end users. This is typically used for Edge Client hosting, CSS, and Images.

When you upload a CSS file with Hosted Content enabled, BIG-IP classifies it as 'text/x-asm' when it should be 'text/css'.

Conditions:
APM Hosted Content feature serving CSS files.

Impact:
Incorrect content type used for CSS may confuse some web clients.

Workaround:
To work around this issue, use the Hosted Content GUI to change the file type from 'text/x-asm' to 'text/css'.


872049-1 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command

Component: Advanced Firewall Manager

Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)

Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command

Impact:
Incorrect display value for DoS thresholds in GUI and tmctl


872037-2 : DNS::header rd does not set the Recursion desired

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command DNS::header rd not working as expected.

Conditions:
Virtual server configured with an iRule command to set DNS::header rd.

Impact:
The DNS::header rd iRule command does not set the Recursion Desired flag in DNS headers.

Workaround:
None.


871985-1 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection

Component: Advanced Firewall Manager

Symptoms:
There are no hardware mitigation for DoS attacks

Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector

Impact:
DoS attack mitigation performed only by software


871881-2 : Apply Policy action is not synchronized after making bulk signature changes

Component: Application Security Manager

Symptoms:
After an action that affects thousands of objects a subsequent Apply Policy may be missed by a peer.

Conditions:
1) Devices are in an autosync device group with ASM sync enabled
2) A bulk action that affects thousands of objects is performed (like enforcing or disabling all signatures)
3) The Apply Policy action is taken immediately afterwards

Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never resent.

Workaround:
Make a spurious change and reapply the policy.


871705-6 : Restarting bigstart shuts down the system

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.


871657-1 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.


871561-5 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'

Component: TMOS

Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.

Impact:
Unable to perform an upgrade.

Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.


871045-1 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled

Component: TMOS

Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.

Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.

Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.

Impact:
Connection is subsequently reset with TCP RST cause 'No flow found for ACK'.

Workaround:
None.


870385-5 : TMM may restart under large amount traffic load

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workload. The crash is a timing based issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with dos functionality
-- When BIG-IP is under heavy workload

Impact:
Traffic disrupted while tmm restarts.


870381-1 : Network Firewall Active Rule page does lot load

Component: Advanced Firewall Manager

Symptoms:
The page (content frame) is blank and nothing is visible

Conditions:
This occurs when viewing the Active Rule page.

Impact:
You are unable to view active Rules in UI


870309-4 : Ephemeral pool member not created when FQDN resolves to new IP address

Component: Local Traffic Manager

Symptoms:
On rare occasions, when using FQDN nodes/pool members and the FQDN name resolves to a different IP address, the ephemeral pool member for the old IP address may be removed, but a new ephemeral pool member for the new IP address may not be created.

Under normal operation, the following sequence of messages is logged in /var/log/dynconfd.log when dynconfd logging is set to 'debug' level:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
[D]: PoolMember::scan: pool /Common/my_fqdn_pool member /Common/my_fqdn_node fqdn my.fqdn.com

But when this problem occurs, the 'setFQDNPoolMembersModified' log message is not followed by a 'PoolMember::scan' log message:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com

Conditions:
This may occur under rare timing conditions while using using FQDN nodes/pool members, when the DNS server resolves the FQDN name to a different IP address.

Impact:
Pools configured with FQDN-based pool members may become empty, in which case no traffic will be processed by that pool.

Workaround:
To recover from this condition once it occurs, perform either of the following actions:

-- Restart the dynconfd daemon:
bigstart restart dynconfd

This temporarily interrupts queries for FQDN name resolution and updates (deletion/creation) of ephemeral nodes/pool members in response to FQDN resolution changes.

This action is not otherwise expected to affect traffic currently flowing to pools.


-- Remove the FQDN pool member, then re-add the FQDN pool member back to the pool:
tmsh modify ltm pool my_fqdn_pool { members delete { my_fqdn_node:port } }
tmsh modify ltm pool my_fqdn_pool { members add { my_fqdn_node:port <other parameters> } }

If the pool already has no ephemeral pool members, this has no effect on traffic (which is already not flowing to this pool).

If the pool has some ephemeral pool members but not the complete list of expected ephemeral members, this will interrupt traffic flowing to this pool while there are no pool members present.

In that case, temporarily adding at least one pool member with a statically-configured IP address before removing the FQDN pool member, then removing the same temporary pool members after replacing the FQDN pool member, allow straffic to continue flowing to the pool while this action is performed.


869361-1 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated

Component: Global Traffic Manager (DNS)

Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.

Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.

Impact:
Unable to manage wide IPs through the GUI.

Workaround:
Use tmsh to manage Inbound WideIPs.


869237-5 : Management interface might become unreachable when alternating between DHCP/static address assignment.

Component: TMOS

Symptoms:
When the Management IP address assignment is changed and the IP address obtained from DHCP lease is used for static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though interface has a static IP configured.

Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.

Impact:
Remote management access is lost after the DHCP lease expires.

Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create new configuration. This can be done with TMSH:

(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }


868721-1 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.


868641-3 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.


868381-1 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.


868209-3 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.

This defect will also cause active FTP data connections over vlan-group to fail.

Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.

OR

- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.

Impact:
Server-side connections will fail.

Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)


868033-1 : SSL option "passive-close" option is unused and should be removed

Component: Local Traffic Manager

Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.

A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.

Conditions:
-- Modifying a client or server SSL profile in TMSH.

Impact:
The "passive-close" option is not actually used.

Workaround:
Do not use the "passive-close" option.


867825-4 : Export/Import on a parent policy leaves children in an inconsistent state

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.


867793-1 : BIG-IP sending the wrong trap code for BGP peer state

Component: TMOS

Symptoms:
When BGP peer is going down, BIG-IP is sending the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.


867321-3 : Error: Invalid self IP, the IP address already exists.

Component: Advanced Firewall Manager

Symptoms:
When loading a configuration, the config load fails with an error:

Invalid self IP, the IP address <ip_addr> already exists.

Conditions:
-- Config contains an IPv4 SelfIP
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same vlan

BIG-IP does not prevent you from creating this condition and will allow you to save it.

Impact:
During configuration load will fail:

0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.

Workaround:
Delete one of the SelfIP addresses and load the configuration.


867253-3 : Systemd not deleting user journals

Component: TMOS

Symptoms:
When setting "SystemMaxUse" to any value, systemd does not get honored and the specified size is exceeded

Conditions:
-- Using a Non-TMOS user account with external authentication permission.
-- Systemd-journald is configured to create a user journal for every user that logs into the BIG-IP system.

Impact:
Journald filling up file system size. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Remove journal logs manually.


867181-1 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.


867177-3 : Outbound TFTP and Active FTP no longer work by default over the management port

Component: TMOS

Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP management port to transfer files to a remote system, the connection eventually times out and the file is not transferred.

This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.

When attempting to use TFTP and Active FTP via tmm interfaces will work as it has the necessary Algorithm capabilities to set up return listeners.

Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP management port through command line.

Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system over management port

Workaround:
Consider using encrypted transport (sftp, scp, etc.) in order to avoid the exposure of sensitive data, including passwords.

Manually load connection tracking for the necessary protocol(s) from the command line with:
modprobe nf_conntrack_ftp
modprobe nf_conntrack_tftp


867013-2 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.


866481-2 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode

Component: Local Traffic Manager

Symptoms:
TMM may sometimes core when HTTPMR proxy attempts to go into passthrough mode

Conditions:
-- HTTP profile is attached to the virtual.
-- httprouter profile is attached to the virtual.
-- HTTP goes into passthrough mode for any of the variety of reasons.

Impact:
Traffic disrupted while tmm restarts.


866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.


865981-1 : ASM GUI and REST become unresponsive upon license change

Component: Application Security Manager

Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.

Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).

Impact:
ASM user interfaces are unresponsive.

Workaround:
Kill asm_config_server.pl or restart ASM


865653 : Wrong FDB table entries with same MAC and wrong VLAN combination

Component: TMOS

Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs.

MAC entries are correct in the switch but not in the control plane.

Conditions:
Enable L2Wire.

Impact:
Duplicate MAC entries with incorrect VLANs in FDB table.

Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd

Note: You can use tmsh to see the table:
tmsh -m show net fdb


865461-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.


865329-1 : WCCP crashes on "ServiceGroup size exceeded" exception

Component: TMOS

Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.

Conditions:
Have WCCP service groups configured.

Impact:
WCCP throws an exception and crashes.

Workaround:
None.


865313-3 : Validation of monitor field fails in transaction

Component: TMOS

Symptoms:
Validation of monitor destination/address fails if used with transactions. The transaction consists of two operations: a delete and a create (with a new destination).

This passes validation on the BIG-IP system where the change was made. However when the change is synced to the peer, it fails validation on the peer.

Conditions:
1. Create monitor destination/address in transaction.
-- Delete monitor.
-- Create monitor with destination as *:80 and *:*.
2. Sync to peer.

Impact:
It passes validation on BIG-IP but fails on config sync to the peer.

Workaround:
In order to get the devices back in sync, run config sync with force-full-load-push.


865289-1 : TMM crash following DNS resolve with Bot Defense profile

Component: Application Security Manager

Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.

Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A


865241-1 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.


865177-4 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.


864989-2 : Remote logger violation_details field content appears as "N/A" when violations field is not selected.

Component: Application Security Manager

Symptoms:
When remote logger is enabled and violation_details field is selected for output, but violations field is not selected - content of violation_details field appears as "N/A".

Conditions:
- Remote logger is enabled;
- violation_details field is selected for output;
- violations field is not selected for output;
- violation is detected and reported to remote logger.

Impact:
Remote logger will not contain violation_details in report.

Workaround:
Enable violations field for remote logging.


864897-2 : TMM may crash when using "SSL::extensions insert"

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
iRule with "SSL::extensions insert"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


864757-3 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


864677-1 : ASM causing high mcpd CPU usage

Component: Application Security Manager

Symptoms:
CPU utilization is high on the odd-numbered cores.

Conditions:
-- One or more virtual server have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.

Impact:
Elevated CPU usage.

Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.

-- Restart ASM:
bigstart restart asm


864649-4 : The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table

Component: Local Traffic Manager

Symptoms:
The client-side connection of the dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table.

Conditions:
Configure dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server.

Impact:
Even after correcting the listener to use dhcpv4 (relay) instead of dhcpv4_fwd (forwarding) profile, the client-side connection from the dhcpv4_fwd profile remains.

Workaround:
Delete the long-standing connection from the connection table.


864513-1 : ASM policies didn't load immediately after upgrade to v14.1.0.1

Component: TMOS

Symptoms:
ASM policies didn't load immediately after upgrade to v14.1.0.1 or later version because selinux policy was incorrect for some files after up-gradation.This is selinux issue.

Conditions:
1) Install and configure ASM including a number of active policies on virtual servers on version 13.1
2) Upgrade to version 14.1 or 15.x

Impact:
Traffic will start failing due to ASM policies not loading after upgrade.

Workaround:
Save the UCS from pre-upgrade and load it on a fresh install of 15.0.1

OR

Remove policy from the ASM profiles from the virtual servers and do the upgrade.
Apply policy after upgrade.


863609-4 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ


863401-1 : QUIC congestion window sometimes increases inappropriately

Component: Local Traffic Manager

Symptoms:
When QUIC is discovering the link bandwidth, it sometimes increases the congestion window when there is not enough available data to use the existing congestion window.

Conditions:
When the application is not generating enough data, or any streams with data are stream flow control limited.

Impact:
In some cases, the congestion window can be too large for the path and cause packet losses if it is later fully utilized.

Workaround:
None


863165-3 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


862937-3 : Running cpcfg after first boot can result in daemons stuck in restart loop

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot


862793-1 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation

Component: Application Security Manager

Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.

Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.

Workaround:
None.


862693-6 : PAM_RHOST not set when authenticating BIG-IP using iControl REST

Component: TMOS

Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp

Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }

2. modify auth source type to radius
tmsh modify auth source { type radius }

3. try to authenticate to BIG-IP using iControl REST

Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id


862525-1 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
  bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.


862413-1 : Broken layout in Threat Campaigns and Brute Force Attacks pages

Component: Application Security Manager

Symptoms:
Horizontal scroll added to the page unnecessarily.

Conditions:
This occurs when viewing the Threat Campaigns or Brute Force Attacks page in any browser

Impact:
The horizontal scroll bar breaks the intended page layout.

Workaround:
N/A


862337-2 : Message Routing Diameter profile fails to forward messages with zero length AVPs

Component: Service Provider

Symptoms:
Message Routing Diameter profile does not forward diameter messages that include an AVP with a zero (0) length data field.

Conditions:
-- A virtual server with an Message Routing Diameter Profile.
-- A diameter message containing an AVP with a zero length data field.

Impact:
Diameter messages with zero length AVPs are not forwarded as expected.

Workaround:
None.


862069-1 : Using non-standard HTTPS and SSH ports will fail under certain conditions

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or above, if you try to change the HTTPS port (e.g. to 8443) and then expose the management UI via a self IP in a non-zero route domain, it won't work.

In versions 14.1.0 and above on VEs, attempting to manage a BIG-IP over a self IP can fail if all these conditions are met:
   - Non-standard HTTPS port used.
   - No TMM default route configured.
      - No route to the client IP configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

... or:

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP configured.

Impact:
Unable to access BIG-IP GUI on non-standard HTTPS port, and/or unable to access BIG_IP CLI on non-standard SSH port.


862001-1 : Improperly configured NTP server can result in an undisciplined clock stanza

Component: Local Traffic Manager

Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.

NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock

Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.

Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.

Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.

While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
 
However, if the 'dummy' source starts responding, it could become a rogue time source.


860573-3 : LTM iRule validation performance improvement by tracking procedure/event that have been validated

Component: TMOS

Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.

Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.

Impact:
Task fails (via REST) or ends up taking a really long time when run manually.

Workaround:
None.


860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.


860349-3 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.


> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon


860317-3 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process


860277-4 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}


proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.


860245-1 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x

Component: TMOS

Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

The REST framework versions are different on the devices.

Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.

Workaround:
The following steps are required on all HA peers, first on the active and then on the standby BIG-IP devices.

1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-allBIG-IPs/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded


860181-1 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error

Component: TMOS

Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.

Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.

Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:

01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network

Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.

Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.

Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.

In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.

In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>


860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


858973-1 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858877-3 : SSL Orchestrator config sync issues between HA-pair devices

Component: TMOS

Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.

Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.

Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.

Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.


858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.


858701-1 : Running config and saved config are having different route-advertisement values after upgrading from v12.1.x

Component: Local Traffic Manager

Symptoms:
If you upgrade a 12.1.x device with route advertisement enabled, there will be a difference between the running configuration and the saved configuration post upgrade.

-- In the running configuration, the word 'enabled' changes to 'selective'.
-- In bigip.conf, the setting is still set to 'enabled'.

Conditions:
-- Upgrading a v12.1.x device with route advertisement enabled.
-- After saving config both the running-config and bigip.conf are having same value i.e., 'selective'.
-- Load the configuration (tmsh load sys config).

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
After the running config is set to the 'disabled' value, reload the configuration again using the following command to set the running config and saved config to to 'selective':

tmsh load sys config


858445-1 : Missing confirmation dialog for apply policy in new policy pages

Component: Application Security Manager

Symptoms:
There is no confirmation dialog for applying a policy.

Conditions:
This occurs when visiting any policy page available from the policies list.

Impact:
Without a confirmation dialog, it is easier to apply a policy by mistake

Workaround:
N/A


858429-3 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.


858309-4 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart

Component: Local Traffic Manager

Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.

Conditions:
Set self IP to an IPv6 address with an embedded Ipv4 address using tmsh.

Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.

Workaround:
Set self IP to IPv4 address.


858197-2 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system


858173-3 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1

Component: TMOS

Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the HA configuration.

This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.

Conditions:
-- BIG-IP devices configured in HA mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSLO configuration not syncing across the BIG-IP HA pair.

Workaround:
The following steps are required on both HA peers, first on the active and then on the standby BIG-IP device.

1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded


857845-1 : ASSERTs in hudproxy_tcp_repick() converted into an OOPS

Component: Local Traffic Manager

Symptoms:
Hudproxy_tcp_repick() asserts that no data is present.

Example of assertion in /var/log/tmm:
notice panic: ../modules/hudproxy/tcp/tcp_proxy.c:1610: Assertion "server drained" failed.

Conditions:
If data is present, then assertion fails.

Example of how to recreate ("server drained" failed):
-The virtual server uses an iRule containing both the TCP::collect and LB::detach statements.
-The LB::detach statement is not applied in a USER_REQUEST or USER_RESPONSE event.
-The server-side connection is detached before the TCP::collect has been drained.

Impact:
BIG-IP fails to process traffic when asserts fail.

Workaround:
There is no work around.
To avoid ("server drained" failed):
-Use TCP::notify to generate a USER_REQUEST or USER_RESPONSE event, and detach the server connection within the event.
For more information, refer to DevCentral iRules on TCP::notify.


857677-3 : Security policy changes are applied automatically after asm process restart

Component: Application Security Manager

Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.

Conditions:
Restart ASM.

Impact:
Potentially unintended activation of new security entities.

Workaround:
None.


857589-1 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'

Component: Access Policy Manager

Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x

Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.

Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.

Workaround:
None.


857045-1 : LDAP system authentication may stop working

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

tmsh start sys service nslcd


856953-4 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.


856713-3 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.


854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.


853989-1 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.


853617-1 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.


853565-2 : VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade

Component: Application Security Manager

Symptoms:
After rebooting a vCMP guest with ASM provisioned and configured, there are no asm policies. The following command returns no results:

tmsh list asm policy all-properties

Conditions:
-- vCMP host with 2+ slots
-- vCMP guest with 2+ slots
-- LTM+ASM provisioned
-- ASM security policy + virtual server configured
-- reboot primary slot of VCMP host

Impact:
There are no ASM policies on the vCMP guest.


853269-1 : Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user

Component: Application Security Manager

Symptoms:
Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages are given

Conditions:
User has a complex role, e.g. ASM Admin in partition A and Guest in partition B

Impact:
User with complex role gets incorrect privileges in "Policy List" and "Security Policy Configuration" pages

Workaround:
N/A


853177-1 : 'Enforcement Mode' in security policy list is shown without value

Component: Application Security Manager

Symptoms:
The 'Enforcement Mode' field in the security policy list has no value.

Conditions:
Security policy list in the GUI is sorted by 'last modified'.

Impact:
Security policy list page has empty 'Enforcement Mode' field.

Workaround:
None.


853161-4 : Restjavad has different behavior for error responses if the body is over 2k

Component: TMOS

Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.

Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.

Impact:
The error response body is deformed when the length of the error body is more than 2k characters


853101-2 : ERROR: syntax error at or near 'FROM' at character 17

Component: TMOS

Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.

Conditions:
Enabled turboflex-security and AFM module.

Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.

Workaround:
None.


852953-1 : Accept Client Hello spread over multiple QUIC packets

Component: Local Traffic Manager

Symptoms:
A QUIC connection does not complete the handshake successfully when the Client Hello spans multiple initial packets.

Conditions:
-- QUIC is in use.
-- A Client Hello is received that spans multiple packets.

Impact:
QUIC is unable to process a Client Hello that spans multiple packets.

Workaround:
None.


852565-5 : On Device Management::Overview GUI page, device order changes

Component: TMOS

Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.

Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device

Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.


852429-1 : "ASM subsystem error" logged when creating policies

Component: Application Security Manager

Symptoms:
After creating certain security policies, errors are logged to /var/log/asm:

crit g_server_rpc_handler_async.pl[2328]: 01310027:2: ASM subsystem error
(asm_config_server.pl,F5::DbUtils::insert_data_to_table): Row 7 of table PLC.PL_SUGGESTIONS is missing viol_index () -- skipping
N

Conditions:
This occurs when creating security policy based on the following security templates:
- drupal
- owa
- sharepoint
- wordpress

Impact:
Misleading errors are logged in ASM log file; they can be safely ignored.


852325-1 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.


852265-1 : Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width

Component: TMOS

Symptoms:
The 'SSL Profile (Client)' and 'SSL Profile (Server)' listboxes (both 'Selected' and 'Available') now have a fixed width when viewing Virtual Server settings.

Conditions:
-- An SSL profile (client or server) with a long name.
-- Accessing the Virtual Server settings page in the GUI.

Impact:
If many SSL profiles start with the same several letters, it may be impossible to detect which one is the desired profile.

Workaround:
None.


852101-1 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.


851857-1 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.


851789-2 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.


851785-3 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


851757-1 : Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION

Component: Local Traffic Manager

Symptoms:
When a TLS END_OF_EARLY_DATA message is received by QUIC, a CONNECTION_CLOSE frame with a CRYPTO_ERROR is produced. However, the error should be a PROTOCOL_VIOLATION.

Conditions:
-- QUIC is in use.
-- A TLS END_OF_EARLY_DATA message is received.

Impact:
A CRYPTO_ERROR is produced, however, the error should be PROTOCOL_VIOLATION.

Workaround:
None.


851581-3 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.


851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.


851425-1 : Update QLOG to draft-01

Component: Local Traffic Manager

Symptoms:
The BIG-IP QLOG implementation is currently on draft-00, and draft-01 has been released.

Conditions:
QUIC and QLOG are in use.

Impact:
Existing third-party applications might remove support for QLOG draft-00 at some point.

Workaround:
None.


851393-1 : Tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
-- IPsec is enabled.
-- Booting up the system.

Impact:
A zombie 'rm' process exists. There should be no other impact.

Workaround:
None.


851385-1 : Failover takes too long when traffic blade failure occurs

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
  
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover


851353-1 : Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request

Component: Local Traffic Manager

Symptoms:
Invalid pseudo header or malformed header in an HTTP/3 request should result in resetting of the stream with error code of HTTP3_GENERAL_PROTOCOL_ERROR. Instead the connection is reset with HTTP3_UNEXPECTED_FRAME error code.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL, and httprouter profiles.
-- HTTP/3 header frame from client with invalid or malformed header is received.

Impact:
Connection is reset with incorrect error code, instead of just the individual stream.

Workaround:
No workaround.


851345-1 : The TMM may crash in certain rare scenarios involving HTTP/2

Component: Local Traffic Manager

Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.

The TMM may crash in rare scenarios when a stream is being torn down.

Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


851101-4 : Unable to establish active FTP connection with custom FTP filter

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.


851045-1 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


851021-1 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error

Component: TMOS

Symptoms:
TMSH error example:

Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist

Conditions:
The conditions under which this occurs are unknown.

Impact:
Load of config file fails with an error that the folder does not exist.

Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.


850997-1 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.


850873-3 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.


850777-3 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.


850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.


850633-1 : Policy with % in name cannot be exported

Component: Application Security Manager

Symptoms:
Policies with characters that are encoded with urlencode in name cannot be exported in GUI

Conditions:
Policies has characters that are encoded with urlencode in name

Impact:
Policy cannot be exported in GUI

Workaround:
Most policies can be cloned, and during clone user can select name without special characters. Then cloned policy can be exported.


850509-1 : 'Decryption of the field (privatekey) for object (13079) failed' message

Component: Global Traffic Manager (DNS)

Symptoms:
During config load or system start-up, you see the following error:

01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded.

Workaround:
None.


850349-1 : Incorrect MAC when virtual wire is configured with FastL4

Component: Local Traffic Manager

Symptoms:
Incorrect MAC is seen in the network when virtual wire is configured with a FastL4 profile.

Conditions:
Virtual wire is configured with a FastL4 profile.

Impact:
Incorrect MAC on the packets.

Workaround:
None.


850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Component: Performance

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.


850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.


849405-2 : LTM v14.1.2.1 does not log after upgrade

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat


849349-5 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}


849269-1 : High CPU usage after Inheritance page opened

Component: Application Security Manager

Symptoms:
After you visit the Policy Inheritance page, there is high CPU usage in the browser until you leave the policies page.

Conditions:
This occurs when opening the Policy Inheritance page for a policy that does not have a parent.

Impact:
High CPU usage by browser

Workaround:
N/A


849157-2 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck

Component: TMOS

Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.

Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.

Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.

Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm

Note: Restarting tmm causes an interruption to traffic.


849085-1 : Lines with only asterisks filling message and user.log file

Component: TMOS

Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.

For example:

Nov 12 10:40:57 bigip1 **********************************************

Conditions:
Snmp query an OID handled by sflow, for example:

snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.

Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) remount /usr as read+write:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl

4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

  For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only
    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) remount /usr as r+w:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:
    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

   For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only:
    mount -o ro,remount /usr


848921-1 : Config sync failure when importing a Json policy

Component: Application Security Manager

Symptoms:
Importing a json policy to a BIG-IP that is in a device group machine causes errors on the other devices, which leads to a sync failure.

Conditions:
This can occur when a json policy is imported to a BIG-IP that is in a device group

Impact:
Config sync fails.


848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration will not sync to peer node.

Workaround:
None.


848757-1 : Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload

Component: Application Security Manager

Symptoms:
Link between 'API protection profile' and 'Security Policy' created with swagger based 'API protection profile' preserved in UCS file. This link is not restored after UCS upload.

Conditions:
UCS upload.

Impact:
'API protection profile' has no link to related security policy.

Workaround:
None.


848681-7 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.


846977-1 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.


846873-4 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config


846521-7 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.


846441-2 : Flow-control is reset to default for secondary blade's interface

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846181-3 : Request samples for some of the learning suggestions are not visible

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.


846141-1 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.

Component: TMOS

Symptoms:
Rest API returns 404 'Object not found"' error when attempting direct access to pool member that has pipe symbol '|' in the server or virtual server name.

Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.

Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.

Workaround:
Rename the server or virtual server to a name that does not contains the | character.


846137-4 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.


846057-3 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/


845933-1 : Unused parameters remain after modifying the swagger file of a policy

Component: Application Security Manager

Symptoms:
After you update the swagger file of a policy, some parameters that are not defined in the updated swagger may remain in the policy.

Conditions:
1. Policy contains global parameters that were added manually
2. All the URL parameters are deleted in the new swagger file

Impact:
Traffic to these parameters will not raise a violation ILLEGAL PARAMETER as expected

Workaround:
The leftover parameters need to be removed manually


845545 : Potential name collision for client-ssl profile named 'clientssl-quic'

Component: Local Traffic Manager

Symptoms:
This release includes a new base client-ssl profile for use by QUIC virtual servers. If an existing client-ssl profile named 'clientssl-quic' exists, it will be overwritten by the new built-in profile after upgrading.

Conditions:
The system to be upgraded has an existing client-ssl profile named 'clientssl-quic'.

Impact:
The existing profile will be overwritten by the new built-in profile.

Workaround:
Rename the existing profile prior to upgrade.


845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.


845313-3 : Tmm crash under heavy load

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


844925-3 : Command 'tmsh save /sys config' fails to save the configuration and hangs

Component: TMOS

Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.

Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.

Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.

Workaround:
Run the command:
tmsh save /sys config binary

This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.

That way, you can reboot the BIG-IP system and not lose the configuration.

Note: It os possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save, which is impossible to predict. It is possible that every time you want to save the config, you must use the binary option.


844689-1 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.


844597-4 : AVR analytics is reporting null domain name for a dns query

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.


844373-1 : Learning suggestion details layout broken in some browsers

Component: Application Security Manager

Symptoms:
One of the suggestion details is placed incorrectly, out of alighment.

Conditions:
This occurs when you open the details for learning suggestion, e.g., based on refinement.

Impact:
Refinement title is out of line.

Workaround:
Use a different browser, if needed.


844337-4 : Tcl error log improvement for node command

Component: Local Traffic Manager

Symptoms:
Because of the Tcl error, connection gets reset and reports an error:

err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"

Conditions:
Using node command under pre-load-balancing iRule events.

Impact:
Unclear port values in Tcl error message.

Workaround:
None.


844169-1 : TMSH context-sensitive help for diameter session profile is missing some descriptions

Component: Service Provider

Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages

Conditions:
When attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help- for example:
list ltm message-routing diameter profile session <sess-name> ?

Impact:
The specified attributes are no described.

Workaround:
These are the missing descriptions:

-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.

-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
  1) Disabled: Retransmission is disabled. This is the default action.
  2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
  3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
  4) Retransmit: The request message will be retransmitted.

-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.

-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.

-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.

-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.


844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.


843661-1 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command

Component: TMOS

Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.

Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.

Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.

Workaround:
None.


843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0


843317-3 : The iRules LX workspace imported with incorrect SELinux contexts

Component: Local Traffic Manager

Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.

This can cause reloading the workspace to fail with errors:

01070079: failed to create workspace archive ... Return code {2}

Conditions:
Importing the iRules LX workspace.

Impact:
Workspace cannot be imported

Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v


842989-6 : PEM: tmm could core when running iRules on overloaded systems

Component: Policy Enforcement Manager

Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.

Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reduce the load on tmm or modify the optimize the irule.


842937-6 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.


842865-2 : Add support for Auto MAC configuration (ixlv)

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.


842669-3 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

-The cron process tries and fails to send an email because of output about a cron script.
-Modify syslog include configuration
-Apply ASM policy configuration change

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first part to the appropriate file, and the other lines to /var/log/user.log.

Workaround:
No known workaround.


842517-2 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails

Component: Local Traffic Manager

Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID

Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.

Impact:
SSL handshake fails.

Workaround:
Restart the PKCS11D.


842425-1 : Mirrored connections on standby are never removed in certain configurations

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


842265-1 : Create policy: trusted IP addresses from template are not shown

Component: Application Security Manager

Symptoms:
If there are trusted IP addresses in the selected template, they are not shown in GUI during policy creation

Conditions:
Create user-defined template from policy with trusted IP addresses.

Impact:
If you manually enter the same IP addresses that were in template, you may get an error message after policy creation

Workaround:
None.


842193-1 : Scriptd coring while running f5.automated_backup script

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
None.


842189-4 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
Configuration including tunnels.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.


842137-3 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Component: Local Traffic Manager

Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition

Impact:
New Keys cannot be created

Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:

1.

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory

2. (this is to confirm the key is present with the label "workaround"

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...

3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm

4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


842125-6 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.


841985-5 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.


841721-2 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.


841649-4 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.


841581 : License activation takes a long time to complete on Google GCE platform

Component: TMOS

Symptoms:
The license installation and activation process takes a very long time to complete.

Conditions:
- BIG-IP Virtual Edition running on Google Compute Engine (GCE) Platform.
- Activating the BIG-IP license.

Impact:
It can take 2-3 minutes to report the device is licensed and 3-4 minutes for BIG-IP system to become Active after that.

Workaround:
None.


841469-6 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.


841369-3 : HTTP monitor GUI displays incorrect green status information

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.


841341-6 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.


841285-1 : Sometimes apply policy is stuck in Applying state

Component: Application Security Manager

Symptoms:
The word "Applying" is displayed long after the policy has been applied.

Conditions:
This can occur when applying policies.

Impact:
It appears that Apply policy is stuck, when it is not.

Workaround:
Refresh the page, or look for the log entry in /var/log/asm

ASMConfig change: Apply Policy Task Apply Policy Task [update]: Status was set to COMPLETED.


841277-7 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.


840809-2 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged

Component: Advanced Firewall Manager

Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.

Conditions:
If subscriber info changes, for example, if a client is sending a radius message with IMSI A - LSN_PB_UPDATE logs are observed. And later when the IMSI is changed to B and another radius message is sent from the client, then LSN_PB_UPDATE log events are not observed.

Impact:
LSN_PB_UPDATE are not logged.


840785-1 : Update documented examples for REST::send to use valid REST endpoints

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.


840769-2 : Having more than one IKE-Peer version value results in upgrade failure

Component: TMOS

Symptoms:
When a 'net ipsec ike-peer' object has the version attribute with more than one value, upgrading to version 15.1.0 results in a failed upgrade.

Conditions:
The version attribute has two values, in this example, 'v1' and 'v2.'

net ipsec ike-peer test {
    my-cert-file default.crt
    my-cert-key-file default.key
    my-id-value 38.38.38.64
    peers-id-value 38.38.38.38
    phase1-auth-method rsa-signature
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha256
    prf sha256
    remote-address 38.38.38.38
    traffic-selector { /Common/homer2 }
    version { v1 v2 }
}

Impact:
Upgrading to version 15.1.0, which allows only one value for the version attribute, results in a failed upgrade/config load error.

Workaround:
Before upgrading, modify your config so that the version attribute has only one value for the version attribute.


839597-6 : Restjavad fails to start if provision.extramb has large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad every few seconds typically due to failure to start and reports messages in daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800MB for v12.1.0 and earlier.
  + above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extrammb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad


839509-1 : Incorrect inheritance treatment in Response and Blocking Pages page

Component: Application Security Manager

Symptoms:
Deception Response Pages is not inherited, but if common response pages are inherited, you are unable to save changes.

Conditions:
-- Deception Response Pages features licensed.
-- Parent policy selected with inheritance of response pages.

Impact:
Deception Response Pages cannot be modified.

Workaround:
None.


839389-1 : TMM can crash when connecting to IVS under extreme overload

Component: Service Provider

Symptoms:
TMM might crash while attempting to connect internally to an internal virtual server (IVS) and the connection setup cannot be completed due to internal factors.

Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


839361-6 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.


839141-1 : Issue with 'Multiple of' validation of numeric values

Component: Application Security Manager

Symptoms:
'Multiple of' validation of numeric values may not be correct in some scenarios.

Conditions:
-- Create default policy from API Security template.
-- Create default decimal parameter with 'Multiple of'=5.
-- Send request to /index.php?param=0.

Impact:
'Multiple of' validation of numeric values does not block as expected.

Workaround:
None.


839121-3 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

 1. cp /config/bigip.conf /config/backup_bigip.conf
 2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
 3. tmsh load /sys config


838925-7 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.


838901-4 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.


838405-3 : Listener traffic-group may not be updated properly when spanning is in use.

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group:

> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled


838353-1 : MQTT monitor is not working in route domain.

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.


838337-1 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.


838305-7 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.


838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.


837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Component: TMOS

Symptoms:
Configuration fails to load after upgrade with a message like
01420006:3: Can't find specified cli schema data for 13.1.1.4

Conditions:
Orphaned bigip_gtm.conf from an older-version.
This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade leaving behind a bigip_gtm.conf with the old schema.

Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
After deprovisioning DNS, before upgrading run
rm -f /config bigip_gtm.conf
tmsh load sys config gtm-only


837617-1 : Tmm may crash while processing a compression context

Component: Local Traffic Manager

Symptoms:
Tmm crashes on segfault.

Conditions:
Conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.


837481-7 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv


For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps


837341-1 : Response and Blocking Pages page: Deception Response pages should not be shown in parent policy

Component: Application Security Manager

Symptoms:
Deception Response pages shown and editable in parent policy.

Conditions:
-- Deception Response Pages feature is licensed and enabled.
-- You are editing the parent policy.

Impact:
Deception Response pages cannot be updated from the parent policy, thus any update of response pages fails with error.

Workaround:
None.


837233-3 : "Application Security Administrator" user role cannot manage Dos Profile GUI

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users in "Application Security Administrator" role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the "Application Security Administrator" role

Impact:
DoS profiles cannot be edited from GUI

Workaround:
Either change user role to allow managing DoS profile or edit profiles from tmsh


836661-2 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.


835517-1 : After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"

Component: Device Management

Symptoms:
After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED" and the REST endpoint /resolver/device-groups/tm-shared-all-BIG-IPs/devices/ may show only one device.

Conditions:
This has been observed during upgrade from 14.x.x to 15.x.x.

Impact:
SSLO won't work as expected

Workaround:
If gossip shows "UNPAIRED" after upgrade, you may need to do following at both devices:

1. Delete existing device information.
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices
 
2. Force updating.
bigstart restart restjavad
restcurl -X POST -d '{}' tm/shared/bigip-failover-state


835505-1 : Tmsh crash possibly related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
tmsh crashes

Conditions:
The conditions that trigger this are unknown, and it occurs rarely. The NGFIPS SDK may core dump as well.

Impact:
Tmsh may crash.


835285-1 : Client browser traffic through APM SWG transparent proxy using captive portal might get reset.

Component: Access Policy Manager

Symptoms:
Client browser traffic through APM Secure Web Gateway is being reset by APM SWG.

Conditions:
-- APM SWG transparent proxy is configured with captive portal. -- Client browser sends redirect to original URI on a TCP connection that was opened before access policy completion on captive portal.

Impact:
The connection is reset.


835209-3 : External monitors mark objects down

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.


834217-7 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.


833685-5 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing becasue they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Idle async handlers remain for a long time.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart it periodically via cron, as idle handlers are soon created again.


833213-1 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.


832665-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.


832661 : Default provisioning for all instances is LTM nominal

Component: TMOS

Symptoms:
Prior to configuring an AWS WAF (AWAF) PAYG cloud instance, you may see errors related to an unlicensed LTM module. This occurs because the default provisioning for all instances is LTM nominal. However, the license associated with an AWAF PAYG cloud instance does not enable the LTM feature. As a result, the default provisioning for an unconfigured AWAF PAYG cloud instance will be incompatible with the PAYG license.

Conditions:
-- This issue relates only to AWAF PAYG cloud instances.
-- Not using the onboarding/templates to configure/provision the instance prior to use.

Impact:
Licensing error messages may be observed before the AWAF cloud instance is configured/provisioned. The functionality works as expected, however, so you can ignore these messages.

Workaround:
The recommended workflow for all cloud instances is to use onboarding/templates to configure/provision the instance prior to use. If this workflow is followed, any provisioning errors associated with the default provisioning are cleared prior to usage.


832233-1 : The iRule regexp command issues an incorrect warning

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.


832133-1 : In-TMM monitors fail to match certain binary data in the response from the server.

Component: Local Traffic Manager

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).


831821-1 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.


830797-3 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.


829821-1 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.


829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad


829193-4 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.


829029-1 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.


828937-1 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local DB (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on local DB.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and can be restarted.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


828789-1 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.


828625-3 : User shouldn't be able to configure two identical traffic selectors

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.


827209-4 : HSB transmit lockup on i4600

Component: TMOS

Symptoms:
TMM shows HSB transmit lockup message and cored.

Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.

Impact:
Disruption to processing traffic on the BIG-IP system.

Workaround:
None.


827021-7 : MCP update message may be lost when primary blade changes in chassis

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.


826313-6 : Error: Media type is incompatible with other trunk members

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.


826265-5 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.


826189-3 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

Component: TMOS

Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).

In contrast, the TMSH utility correctly enforces values for this option.

Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.

Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.

The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.

Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.


825501-3 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.


825413-4 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db


825245-4 : SSL::enable does not work for server side ssl

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.


824437-7 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


824433-3 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.


824205-3 : GUI displays error when a virtual server is modified if it is using an address-list

Component: TMOS

Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:

01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.

Conditions:
This occurs when either of the following occur:

-- When renaming the virtual server.
-- When changing the address-list attribute.

Impact:
Cannot update virtual configuration with new value.

Workaround:
None.


824149-5 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.


823825-7 : Renaming HA VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.


822253-1 : After starting up, mcpd may have defunct child "run" and "xargs" processes

Component: TMOS

Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes

Conditions:
Slow disk storage or large configuration files.

Impact:
Minimal; some zombie processes are created.


822245-2 : Large number of in-TMM monitors results in some monitors being marked down

Component: Local Traffic Manager

Symptoms:
Pool members are marked down from the in-TMM monitor.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
Monitor target may appear down when it is actually up.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable


821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.


820845-3 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.


820333-1 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.


820213-4 : 'Application Service List' empty after UCS restore

Component: TMOS

Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.

Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.

Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.

Workaround:
Run the following command before restoring the UCS file:

clear-rest-storage


819457-1 : LTM high availability (HA) sync should not sync GTM zone configuration

Component: TMOS

Symptoms:
LTM high availability (HA) sync group are syncing GTM zone configuration changes.

Conditions:
1. BIG-IPs has both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.

Impact:
GTM zone files are accidentally modified.


819261-4 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.


819233-3 : Ldbutil utility ignores '--instance' option if '--list' option is specified

Component: Access Policy Manager

Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.

Conditions:
When both '--list' and '--instance' options are specified.

Impact:
The output lists all the local users and not limiting to the '--instance' option given.

Workaround:
None.


818833-1 : TCP re-transmission during SYN Cookie activation results in high latency

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile


818789-7 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile

Component: Local Traffic Manager

Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.

Conditions:
Configure HTTPS Monitor with ssl-profile "None".

Impact:
Ciphers are not exchanged as expected in the ClientHello Packets

Workaround:
Configure HTTPS Monitor without ssl-profile option, default serverssl profile will be used


818777-2 : MCPD error - Trouble allocating MAC address for VLAN object

Component: TMOS

Symptoms:
You see the following errors in /var/log/ltm:

err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.

Conditions:
Conditions under which this occurs are unknown.

Impact:
There is no known impact to the system as a result of this log message.

Workaround:
If this reoccurs, you can try force reloading mcpd.

For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.


818737-3 : Improve error message if user did not select a address-list or port list in the GUI

Component: TMOS

Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.

Conditions:
-- Virtual server's source address section.

Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.

Workaround:
Click to select the address-list of port-list displayed as source address for Virtual Server.


818721-3 : Virtual address can be deleted while it is in use by an address-list.

Component: Local Traffic Manager

Symptoms:
-- The virtual-address (and virtual server) will no longer work.

-- The BIG-IP won't answer ARP requests for it.

-- Loading the config again or performing similar operations will not re-create the virtual-address.

Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).

Impact:
Traffic processing is disrupted


818505-1 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.


818297-3 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp


817989-1 : Cannot change managemnet IP from GUI

Component: TMOS

Symptoms:
You are unable to change the management IP from the GUI

Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.

Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.

Workaround:
Use tmsh to create the management IP. This will overwrite the old one.

Example:
create /sys management-ip [ip address/prefixlen]

To view the management IP configurations

tmsh list /sys management-ip


817137-1 : SSO setting for Portal Access resources in webtop sections cannot be updated.

Component: Access Policy Manager

Symptoms:
SSO setting for Portal Access (PA) resource assigned to any webtop section cannot be updated due to the following error:

No such atomic attribute:name in class:webtop_section_webtop_section_resource

Configuration with such a resource cannot be transferred to another BIG-IP system due to the same error.

Conditions:
BIG-IP system configuration with the following objects:
-- SSO configuration (any type).
-- PA resource with resource item.
-- The webtop section with the PA resource.
-- Full webtop.
-- Per-session access policy with resource assignment agent which assigns webtop, webtop section, and PA resource.

Impact:
Configuration cannot be updated or transferred.

Workaround:
Delete webtop sections from the configuration and re-create them after transfer / upgrade / update process.


817089-3 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing

Component: TMOS

Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.

Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.

Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.

Workaround:
Disable HW acceleration.


816953-1 : RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy

Component: Local Traffic Manager

Symptoms:
RST_STREAM is sent on a serverside stream in closing state in HTTP/2 full proxy.

Conditions:
-- HTTP/2 clientside and serverside profiles are attached to the virtual server.
-- HTTP and httprouter profiles are attached to the virtual server.
-- Race between clientside and serverside closing, where clientside closes faster.

Impact:
RST_STREAM is sent on a stream in closed state.


816353-3 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1

Component: TMOS

Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.

Conditions:
Occurs during license reload or reactivation.

Impact:
After a license reload, the unknown trap can be seen like the following:

run "tcpdump -ni mgmt port 162 -vvvv &":

12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
    10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }


816233-1 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies created with a less broad character set than they could be.

Workaround:
None.


816229-3 : Kernel Log Messages Logged Twice

Component: TMOS

Symptoms:
You see duplicate log messages in /var/log/kern.log

Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0

Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.


815877-2 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.


814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814353-6 : Pool member silently changed to user-disabled from monitor-disabled

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.


814273-1 : Multicast route entries are not populating to tmm after failover

Component: TMOS

Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.

Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.

Impact:
Multicast traffic does not pass through properly

Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group


814037-6 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813969-5 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.


813701-6 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.


813221-5 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.


812705-3 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.


812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd


811053-6 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.


811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.


810821-3 : Management interface flaps after rebooting the device

Component: Local Traffic Manager

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.


810533-2 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.


810381-2 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.


809553-5 : ONAP Licensing - Cipher negotiation fails

Component: TMOS

Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.

Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.

Impact:
TLS negotiation fails.

Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.


807945-3 : Loading UCS file for the first time not updating MCP DB

Component: TMOS

Symptoms:
MCP DB is not updated after loading a UCS file.

Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.

Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.

Workaround:
Load the same UCS again.

The MCP DB gets updated properly.


807821-5 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.


807569-2 : Requests fail to load when backend server is overriding request cookies and Bot Defense is used

Component: Application Security Manager

Symptoms:
When Bot Defense is used on the backend server that overrides request cookies, requests to non-HTML resources may fail , or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each cookie request cookie it did not recognize.

Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the TS Bot Defense cookies.

Impact:
Some URLs fail to load following the JavaScript challenge.

Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:
when HTTP_REQUEST_RELEASE {
    HTTP::cookie remove "TSPD_101"
}


807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
Web UI shows misleading info about pool monitor.The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


807309-3 : Incorrect Active/Standby status in CLI Prompt after failover test

Component: TMOS

Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.

Conditions:
This occurs under the following conditions:

1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.

Impact:
Status shown in the prompt does not change.

Workaround:
Do not run 'promptstatusd -y' command manually.

The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.

Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.


807005-5 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration it not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


806073-1 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.


805417-3 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd


804309-1 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false


803833-7 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host

Component: TMOS

Symptoms:
An upgrade or UCS restore fails on the host with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.


803629-7 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.


803237-2 : PVA does not validate interface MTU when setting MSS

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.


803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.


803157-3 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots

Component: TMOS

Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.

Conditions:
Reboot the BIG-IP system.

Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.

Workaround:
None.


803109-3 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows

Component: Local Traffic Manager

Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.

Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.

Impact:
Zombie forwarding flows. Over time, the the current allocation count grows and does not return to its prior level when traffic stops.

Workaround:
None.


802873-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.

Conditions:
-- XML policy file is missing a response header.
-- Import the policy.

Impact:
The affected reponse page is not returned for traffic as expected, and an error is reported instead.

Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.

Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.


802685-2 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802421-6 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


801549-1 : Tmm memory utilization growth.

Component: Local Traffic Manager

Symptoms:
Tmm memory growth with improper high availability (HA) configuration.

Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
  + Persistence mirroring is configured.
  + Connection mirroring of a virtual server with a persistence profile.

Impact:
Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.

Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.

- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.


801497-3 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.


799749-2 : Asm logrotate fails to rotate

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.


799001-1 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.


798885-4 : SNMP response times may be long due to processing burden of requests

Component: TMOS

Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.

Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.

Impact:
SNMP clients might think the BIG-IP system has become unresponsive.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.


797829-6 : The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps.

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new iApps or to reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequentially, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.


796985-3 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'

Component: TMOS

Symptoms:
vCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:

-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...

Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.

Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.

Workaround:
There are 3 workarounds:
-- Assign IPv4 management-ip for the guest PRIOR to upgrade:
tmsh modify vcmp <guest_name> management-ip <ip>/<mask>

-- Prior to upgrade, assign IPv6 'Alt-Address' within the guest:
tmsh modify sys cluster default alt-address <IP>/<mask>

-- When already upgraded and seeing the issue on a guest: execute:

> /shared/db/cluster.conf

The config loads, and /shared/db/cluster.conf is recreated:

cat /shared/db/cluster.conf
cluster default {
    alt_addr="192.168.1.246/24" ====>
    min_up_members="1"
    min_up_members_enable="disable"
    min_up_members_action="failover"
    addr 192.168.1.246/24 ====>
    members {
        1
        2
        3
        4
    }
    software HD1.1 "BIG-IP 14.1.0.3 0.0.6 0.0.6" true
    software HD1.2 " " false
    software HD1.3 " " false
}


796601-2 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


794417-4 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration will not load if saved.

Workaround:
Do not simultaneously disable 'Enforce TLS Requirements' in the HTTP/2 profile, and enable 'TLS Renegotiation' in the Client SSL profile on a single virtual server.


794385-3 : BGP sessions may be reset after CMP state change

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.


793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.


791361-3 : Configured management port rules can be lost after loading UCS file and rebooting

Component: Advanced Firewall Manager

Symptoms:
Configured management port rules are missing after loading a UCS file that adds the management-ip to the failover network, and subsequently rebooting.

Conditions:
-- Load a UCS file that adds the management-ip to the failover network.
-- Reboot.

Impact:
Management port rules can be lost. This can prevent normal operation of high availability (HA) configurations.

Workaround:
There is no workaround at this time.


790845-4 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.


789181-5 : Link Status traps are not issued on VE based BIG-IP systems

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.

Workaround:
None.


788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.


788577-7 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.


788513-6 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


787973-1 : Potential memory leak when software crypto request is canceled.

Component: Local Traffic Manager

Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.

Conditions:
There are a number of reasons why a software crypto request may be canceled.

Impact:
Memory may leak.

Workaround:
No workaround.


786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


785877-5 : VLAN groups do not bridge non-link-local multicast traffic.

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.


785741-3 : Unable to login using LDAP with 'user-template' configuration

Solution Article: K19131357

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.


785361-3 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.

Conditions:
L2Wire mode.

Impact:
All srcIP 0.0.0.0 packets are dropped silently.

Workaround:
Configure the virtual server to be in L2-forward mode.


785017-3 : Secondary blades go offline after new primary is elected

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.


783165-1 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.


783113-7 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted


781985-2 : DNSSEC zone SEPS records may be wiped out from running configuration

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain circumstances, DNSSEC zone SEPS records may be wiped out from running configuration.

Conditions:
This occurs only with GTM configurations loaded by the command: tmsh load sys config gtm-only.

Impact:
SEPS records may be lost after a configuration reload.

Workaround:
None.


780745-3 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access

Component: TMOS

Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.

Conditions:
Duplicate access records are created in TMSH.

Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.

Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.

If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.


780437-6 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


778817-3 : Invalid client request can cause un-captured exception on ASM container.

Component: iApp Technology

Symptoms:
Posting invalid message body content can cause restnoded to restart.

Conditions:
Post request with invalid data.

Impact:
ASM service disruption and loss of the state on in-process service requests.

Workaround:
NA


778513-1 : APM intermittently drops log messages for per-request policies

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.


777389-5 : In a corner case, for PostgreSQL monitor MCP process restarts

Component: TMOS

Symptoms:
MCP expects a monitoring response from SQL server and starts polling for data continuously, resulting in infinite loop.

Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.

Impact:
MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
None.


776393-3 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
Restjavad frequently (approximately every 5 minutes) restarting due to OutOfMemory:Java heap space with no extra memory.

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is two-step process.

1. Update memory allocated to the control plane using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad is 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
   tmsh modify sys db restjavad.useextramb value true
   bigstart restart restjavad


775797-3 : Previously deleted user account might get authenticated

Component: TMOS

Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Conditions:
-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known).

Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Workaround:
None.


774617-3 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.


774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.


771961-3 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.


769817-7 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.


769581-5 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.


767737-4 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767341-1 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: TMOS

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable


767217-5 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


767045-4 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


766593-5 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]


765365-2 : ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive

Component: Application Security Manager

Symptoms:
ASM blocks a legal request and fires CSRF false positive violations when csrf JavaScript code is injected into a page without an html tag.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF protection configured.
-- HTML pages learning features enabled.(BruteForce/WebScraping).
-- CSRF JavaScript code is injected into a page without an html tag.

Impact:
HTTP requests are blocked sometimes when they should not be.

Workaround:
To workaround this issue, configure asm internal and then restart asm, as follows:

/usr/share/ts/bin/add_del_internal add cs_resp_ingress_count 1
bigstart restart asm


764969-2 : ILX no longer supports symlinks in workspaces as of v14.1.0

Component: Local Traffic Manager

Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].

Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).

Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.

Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.


762137-3 : Ping6 with correctly populated NDP entry fails

Component: Local Traffic Manager

Symptoms:
TMM NDP entries show correct info with neighbor discovery protocol (NDP) resolved but ping6 fails

Conditions:
This occurs only on a cluster setup. Other conditions that cause the issue are unknown.

Impact:
Ping6 fails for that address.

Workaround:
None.


760835-2 : Static generation of rolling DNSSEC keys may be missing when the key generator is changed

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP system may lose DNSSEC keys if the key generator is changed from rolling keys to static keys

Conditions:
DNSSEC key generation is changed from rolling to static.

Impact:
DNSSEC keys may be lost.

Workaround:
None.


760833-2 : BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner.

Conditions:
Generating a DNSSEC key.

Note: This is an intermittent issue.

Impact:
DNSSEC keys may not be synced.

Workaround:
None.


760752-3 : Internal sync-change conflict after update to local users table

Component: Device Management

Symptoms:
-- The 'top' command shows Java and mcpd becoming CPU intensive.
-- /var/log/audit shows many 'modify { user_role_partition { user_role_partition_user ...'
-- /var/log/restjavad-audit.0.log shows many REST API calls to 'http://localhost:8100/mgmt/shared/gossip' from the peer.

Conditions:
-- Create a new admin user with bash access on a device.

Impact:
High CPU usage (Java and mcpd) on control and analysis plane.

Workaround:
To work around this issue, follow these steps:

1. Sync from the device where the user was created.
2. Run the following command on all devices:
tmsh restart sys service restjavad

Although Java and mcpd will still show high CPU usage even after restart, waiting a few minutes enables the processes to return to normal.


760622-5 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt


760406-1 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.


Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.


760354-4 : Continual mcpd process restarts after removing big logs when /var/log is full

Component: TMOS

Symptoms:
Unit suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Fix the logs and reboot the BIG-IP system.


759737-3 : Control and Analysis Plane CPU usage statistics may be inaccurate

Component: TMOS

Symptoms:
CPU usage statistics reported for Control and Analysis planes are not always allocated appropriately between the two planes.

Conditions:
Non-Data plane processes consuming CPU cycles generate usage statistics that are then classified as Control or Analysis plane CPU usage.

Impact:
CPU usage statistics for Control and Analysis planes may not provide actionable data due to their inaccuracy.

Workaround:
None.


759671-2 : Unescaped slash in RE2 in user-defined signature should not be allowed

Component: Application Security Manager

Symptoms:
An unescaped slash in RE2 keyword in a user-defined signature caused a REST PATCH to the signature to have no effect.

Conditions:
A user-defined signature has an unescaped slash in RE2 keyword.

Impact:
REST PATCH to update the user-defined signature has no effect.

Workaround:
The slash in the signature keyword must be escaped by backslash.


759606-3 : REST error message is logged every five minutes on vCMP Guest

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}


758781 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758491-3 : When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys

Component: Local Traffic Manager

Symptoms:
Ltm log showing SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:57106 -> 192.0.2.200:5607
warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log will show:

2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===

Conditions:
Fipskey.nethsm wrapper was used to create keys in any of the following scenarios:

1. Keys were created on earlier versions of BIG-IP software, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm

Impact:
SSL handshake failures

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm

Where key_label is the rightmost string in the output of the Thales command: nfkminfo -l.


758041-1 : Pool Members may not be updated accurately when multiple identical DB monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more DB monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical "send" and "recv" strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as "recv row" or "recv column" indicating where the specified "recv" string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple DB monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a DB monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each DB monitor with some unique value within the 'send' and 'recv' parameters.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}


757787-3 : Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in a LTM Policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


757167-3 : TMM logs 'MSIX is not supported' error on vCMP guests

Component: TMOS

Symptoms:
On vCMP guests, logs of 'MSIX is not supported' messages apppear in /var/log/tmm.

Conditions:
This occurs only on vCMP guests.

Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.

Workaround:
None.


757029-6 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756313-6 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
To restore the state of the member, remove it, and add it back to the pool.


756139-3 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.


755976-4 : ZebOS might miss kernel routes after mcpd deamon restart

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.


755197-5 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.


754460-3 : No failover on HA Dual Chassis setup using HA score

Component: TMOS

Symptoms:
On a high availability (HA) set up of two chassis, an HA failover does not occur, despite HA score on Standby being greater than Active.

Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.

Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.

Workaround:
None.


753715-2 : False positive JSON max array length violation

Component: Application Security Manager

Symptoms:
False-positive JSON max array length violation is reported.

Conditions:
-- JSON profile is used.
-- The violation is coming for non-array under certain conditions.

Impact:
The system reports a false-positive violation.

Workaround:
None.


753536-3 : REST no longer requires a token to login for TACACS use

Component: TMOS

Symptoms:
Configurations that previously used TACACS for authentication in order to make REST requests are no longer required to use a token for remote authentication. You can simply use username and password.

Conditions:
Use of remote authentication using TACACS.

Impact:
If you have scripts that automatically request tokens, you no longer need them.

Workaround:
None.


752228-2 : GUI Network Map to account for objects in a Disabled By Parent state

Component: TMOS

Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.

Conditions:
Viewing objects with Disabled By Parent state in Network Map.

Impact:
The status shown in the map and summary view does not reflect the correct status.

Workaround:
Use the object list views to filter by status to see the correct status.


751586-3 : http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
translate-address disabled on a http2 virtual is getting ignored

Conditions:
http2 virtual and translate-address disabled configured

Impact:
The traffic is translated to the destination address to the pool member

Workaround:
none


751103-2 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.


750588-3 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.

Component: TMOS

Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.

Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.

Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.

Workaround:
Set db key 'provision.extramb' to 1024 or greater.


746861-3 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated

Component: TMOS

Symptoms:
The SFP interfaces do not come up or flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.

When interface flaps state changes such as those below are logged in ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN

Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.

This is typically observed after an upgrade to an affected version.

Impact:
Traffic cannot be sent/received from these interfaces.

Workaround:
None.


746758-1 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.


746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


745465-4 : The tcpdump file does not provide the correct extension

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.


744743-2 : Rolling DNSSEC Keys may stop generating after BIG-IP restart

Component: Global Traffic Manager (DNS)

Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restart.

Conditions:
BIG-IP system gets restarted by calling 'bigstart restart' command.

Impact:
Rolling DNSSEC keys can stop generating.

Workaround:
None.


743234-6 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.


742753-5 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.


742105-3 : Displaying network map with virtual servers is slow

Component: TMOS

Symptoms:
The network map loads slowly when it contains lots of objects.

Conditions:
Load the network map in a configuration that contains 1000 or more objects.

Impact:
The network map loads very slowly.

Workaround:
None.


739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}


738032-3 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.

Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.

Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.

Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.


737322-3 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


737098-1 : ASM Sync does not work when the configsync IP address is an IPv6 address

Component: TMOS

Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.

Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.

Impact:
ASM configuration does not synchronize across the Device Group.

Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server


730852-1 : The tmrouted repeatedly crashes and produces core when new peer device is added

Component: TMOS

Symptoms:
There is a tmrouted crash when new peer device is added.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.

Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.


726164-2 : Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system

Component: Global Traffic Manager (DNS)

Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system is on standby for a length of time

Conditions:
BIG-IP system is on standby for a length of time, in general, longer than twelve hours.

Impact:
Rolling DNSSEC keys can stop regenerating.

Workaround:
None.


724824-1 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.


720440-6 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.


719555-3 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface


718796-5 : IControl REST token issue after upgrade

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.

Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may loose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add repro user account using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.


718573-3 : Internal SessionDB invalid state

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
SessionDB is accessed in a specific way that results in an invalid state.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


718230-8 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented

Component: TMOS

Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.

Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.

Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:

-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.

Workaround:
None.


717174-3 : WebUI shows error: Error getting auth token from login provider

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


716140-3 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors

Component: TMOS

Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.

If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:

snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)

Conditions:
Custom SNMP v3 users created and exist in /config/net-snmp/snmpd.conf 'zeroed out' data:

Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):

  usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x

Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.

For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:

  snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
  
  snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).

Workaround:
Use tmsh to configure SNMP users.


714642-2 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.


714502-3 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.


714216-4 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current-partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current-partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


714176-1 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config


713614-7 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Component: TMOS

Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.

Impact:
Virtual Server does not fail over with floating traffic group as expected.


713183-6 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.


712241-3 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.


710809-5 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.


709952-4 : Disallow DHCP relay traffic to traverse between route domains

Component: Local Traffic Manager

Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.

Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.

Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.

Workaround:
There is no workaround at this time.


708803-3 : Remote admin user with misconfigured partition fallback to "All"

Component: TMOS

Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.

Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.

Impact:
Administrator users have access to all partitions.

Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.


706685-1 : Unable to log into BIG-IP GUI after partition is deleted

Component: TMOS

Symptoms:
The BIG-IP GUI no longer presents a login dialog if a GUI's session becomes invalidated while it is viewing a partition that has subsequently been deleted.

Conditions:
-- A GUI session is logged in and a non-/Common partition is selected.
-- The GUI session expires or is invalidated (producing the message 'Your login credentials are no longer valid').
-- While in that state, the selected partition is deleted via an SSH session.
-- A subsequent attempt is made to log into the GUI (in any browser).

Impact:
Unable to log into the BIG-IP GUI. The UI consists of a grey backdrop colour with a partially drawn login field. There is no way to enter text into the field, so there is no way to log in. You must use SSH to log into the device and restart the tomcat process.

In the browser's JavaScript console, the following message may be seen:

  Uncaught TypeError: Cannot read property 'style' of null at window.onload (login.jsp:35).

Workaround:
Use SSH to log into the device, and restart the tomcat process:
tmsh restart sys service tomcat


705768-2 : dynconfd may core and restart with multiple DNS name servers configured

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query while multiple DNS name servers are configured or the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.


700639-2 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000


696348-5 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.


692218-1 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.


689147-3 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.


688231-3 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


675911-9 : Different sections of the WebUI can report incorrect CPU utilization

Solution Article: K13272442

Component: TMOS

Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)

Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.


673573-1 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.


671025-4 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured

Component: TMOS

Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files

Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.

Impact:
devmgmtd has too many open files causing iControl issues as it is unable to communicate with devmgmtd.

Workaround:
None.


662301-2 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Component: TMOS

Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration error or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd


658943-3 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use either of the following Workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.


658850-3 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>


654635-1 : FTP virtual server connections may rapidly reuse ephemeral ports

Solution Article: K34003145

Component: TMOS

Symptoms:
The BIG-IP system reuses ephemeral ports quickly, which might cause connections to fail, because those ports are in TIME-WAIT state on the server.

Conditions:
-- FTP active mode is used.
-- Virtual server source-port change.

-- Running on an affected platform:
--- BIG-IP 5000 series (C109)
--- BIG-IP 7000 series (D110)
--- BIG-IP 10000s/10050s/10200v/10250v (D113, D112)
--- B4300 / B4340N VIPRION blades (A108, A110)

Impact:
FTP active mode connections might fail.

Workaround:
There is no complete workaround. However, you can mitigate the issue using the default setting source-port=preserve on the virtual server.

As alternatives, you can also try the following:
-- Switching client traffic to Passive FTP.
-- Enabling TIME_WAIT reuse on the FTP server, if the operating system supports it.


646768-1 : VCMP Guest CM device name not set to hostname when deployed

Solution Article: K71255118

Component: TMOS

Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.

Impact:
The vCMP guest does not use the configured hostname.

Workaround:
-- In tmsh, run the following commands, in sequence:

 mv cm device bigip1 HOSTNAME
 save sys config

-- Rename the device name in the GUI.


646440-5 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config


640842-5 : ASM end user using mobile might be blocked when CSRF is enabled

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.


625807-3 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule iRule, this log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.


621260-7 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


617636-3 : LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System)

Solution Article: K15009669

Component: TMOS

Symptoms:
Error during compilation of MIB file F5-BIGIP-LOCAL-MIB.txt in NMS:

Unexpected token: in /.../mibs/F5-BIGIP-LOCAL-MIB.mib line no: 27738.

The above compilation error is caused by missing commas in F5-BIGIP-LOCAL-MIB.txt:
 
ltmFwRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1)staged(2), <===== comma missing here
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwRuleStatEntry 6 }

ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1)staged(2), <===== comma missing here
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwPolicyRuleStatEntry 6 }

Conditions:
Compile F5-BIGIP-LOCAL-MIB.txt from 11.6.x versions in NMS.

Impact:
F5-BIGIP-LOCAL-MIB.txt fails to compile in NMS.

Workaround:
Correct syntax in the F5-BIGIP-LOCAL-MIB.txt file, as follows:

ltmFwRuleStatRuleStatType OBJECT-TYPE
        SYNTAX INTEGER {
                enforced(1),
                staged(2),
                active(3),
                overlapper(4)
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
                ""
        ::= { ltmFwRuleStatEntry 6 }

ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1),
        staged(2),
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwPolicyRuleStatEntry 6 }


615329-1 : Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces

Component: TMOS

Symptoms:
IPv6 virtual servers may not be reachable on specific Virtual Edition (VE) instances, based on the interfaces used by that instance.

Conditions:
VE with IPv6 virtual servers configured. The VE instance must have SR-IOV interfaces, or KVM virtio interfaces backed by macvtap.

Impact:
Special configuration procedure is required.

Workaround:
Follow the defined configuration procedure by explicitly listing the VLANs for which this VIP is enabled. For example, in TMSH:

'modify ltm virtual <name> vlans-enabled'
'modify ltm virtual <name> vlans add { <vlans> }'


593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.


587821-10 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


583084-6 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.


580715-2 : ASM is not sending 64k remote logs over UDP

Component: Application Security Manager

Symptoms:
The following log messages appears in bd.log and asm.log: ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>

Conditions:
A remote logger with UDP and with max message length of 64k

Impact:
Missing logs in the remote logger.

Workaround:
Change the remote logger to TCP or (reduce the message length to 1k)


579219-5 : Access keys missing from SessionDB after multi-blade reboot.

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.


560682-3 : The REST Framework no longer works when downgrading from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x

Component: Device Management

Symptoms:
After activating an earlier software version (by downgrading from a later version, or any other means) from BIG-IP version 12.x or 13.x to 11.6.x or 11.5.x, the REST Framework no longer works.

At this time, iControl REST requests issued against the BIG-IP system return a 404 HTTP status code.

Additionally, the BIG-IP system logs messages similar to the following example to the /var/log/httpd/httpd_errors file:

Dec 3 15:57:51 localhost err httpd[14486]: [error] [client 192.168.94.48] File does not exist: /usr/local/www/mgmt

Conditions:
- Upgrading the BIG-IP system to version 12.x or 13.x and then activating a previous boot location containing 11.5.x or 11.6.x.

- Utilizing iControl REST.

Impact:
iControl REST does not work on the older software version.

Note: If you boot back into the version 12.x or 13.x slot, iControl REST functionality returns.

Workaround:
To recover from this issue and restore iControl REST functionality on the older software version, run the following command:

rm -fv /shared/lib/rpm/* && reboot


Note: On a VIPRION or vCMP system with multiple blades, you should run "clsh 'rm -fv /shared/lib/rpm/* && reboot'" instead, so that all blades are fixed and the system will work regardless of which blade becomes primary after the reboot.


554506-1 : PMTU discovery from management does not work

Solution Article: K47835034

Component: TMOS

Symptoms:
You encounter connectivity issues to management interface.

Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.

Impact:
Connectivity issues to management interface.

Workaround:
None.


512490-11 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.


499348-11 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge.


489960 : Memory type stats is incorrect

Component: WebAccelerator

Symptoms:
When tmm allocates memory, it adds up stats per memory type allocated. AAM is not properly marking memory type for strings objects, affecting other types of memory stats depending on configuration and release.

Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.

Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.

Workaround:
None.


469724-3 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue


438684-1 : Access Profile Type of SSO requires SSO configuration at create time

Component: Access Policy Manager

Symptoms:
If you start to create an Access Profile and you set the Profile Type to SSO, you cannot complete the configuration from the New Profile screen unless an SSO configuration already exists.

Conditions:
Attempt to create a new Access Profile of Type SSO without having an existing SSO to select.

Impact:
Cannot create a new Access Profile of Type SSO until an SSO Configuration has been created and then selected for use within Access Profile.

Workaround:
To work around this problem, you can create an SSO Configuration prior to creating the new Access Profile of Type SSO.


398683-4 : Use of a # in a TACACS secret causes remote auth to fail

Solution Article: K12304

Component: TMOS

Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.

Conditions:
TACACS secret contains the '#' character.

Impact:
TACACS remote auth fails.

Workaround:
Do not use the '#' character in the TACACS secret.


385013-2 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.


382363-3 : min-up-members and using gateway-failsafe-device on the same pool.

Solution Article: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.


353607-1 : cli global-settings { service number } appears to have no effect

Component: TMOS

Symptoms:
cli global-settings { service number } appears to have no effect.

Conditions:
cli global-settings { service number } command.

Impact:
Has no effect.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************