Applies To (version 15.1.0):
- BIG-IP AAM
- BIG-IP APM
- BIG-IP Link Controller
- BIG-IP Analytics
- BIG-IP LTM
- BIG-IP AFM
- BIG-IP PEM
- BIG-IP FPS
- BIG-IP DNS
- BIG-IP ASM
BIG-IP Release Information
Version: 15.1.0
Build: 31.0
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
805837 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
799617 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
795197 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
794389 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
771873 | CVE-2019-6642 | K40378764 | TMSH Hardening |
769589 | CVE-2019-6974 | K11186236 | CVE-2019-6974: Linux Kernel Vulnerability |
767373 | CVE-2019-8331 | K24383845 | CVE-2019-8331: Bootstrap Vulnerability |
759343-8 | CVE-2019-6668 | K49827114 | MacOS Edge Client installer does not follow best security practices |
758065 | CVE-2019-6667 | K82781208 | TMM may consume excessive resources while processing FIX traffic |
757023 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
753975-1 | CVE-2019-6666 | K92411323 | TMM may crash while processing HTTP traffic with AAM |
810657 | CVE-2019-6674 | K21135478 | Tmm core while using service chaining for SSLO |
795797 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
794413 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
788773 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
781449 | CVE-2019-6672 | K14703097 | Increase efficiency of sPVA DoS protection on wildcard virtual servers |
777737 | CVE-2019-6671 | K39225055 | TMM may consume excessive resources when processing IP traffic |
773673 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
768981 | CVE-2019-6670 | K05765031 | vCMP Hypervisor Hardening |
761014 | CVE-2019-6669 | K11447758 | TMM may crash while processing local traffic |
758018 | CVE-2019-6661 | K61705126 | APD/APMD may consume excessive resources |
756458 | CVE-2018-18559 | K28241423 | Linux kernel vulnerability: CVE-2018-18559 |
755674 | CVE-2018-10883 | K94735334 | CVE-2018-10883: Linux kernel vulnerability |
745103 | CVE-2018-7159 | K27228191 | NodeJS Vulnerability: CVE-2018-7159 |
798249 | CVE-2019-6673 | K81557381 | TMM may crash while processing HTTP/2 requests |
793937 | CVE-2019-6664 | K03126093 | Management Port Hardening |
773653-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
773649-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
773641-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
773637-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
773633-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
773621-8 | CVE-2019-6656 | K23876153 | APM Client Logging |
756571-1 | CVE-2018-17972 | K27673650 | CVE-2018-17972: Linux kernel vulnerability |
759536 | CVE-2019-8912 | K31739796 | Linux kernel vulnerability: CVE-2019-8912 |
757617 | CVE-2018-16864, CVE-2018-16865, CVE-2018-16866 | K30683410 | Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866 |
747060 | CVE-2018-12384 | K41738501 | CVE-2018-12384: NSS Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
808225 | 2-Critical | | Change in default password policy for the number of characters that must differ between passwords |
801861 | 2-Critical | | iApp Templates are now marked as Deprecated |
782529 | 2-Critical | | iRules does not follow current design best practices |
743946 | 2-Critical | | Tmsh loads schema versions 12.x and earlier, which are no longer supported★ |
804273 | 3-Major | | TMM is unable to redirect RRDAG'd traffic |
802977 | 3-Major | | PEM iRule crashes when an attempt is made to set more than 10 policies for a subscriber |
790949 | 3-Major | | MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' do not match behavior |
790897 | 3-Major | | In the GUI, no warning messages are displayed for iRules |
773793 | 3-Major | | FPGA firmware L7 bandwidth performance increase for iSeries platforms |
771705 | 3-Major | | You may not be able to log into BIG-IP Cloud Edition if FSCK fails |
769193 | 3-Major | | Added support for faster congestion window increase in slow-start for stretch ACKs |
760234 | 3-Major | | Configuring Advanced shell for Resource Administrator user has no effect |
759135 | 3-Major | | AVR report limits are locked at 1000 transactions |
757813 | 3-Major | | Unable to use an iRule to classify traffic that has already been classified |
756269 | 3-Major | | A new CLI command added to retrieve DoS vector stats |
754875 | 3-Major | | Enable FIPS in prelicensed VE images without requiring a reboot |
751512 | 3-Major | | CGN inbound connections should not bypass AFM firewall rules |
747013 | 3-Major | | Add OCSP server support to IKEv2 negotiation for IPsec peer authentication |
744937 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
738330 | 3-Major | | /mgmt/toc endpoint issue after configuring remote authentication |
707276 | 3-Major | | In-use, expired certificates now have a warning in the GUI |
704552-3 | 3-Major | | Support for ONAP site licensing |
558976 | 3-Major | | Improvement to cause tmm to core when mcpd exits |
788269 | 4-Minor | | Adding toggle to disable AVR widgets on device-groups |
767989 | 4-Minor | | DNSSEC RRSIG Inception Offset |
763065 | 4-Minor | | The monitor probing frequency has been adjusted because more than 20 synchronous monitors were detected |
617134 | 4-Minor | | Encryption and authentication keys for IKEv2 are not logged |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
819089-1 | 1-Blocking | K63920829 | Manually licensing a versioned VE license through the GUI fails to activate the license★ |
809553-1 | 1-Blocking | | ONAP Licensing - Cipher negotiation fails |
778317 | 1-Blocking | | IKEv2 HA after Standby restart has race condition with config startup |
819009 | 2-Critical | | Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in a high availability (HA) config with a floating self IP configured for the PIM protocol |
818709 | 2-Critical | | TMSH does not follow current best practices |
817085 | 2-Critical | | Multicast flood can cause the host TMM to restart |
814953 | 2-Critical | | TMUI dashboard hardening |
813517 | 2-Critical | | The cron daemon is not running after upgrade from pre-v14.1.0 versions to 15.0.x★ |
810593 | 2-Critical | | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ |
808129 | 2-Critical | | Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS |
807453 | 2-Critical | | IPsec works inefficiently with a second blade in one chassis |
806093 | 2-Critical | | Unwanted LDAP referrals slow or prevent administrative login |
800185 | 2-Critical | | Saving a large encrypted UCS archive may fail and might trigger failover |
796113 | 2-Critical | | Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list★ |
793045 | 2-Critical | | File descriptor leak in net-snmpd while reading /shared/db/cluster.conf |
792285 | 2-Critical | | TMM crashes if queuing a message to all HSL pool members fails |
789993 | 2-Critical | | Failure when upgrading to 15.0.0 with config move and static management-ip |
789169 | 2-Critical | | Unable to create virtual servers with port-lists from the GUI★ |
788033-4 | 2-Critical | | tpm-status may return "Invalid" after engineering hotfix installation |
781377 | 2-Critical | | tmrouted may crash while processing Multicast Forwarding Cache messages |
780817-1 | 2-Critical | | TMM can crash on certain vCMP hosts after modifications to VLANs and guests |
777993 | 2-Critical | | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same |
777229 | 2-Critical | | IPsec improvements to internal pfkey messaging between TMMs on multi-blade |
775897 | 2-Critical | | High Availability failover restarts tmipsecd when tmm connections are closed |
774361 | 2-Critical | | IPsec High Availability sync during multiple failover via RFC6311 messages |
770953-2 | 2-Critical | | 'smbclient' executable does not work |
769817-1 | 2-Critical | | BFD fails to propagate session state change during blade restart |
769581-3 | 2-Critical | | Timeout when sending many large iControl REST requests |
769357 | 2-Critical | | IPsec debug logging needs more organization and is missing HA-related logging |
769341 | 2-Critical | | HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs |
769169-2 | 2-Critical | | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring |
767877 | 2-Critical | | TMM core with Bandwidth Control on flows egressing on a VLAN group |
767013 | 2-Critical | | Reboot when B2150 and B2250 blades' HSB is in a bad state, observed through HSB sending continuous pause frames to the Broadcom switch |
762385-1 | 2-Critical | | Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★ |
762205 | 2-Critical | | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears |
757722 | 2-Critical | | Unknown notify message types unsupported in IKEv2 |
756402 | 2-Critical | | Re-transmitted IPsec packets can have garbled contents |
755716 | 2-Critical | | IPsec connection can fail if connflow expiration happens before IKE encryption |
751924 | 2-Critical | | TSO packet bit fails IPsec during ESP encryption |
749249 | 2-Critical | | IPsec tunnels fail to establish and 100% CPU on multi-blade BIG-IP |
747203 | 2-Critical | | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding |
746122 | 2-Critical | | 'load sys config verify' resets the active master key to the on-disk master key value |
741676 | 2-Critical | | Intermittent crash switching between tunnel mode and interface mode |
820213 | 3-Major | | 'Application Service List' empty after UCS restore |
817917 | 3-Major | | TMM may crash when sending TCP packets |
817725 | 3-Major | | Bcm56xxd does not always generate a core file |
814053 | 3-Major | | Under heavy load, bcm56xxd can be killed by the watchdog |
812929 | 3-Major | | mcpd may core when resetting a DSC connection |
810957 | 3-Major | | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core |
806985-1 | 3-Major | | Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★ |
805557 | 3-Major | | TMM may crash while processing crypto data |
804537 | 3-Major | | Check SAs in context callbacks |
804477 | 3-Major | | Log HSB registers when parts of the device become unresponsive |
802889-1 | 3-Major | | Problems establishing HA connections on DAGv2 chassis platforms |
798949 | 3-Major | | Config-Sync fails when the Config-Sync IP is configured to the management IP |
797609 | 3-Major | | Creating or modifying some virtual servers to use an address or port list may result in a warning message |
797221 | 3-Major | | BCM daemon can be killed by watchdog timeout during blade-to-blade failover |
795685 | 3-Major | | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer |
794501 | 3-Major | | Duplicate if_indexes and OIDs between interfaces and tunnels |
788949 | 3-Major | | MySQL password initialization loses already written password |
788557-3 | 3-Major | | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior |
788301 | 3-Major | K58243048 | SNMPv3 Hardening |
783293 | 3-Major | | Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window |
783113-6 | 3-Major | | BGP sessions remain down upon new primary slot election |
782613 | 3-Major | | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp |
780601 | 3-Major | | SCP file transfer hardening |
778125 | 3-Major | | LDAP remote authentication passwords are limited to fewer than 64 bytes |
777261 | 3-Major | | When SNMP cannot locate a file, it logs messages repeatedly |
775733 | 3-Major | | /etc/qkview_obfuscate.conf not synced across blades |
772497 | 3-Major | | When BIG-IP is configured to use a proxy server, updatecheck fails |
772117 | 3-Major | | Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card |
770657 | 3-Major | | On hardware platforms with ePVA, some good traffic is blocked when in L2 transparent mode and SYN cookies are enabled |
769029 | 3-Major | | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh |
766329 | 3-Major | | SCTP connections do not reflect some SCTP profile settings |
764873 | 3-Major | | An accelerated flow transmits packets to a dated, down pool member |
762073 | 3-Major | | Continuous TMM restarts when HSB drops off the PCI bus |
761993 | 3-Major | | The nsm process may crash if it detects a nexthop mismatch |
761753 | 3-Major | | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs |
761160 | 3-Major | | OpenSSL vulnerability: CVE-2019-1559 |
761144 | 3-Major | | Broadcast frames may be dropped |
760680 | 3-Major | | TMSH may utilize 100% CPU (a single core's worth) when set to be a process group leader and the SSH session is closed |
760439 | 3-Major | | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status |
760259 | 3-Major | | Qkview silently fails to capture qkviews from other blades |
760164-2 | 3-Major | | BIG-IP VE Compression Offload HA action requires modification of db variable |
759735 | 3-Major | | OSPF ASE route calculation for new external-LSA delayed |
759654 | 3-Major | | LDAP remote authentication with remote roles and user-template failing |
759499 | 3-Major | | Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★ |
759172 | 3-Major | | Read Access Denied: user (gu, guest) type (Certificate Order Manager) |
758527 | 3-Major | | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
758517 | 3-Major | | Callback for Diffie-Hellman crypto is missing defensive coding |
758516 | 3-Major | | IKEv2 auth encryption is missing defensive coding that checks object validity |
758387 | 3-Major | | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it |
758119 | 3-Major | K58243048 | qkview may contain sensitive information |
757862 | 3-Major | | IKEv2 debug logging of an uninitialized variable leading to core |
757519 | 3-Major | | Unable to log in using LDAP authentication with a user-template |
757357-2 | 3-Major | | TMM may crash while processing traffic |
756153 | 3-Major | | Add diskmonitor support for MySQL /var/lib/mysql |
754691 | 3-Major | | During failover, an OSPF routing daemon may crash |
753860 | 3-Major | | Virtual server config changes causing incorrect route injection |
751021 | 3-Major | | One or more TMM instances may be left without dynamic routes |
749011 | 3-Major | | Datasync may start background tasks during high disk I/O utilization |
748044-2 | 3-Major | | RAID status in tmsh is not updated when disk is removed or rebuild finishes |
743803 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
743758 | 3-Major | | Support dynamic CRL check for clientSSL profile |
738943 | 3-Major | | imish command hangs when ospfd is enabled |
738236 | 3-Major | | UCS does not follow current best practices |
726416 | 3-Major | | Physical disk HD1 not found for logical disk create |
726240 | 3-Major | | 'Cannot find disk information' message when running Configuration Utility★ |
724109 | 3-Major | | Manual config-sync fails after pool with FQDN pool members is deleted |
721020 | 3-Major | | Changes to the master key are reverted after full sync |
718405 | 3-Major | | RSA signature PAYLOAD_AUTH mismatch with certificates |
715379 | 3-Major | | IKEv2 accepts asn1dn for peers-id only as file path of certificate file |
701529 | 3-Major | | Configuration may not load or may not accept VLAN or tunnel names of "default" or "all" |
688399 | 3-Major | | HSB failure results in continuous TMM restarts |
683135 | 3-Major | | Hardware syncookies number for virtual server stats is unrealistically high |
679901 | 3-Major | | The iControl REST timeout value is not configurable |
661640 | 3-Major | | Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair |
648621 | 3-Major | | SCTP: Multihome connections may not expire |
601220 | 3-Major | | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade |
591732 | 3-Major | | Local password policy not enforced when auth source is set to a remote type |
439399 | 3-Major | K17483 | Discrepancy between Throughput and Detailed Throughput data |
409062 | 3-Major | K20008325 | ArcSight HSL is not supported for most system daemons |
818417 | 4-Minor | | Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf |
803993 | 4-Minor | | Cannot process empty ltcfg field value: class name |
789893 | 4-Minor | | SCP file transfer hardening |
776073 | 4-Minor | | OOM killer kills tmm in a system low-memory condition because the process OOM score is high |
758706 | 4-Minor | | Importing a cert with an expiration time of 'Dec 31 23:59:59 9999' causes errors in the GUI |
757821 | 4-Minor | | Strings in APM GUI: Do not use 'none' to mean 'empty value' |
757747 | 4-Minor | | IKEv2 ignores passive=true setting in ike-peer |
756401 | 4-Minor | | IKEv2 debug logging often omits SPI values that would identify the SAs involved |
755018 | 4-Minor | | Traffic processing may be stopped on VE trunk after tmm restart |
751450 | 4-Minor | | Ability to select both IKEv1 and IKEv2 in ike-peer config deprecated |
723833 | 4-Minor | | IPsec-related routing changes can misfire, such as changing tunnel mode to interface mode |
706737-1 | 4-Minor | | APM SAML inline SSO documentation |
636189 | 4-Minor | | Output of sysctl reports incorrect values of variables accept_redirects, send_redirects, and secure_redirects for TMM interfaces |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
816273 | 1-Blocking | | L7 Policies may execute CONTAINS operands incorrectly |
759968-5 | 1-Blocking | | Distinct vCMP guests are able to cluster with each other |
833173 | 2-Critical | | SFP interfaces are flapping on 2xxx/4xxx on version 15.0.x |
831325 | 2-Critical | | HTTP PSM detects more issues with Transfer-Encoding headers |
831161 | 2-Critical | | An iRule before HTTP_REQUEST calling persist none can crash tmm |
825561 | 2-Critical | | TMM may core in a rare condition serving an HTTP response |
824881 | 2-Critical | | A rare TMM crash caused by the fix for ID 816625 |
824757 | 2-Critical | | SSL traffic fails with Equinix netHSM on device restart |
817417 | 2-Critical | | Blade software installation stalled at Waiting for product image★ |
816961 | 2-Critical | | LB::detach iRule command may trigger TMM crash |
816625 | 2-Critical | | The TMM may crash in a rare scenario involving HTTP unchunking and plugins |
813561 | 2-Critical | | MCPD crashes when assigning an iRule that uses a proc |
811161 | 2-Critical | | Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 |
810801 | 2-Critical | | TMM may core in a rare condition when tearing down a connection |
810537 | 2-Critical | | TMM may consume excessive resources while processing iRules |
809165 | 2-Critical | | TMM may crash while processing connector traffic |
808301 | 2-Critical | | TMM may crash while processing IP traffic |
803845-1 | 2-Critical | | When in HA, the Standby device is forwarding traffic, causing a loop and subsequent network shutdown |
800369 | 2-Critical | | The fix for ID 770797 may cause a TMM crash |
800305 | 2-Critical | | VDI::cmp_redirect generates flow with random client port |
799649 | 2-Critical | | TMM crash |
794153 | 2-Critical | | TMM may core in a rare condition when handling an HTTP request |
788813 | 2-Critical | | TMM crash when deleting virtual-wire config |
787825 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
778077 | 2-Critical | | Virtual to virtual chain can cause TMM to crash |
774913 | 2-Critical | | IP-based bypass can fail if SSL ClientHello is not accepted |
757578 | 2-Critical | | RAM cache is not compatible with verify-accept |
754525 | 2-Critical | | Disabled virtual server accepts and serves traffic after restart |
750702 | 2-Critical | | TMM crashes while making changes to virtual wire configuration |
823921 | 3-Major | | FTP profile causes memory leak |
818429 | 3-Major | | TMM may crash while processing HTTP traffic |
818097 | 3-Major | | Plane CPU stats too high after primary blade failover in multi-blade chassis |
816205 | 3-Major | | IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side |
815449 | 3-Major | | BIG-IP closes connection when an unsized response is served to a HEAD request |
815089 | 3-Major | | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations |
814761 | 3-Major | | PostgreSQL monitor fails on second ping with count != 1 |
813673 | 3-Major | | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT |
812497 | 3-Major | | VE rate limit should not count packets that do not have a matched VLAN or matched MAC address |
811333 | 3-Major | | Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★ |
810445 | 3-Major | | PEM: ftp-data not classified or reported |
809729 | 3-Major | | When HTTP/2 stream is reset by a client, BIG-IP may not respond properly |
806085 | 3-Major | | In-TMM MQTT monitor is not working as expected |
805017 | 3-Major | | DB monitor marks pool member down if no send/recv strings are configured |
802245 | 3-Major | | When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, the last one is selected |
801541 | 3-Major | | tmm memory growth if high availability (HA) peer is unavailable |
800101 | 3-Major | | BIG-IP chassis system may send out duplicated UDP packets to the server side |
798105 | 3-Major | | Node connection limit not honored |
797977 | 3-Major | | Self-IP traffic does not preserve the TTL from the Linux host |
796993 | 3-Major | | Ephemeral FQDN pool member status changes are not logged in /var/log/ltm logs |
795501 | 3-Major | | Possible SSL crash during config sync |
795437 | 3-Major | | Improve handling of TCP traffic for iRules |
795261 | 3-Major | | LTM policy does not properly evaluate condition when an operand is missing |
795025 | 3-Major | | Ssl_outerrecordtls1_0 config option is not honored |
793929 | 3-Major | | In-TMM monitor agent might crash during TMM shutdown |
790205 | 3-Major | | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core |
788741 | 3-Major | | TMM cores in the MQTT proxy under rare conditions |
788325 | 3-Major | K39794285 | Header continuation rule is applied to request/response line |
787853 | 3-Major | | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps |
787821 | 3-Major | | httprouter may deadlock |
787433 | 3-Major | | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed |
785481 | 3-Major | | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached |
784713 | 3-Major | | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct |
784565 | 3-Major | | VLAN groups are incompatible with fast-forwarded flows |
783617 | 3-Major | | Virtual server resets connections when all pool members are marked disabled |
781849 | 3-Major | | On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single virtual server |
781753 | 3-Major | | WebSocket traffic is transmitted with unknown opcodes |
781041 | 3-Major | | SIP monitor in non-default route domain is not working |
779633 | 3-Major | | BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used |
778517 | 3-Major | | Large number of in-TMM monitors results in delayed processing |
777269 | 3-Major | | Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup |
776521 | 3-Major | | Connection information is needed when an SSL handshake aborts |
776229 | 3-Major | | iRule 'pool' command no longer accepts pool members with ports that have a value of zero |
773821 | 3-Major | | Certain plaintext traffic may cause SSLO to hang |
773421 | 3-Major | | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied |
773229 | 3-Major | | Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances |
772545 | 3-Major | | Tmm core in SSLO environment |
770477 | 3-Major | | SSL aborted when client_hello includes both renegotiation info extension and SCSV |
769801 | 3-Major | | Internal tmm UDP filter does not set checksum |
766169 | 3-Major | | Replacing all VLAN interfaces resets VLAN MTU to a default value |
765517 | 3-Major | | Traffic Match Criteria validation fails when creating a virtual server with an address list with overlapping address space but a different ingress VLAN |
764897 | 3-Major | | Connection mirroring fails over to primary address when it becomes available |
763093 | 3-Major | | LRO packets are not taken into account for ifc_stats (VLAN stats) |
761477 | 3-Major | | Client authentication performance when large CRL is used |
761282 | 3-Major | | SNAT pool may use wrong address after self addresses are added/modified |
761185 | 3-Major | K50375550 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic |
761112 | 3-Major | | TMM may consume excessive resources when processing FastL4 traffic |
761030 | 3-Major | | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route |
760550 | 3-Major | | Retransmitted TCP packet has FIN bit set |
759419 | 3-Major | | HTTP2 monitors can be created |
759385 | 3-Major | | Records for an external data-group can be incorrectly managed |
758992 | 3-Major | | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address |
758655 | 3-Major | | TMC does not allow inline addresses with non-zero route domain |
758631 | 3-Major | | ec_point_formats extension might be included in the server hello even if not specified in the client hello |
758006 | 3-Major | | Thales nethsm-thales-rfs-install.sh script failing with / partition full |
757827-5 | 3-Major | | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution |
756817 | 3-Major | | ZebOS address blocks do not reflect RFC5735 changes to reserved address blocks |
756510 | 3-Major | | Improve log message when an invalid SSL profile is found |
755727 | 3-Major | | Ephemeral pool members not created after DNS flap and address record changes |
754635 | 3-Major | | When SSL persistence is enabled, session cache size cannot be zero |
754218 | 3-Major | | Stateless virtual servers do not work for non-standard load-balancing methods |
754003 | 3-Major | K73202036 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate |
751036 | 3-Major | | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone |
750278 | 3-Major | | A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases |
747907 | 3-Major | | Persistence records leak while the HA mirror connection is down |
747628 | 3-Major | | BIG-IP sends spurious ICMP PMTU message to server |
745923 | 3-Major | | Virtual server may reset a connection with port zero when client sends ACK after a 4-way close |
745663 | 3-Major | | During CMP forward, nexthop data may be missing at large packet split |
738045 | 3-Major | | HTTP filter complains about invalid action in the LTM log file |
726176 | 3-Major | | Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve |
718790 | 3-Major | | Traffic does not forward to fallback host when all pool members are marked down |
718288 | 3-Major | | MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated |
714384 | 3-Major | | DHCP traffic may not be forwarded when BWC is configured |
710930 | 3-Major | | Enabling BigDB key bigd.tmm may cause SSL monitors to fail |
696735 | 3-Major | | TCP ToS Passthrough mode does not work correctly |
686059 | 3-Major | | FDB entries for existing VLANs may be flushed when creating a new VLAN |
685858 | 3-Major | | Connection drops with FastL4 profile that has loose init and syncookie enabled |
668459 | 3-Major | | Asymmetric transparent nexthop traffic only updates ingress interface |
636842 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled |
629787 | 3-Major | | vCMP hypervisor version mismatch may cause connection mirroring problems |
617929 | 3-Major | | Support non-default route domains |
601189 | 3-Major | | The BIG-IP system might send TCP packets out of order in FastL4 in syncookie mode |
559004 | 3-Major | | No support for server-side TLS SNI |
830833 | 4-Minor | | HTTP PSM blocking resets should have better log messages |
791337 | 4-Minor | | Traffic matching criteria fails when using shared port-list with virtual servers |
787905 | 4-Minor | | Improve initializing TCP analytics for FastL4 |
783969-1 | 4-Minor | | An invalid SSL close_notify might be sent in some cases |
781837 | 4-Minor | | [CPM] 'Use case sensitive string comparison' has no effect on datagroup match |
781113 | 4-Minor | | Support to enable/disable reusing serverside TIME_WAIT connections |
774261 | 4-Minor | | PVA client-side current connections stat does not decrease properly |
774173 | 4-Minor | | WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending |
772297 | 4-Minor | | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade |
770641 | 4-Minor | | Update BIG-IP with recently introduced HTTP status codes |
769309 | 4-Minor | | DB monitor reconnects to server on every probe when count = 0 |
767329 | 4-Minor | | Mirrored persistence records are not identified in tmsh output |
763197 | 4-Minor | | Flows not mirrored on wildcard virtual server with opaque VLAN group |
760683 | 4-Minor | | RST from non-floating self-ip may use floating self-ip source mac-address |
757777 | 4-Minor | | bigtcp does not issue a RST in all circumstances |
747585 | 4-Minor | | TCP Analytics supports ANY protocol number |
688397 | 4-Minor | | Reset causes for HTTP/2 streams are not recorded |
487884 | 4-Minor | | SSL::collect, SSL::release iRule events might not work as expected in a mirroring configuration |
761318 | 5-Cosmetic | | Opening libcryptoki-6.2.2-11.x86_64.rpm fails during SafeNet 6.2.2 client install |
491303 | 5-Cosmetic | | Cipher string text box does not resize itself |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
777937 | 1-Blocking | AWS ENA: packet drops due to bad checksum | |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
807177 | 2-Critical | HTTPS monitoring is not caching SSL sessions correctly | |
744743 | 2-Critical | Rolling DNSSEC Keys may stop generating after BIG-IP restart | |
717306 | 2-Critical | Added ability to use Vip-targeting-Vip with DNS Cache server-side connections | |
704198 | 2-Critical | K29403988 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance |
803645 | 3-Major | GTMD daemon crashes | |
802961 | 3-Major | The 'any-available' prober selection is not as random as in earlier versions | |
799657 | 3-Major | Name validation missing control characters for some GTM objects | |
783849 | 3-Major | DNSSEC Key Generations are not imported to secondary FIPS card | |
781985 | 3-Major | DNSSEC zone SEPS records may be wiped out from running configuration | |
781829 | 3-Major | GTM TCP monitor does not check the RECV string if the server response string does not end with \n | |
779793 | 3-Major | [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor | |
778365 | 3-Major | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | |
777245 | 3-Major | DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes | |
774481 | 3-Major | DNS Virtual Server creation problem with Dependency List | |
772233 | 3-Major | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | |
769385 | 3-Major | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message | |
761032 | 3-Major | TMSH displays TSIG keys | |
760835 | 3-Major | Static generation of rolling DNSSEC keys may be missing when the key generator is changed | |
760833 | 3-Major | BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner | |
758038 | 3-Major | Addition of receive status code to DNS HTTP/HTTPS monitors | |
757775 | 3-Major | Added DB variable to force setting RA bit in response from cache | |
746223 | 3-Major | DNSSEC: Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created | |
726164 | 3-Major | Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system | |
719704 | 3-Major | 'Error trying to access the database.' with ZoneRunner | |
712335 | 3-Major | GTMD may intermittently crash under unusual conditions. | |
708421 | 3-Major | K52142743 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg |
665117 | 3-Major | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping |
775801 | 4-Minor | [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener | |
744280 | 4-Minor | Enabling or disabling a Distributed Application results in a small memory leak | |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
813945 | 2-Critical | PB core dump while processing many entities | |
813389 | 2-Critical | TMM Crashes upon failure in Bot Defense Client-Side code | |
790349 | 2-Critical | merged crash with a core file | |
790089 | 2-Critical | ASM SPA JavaScript code causes a web page to hang upon parallel ajax requests. | |
784337 | 2-Critical | False positive header related violation | |
831661 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
824101 | 3-Major | Request Log export file is not visible for requests including binary data | |
824037 | 3-Major | Bot Defense whitelists do not apply for IP 'Any' when using route domains | |
812341 | 3-Major | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | |
808749 | 3-Major | Duplicate user-defined Signature Set based on Attack Type is created upon policy import | |
805353 | 3-Major | ASM reporting for WebSocket frames has empty username field | |
800453 | 3-Major | False positive virus violations | |
797781 | 3-Major | ASM does not inject JavaScript near <body> when the tag appears below 2 KB of the compressed page | |
795965-1 | 3-Major | BIG-IP does not close connection after deception blocking response page is sent | |
793149 | 3-Major | Adding the Strict-transport-Policy header to internal responses | |
792569 | 3-Major | Security URL name created from swagger file starts with double '/' | |
792341 | 3-Major | Google Analytics shows incorrect stats. | |
788705 | 3-Major | Clarification of JSON schema validator reference resolving support | |
786913 | 3-Major | Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 | |
785873 | 3-Major | ASM should treat 'Authorization: Negotiate TlR' as NTLM | |
785529 | 3-Major | ASM unable to handle ICAP responses whose length is greater than 10K | |
783513 | 3-Major | ASU is very slow on device with hundreds of policies due to logging profile handling | |
781865 | 3-Major | Issues in IE8 when using bot defense browser JavaScript verification and SPA | |
781637 | 3-Major | ASM brute force counts unnecessary failed logins for NTLM | |
781605 | 3-Major | Fix RFC issue with the multipart parser | |
781069 | 3-Major | Bot Defense challenge blocks requests with long Referer headers | |
781021 | 3-Major | ASM modifies cookie header causing it to be non-compliant with RFC6265 | |
778681 | 3-Major | Factory-included Bot Signature update file cannot be installed without subscription★ | |
778677 | 3-Major | Factory Search Engines are mistakenly converted to Bot Signatures upon upgrade★ | |
773553 | 3-Major | ASM JSON parser false positive. | |
771869 | 3-Major | Certain signatures can scan past input buffers limits | |
769997-2 | 3-Major | ASM removes double quotation characters on cookies | |
769981 | 3-Major | bd crashes in a specific scenario | |
767077 | 3-Major | Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error | |
767057 | 3-Major | In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server | |
764373 | 3-Major | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | |
761231 | 3-Major | K79240502 | Bot Defense Search Engines getting blocked after configuring DNS correctly |
758308 | 3-Major | Import/create policy may fail after failed upgrade UCS load | |
727107 | 3-Major | Request Logs are not stored locally due to shmem pipe blockage | |
726401 | 3-Major | ASM cannot complete initial startup with modified management interface on VE | |
725551 | 3-Major | ASM may consume excessive resources | |
707905 | 3-Major | Hundreds of cron-initiated ASM-config processes seem to be stuck | |
704077 | 3-Major | Request log shows Username N/A for the JSON authentication type Login page | |
699149 | 3-Major | 'Can't associate Bot Defense ASM Profile' when creating iApp | |
674300 | 3-Major | The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices | |
803445 | 4-Minor | When adding several mitigation exceptions, the previously configured actions revert to the default action | |
802877 | 4-Minor | Escaped slash in Parameter regular expression value fails regex validation | |
797821 | 4-Minor | Logging profiles on /Common cannot be configured with publishers on other folders | |
795769 | 4-Minor | Incorrect value of Systems in system-supplied signature sets | |
794253 | 4-Minor | Several relevant fields are not shown in Application Security remote logging profile | |
789817 | 4-Minor | In rare conditions info fly-out not shown | |
785253 | 4-Minor | Problems in reporting of disallowed URL | |
783589 | 4-Minor | No option to filter out bots with N/A anomaly category | |
783417 | 4-Minor | ASM CAPTCHA preview pages don't display the page properly | |
775833 | 4-Minor | Administrative file transfer may lead to excessive resource consumption | |
772473 | 4-Minor | Request reconstruct issue after challenge | |
768761 | 4-Minor | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | |
767941 | 4-Minor | Gracefully handle policy builder errors | |
767469 | 4-Minor | Searching ASM Policy Attack Signatures via Rest API can return signatures that are not in the policy | |
766605 | 4-Minor | Bot Defense Profile created in Guided Configuration screen will not show the sub-path section of its partition | |
765413 | 4-Minor | ASM cluster syncs caused by PB ignored suggestions updates | |
764653 | 4-Minor | ASM/AWAF : Automatic enforcement of HTTP Methods | |
762305 | 4-Minor | 'exclusiveMaximum' and 'exclusiveMinimum' from swagger are not taken into account in param creation | |
761553 | 4-Minor | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | |
761549 | 4-Minor | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | |
761088 | 4-Minor | Remove policy editing restriction in the GUI while auto-detect language is set | |
760462 | 4-Minor | Live update notification is shown only for provisioned/licensed modules | |
759302 | 4-Minor | The same dynamic flow can not be added to different URLs | |
757470 | 4-Minor | Case insensitive flag is ignored on regular expression keywords in simplified Signature editor | |
756998 | 4-Minor | DoSL7 Record Traffic feature is not recording traffic | |
749184 | 4-Minor | Added description of subviolation for the suggestions that enabled/disabled them | |
702946-1 | 4-Minor | Added option to reset staging period for signatures | |
786897 | 5-Cosmetic | Rename of 'AMF Body' context to 'HTTP request body - unparsed payload' in request log | |
769061 | 5-Cosmetic | Improved details for learning suggestions to enable violation/sub-violation | |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
812993 | 1-Blocking | Monpd process consumes considerable amount of RAM on systems with many virtual servers | |
817065 | 2-Critical | Avrinstall crashes and admd restarts in endless loop when APM provision is Minimal★ | |
756102 | 2-Critical | TMM can crash with core on ABORT signal due to non-responsive AVR code | |
833113-6 | 3-Major | Avrd core when sending large messages via https | |
808297 | 3-Major | AVR statistics are lost when performing an upgrade | |
805817 | 3-Major | Distributed reports fail when management address is used for config sync in a device group | |
797785 | 3-Major | AVR reports no ASM-Anomalies data. | |
792265 | 3-Major | Traffic logs do not include the BIG-IQ tags | |
781581 | 3-Major | Monpd uses excessive memory on requests for network_log data | |
773925 | 3-Major | Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files | |
771025 | 3-Major | AVR sends domain names as an aggregate | |
768125 | 3-Major | AFM data is not reported if AVR is not provisioned. | |
760356 | 3-Major | Users with Application Security Administrator role cannot delete Scheduled Reports | |
758257 | 3-Major | Adding option to mask each AFM stats separately | |
758235 | 3-Major | Large user database size | |
753485-5 | 3-Major | AVR global settings are being overridden by HA peers | |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811965 | 2-Critical | Some VDI use cases can cause excessive resource consumption | |
811145 | 2-Critical | VMware View resources with SAML SSO are not working | |
797541 | 2-Critical | K05115516 | NTLM Auth may fail when user's information contains SIDS array |
789085 | 2-Critical | When executing the ACCESS::session iRule command under a serverside event, tmm may crash | |
784989 | 2-Critical | TMM may crash with panic message: Assertion 'cookie name exists' failed | |
783233 | 2-Critical | OAuth puts quotation marks around claim values that are not string type | |
779177 | 2-Critical | Apmd logs "client-session-id" when access-policy debug log level is enabled | |
777173 | 2-Critical | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | |
761373 | 2-Critical | Debug information logged to stdout | |
825805 | 3-Major | NTLM Auth may fail due to incorrect handling of EPM response★ | |
815753 | 3-Major | TMM leaks memory when explicit SWG is configured with Kerberos authentication | |
808169 | 3-Major | APM per-request policy continues evaluation even if variable assign agent is created with bad expression. | |
802381 | 3-Major | Localdb authentication fails | |
798261 | 3-Major | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | |
794561 | 3-Major | TMM may crash while processing JWT/OpenID traffic. | |
788473 | 3-Major | Email sent from APM is not readable in some languages | |
788417 | 3-Major | Remote Desktop client on macOS may show resource auth token on credentials prompt | |
787477 | 3-Major | Export fails from partitions with '-' as second character | |
786173 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
783817 | 3-Major | UI becomes unresponsive when accessing Access active session information | |
782673 | 3-Major | Importing local users CSV via UI shows a redundant error | |
782569 | 3-Major | SWG limited session limits on SSLO deployments | |
782401 | 3-Major | Importing CSV reports error message, though operation is successful | |
777165 | 3-Major | Occasional crash from sessiondump | |
775621 | 3-Major | urldb memory grows past the expected ~3.5GB | |
774633 | 3-Major | Memory leak in tmm when session db variables are not cleaned up | |
774301 | 3-Major | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | |
774213 | 3-Major | SWG session limits on SSLO deployments | |
771905 | 3-Major | JWT token rejected due to unknown JOSE header parameters | |
769853 | 3-Major | K24241590 | Access Profile option to restrict connections from a single client IP is not honored for native RDP resources |
768025 | 3-Major | SAML requests/responses fail with "failed to find certificate" | |
766577 | 3-Major | APMD fails to send a response to a client that has already closed the connection. | |
765621 | 3-Major | POST request being rejected when using OAuth Resource Server mode | |
764709 | 3-Major | Session variable with trailing space might result in errors | |
761329 | 3-Major | APM per-request policy variable assign agent does not support secure variable assignment | |
760974 | 3-Major | TMM SIGABRT while evaluating access policy | |
759640 | 3-Major | Logon failure with Session Expired/Timeout | |
759638 | 3-Major | APM current active and established session counts out of sync after failover | |
759392 | 3-Major | HTTP_REQUEST iRule event triggered for internal APM request | |
759356 | 3-Major | Access session data cache might leak if there are multiple TMMs | |
759307 | 3-Major | Enhance oauth client failure error log message id:01490290. | |
757781 | 3-Major | Portal Access: cookie exchange may be broken sometimes | |
756932 | 3-Major | iRule command 'ACCESS::session data get -secure' can fail when evaluating empty variables | |
756394 | 3-Major | Portal Access: client-side URL rewriter incorrectly replaces '..' with 'f5-w-doubledot' in query | |
741222 | 3-Major | Install epsec1.0.0 into software partition.★ | |
721274 | 3-Major | ActiveX and Java based RDP resources are not supported★ | |
697590 | 3-Major | APM iRule ACCESS::session remove fails outside of Access events | |
680855-1 | 3-Major | Safari 11 sometimes starts more than one session | |
597955 | 3-Major | APM can generate seemingly spurious error log messages | |
816313 | 4-Minor | Per-request Policy customization is used for 'URL blocked' page | |
807509 | 4-Minor | SWG license does not get released for sessions created through iRules | |
804421 | 4-Minor | SAML attribute value when supplied with quotes "" around it causes error while displaying the list of SAML IDPs | |
799985 | 4-Minor | Profile import with reuse is failing in non-Common partition | |
793229 | 4-Minor | Portal Access: Lack of Split Tunneling information in dynamic windows/frames | |
781445 | 4-Minor | named or dnscached cannot bind to IPv6 address | |
778333 | 4-Minor | GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later | |
771545 | 4-Minor | Export access policy does not include apm log-setting config | |
770621 | 4-Minor | [Portal Access] HTTP 308 redirect does not get rewritten | |
759579 | 4-Minor | Full Webtop: 'URL Entry' field is available again | |
758089 | 4-Minor | Refreshing sessions fails with 'All[Read Only]' partitions | |
744476 | 4-Minor | Some SSO methods may work inappropriately when using OTP Generate agent | |
719589 | 4-Minor | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | |
698693 | 4-Minor | HTTP::uri does not work after ACCESS::respond | |
656799 | 4-Minor | APM Webtop max session timeout countdown reports incorrect value | |
617087 | 4-Minor | NTLM Machine Account page fails when using an Admin password containing spaces | |
602396 | 4-Minor | EPSEC Upload Package Button Is Greyed Out | |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
792045 | 3-Major | Prevent WAM cache type change for small objects | |
751383 | 4-Minor | Invalidation trigger parameter values are limited to 256 bytes | |
748031 | 4-Minor | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule | |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
814097 | 2-Critical | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | |
811105 | 2-Critical | MRF SIP-ALG drops SIP 183 and 200 OK messages | |
808525 | 2-Critical | TMM may crash while processing Diameter traffic | |
781725 | 2-Critical | BIG-IP systems might not complete a short ICAP request with a body beyond the preview | |
766405 | 2-Critical | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | |
815529 | 3-Major | MRF outbound messages are dropped in per-peer mode | |
811745 | 3-Major | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | |
811033 | 3-Major | MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used | |
804313 | 3-Major | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | |
782353 | 3-Major | SIP MRF via header shows TCP Transport when TLS is enabled | |
763157 | 3-Major | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped | |
761685 | 3-Major | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set | |
760370 | 3-Major | MRF SIP ALG with SNAT: Next active ingress queue filling | |
759370 | 3-Major | FIX protocol messages parsed incorrectly when fragmented between the body and the trailer. | |
759077 | 3-Major | MRF SIP filter queue sizes not configurable | |
748355 | 3-Major | MRF SIP curr_pending_calls statistic can show negative values. | |
747995 | 3-Major | MBLB SIP dropping packets with unknown methods | |
746825 | 3-Major | MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls | |
788005 | 4-Minor | Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) | |
787945 | 4-Minor | IVSERR_SENT_RESULT_LOG displays incorrect IVS name | |
786981 | 4-Minor | Pending GTP iRule operation may be aborted when connection is expired | |
786565 | 4-Minor | MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded | |
760930 | 4-Minor | MRF SIP ALG with SNAT: Added additional details to log events | |
758485 | 4-Minor | Send Disconnect-Peer-Request message per RFC3588.5.4 | |
688897 | 5-Cosmetic | Removing Insert Record Route option in GUI for sipsession object on SIP-ALG mode | |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
791057 | 2-Critical | MCP may crash when traffic matching criteria is updated | |
778869 | 2-Critical | ACLs and other AFM features (e.g., IPI) may not function as designed | |
818309 | 3-Major | 'tmsh list' / 'tmsh list security' hangs when AFM / Herculon DDoS Hybrid Defender are not provisioned | |
812481 | 3-Major | HSL logging may work unreliably for Management-IP firewall rules | |
811157 | 3-Major | Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself | |
808893 | 3-Major | DNS DoS profile vectors do not function correctly★ | |
808889 | 3-Major | DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold | |
805881 | 3-Major | Cannot 'Reset Count' or search logs for firewall global policy in different partition | |
802865 | 3-Major | The iControl REST query request returns an empty list for DoS Protected Objects | |
800209 | 3-Major | The tmsh recursive list command includes DDoS GUI-specific data info | |
793217 | 3-Major | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | |
787969 | 3-Major | Validation error regarding disabling DoS Software Mode is unclear | |
781425-3 | 3-Major | Firewall rule list configuration causes config load failure | |
780837 | 3-Major | Firewall rule list configuration causes config load failure | |
777733 | 3-Major | DoS profile default values cause config load failure on upgrade | |
771173 | 3-Major | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ | |
761345 | 3-Major | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | |
761234 | 3-Major | Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached | |
757306 | 3-Major | SNMP MIBS for AFM NAT do not yet exist | |
756480 | 3-Major | Added ability in the Flow Inspector to search on serverside src/dst ip addresses | |
756474 | 3-Major | Packet tester tool in command line does not support tab completion on vlan name. Vlan name without partition is not supported either | |
738284 | 3-Major | Creating or deleting rule list results in warning message: Schema object encode failed | |
734691 | 3-Major | The autodosd process does not support multiple traffic-group | |
686043 | 3-Major | dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets | |
726472 | 4-Minor | Two ACL BLOBs saved in /var/pktclass/ directory use too much disk space there | |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
814941 | 3-Major | PEM drops new subscriber creation if historical aggregate creation count reaches the max limit | |
783289 | 3-Major | PEM actions not applied in VE bigTCP. | |
781485 | 3-Major | PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition | |
741213 | 3-Major | Modifying disabled PEM policy causes coredump | |
806841 | 4-Minor | Segmentation fault when pem_sessiondump --detail with special character in session attribute | |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
837269-2 | 3-Major | Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic | |
806825-1 | 3-Major | Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool | |
761517 | 4-Minor | nat64 and ltm pool conflict | |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
821133 | 3-Major | Wrong wildcard URL matching when none of the configured URLS include QS | |
804185 | 3-Major | Some WebSafe request signatures may not work as expected | |
787601 | 3-Major | Unable to add 'Enforce' parameter if already configured in different URL | |
786953 | 3-Major | Wrong Data Manipulation titles | |
783565 | 3-Major | Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP | |
775013 | 3-Major | TIME EXCEEDED alert has insufficient data for analysis | |
771093 | 3-Major | Websafe Enhanced Data Manipulation not generating Alerts (XHR send rewrite) | |
770385 | 3-Major | Fingerprint iframe visible in page | |
760991 | 3-Major | DataSafe GUI is displayed when invalid FPS licenses keys are configured | |
759839 | 3-Major | Datasafe encrypts stored substitute value for xhr request and not the real value | |
759664 | 3-Major | Remove Event Listener support of edge case | |
758938 | 3-Major | Datasafe RTE causing login form to not be updated on subsequent login attempts | |
700384 | 3-Major | Allow param identification by arbitrary named attribute | |
795733 | 4-Minor | 'Name in Request' parameter is placed in the wrong group | |
789045 | 4-Minor | Wrong Secure Attribute description | |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
825597 | 3-Major | Cloud Security Services do not apply current best practices | |
824917 | 3-Major | Behavioral DoS dashboard disregards user access rights to virtual servers | |
803477 | 3-Major | BaDoS State file load failure when signature protection is off | |
767045-5 | 3-Major | TMM cores while applying policy | |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
816529-4 | 3-Major | If wr_urldbd is restarted while queries are being run against Custom DB, then further lookups cannot be made after wr_urldbd comes back up from restart. | |
787965 | 3-Major | URLCAT by URI does not work if it contains port number | |
785605 | 3-Major | Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group | |
761273 | 3-Major | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
815649 | 3-Major | Named.config entry getting overwritten on SSL Orchestrator deployment | |
767613 | 3-Major | Restjavad can keep partially downloaded files open indefinitely | |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
794285-1 | 1-Blocking | BIG-IQ reading AFM configuration fails with status 400 | |
802449 | 2-Critical | Valid GTP-C traffic may cause buffer overflow | |
737558-2 | 2-Critical | Protocol Inspection user interface elements are active but do not work | |
795329 | 3-Major | IM installation fails if 'auto-add-new-inspections' enabled on profile★ | |
774881-1 | 3-Major | Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. | |
Cumulative fix details for BIG-IP v15.1.0 that are included in this release
837269-2 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
Component: Carrier-Grade NAT
Symptoms:
When hosts send ICMP unreachable error messages that are processed by the BIG-IP system, subsequent valid UDP packets do not get the persisted LSN translation address.
Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client and/or server sends ICMP unreachable messages at random.
Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though a persistence entry exists in the table.
Workaround:
None.
Fix:
Processing ICMP unreachable packets no longer causes FWNAT/CGNAT persistence issues with UDP traffic.
833173 : SFP interfaces are flapping on 2xxx/4xxx on version 15.0.x
Component: Local Traffic Manager
Symptoms:
SFP interfaces start flapping immediately after booting up 2xxx/4xxx platforms, and it takes some time for them to go into an up/running state.
Conditions:
Happens on the following platforms with BIG-IP 15.0.x using the SFP interface:
2000s/2200v
4000s/4400v
Impact:
Interfaces are unusable until they stop flapping and go into an up/running state.
Workaround:
There is no known mitigation except to wait for the interface to go into the up/running state.
Fix:
Enough time is provided for the SFP interface to complete initialization and go into the up/running state.
833113-6 : Avrd core when sending large messages via https
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4 KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when the BIG-IP system is managed by BIG-IQ and the configuration is large and complex, or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to continuous avrd cores.
Workaround:
None.
Fix:
Fixed an avrd crash.
831661 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations.
Impact:
Control Plane instability and poor learning performance on the device.
Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.
831325 : HTTP PSM detects more issues with Transfer-Encoding headers
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
831161 : An iRule before HTTP_REQUEST calling persist none can crash tmm
Component: Local Traffic Manager
Symptoms:
During an iRule event before HTTP_REQUEST (e.g., FLOW_INIT or CLIENT_ACCEPTED), disabling persistence with 'persist none' can crash tmm.
Conditions:
An iRule event before HTTP_REQUEST (e.g., FLOW_INIT or CLIENT_ACCEPTED) disables persistence with 'persist none'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash.
830833 : HTTP PSM blocking resets should have better log messages
Component: Local Traffic Manager
Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.
Conditions:
This occurs under either of these conditions:
-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.
Impact:
The reset reason given is not descriptive, making troubleshooting difficult.
Workaround:
None.
Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.
825805 : NTLM Auth may fail due to incorrect handling of EPM response★
Component: Access Policy Manager
Symptoms:
NTLM passthrough authentication may stop working after upgrade.
Conditions:
-- NTLM authentication configured.
-- Upgraded to a BIG-IP software version that contains the implementation for the Microsoft Internet Explorer feature, 'Enhanced protected mode' (EPM).
-- There are more than two protocol sequence towers included in the EPM response.
Impact:
APM end users cannot log in.
Workaround:
None.
Fix:
The system can now parse the EPM response as expected.
825597 : Cloud Security Services do not apply current best practices
Component: Anomaly Detection Services
Symptoms:
The built-in endpoint configuration does not apply current best practices.
Conditions:
Default endpoint configuration.
Impact:
CSC do not apply current best practices.
Workaround:
None.
Fix:
The built-in endpoint configuration now applies current best practices.
825561 : TMM may core in a rare condition serving an HTTP response
Component: Local Traffic Manager
Symptoms:
When an HTTP server receives a POST request, it can sometimes serve a response before the whole request payload has arrived. When such a response is chunked, TMM may on some occasions fail to process it correctly.
Conditions:
-- The BIG-IP system has a virtual server configured with HTTP profile.
-- POST request is processing.
-- A chunked response is served before the whole request is received.
-- A Security Policy is applied to the virtual server.
Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now properly handles early chunked responses and does not allow TMM to core for this reason.
824917 : Behavioral DoS dashboard disregards user access rights to virtual servers
Component: Anomaly Detection Services
Symptoms:
For users that have access to particular partition(s) only, the Behavioral DoS dashboard shows data for all virtual servers, including virtual servers in partitions that this user does not have access to.
Conditions:
-- Logged into the GUI as a user that has access to only one partition.
-- Viewing the Behavioral DoS dashboard.
-- The device has virtual servers in partitions to which the current user has no access.
Impact:
User can see BADOS statistics data related to restricted partitions.
Workaround:
None
Fix:
Added a mechanism for getting ADM real time data only for virtual servers accessible by the user.
824881 : A rare TMM crash caused by the fix for ID 816625
Component: Local Traffic Manager
Symptoms:
In rare scenarios involving HTTP unchunking and plugins, the TMM may crash.
Conditions:
The fix for ID 816625 fixed HTTP unchunking and some plugins, dynamically removing the unchunking logic when required.
Other plugin behavior may in addition abort the unchunking logic in an unexpected way. This causes a double-abort, and triggers a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.
824757 : SSL traffic fails with Equinix netHSM on device restart
Component: Local Traffic Manager
Symptoms:
SSL traffic with Equinix netHSM keys fails if TMM process is restarted or device is restarted.
Conditions:
This issue occurs when the following conditions are met:
1. Virtual server configured with SSL profile containing Equinix netHSM keys.
2. Device or TMM process is restarted.
Impact:
SSL traffic fails.
Workaround:
Manually restart the pkcs11d process:
tmsh restart sys service pkcs11d
Fix:
SSL traffic with Equinix netHSM keys no longer fails if TMM process is restarted or device is restarted.
824101 : Request Log export file is not visible for requests including binary data
Component: Application Security Manager
Symptoms:
Request Log export file is not visible.
Conditions:
The Request Log export file contains a request with binary data.
Impact:
Cannot get data from Request Log export file.
Workaround:
None.
824037 : Bot Defense whitelists do not apply for IP 'Any' when using route domains
Component: Application Security Manager
Symptoms:
When defining whitelists in bot defense profiles, when the IP is set to 'Any' and route domains are in use, whitelists are not applied.
Conditions:
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- A request matching the whitelist is sent using route domains.
Impact:
Request will be mitigated.
Workaround:
For URL whitelists only:
Add a microservice to the bot defense profile and configure it as follows:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.
This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).
Fix:
Enabling IP 'Any' on route domains now works as expected.
823921 : FTP profile causes memory leak
Component: Local Traffic Manager
Symptoms:
When an FTP profile is added to a virtual server, TMM leaks memory and eventually the system has to terminate connections.
Conditions:
An FTP profile is installed on a virtual server and the inherit-parent-profile parameter is enabled, or isession is also included on the FTP virtual server.
Impact:
TMM leaks memory and eventually the system has to terminate connections.
Workaround:
Disable the inherit-parent-profile option if fastL4 data-channel is adequate.
Fix:
Fixed a bug in the internal memory cleanup function.
821133 : Wrong wildcard URL matching when none of the configured URLS include QS
Component: Fraud Protection Services
Symptoms:
Wildcard URLs have a flag (include_query_string) that indicates whether matching should include the traffic URL's query string (QS).
For example, if the traffic URL is '/path?a=b' and the configured URL is '/path*b':
1. If include QS is enabled, the URL is matched.
2. Otherwise, there is no match (since matching is against '/path' only).
If there are no configured URLs with "Include Query String" enabled, matching may be wrong.
Conditions:
1. Wildcard URL configured in the anti-fraud profile (URL name contains an asterisk).
2. None of the configured URLs has "Include Query String" enabled.
3. Traffic URL contains a query string.
Impact:
URL is incorrectly matched (when it either shouldn't be matched at all or should match another configured URL). Features/signatures might not work as expected.
Workaround:
Configure at least one URL with "Include Query String" enabled.
Fix:
FPS now matches query strings correctly, according to the configuration.
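The matching rule the entry describes, as an added example that is not FPS code: a configured URL may contain '*' wildcards, and its include_query_string flag decides whether the request's query string takes part in the comparison. Only '*' is treated as a wildcard here (a '?' in a pattern is literal, so patterns that include a query string still work), and the tie-breaking order (exact URLs before wildcard URLs, then configured order) is an assumption of this example, not something the entry states.

```python
"""Wildcard URL matching with a per-URL include_query_string flag.

Added example, not FPS code. A configured URL may contain '*' wildcards;
its include_query_string flag decides whether the request's query string
is part of the string being matched. Tie-breaking (exact URL first, then
wildcard URLs in configured order) is an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfiguredUrl:
    name: str                          # may contain '*' as a wildcard
    include_query_string: bool = False


def _pattern_to_regex(name: str) -> re.Pattern[str]:
    """Turn a '*' glob into a regex; every other character is literal."""
    return re.compile(".*".join(re.escape(part) for part in name.split("*")))


def matches(cfg: ConfiguredUrl, request_url: str) -> bool:
    """True if the configured URL applies to request_url."""
    # Strip the query string unless this URL opted in to matching it.
    subject = request_url if cfg.include_query_string else request_url.partition("?")[0]
    return _pattern_to_regex(cfg.name).fullmatch(subject) is not None


def lookup(urls: list[ConfiguredUrl], request_url: str) -> ConfiguredUrl | None:
    """Pick the configured URL that applies to request_url, or None."""
    exact = [u for u in urls if "*" not in u.name]
    wild = [u for u in urls if "*" in u.name]
    for cfg in exact + wild:
        if matches(cfg, request_url):
            return cfg
    return None


if __name__ == "__main__":
    # Constructed configuration mirroring the entry's example.
    with_qs = ConfiguredUrl("/path*b", include_query_string=True)
    without_qs = ConfiguredUrl("/path*b")
    print(matches(with_qs, "/path?a=b"))     # the query string is part of the subject
    print(matches(without_qs, "/path?a=b"))  # only '/path' is compared against '/path*b'
```

The second call shows the behaviour the entry expects when no URL has "Include Query String" enabled: '/path?a=b' is reduced to '/path', which does not end in 'b', so the wildcard URL must not match it.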
820213 : 'Application Service List' empty after UCS restore
Component: TMOS
Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.
Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.
Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.
Workaround:
Run the following command before restoring the UCS file:
clear-rest-storage
819089-1 : Manually licensing a versioned VE license through the GUI fails to activate the license★
Solution Article: K63920829
Component: TMOS
Symptoms:
The BIG-IP system does not activate a versioned BIG-IP Virtual Edition (VE) license using the manual licensing process through the GUI.
Conditions:
Any VE license installed using the manual method that contains Exclusive_version for versioning.
Impact:
The BIG-IP system does not go active, as the license does not activate properly.
Workaround:
Use the CLI to paste the license file into /config/bigip.license then reload the license using 'reloadlic' in the bash shell.
Fix:
The system prevents using manual license installs through the GUI for versioned VE licenses.
819009 : Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
Component: TMOS
Symptoms:
The multicast routing protocols are implemented by the pimd and mribd daemons. The mribd daemon crashes in a specific configuration when debug logging is enabled for it.
Conditions:
1) Dynamic Routing bundle is enabled and PIM protocol is enabled on a route domain.
2) High availability (HA) group/pair with floating self IP address is configured.
3) PIM neighbors are configured for each peer in high availability (HA) group/pair.
4) One of the peers in high availability (HA) is configured to use floating self IP address as an IP address for PIM protocol.
This is done using the 'ip pim use-floating-address' command in the PIM configuration in imish:
# ip pim use-floating-address
5) Multicast routing is configured in imish:
# ip multicast-routing
6) Debug logging for mribd is enabled:
# debug ip mrib all
# debug ipv6 mrib all
---
Note: Although steps 3 and 4 are optional, a practical configuration makes no sense without them.
Impact:
Dynamic routing daemon mribd crashes. Advanced routing not available while mribd restarts.
Workaround:
None.
Fix:
Dynamic routing daemon mribd no longer crashes when mribd debug logging is enabled.
818709 : TMSH does not follow current best practices
Component: TMOS
Symptoms:
Under certain conditions, TMSH does not follow current best practices when processing some commands.
Conditions:
Administrative user with TMSH access
Impact:
TMSH does not follow current best practices.
Workaround:
None.
Fix:
TMSH now follows current best practices.
818429 : TMM may crash while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.
Conditions:
HTTP profile active.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes HTTP traffic as expected.
818417 : Flowspecd starts with message: Shm segment not found in /etc/ha_table/ha_table.conf.
Component: TMOS
Symptoms:
During system boot, the flowspecd daemon emits a message 'Shm segment not found in /etc/ha_table/ha_table.conf', and heartbeat monitoring is disabled for flowspecd.
Conditions:
Flowspecd daemon is running.
Impact:
No heartbeat monitoring for flowspecd daemon.
Workaround:
Manually edit the file /etc/ha_table/ha_table.conf and insert a line at the end:
ha segment path: /flowspecd
Fix:
The missing line is now added to /etc/ha_table/ha_table.conf, so flowspecd starts cleanly and is heartbeat-monitored.
818309 : 'tmsh list' / 'tmsh list security' hangs when AFM / Herculon DDoS Hybrid Defender are not provisioned
Component: Advanced Firewall Manager
Symptoms:
The 'tmsh list security' command hangs when ASM is provisioned and AFM or Herculon DDoS Hybrid Defender are licensed, but not provisioned.
Conditions:
This occurs when AFM and/or Herculon DDoS Hybrid Defender are licensed but not provisioned.
Impact:
The tmsh command hangs when running any of the following commands:
- tmsh show running-config
- tmsh show running-config security
- tmsh show running-config security presentation tmui virtual-list
- tmsh list
- tmsh list security
- tmsh list security presentation tmui virtual-list
Workaround:
None.
Fix:
The tmsh list security command no longer hangs when ASM is provisioned and AFM/Herculon DDoS Hybrid Defender is not provisioned.
818097 : Plane CPU stats too high after primary blade failover in multi-blade chassis
Component: Local Traffic Manager
Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.
Conditions:
The primary blade in a multi-blade chassis fails over to another blade.
Impact:
The plane CPU stats are too high.
Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.
Fix:
The plane CPU stats are now cleared on a secondary blade after failover.
817917 : TMM may crash when sending TCP packets
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash being type SIGFPE, with the following panic message:
Failed assert: xnet_lib.c:795: Valid tx packet
Conditions:
-- Virtual Edition
Impact:
TMM crash leading to a failover event.
Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this is the 'sock' driver; in releases 13.1.0 through 14.0.x, the 'unic' driver is the alternative.
Use one of the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)
-- Commands for Releases 14.1.0 and later:
# echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'sock']
# tmctl -dblade -i tmm/device_probed
-- Commands for releases 13.1.0 through 14.0.0:
# echo "device driver vendor_dev 1af4:1000 unic" > /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'unic']
# tmctl -dblade -i tmm/device_probed
Fix:
TMM processes large packets as expected.
817725 : Bcm56xxd does not always generate a core file
Component: TMOS
Symptoms:
Certain 'assertion' failures in the bcm56xxd software will exit cleanly instead of generating a core file.
Conditions:
Assertion failures in the Broadcom SDK library.
Impact:
No core file generated.
Fix:
Modify assertion code to always produce a core file.
817417 : Blade software installation stalled at Waiting for product image★
Component: Local Traffic Manager
Symptoms:
On a chassis system where the active/primary blade is running version 14.1.0 or later and a new blade is inserted that has version 14.0.0 or lower, the secondary blades fail to receive the updated images and the installation stalls. The primary blade reports 'Waiting for product image' when running the tmsh show sys software status command.
Conditions:
Primary blade running version 14.1.0 or above.
A secondary blade running an earlier version is inserted.
Impact:
Newly inserted blade does not synchronize volumes with the primary blade and cannot be used.
The tmsh show sys software status command reports that one or more blades are in 'waiting for product image' status indefinitely.
Workaround:
Ensure all blades are running the same version. This can be done manually by running the following command at the command prompt (this example is for a new blade inserted in slot #3):
scp /shared/images/* slot3:/shared/images
817085 : Multicast Flood Can Cause the Host TMM to Restart
Component: TMOS
Symptoms:
A vCMP host tmm is restarted.
Conditions:
The vCMP host is processing heavy multicast traffic.
Impact:
The host TMM restarts and traffic stops for the guests.
Workaround:
Adjust the scheduling by adding this setting to the vCMP host configuration:
# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm
The bigstart restart tmm command must be run individually on all blades in the vCMP host. These changes must also be made on all vCMP hosts with guests in a high availability (HA) setup.
Fix:
The host TMM no longer restarts.
817065 : Avrinstall crashes and admd restarts in endless loop when APM provision is Minimal★
Component: Application Visibility and Reporting
Symptoms:
During upgrade, avrinstall crashes, and then admd restarts repeatedly.
Conditions:
This occurred with the following provisioning:
-- APM: Minimal
-- ASM: Minimal
Impact:
Avrinstall crashes, and admd restarts in an endless loop. No stress-based anomaly detection or behavioral statistics aggregation.
Workaround:
Increase the APM provision to Nominal.
Fix:
Fixed an avrinstall crash related to low memory.
816961 : LB::detach iRule command may trigger TMM crash
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV crash.
Conditions:
LB::detach is run during an HTTP transaction.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not write iRules that may execute LB::detach while an HTTP transaction is in progress.
Fix:
TMM does not crash even if LB::detach is run during an HTTP transaction.
816625 : The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
Component: Local Traffic Manager
Symptoms:
The TMM crashes while passing traffic.
Conditions:
This occurs rarely on a Virtual Server configured with HTTP profile that has HTTP response chunking enabled.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM no longer crashes in a rare scenario involving HTTP unchunking and plugins.
816529-4 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups cannot be made after wr_urldbd comes back up from restart.
Component: Traffic Classification Engine
Symptoms:
URLCAT lookups to Custom DB return Unknown result.
Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time
Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.
Workaround:
None.
Fix:
Wr_urldbd restores connection to Custom DB after restart.
816313 : Per-request Policy customization is used for 'URL blocked' page
Component: Access Policy Manager
Symptoms:
When a per-request Access Policy includes a Reject Ending agent, it may show a 'URL blocked' page to the client.
This page is expected to use the customization settings from the corresponding per-request Access Policy, but it uses the customization settings from the Access Profile.
Conditions:
Per-request Access Policy with Reject Ending agent and customized 'logout' page.
Impact:
Incorrect customization settings may be used.
Fix:
The 'URL blocked' page shown for the Reject Ending agent in a per-request Access Policy now uses the customization settings from that per-request Access Policy.
816273 : L7 Policies may execute CONTAINS operands incorrectly.
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.
816205 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
Component: Local Traffic Manager
Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.
Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.
Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.
Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.
NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.
Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:
# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"
NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.
Fix:
ICMP protocol 50 unreachable messages from the server-side are forwarded to the client-side.
815753 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of the filter keeps increasing over time, and it becomes one of the major consumers of TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815649 : Named.config entry getting overwritten on SSL Orchestrator deployment
Component: Device Management
Symptoms:
When topology or general settings are re-deployed, named.config is modified, and entries which do not belong to SSL Orchestrator are overwritten.
Conditions:
This occurs when topology or system settings are re-deployed.
Impact:
Content of named.conf file is lost/overwritten.
Workaround:
Modify named.conf manually or using ZoneRunner (DNS :: Zones : ZoneRunner : named Configuration) after SSL Orchestrator deployment.
815529 : MRF outbound messages are dropped in per-peer mode
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.
815449 : BIG-IP closes connection when an unsized response is served to a HEAD request
Component: Local Traffic Manager
Symptoms:
When an HTTP response has neither Content-Length nor Transfer-Encoding and has a body, BIG-IP closes the connection to mark the end of the response body. The HTTP protocol allows a client to send a HEAD request instead of a GET request to obtain the response headers only, without a body. BIG-IP erroneously closes the connection when a response to a HEAD request lacks both Content-Length and Transfer-Encoding.
Conditions:
BIG-IP has a virtual server configured to use an HTTP profile.
The server response to a HEAD request does not include the Content-Length or Transfer-Encoding headers, and both the client and server sides expect the communication to continue over the same connection.
Impact:
Connection closes and a client may not repeat the corresponding GET request on another connection.
Fix:
The connection remains open when an unsized response is provided to a HEAD request.
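The framing rule behind this entry, as an added example that is not BIG-IP code: RFC 7230 section 3.3.3 determines a response body's delimiter in order (HEAD and 1xx/204/304 responses have no body; then Transfer-Encoding ending in chunked; then Content-Length; otherwise read until the server closes). Because the HEAD check comes first, a HEAD response without either length header still needs no close. The sample response heads are constructed for the example, and the header parser is a simplification that keeps only the last value of a repeated header.

```python
"""Response body framing per RFC 7230 section 3.3.3.

Added example, not BIG-IP code. It decides how a response body is
delimited and whether the connection may stay open, including the HEAD
case from the entry: a HEAD response never has a body, so a missing
Content-Length/Transfer-Encoding must not force a connection close.
"""
from __future__ import annotations


def parse_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Parse a status line plus headers from a message head (simplified:
    repeated headers keep the last value; values are not list-merged)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def body_framing(method: str, status: int, headers: dict[str, str]) -> tuple[str, int | None]:
    """Return (framing, length) where framing is 'none', 'chunked', 'length' or 'close'."""
    # Rules 1-2: HEAD responses and 1xx/204/304 carry no body, whatever the headers say.
    if method.upper() == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return "none", None
    te = headers.get("transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        # Rule 3: a final 'chunked' delimits the body; any other coding means read to close.
        if codings and codings[-1] == "chunked":
            return "chunked", None
        return "close", None
    cl = headers.get("content-length")
    if cl is not None and cl.isdigit():
        return "length", int(cl)
    # Rule 7: no length information at all; the body ends when the server closes.
    return "close", None


def connection_may_persist(method: str, raw_response: bytes) -> bool:
    """True if another request may follow this response on the same connection."""
    status, headers = parse_head(raw_response)
    if headers.get("connection", "").lower() == "close":
        return False
    return body_framing(method, status, headers)[0] != "close"


# Constructed response heads (not captured traffic): the same unsized
# 200 response as served to a GET and to a HEAD.
UNSIZED_GET_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>body</html>"
UNSIZED_HEAD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(connection_may_persist("GET", UNSIZED_GET_RESPONSE))    # False: body ends at close
    print(connection_may_persist("HEAD", UNSIZED_HEAD_RESPONSE))  # True: HEAD has no body
```

The GET case legitimately needs the close (that is the only way the client learns where the body ends); the HEAD case does not, and closing it is what made clients unable to follow up with the corresponding GET on the same connection.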
815089 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
Component: Local Traffic Manager
Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.
Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.
Impact:
An invalid configuration is allowed.
Workaround:
None.
Fix:
The system now prevents this invalid configuration.
814953 : TMUI dashboard hardening
Component: TMOS
Symptoms:
The TMUI dashboard does not comply with current best practices.
Conditions:
TMUI dashboard accessed by authenticated administrative user.
Impact:
The TMUI dashboard does not comply with current best practices.
Workaround:
None.
Fix:
The TMUI dashboard now complies with current best practices.
814941 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber creation fails, usually seen across multiple high availability (HA) failover events.
Conditions:
The aggregate subscriber creation count reaches the maximum subscriber limit per tmm, which is configured using the sys db variable statemirror.mirrorsessions.
Impact:
Unable to bring up any more subscribers.
Workaround:
Restart tmm when the limits are reached.
Fix:
PEM subscriber creation no longer fails after multiple failover events.
814761 : PostgreSQL monitor fails on second ping with count != 1
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.
Impact:
Unable to monitor the health of PostgreSQL server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.
814097 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
Fix:
SERVER_CONNECTED event is raised.
814053 : Under heavy load, bcm56xxd can be killed by the watchdog
Component: TMOS
Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:
warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S
Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).
Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.
This causes a system to go offline and stop processing traffic.
Workaround:
None.
Fix:
The bcm56xxd daemon no longer crashes while the DAG is being programmed.
813945 : PB core dump while processing many entities
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities can happen during periodic processing or response analysis).
This is a very rarely occurring scenario.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
813673 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
Component: Local Traffic Manager
Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.
The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.
Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.
This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.
Conditions:
-- The HTTP explicit proxy is used on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.
Impact:
The client will not be able to CONNECT through the explicit proxy to an IPv4 address.
Workaround:
None.
Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.
813561 : MCPD crashes when assigning an iRule that uses a proc
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule uses a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and the desired iRule cannot be used.
Workaround:
None
Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.
813517 : The cron daemon not running after upgrade from pre-v14.1.0 versions to 15.0.x★
Component: TMOS
Symptoms:
After upgrading to v15.0.x, the system cron daemon is not running, which causes periodic system operations not to run.
This includes, but is not limited to:
-- SSL/TLS ephemeral key generation.
-- Log rotation.
-- SSL certificate.
Conditions:
Upgrade BIG-IP system from pre-v14.1.0 to 15.0.x.
Impact:
The crond daemon is down, so any process on the system that depends on crond does not work:
-- The SSL connection mirroring does not work as expected.
-- Script scheduling does not work.
Workaround:
Enable and start crond:
1. systemctl enable crond
2. systemctl start crond
Fix:
The system now ensures that the cron daemon (crond) is running consistently after upgrades.
813389 : TMM Crashes upon failure in Bot Defense Client-Side code
Component: Application Security Manager
Symptoms:
In some cases, when Bot Defense Client-Side code is running in the browser, it causes TMM to crash.
Conditions:
-- Bot Defense is enabled with any JS browser verification (before or after access).
-- Browsing to an HTML page.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Added a sanity check so that TMM does not crash.
812993 : Monpd process consumes considerable amount of RAM on systems with many virtual servers
Component: Application Visibility and Reporting
Symptoms:
Monpd process consumes a considerable amount of RAM (several gigabytes). The RAM usage grows constantly within the first 24 hours. This occurs because of the collection of ADM (BADOS) real-time statistics in monpd memory for last 24 hours per virtual server.
Conditions:
Many virtual servers are defined in the system. The memory consumption depends on the number of virtual servers.
Impact:
Excessive memory consumption reduces available RAM for other system daemons.
Workaround:
None.
Fix:
AVR now reports ADM (BADOS) real-time statistics only for virtual servers with BADOS profiles enabled.
812929 : mcpd may core when resetting a DSC connection
Component: TMOS
Symptoms:
In rare circumstances mcpd may core when resetting its DSC connection.
Conditions:
The exact conditions are not known for this to occur. The BIG-IP system must be in a Device Service Cluster, and must have configuration sync enabled. It might be related to when an Administrative BIG-IP user makes manual changes to the device trust group that would cause the trust to be broken (and optionally, re-established).
Impact:
mcpd cores and restarts. This results in a failover to the next active peer.
Workaround:
None.
Fix:
The system now prevents mcpd from coring when it resets its DSC connection.
812497 : VE rate limit should not count packets that do not have a matched VLAN or matched MAC address
Component: Local Traffic Manager
Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.
Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE)
-- Promiscuous mode is enabled
Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMware's switch design, you have to expose the device to all of the traffic to use those two features.
812481 : HSL logging may work unreliably for Management-IP firewall rules
Component: Advanced Firewall Manager
Symptoms:
HSL logging related to Management-IP firewall rules can periodically freeze and corresponding log messages can be lost.
Conditions:
No special conditions; this can happen intermittently on any setup.
Impact:
HSL log messages related to Management-IP firewall rules are missed.
Workaround:
None.
Fix:
HSL logging related to Management-IP firewall rules no longer halts intermittently, and all corresponding log messages are present in the log.
812341 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signature sets now recompile only the policies that are affected by the change.
811965 : Some VDI use cases can cause excessive resource consumption
Component: Access Policy Manager
Symptoms:
Under certain conditions, APM may consume excessive resources while processing VDI traffic.
Conditions:
APM is used as VDI proxy.
Impact:
Excessive resource usage, potentially leading to a failover event.
Workaround:
None.
Fix:
APM now processes VDI traffic as expected.
811745 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
811333 : Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails and the following error is present in /var/log/ltm log:
01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible
Unexpected Error: Loading configuration process failed.
Conditions:
-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
Impact:
The config is not loaded, and upgrade fails.
Workaround:
If you are encountering this after upgrading, run the following commands from the bash prompt:
1. Backup the configuration:
#cp /config/bigip.conf /config/bigip_backup.conf
2. List the occurrences of 'sslv2' in the bigip.conf:
#more bigip.conf | grep -i sslv2
3. Remove the SSLv2 references:
#sed -i "s/\!SSLv2://g" /config/bigip.conf
4. Check to ensure there are no 'sslv2' references:
#more bigip.conf | grep -i sslv2
5. Verify the configuration:
#tmsh load sys config verify
6. Try loading the configuration:
#tmsh load sys config
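As an added example (not part of this release note or of F5's own tooling), the same cleanup in Python: it strips every `!SSLv2` token from the `ciphers` value of SSL profiles in a bigip.conf-style text, whether the token is first, in the middle or last in the list, whereas the sed command above only matches a token followed by a colon. The configuration fragment is constructed, and falling back to `DEFAULT` for a list that held only SSLv2 tokens is an assumption of this example.

```python
import re

# Constructed sample: a bigip.conf-style fragment with the legacy '!SSLv2' token
# in three positions. Not a real device configuration.
SAMPLE_CONF = """\
ltm profile server-ssl /Common/serverssl-insecure-compatible {
    ciphers !SSLv2:!EXPORT:!DH:ALL
    defaults-from /Common/serverssl
}
ltm profile client-ssl /Common/clientssl-custom {
    ciphers DEFAULT:!SSLv2:!RC4
}
ltm profile client-ssl /Common/clientssl-trailing {
    ciphers ECDHE+AES-GCM:!SSLv2
}
ltm profile client-ssl /Common/clientssl-clean {
    ciphers DEFAULT
}
"""

# Matches a 'ciphers <value>' line; group 1 is indentation plus keyword, group 2 the value.
# [ \t] instead of \s keeps the match from spilling across line breaks.
CIPHERS_LINE = re.compile(r"^([ \t]*ciphers[ \t]+)(\S+)[ \t]*$", re.MULTILINE)


def clean_cipher_string(value: str) -> str:
    """Drop every token that names SSLv2 (case-insensitive, with or without a leading '!')."""
    tokens = value.split(":")
    kept = [t for t in tokens if t.lstrip("!").upper() != "SSLV2"]
    # Assumption of this example: a list that held only SSLv2 tokens would become
    # empty and fail to load, so substitute the DEFAULT cipher string instead.
    return ":".join(kept) if kept else "DEFAULT"


def strip_sslv2(conf_text: str) -> tuple[str, list[str]]:
    """Rewrite every ciphers line; return the new text and the original values that changed."""
    changed: list[str] = []

    def repl(m: re.Match) -> str:
        original = m.group(2)
        cleaned = clean_cipher_string(original)
        if cleaned != original:
            changed.append(original)
        return f"{m.group(1)}{cleaned}"

    return CIPHERS_LINE.sub(repl, conf_text), changed


def remaining_sslv2_references(conf_text: str) -> int:
    """Step 4 of the workaround: count lines that still mention sslv2, case-insensitively."""
    return sum(1 for line in conf_text.splitlines() if "sslv2" in line.lower())


if __name__ == "__main__":
    new_text, changed = strip_sslv2(SAMPLE_CONF)
    print(f"rewrote {len(changed)} cipher list(s); "
          f"{remaining_sslv2_references(new_text)} sslv2 reference(s) remain")
    print(new_text)
```

Run it against a copy of bigip.conf, not the live file, and diff the result before loading it with `tmsh load sys config verify`.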
Fix:
SSLv2 validation is removed from the configuration and upgrade succeeds.
811161 : Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
Component: Local Traffic Manager
Symptoms:
TMM cores when creating a virtual server.
Conditions:
ISO build that includes the fix for ID 718790 or ID 783617.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Handle case where mcp virtual address tags come in different orders.
811157 : Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
Component: Advanced Firewall Manager
Symptoms:
"Global Staged Default Action" message is logged into the firewall log for ICMP traffic targeted to Self-IP or Virtual Server destination address, even though this traffic can never be affected by Global Default Actions.
The "Global Staged Default Action" counter is also incremented.
Conditions:
Logging is enabled for Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "enabled" (this sys db has value "disabled" by default).
There are no special conditions for the "Global Staged Default Action" counter increment.
Impact:
Misleading messages are logged into the firewall log.
The "Global Staged Default Action" counter is incorrectly incremented.
The traffic itself is not affected and there are no other negative effects except the incorrect log message and counter update.
Workaround:
There is no workaround regarding the "Global Staged Default Action" counter increment.
To prevent the misleading log message, disable logging of Global Staged Default Action by setting the sys db tm.fw.stagedglobaldefaultrule.log to value "disabled".
Fix:
The "Global Staged Default Action" message is not logged and corresponding counter is not incremented for ICMP traffic targeted to Self-IP or Virtual Server destination address.
811145 : VMware View resources with SAML SSO are not working
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
Can now successfully use VMware View resources with SAML SSO.
811105 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an RTCP attribute without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
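As an added example (not part of this release note), a small Python check for the condition above: it finds `a=rtcp:` attributes in an SDP body that carry only a port (RFC 3605 allows the network type, address type and address to be omitted) and completes them from the governing `c=` line, which is what the workaround asks for. The SDP body is constructed; the addresses in it are not from a real call.

```python
# Constructed SDP body as carried in a SIP INVITE. The audio section has the
# problematic short form "a=rtcp:<port>"; the video section is already complete.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.10.10.10\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.10.10\r\n"
    "t=0 0\r\n"
    "m=audio 29974 RTP/AVP 0\r\n"
    "a=rtcp:29975\r\n"
    "m=video 30000 RTP/AVP 96\r\n"
    "c=IN IP4 10.10.10.11\r\n"
    "a=rtcp:30001 IN IP4 10.10.10.11\r\n"
)

RTCP_PREFIX = "a=rtcp:"


def _rtcp_fields(line: str) -> list[str]:
    """Split an a=rtcp line into its fields: port [nettype addrtype address]."""
    return line[len(RTCP_PREFIX):].split()


def find_bare_rtcp(sdp: str) -> list[int]:
    """Return zero-based line indexes of a=rtcp attributes that lack the address part."""
    bare = []
    for idx, line in enumerate(sdp.split("\r\n")):
        # The full RFC 3605 form has four fields; fewer means no connection address.
        if line.startswith(RTCP_PREFIX) and len(_rtcp_fields(line)) < 4:
            bare.append(idx)
    return bare


def complete_rtcp_addresses(sdp: str) -> str:
    """Append the governing c= line (nettype addrtype address) to every bare a=rtcp line.

    A media-level c= line overrides the session-level one for its own m= section,
    which is how an SDP consumer resolves the connection address for that stream.
    """
    session_conn: tuple[str, ...] | None = None
    media_conn: tuple[str, ...] | None = None
    in_media = False
    out = []
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            in_media = True
            media_conn = None          # a new media section starts without its own c=
        elif line.startswith("c="):
            conn = tuple(line[2:].split())
            if in_media:
                media_conn = conn
            else:
                session_conn = conn
        elif line.startswith(RTCP_PREFIX):
            fields = _rtcp_fields(line)
            conn = media_conn or session_conn
            if 1 <= len(fields) < 4 and conn is not None:
                line = RTCP_PREFIX + fields[0] + " " + " ".join(conn)
        out.append(line)
    return "\r\n".join(out)


if __name__ == "__main__":
    print("bare a=rtcp lines:", find_bare_rtcp(SAMPLE_SDP))
    print(complete_rtcp_addresses(SAMPLE_SDP))
```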
Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.
811033 : MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used
Component: Service Provider
Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.
Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.
Impact:
Messages are forwarded to an incorrect endpoint.
Workaround:
None.
Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.
810957 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.
810801 : TMM may core in a rare condition when tearing down a connection
Component: Local Traffic Manager
Symptoms:
HTTP or HTTP2 virtual server receives a request and tries to create a connection to the server. If this connection establishment fails, the connection to the client is torn down. This core occurs when trying to abort the clientside connection.
Conditions:
-- A virtual server with HTTP profile is created.
-- HTTP2 profile may or may not be present on the virtual server.
-- An httprouter profile is present on the virtual server.
-- Connection establishment with the server fails.
Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.
Workaround:
None.
Fix:
A TMM core no longer occurs under these conditions.
810657 : Tmm core while using service chaining for SSLO
Solution Article: K21135478
810593 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Component: TMOS
Symptoms:
VCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5 and all intervening versions up to, but not including, v13.1.3, to any higher version
Impact:
VCMP guests at state 'INOPERATIVE' and do not pass traffic.
Workaround:
None.
810557 : ASM ConfigSync Hardening
Solution Article: K05123525
810537 : TMM may consume excessive resources while processing iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing iRules.
Conditions:
HTTP VS enabled.
iRule using HTTP_PROXY_REQUEST configured.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
TMM now consumes resources as expected.
810445 : PEM: ftp-data not classified or reported
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.
Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.
Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.
Workaround:
None.
Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.
809729 : When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
Component: Local Traffic Manager
Symptoms:
When a client resets the HTTP/2 stream, the BIG-IP system may have several DATA frames ready to send. It drops these frames but does not credit their lengths back to the connection send window. The window can shrink to the point where no DATA frames are sent over this connection until the client updates the send window.
Conditions:
-- BIG-IP system has a virtual server.
-- HTTP/2 profile is assigned to it.
Impact:
For any subsequent request after the send window loses enough size, DATA frames with payload are not sent to the client over the affected HTTP/2 connection.
Workaround:
None.
Fix:
BIG-IP systems now credit the lengths of dropped DATA frames back to the connection send window.
809553-1 : ONAP Licensing - Cipher negotiation fails
Component: TMOS
Symptoms:
Cipher negotiation fails between the BIG-IP and a third-party license server.
Conditions:
This occurs when BIG-IP is deployed in a custom ONAP environment that uses a third-party license server.
Impact:
TLS negotiation fails.
Workaround:
Change the order of ciphers.
Enable only ECDHE ciphers.
809165 : TMM may crash while processing connector traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing connector traffic.
Conditions:
Virtual service with Connector profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now handles connector traffic as expected.
808893 : DNS DoS profile vectors do not function correctly★
Component: Advanced Firewall Manager
Symptoms:
Clients report that DNS TXT queries are not working. In /var/log/ltm, you see the following error:
DOS attack start was detected for vector TXT query DOS.
Conditions:
This can occur when DNS profile DoS vectors are enabled. It can be encountered after upgrading.
Impact:
DNS DoS detection and mitigation is not functioning correctly.
Workaround:
None.
Fix:
DNS DoS profile vectors are now detected correctly.
808889 : DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold
Component: Advanced Firewall Manager
Symptoms:
Incorrect hw_offload status for DoS vector or signature in tmctl dos_stat after the attack has stopped.
Conditions:
BIG-IP system with DoS-accelerated vectors support (SPVA support).
Impact:
DoS vector/signature stays hardware-accelerated.
Workaround:
After attack, change the state for DoS vector/signature to detect-only. Then return vector state to mitigate.
Fix:
Hardware-acceleration status for vector/signature status is updated based on observed traffic.
808749 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import when the Set has a filter using Attack Type.
Conditions:
A policy using a user-defined Signature Set with a filter using Attack Type is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import.
Workaround:
The policy can be modified to use the original Set, and the duplicated set can then be deleted.
Fix:
Duplicate user-defined Signature Set based on Attack Type is no longer created upon policy import.
808525 : TMM may crash while processing Diameter traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may crash while processing Diameter traffic.
Conditions:
Virtual server with Diameter profile enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes Diameter traffic as expected.
808301 : TMM may crash while processing IP traffic
Component: Local Traffic Manager
Symptoms:
TMM crash with 'Assertion "l4hdr set" failed' panic message in /var/log/tmm* log.
Conditions:
Packet filter is enabled.
Impact:
TMM crash leading to a failover event.
Workaround:
Disable the packet filter.
Fix:
TMM handles IP traffic as expected.
808297 : AVR statistics are lost when performing an upgrade
Component: Application Visibility and Reporting
Symptoms:
After performing an upgrade on an offline/standby machine, AVR statistics were gone. This was done on a device-group configuration in this way:
1. sync configuration
2. take UCS backup
3. make the standby unit forced offline.
4. install a new boot location on the standby unit.
5. Switchboot the standby unit from the newly installed location.
6. The standby unit comes online with the new version.
7. Release the standby from offline, becoming standby.
8. Make a failover, now the standby running on the new version becomes active.
9. Force new standby (previously active and on the old version) offline
10. Install the new version on the current standby unit
11. Switchboot the current standby.
12. Release offline the current standby.
13. Now both units are on the new version
Conditions:
Using AVR statistics and performing an upgrade on a machine that is not in the state of 'active' and 'online'.
Impact:
AVR statistics are not being backed-up and/or restored when performing an upgrade on a machine.
Workaround:
On the 'from' version (i.e., before starting the upgrade process), do the following:
$ cp /usr/share/avr/bin/avr_db_backup.sh /shared/avr_db_backup.sh.orig
$ cp /usr/share/avr/bin/avr_db_restore.sh /shared/avr_db_restore.sh.orig
$ mount -o remount -rw /usr
$ sed -i 's/clsh/clsh --color=all/g' /usr/share/avr/bin/avr_db_backup.sh
$ sed -i 's/clsh/clsh --color=all/g' /usr/share/avr/bin/avr_db_restore.sh
$ mount -o remount -r /usr
** Before proceeding with the upgrade, double check that the only difference between the original files (/shared/avr_db_backup.sh.orig & /shared/avr_db_restore.sh.orig) and the modified versions is 'clsh --color=all'. If this is the only change, you may proceed and start with the upgrade process.
Fix:
Fixed the scripts that do the backup process.
808225 : Change in Default password policy for number of characters different between passwords
Component: TMOS
Symptoms:
DoD STIG requires that there be an 8-character difference between old and new passwords; the current default is 5.
Conditions:
Changing passwords.
Impact:
When you change a BIG-IP password, the new password must have 8 characters different from the old.
Workaround:
None.
Fix:
Default is changed from 5 to 8.
Behavior Change:
Change in Default password policy for number of characters that must be different from previous passwords. The default number of characters that must differ has changed from 5 to 8.
808169 : APM per-request policy continues evaluation even if variable assign agent is created with bad expression.
Component: Access Policy Manager
Symptoms:
APM per-request policy contains variable assign agent with an incorrect expression, e.g., 'return {aa}}}'.
When traffic is passed through a virtual server containing such a per-request policy, traffic processing continues past the variable assign agent, and the client connection is reset later.
Conditions:
-- APM per-request policy contains a variable assign agent with an incorrect expression, e.g.,'return {aa}}}'.
-- Traffic is passed through a virtual server containing such a per-request policy.
Impact:
APM per-request policy continues evaluation past variable assign agent and fails at random events, resulting in a RST sent to client.
Workaround:
Fix the expression in variable assign agent used in APM per-request policy attached to virtual server.
Fix:
APM per-request policy does not evaluate past the variable assign agent, if the expression in the variable assign agent is incorrect.
808129 : Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
Component: TMOS
Symptoms:
BIG-IP 14.1.0.3 on AWS license does not complete from BIG-IQ.
Conditions:
-- Using BIG-IQ.
-- Attempting to license BIG-IP 14.1.0.3 on AWS.
Impact:
Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
Workaround:
Restart restjavad on the BIG-IP system.
Fix:
Can now use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.
807509 : SWG license does not get released for sessions created through iRules
Component: Access Policy Manager
Symptoms:
Requests get blocked/reset because the SWG license does not get released for sessions created through iRules.
Conditions:
SWG iRules are used to create an APM/SWG session with a per-request policy that has a category lookup agent.
Impact:
Requests get blocked/reset.
Workaround:
None.
Fix:
SWG license gets released for sessions created through iRules.
807477 : ConfigSync Hardening
Solution Article: K04280042
807453 : IPsec works inefficiently with a second blade in one chassis
Component: TMOS
Symptoms:
Under high availability (HA) configurations, a secondary blade does not receive mirrored updates for security associations (SAs).
When a new ike-peer is created, if that peer's IP address is handled by a secondary blade, all IKE negotiation packets are dropped after forwarding between primary and secondary blades.
But an ike-peer that is present from the start is mistakenly assigned to a primary blade, and thus works correctly.
Conditions:
-- More than one blade: a secondary blade in addition to a primary blade.
-- Remote ike-peer IP addresses that happen to hash to a secondary blade by the BIG-IP system disaggregation (DAG) mechanism.
-- Configuration for Active-Standby, which works on Active but fails to mirror SAs to Standby, when the IP address would be handled by a secondary blade.
Impact:
After failover from Active to Standby, missing SAs that could not be mirrored are renegotiated, causing tunnel outage until new negotiation concludes.
After adding a new ike-peer that should negotiate on a secondary blade, all IKE packets vanish, so no tunnel is ever created for such an ike-peer.
In high availability (HA) configurations, tunnels re-establish after renegotiation, for tunnels that would be assigned to a secondary blade. This works, but undercuts the benefit of high availability (HA) for tunnels other than those on a primary blade.
Workaround:
For a new ike-peer assigned to a secondary blade, restart tmm or the blade, and when the system comes back up, this peer is handled on the primary blade.
Note: Although this peer can then create a tunnel, any secondary blade is unused by IPsec.
Fix:
Assignment of blade ownership is now correct after a restart, even when blades are slowly discovered incrementally, or added dynamically after a system has come up.
HA mirroring works, and SAs are present after failover.
Tunnels are negotiated on secondary blades, so ike-peer instances with IP addresses handled on a secondary blade function as well as those on a primary blade.
807177 : HTTPS monitoring is not caching SSL sessions correctly
Component: Global Traffic Manager (DNS)
Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Conditions:
When using GTM HTTPS monitoring.
Impact:
Information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Workaround:
Restart big3d by running the following command:
bigstart restart big3d
806985-1 : Installation issues when adding new blade v12.1.3 to VPR cluster v14.1.0.1 EHF★
Component: TMOS
Symptoms:
A newly inserted blade fails to upgrade on a Viprion system.
Conditions:
The issue is seen only on VIPRION chassis when the primary blade is running engineering hotfix (EHF) v14.1.0.1 EHF 0.17.7 and newly inserted blade is configured with v12.1.3.
Impact:
Unable to upgrade the new blade in VIPRION chassis.
Workaround:
Ensure the active volume on the primary blade contains a version other than an EHF, and the other volume is installed with the EHF, then insert the new blade in the chassis.
806841 : Segmentation fault when pem_sessiondump --detail with special character in session attribute
Component: Policy Enforcement Manager
Symptoms:
Segmentation fault. No impact to traffic.
Conditions:
A session is configured with a special character in one of its attributes. Running pem_sessiondump --detail on that session causes it to crash.
Impact:
pem_sessiondump --detail returns segmentation fault.
Fix:
Allocated stack space for variable in the required function.
806825-1 : Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
Component: Carrier-Grade NAT
Symptoms:
Configure translate-address disabled under Virtual with LTM pool configured.
In the NAT44 case, LTM pool is used as next-hop and packets are L2 forwarded to LTM pool members without destination address translated.
In NAT64 case, packets are dropped if there is no route available to reach the IPv4 destinations (derived from original IPv6 destination). Packets are not L2 forwarded to LTM pool members.
Conditions:
-- Virtual server with LTM pool configured.
-- CGNAT LSN pool configured.
-- Translate-address disabled.
Impact:
If there is no route available to reach the destination, NAT64 packets are dropped.
Workaround:
Configure default gateways/routes to reach the IPv4 destination in NAT64 case.
Fix:
Aligned the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool.
Use LTM pool as next hop for L2 forwarding the NAT64 packets when translate-address is disabled.
806093 : Unwanted LDAP referrals slow or prevent administrative login
Component: TMOS
Symptoms:
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to log in to the Configuration Utility or to the command-line interface may proceed very slowly or fail.
Conditions:
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referrals (the default).
-- There are a large number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).
Impact:
BIG-IP system may accept LDAP referrals that it is unable to process, resulting in authentication timeouts/failures.
Workaround:
To temporarily disable the referrals, edit one of the configuration files /etc/nslcd.conf or /config/bigip/auth/pam.d/ldap/system-auth.conf, and add the following line:
referrals no
Restart nslcd service to apply change:
systemctl restart nslcd
Note: This change is not persistent and will be lost whenever MCPD re-loads the configuration, or when other changes are made to system-auth configuration values.
Fix:
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.
806085 : In-TMM MQTT monitor is not working as expected
Component: Local Traffic Manager
Symptoms:
The monitoring probes are not being sent out to the network, regardless of the monitor configuration and the sys db variable.
Conditions:
Configuring the in-TMM MQTT monitor.
Impact:
Pool members with attached MQTT monitor state is incorrectly shown as DOWN.
Workaround:
None.
Fix:
In-TMM MQTT monitor now works as expected.
805881 : Cannot 'Reset Count' or search logs for firewall global policy in different partition
Component: Advanced Firewall Manager
Symptoms:
In the GUI Firewall active policy page, the 'Reset Count' and 'search logs' buttons are disabled when you are in a different partition than the rule's source partition.
Conditions:
-- An active policy is in a different partition from the one you are in.
-- Security :: Network Firewall : Active Rules.
-- Select a rule.
-- Attempt to reset count.
Impact:
Count cannot be reset; the button is grayed out.
Workaround:
To enable the buttons, change to the partition used for creating that specific policy.
Fix:
You can now reset the count or search logs even if they are in a different partition.
805837 : REST does not follow current design best practices
Solution Article: K22441651
805817 : Distributed reports fail when management address is used for config sync in a device group
Component: Application Visibility and Reporting
Symptoms:
On a system where a device group uses the management interface, reporting statistics for the device group does not work. The following error appears in /var/log/avr/monpd.log:
REPORTER|ERROR|Nov 04 14:24:38.017|32640|../src/reporter/handlers/distributed/DistributedReportRunnerHandler.cpp:processCallStatusMessage:1921| Map reduce call failed. Can't collect report data from the cluster members..
Conditions:
-- Device group is used.
-- The configsync.allowmanagement DB variable is set to 'enable'.
-- Management IP address is used as the config sync address of the device group.
Impact:
AVR statistics report for device group does not work.
Workaround:
Use a self IP address for device groups instead of the management IP address.
Fix:
AVR statistics are now reported for device groups under these conditions.
805557 : TMM may crash while processing crypto data
Component: TMOS
Symptoms:
While processing cryptographic data using Intel QAT hardware, TMM may crash with a SIGSEGV.
Conditions:
-- Intel QAT hardware present.
-- Hardware acceleration enabled.
Impact:
TMM crash resulting in a failover event.
Fix:
TMM now processes QAT-accelerated cryptographic traffic as expected.
805353 : ASM reporting for WebSocket frames has empty username field
Component: Application Security Manager
Symptoms:
When using ASM to inspect and report WebSocket frames, the username field is always reported as empty or absent.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- WebSocket profile attached to a virtual server.
-- ASM logging profile attached to a virtual server.
-- WebSocket traffic inspected by ASM and logged as event log message or remote logger message.
Impact:
Poor visibility of current logged-in user in the event log for WebSocket frames.
Workaround:
None.
Fix:
ASM populates the username field for logged WebSocket frames.
805017 : DB monitor marks pool member down if no send/recv strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
804537 : Check SAs in context callbacks
Component: TMOS
Symptoms:
Crypto operations can crash.
Conditions:
Any crypto operation involving an ike-sa or a child-sa.
Impact:
Tunnel outage due to core, lasting until restart and renegotiation.
Workaround:
None.
Fix:
Fixed a crash related to crypto operations and SAs.
804477 : Log HSB registers when parts of the device becomes unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
804421 : SAML attribute value when supplied with quotes "" around it causes error while displaying the list of SAML IDPs
Component: Access Policy Manager
Symptoms:
When you create a new or edit an existing SAML IDP and provide SAML attribute value surrounded by quotation marks ("" ), the existing list of SAML IDPs will not be displayed.
Conditions:
SAML IDP attribute value provided is surrounded by "".
Impact:
GUI does not display the list of existing SAML IDPs.
Workaround:
Do not provide SAML attributes with "" surrounding the attribute values.
If there are any attributes with "" surrounding, delete them using TMSH.
804313 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None.
Fix:
Message sweeper interval value now loads correctly.
804273 : TMM is unable to redirect RRDAG'd traffic
Component: TMOS
Symptoms:
TMM cannot redirect RRDAG traffic in vCMP guest. This can affect GTP traffic.
Conditions:
Send UDP traffic to vCMP guest using RRDAG cmp-hash.
Impact:
Traffic is pinned to tmm.0.
Workaround:
None.
Fix:
A new db variable has been added:
dag.rrdag.redirect enable|disable
The default value is disable.
Enabling this db variable allows the BIG-IP system to evenly disaggregate UDP traffic that has low entropy in ports in hardware in vCMP mode. In vCMP guests, the BIG-IP system can redirect UDP traffic using non-default cmp hash.
Behavior Change:
A new db variable has been added:
dag.rrdag.redirect enable|disable
The default value is disable.
Enabling this db variable allows the BIG-IP system to evenly disaggregate UDP traffic that has low entropy in ports in hardware in vCMP mode. In vCMP guests, the BIG-IP system can redirect UDP traffic using non-default cmp hash.
804185 : Some WebSafe request signatures may not work as expected
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. A request signature is achieved by configuring an FPS-protected URL and a corresponding custom alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles the priority of signature-based wildcard URLs.
803993 : Cannot process empty ltcfg field value: class name
Component: TMOS
Symptoms:
You see the following in /var/log/ltm:
bigip1.localdomain notice mcpd[8154]: 01b00001:5: Cannot process empty ltcfg field value: class name (trapsess) field name ()
This message is issued when snmp trap destinations are configured without pass phrases. It is not an error and the log message can be ignored.
Conditions:
Configuring SNMP trap destinations.
Impact:
Meaningless logs.
Fix:
The log message has been removed.
803845-1 : When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
Component: Local Traffic Manager
Symptoms:
Standby is passing traffic when a virtual wire is configured.
Conditions:
-- Virtual wire configured in high availability (HA).
Impact:
The Standby device is forwarding traffic when it should not, causing a loop and subsequent network shutdown.
Workaround:
None.
Fix:
The Standby device no longer passes traffic through virtual wire when it should not.
803645 : GTMD daemon crashes
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that trigger this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
803477 : BaDoS State file load failure when signature protection is off
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds; BADoS protection is not available during the learning period.
Workaround:
Turn on signature detection.
Fix:
The BADoS State file successfully loads after admd restart, even without signature detection.
803445 : When adding several mitigation exceptions, the previously configured actions revert to the default action
Component: Application Security Manager
Symptoms:
After adding a new item to the mitigation exception list, you can also change its mitigation action. If you do not save the changes and then add more new exception items, the mitigation actions of the previously added items return to their default value actions.
Conditions:
-- Add mitigation exception to the Bot Configuration.
-- Change mitigation action on that new exception.
-- Add new items to exception list without first saving.
Impact:
Mitigation action exceptions might be saved with their default value actions instead of the actions you configured.
Workaround:
After adding a group of exception items and editing their actions, save the Bot Configuration properties before adding any new mitigation exception items.
Fix:
When adding several mitigation exceptions, the previously configured actions no longer revert to the default action.
802977 : PEM iRule crashes when an attempt is made to set more than 10 policies for a subscriber
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
Using an iRule to apply more than 10 referential policies for a subscriber.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system validates the number of policies before setting them to a subscriber.
In this release, iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.
Behavior Change:
In previous releases, the system did not prevent using an iRule to apply more than 10 referential policies for a subscriber. In those cases, however, tmm crashed and generated a core.
In this release, the BIG-IP system validates the number of policies before setting them to a subscriber. iRule behavior does not result in a tmm core dump, but the number of policies that can be simultaneously applied to a subscriber through an iRule is limited to 7.
802961 : The 'any-available' prober selection is not as random as in earlier versions
Component: Global Traffic Manager (DNS)
Symptoms:
Some big3d instances can be periodically busier than other big3d instances.
Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.
Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.
Workaround:
None.
802889-1 : Problems establishing HA connections on DAGv2 chassis platforms
Component: TMOS
Symptoms:
High availability (HA) mirroring does not work correctly on VIPRION B4400 blades.
Conditions:
- VIPRION B4400 chassis platform with multiple blades.
- HA mirroring is enabled.
Impact:
HA mirroring does not work
Workaround:
None.
Fix:
HA connections on VIPRION B4400 chassis platforms are correctly established.
802877 : Escaped slash in Parameter regular expression value fails regex validation
Component: Application Security Manager
Symptoms:
A Parameter with a backslash-escaped slash in regular expression cannot be created.
Conditions:
You attempt to create a Parameter with a backslash-escaped slash in a regular expression, for example, "aaaa\/bbb".
Impact:
The parameter fails to be created due to regular expression validation.
Workaround:
Specify the regular expression for the Parameter with slash unescaped (without the preceding backslash).
Fix:
A Parameter with a backslash-escaped slash in regular expression can be created successfully.
802865 : The iControl REST query request returns an empty list for DoS Protected Objects
Component: Advanced Firewall Manager
Symptoms:
DoS Protection profiles are not displayed in the GUI, but they are visible when using the tmsh command:
tmsh list security dos profile | grep "security dos profile"
Conditions:
This is encountered in Security :: DoS Protection : Protection Profiles.
Impact:
DoS Protected Objects are not included in the REST endpoint /mgmt/tm/security/presentation/tmui/virtual-list, so the GUI cannot display the DoS Protected Objects.
Workaround:
Use tmsh.
Fix:
DoS Protected Objects are now visible in the GUI.
802449 : Valid GTP-C traffic may cause buffer overflow
Component: Protocol Inspection
Symptoms:
Valid GTP-C traffic may cause buffer overflow with incrementing sequence numbers.
Conditions:
Valid GTP traffic with incrementing sequence numbers causes memory corruption and a core when processed through the IPS library.
Impact:
TMM Crash/core. Traffic disrupted while tmm restarts.
Workaround:
The only workaround is to disable protocol inspection or remove GTP service from all protocol-inspection profiles.
802381 : Localdb authentication fails
Component: Access Policy Manager
Symptoms:
In Active / Standby setup, user authentication fails after failover occurs.
Conditions:
-- APM configured in Active / Standby setup.
-- Per-session policy configured with Localdb Auth.
-- Failover occurs.
Impact:
APM end users are unable to authenticate.
Workaround:
Restart localdbmgr on the new active device, using the following command:
# bigstart restart localdbmgr
Fix:
In Active / Standby setup, user authentication no longer fails after failover occurs, so APM end users are able to authenticate.
802245 : When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
Component: Local Traffic Manager
Symptoms:
The last provided cipher suite in the list is chosen if HTTP/2 is negotiated and not matched.
Conditions:
-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.
Impact:
The least secure cipher suite would be selected.
Workaround:
Put the most secure cipher suite at the end of the list.
Fix:
Now the most secure cipher suite is selected regardless of the order in the list.
801861 : iApp Templates are now marked as Deprecated
Component: TMOS
Symptoms:
All iApp templates have been marked as deprecated.
Conditions:
This is encountered in the iApps :: Application Services : New Application Service screen.
Impact:
If you wish to use these deprecated templates, select the "Show deprecated templates" checkbox.
Behavior Change:
In this release, all iApp templates have been marked as deprecated. They are still accessible in the GUI in the iApps tab, but you will need to choose "Show deprecated templates" in order to see them.
801541 : tmm memory growth if high availability (HA) peer is unavailable
Component: Local Traffic Manager
Symptoms:
tmm memory utilization growth.
Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.
Impact:
Connection limits due to tmm memory pressure, or possible tmm out-of-memory failure.
Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.
Fix:
tmm memory no longer grows if high availability (HA) peer is unavailable.
800453 : False positive virus violations
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM. ASM reports a virus when the antivirus reply is timed out.
Impact:
False positive blocking or violation reporting.
Workaround:
The EnableASMByPass internal parameter can be set to allow the antivirus server not to reply, so that ASM does not issue a violation when that occurs:
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Notes:
When the internal parameter is enabled, ASM also bypasses very large HTTP requests (when they arrive on multiple connections) instead of resetting them.
800369 : The fix for ID 770797 may cause a TMM crash
Component: Local Traffic Manager
Symptoms:
In rare situations the TMM may crash after the original fix for ID 770797 is applied.
Conditions:
HTTP/2 is used on the client side of a virtual server without an MRF http_router profile.
The original fix for ID 770797 is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The fix for ID 770797 has been altered to prevent the TMM from crashing in rare situations.
800305 : VDI::cmp_redirect generates flow with random client port
Component: Local Traffic Manager
Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.
Conditions:
-- VDI::cmp_redirect iRule command used.
Impact:
Client port is not the same as the original client port.
Fix:
The VDI::cmp_redirect iRule command now uses the same port.
800209 : The tmsh recursive list command includes DDoS GUI-specific data info
Component: Advanced Firewall Manager
Symptoms:
DDoS GUI-specific data is included when running the command: tmsh recursive list. This irrelevant information might cause confusion.
Conditions:
This occurs when the AFM module is enabled.
Impact:
Extra, irrelevant data is provided in output, which can cause confusion.
Workaround:
This always happens as long as AFM is provisioned. You can deprovision the AFM module to remove this data from the output.
Fix:
DDoS GUI-specific data is now filtered out when running the command: tmsh recursive list.
800185 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via the Configuration utility or command line may be sluggish while the UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
800101 : BIG-IP chassis system may send out duplicated UDP packets to the server side
Component: Local Traffic Manager
Symptoms:
On a BIG-IP chassis based system, a single UDP packet on the client side flow may be duplicated and sent out to the server side.
Conditions:
When the UDP flow has been idle for more than 10 minutes and the L2 entries for the flow in the Broadcom switch have aged out.
Impact:
Duplicated server-side egress packets may cause server-side processing errors.
Fix:
BIG-IP no longer sends out duplicated UDP egress packets on the server side.
799985 : Profile import with reuse is failing in non-Common partition
Component: Access Policy Manager
Symptoms:
Profile exported from non-Common partition fails to import with reuse in other non-Common partition.
Conditions:
1. Profile exported from a partition other than the Common partition.
2. Profile has potentially shareable elements in the non-Common partition.
3. Profile is imported into a different, non-Common partition.
Impact:
Profile exported from non-Common partition fails to import with reuse.
Note: This is a very rarely occurring configuration.
Workaround:
Import the profile without reuse.
Fix:
Importing is now successful under these conditions.
799657 : Name validation missing control characters for some GTM objects
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, big3d fails to mark the resource up due to XML parsing error.
The following GTM objects are susceptible to this control character issue:
- gtm datacenter
- gtm prober-pool
- gtm device
- gtm application
- gtm region entry
- gtm virtual server
- gtm server
- gtm link
- gtm pool
Conditions:
A GTM object with a control character in the name.
Impact:
A resource whose name contains those control characters is not marked up, and big3d logs error messages such as:
warning big3d[5729]: 012b2004:4: XML parsing error not well-formed (invalid token) at line 21.
Workaround:
Remove control characters prior to creating GTM objects.
799649 : TMM crash
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV crash due to memory corruption.
Conditions:
HTTP Security profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the HTTP Security profile.
Fix:
The HTTP Security profile no longer causes a TMM crash.
799617 : ConfigSync Hardening
Solution Article: K05123525
799589 : ConfigSync Hardening
Solution Article: K05123525
798949 : Config-Sync fails when Config-Sync IP configured to management IP
Component: TMOS
Symptoms:
Device Group Sync Fails with error in the GUI: 01070712:3: Caught configuration exception (0), Failed to sync files.
Conditions:
Config-Sync IP configured to management IP:
sys db configsync.allowmanagement value enable
Impact:
Config-Sync of file objects such as SSL certificates fails.
Workaround:
None.
Fix:
Config-Sync has been updated to allow synchronization of file objects over the mgmt port.
798261 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Component: Access Policy Manager
Symptoms:
The following messages appear in the APM log and the user session is terminated.
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create the session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions will be terminated.
Workaround:
Disable virtual address spanning.
Fix:
N/A
798249 : TMM may crash while processing HTTP/2 requests
Solution Article: K81557381
798105 : Node Connection Limit Not Honored
Component: Local Traffic Manager
Symptoms:
Connection limits on nodes are not honored.
Conditions:
A node with connection limits set.
Impact:
More traffic will pass to the node than the limit is supposed to allow.
Workaround:
Modify the node's limit after the node is created and it will start honoring the limit.
Fix:
The node's limit is now honored.
797977 : Self-IP traffic does not preserve the TTL from the Linux host
Component: Local Traffic Manager
Symptoms:
Egress traffic from TMM has the IP TTL set to 255 instead of keeping the TTL from the Linux host.
Conditions:
IP/IPv6 TTL for host traffic.
Impact:
Tools like traceroute do not work because the Linux host rejects the packets.
Workaround:
Adjust TTL verification restrictions.
Fix:
IP TTL is preserved.
797885 : ConfigSync Hardening
Solution Article: K05123525
797821 : Logging profiles on /Common cannot be configured with publishers on other folders
Component: Application Security Manager
Symptoms:
Security logging profiles created in the /Common folder cannot be configured with publishers that exist in other folders when creating or editing them from the GUI.
Conditions:
Attempting to create security logging profiles on a folder different from the folder of the publisher, and the logging profile is on /Common.
Note: In general, this setup is not advisable. Folders under /Common could be synced using a different device group than /Common, with fewer devices. This might cause sync failures when receiving objects in /Common that point to objects in other folders. It is better to create the publishers in /Common and have the security logging profiles in other folders.
Impact:
Unable to create security logging profiles with sub folder configuration from the GUI.
Workaround:
You can create this configuration from TMSH or the REST API to work around the problem.
Fix:
Security logging profiles can now be created on /Common while referencing publishers on other folders.
797785 : AVR reports no ASM-Anomalies data.
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
797781 : ASM does not inject JavaScript near <body> when the tag appears below 2 KB of the compressed page
Component: Application Security Manager
Symptoms:
Possible CSRF false positive, or the AJAX blocking page is not shown, for pages where the <body> tag appears beyond the first 2 KB of the compressed page.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF or AJAX blocking page configured in the ASM policy.
Impact:
-- ASM blocks requests without CSRF token.
-- ASM does not show CSRF blocking page pop-up.
Workaround:
1. Change the internal parameter value:
/usr/share/ts/bin/add_del_internal add max_len_search_html_tag 4096
2. Restart ASM:
bigstart restart asm
Fix:
max_len_search_html_tag default value has changed from 2048 to 4096, so this issue no longer occurs.
797609 : Creating or modifying some virtual servers to use an address or port list may result in a warning message
Component: TMOS
Symptoms:
Creating or modifying a virtual server with TCP or UDP profiles to use an address or port list may result in an error similar to:
01070096:3: Virtual server /Common/vs lists profiles incompatible with its protocol.
Conditions:
-- Configure virtual server using a TCP or UDP profile.
-- Attempt to attach an address or port list to the virtual server.
Impact:
Unable to configure a virtual server to use an address or port list.
Workaround:
Create a traffic-matching-criteria object manually, and associate it with the virtual server.
Note: The protocol of the traffic-matching-criteria object must match that of the virtual server.
Fix:
Now, the system adjusts the protocol of the traffic-matching-criteria object to match that of the virtual server.
797541 : NTLM Auth may fail when user's information contains SIDS array
Solution Article: K05115516
Component: Access Policy Manager
Symptoms:
NTLM authentication fails when the authentication response contains a nonempty sid_and_attributes array. This will most likely occur when a user is a member of universal groups from a trusted domain.
Conditions:
- NTLM front-end authentication is configured.
- The authentication response contains a nonempty sid_and_attributes array (most likely the user is a member of universal groups from a trusted domain).
Impact:
Users are unable to log in through the BIG-IP.
Warning messages similar to the following can be found in /var/log/apm logfile:
warning eca[11436]: 01620002:4: [Common] 192.168.0.1:60294 Authentication with configuration (/Common/server1.testsite.com) result: user01@USER01 (WORKSTATION): Fail (UNEXP_006C0065)
warning nlad[11472]: 01620000:4: <0x2b4d27397700> client[46]: DC[172.29.67.112]: schannel[0]: authentication failed for user 'user01', return code: 0x006c0065
Note: The return code is not necessarily 0x006c0065 or 0x00000007; it can be any value. However, the larger the SIDs and Attributes array, the more likely the error value is 0x00000007.
Workaround:
None.
797221 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover
Component: TMOS
Symptoms:
The BCM daemon deletes entries from tables during blade-to-blade failover. If the tables are very large, the entry-by-entry deletion may take so long that the daemon is restarted by the watchdog timeout.
Conditions:
Very large L2 tables during blade-to-blade failover.
Impact:
There is a BCM core file on the primary blade after the failover.
Workaround:
None.
Fix:
The system now maintains the watchdog while deleting large tables, so this issue no longer occurs.
796993 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with FQDN nodes as its pool members.
-- Apply a monitor to it.
-- The monitor marks the pool member up/down based on reachability.
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796469 : ConfigSync Hardening
Solution Article: K05123525
796113 : Unable to load 14.1.0 config on 15.0.0 for a virtual server using a port/address list★
Component: TMOS
Symptoms:
If a virtual server is configured with a port/address list on v14.1.0 and you try to load the same config into v15.0.0, the load fails with the following error:
01070096:3: Virtual server %s profiles incompatible with its protocol.
Conditions:
Create a virtual server with port/address list and load the configuration on to v15.0.0.
Impact:
Configuration loading fails.
795965-1 : BIG-IP does not close connection after deception blocking response page is sent
Component: Application Security Manager
Symptoms:
Connection does not close after deception blocking page is sent.
Conditions:
Configure ASM deception iRule.
Impact:
Connections are left open until timeout occurs.
Workaround:
None.
Fix:
BIG-IP now closes the connection after deception blocking response page is sent.
795797 : AFM WebUI Hardening
Solution Article: K21121741
795769 : Incorrect value of Systems in system-supplied signature sets
Component: Application Security Manager
Symptoms:
In properties of system-supplied Attack Signature Sets, the field "Systems" is always displayed with value All.
For example, for Generic Detection Signatures the "Systems" field should be: System Independent, General Database, Various systems
Instead, "Systems" is set to "All".
Conditions:
Only for system-supplied signature sets, while user-defined signatures sets are displayed with correctly assigned Systems.
Impact:
Misleading value of Systems.
Workaround:
N/A
Fix:
The correct value of "Systems" is displayed for system-supplied signature sets.
795733 : 'Name in Request' parameter is placed in the wrong group
Component: Fraud Protection Services
Symptoms:
'Name in Request' parameter is placed in 'Application Layer Encryption' instead of being displayed as a general attribute.
Conditions:
- License FPS/DataSafe.
- Navigate to URL properties on a profile.
- Select Parameters under URL Configuration.
- Select Filter Columns :: Name in Request :: Apply Filter.
Impact:
'Name in Request' appears in the General section; it should be displayed in the Application Layer Encryption group.
Workaround:
None.
Fix:
'Name in Request' setting moved outside 'Application Layer Encryption' group.
795685 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
Component: TMOS
Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, displaying the peer information on the BIG-IP system (show ip bgp neighbor) causes bgpd to crash.
Conditions:
The BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, and you then try to display the BGP peer information.
Impact:
bgpd crashes.
Fix:
All supported BGP notifications now have a corresponding message to display in show commands.
795501 : Possible SSL crash during config sync
Component: Local Traffic Manager
Symptoms:
During config sync, it's possible that cipher group processing will crash.
Conditions:
-- SSL is configured.
-- Config sync is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Cipher group processing has been fixed to avoid this error.
795437 : Improve handling of TCP traffic for iRules
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM stops processing TCP traffic when it is processed by an iRule.
Conditions:
-- TCP profile is configured.
-- Invalid packet construction.
Impact:
TMM may crash, leading to a failover event.
Workaround:
None.
Fix:
TMM handles TCP traffic for iRule as expected.
795329 : IM installation fails if 'auto-add-new-inspections' enabled on profile★
Component: Protocol Inspection
Symptoms:
IPS IM package installation fails. The IPS log /var/log/pi_hitless_upgrade shows the following message:
Error during switching: unsupported type for timedelta seconds component: tuple.
Conditions:
-- The IM package contains a compliance check related to a specific service (e.g., HTTP).
-- At the time of IM package installation, there is an IPS profile with the following parameters:
+ The 'auto-add-new-inspections' property set to 'on'.
+ Contains a service related to compliance checks, for example:
* Presence of the following services causes an issue with the BIG-IP v14.1.0 IM:
HTTP, SIP, IMAP
* Presence of the following services causes an issue with the BIG-IP v15.0.0 IM:
HTTP, SIP, IMAP, GTP, Diameter
Impact:
IPS IM package is not installed.
Workaround:
1. Before IM package installation, set the profile property 'auto-add-new-inspections' to 'off' (disable).
2. Install IM package.
3. Manually add the compliance checks from the IM package to the profile. Compliance check names appear similar to the following:
-- pi_updates_14.0.0-20190607.2216.im
-- pi_updates_14.0.0-20190607.2216.im
Fix:
IM installation now succeeds when 'auto-add-new-inspections' is enabled on a profile.
795261 : LTM policy does not properly evaluate condition when an operand is missing
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an LTM policies mechanism to process traffic based on a set of rules. A rule may include a number of conditions and a number of actions to execute when the conditions are satisfied. Conditions use operands to evaluate. When an operand is missing, the BIG-IP system may fail to properly evaluate the condition.
Conditions:
-- A virtual server is configured with an LTM policy.
-- The policy contains a rule with a condition which has an operand and a negative matching type like 'not equals' or 'not starts-with', etc. (e.g., http-referer host not contains { www.example.com }).
-- A processing entity (like HTTP request, etc.) is missing an operand or has an empty value (e.g., header 'Referer' is missing from the request).
Impact:
The policy is improperly evaluated on the processing entity and may produce incorrect results when load balancing a request and/or serving a response.
Workaround:
You can use either workaround:
-- Convert rules into a 'positive' form (without a negative matching type) whenever possible.
-- Use iRules instead of a policy (might impact performance).
Fix:
The BIG-IP system no longer incorrectly evaluates conditions in LTM policy rules when their operands are missing in a processing entity.
795197 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
795025 : Ssl_outerrecordtls1_0 config option is not honored
Component: Local Traffic Manager
Symptoms:
Support for the Ssl_outerrecordtls1_0 config option was intentionally removed starting 14.1.0.1. The value TRUE is assumed irrespective of the actual configured value.
Conditions:
This occurs in normal operation.
Impact:
This option must be set to FALSE for the BIG-IP system to be able to communicate with a few non-compliant SSL servers. Communication with such servers fails otherwise.
Workaround:
None.
Fix:
Support for the config option has been added back.
794561 : TMM may crash while processing JWT/OpenID traffic.
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing JWT/OpenID traffic.
Conditions:
APM provisioned and configured.
JWT/OpenID session enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes JWT/OpenID traffic as expected.
794501 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
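A quick offline check for the condition described in this issue, added here as an example (not F5 code): it parses the shape of the grep-filtered tmsh output shown above, reports any if-index shared by more than one interface, VLAN or tunnel, and counts the matching snmpd warnings in /var/log/ltm. The tmsh output and log lines embedded below are constructed samples.

```python
"""Detect duplicate if-index values across BIG-IP interfaces, VLANs and tunnels.

Added example, not F5 code. Input is the line shape produced by
'tmsh list net ... all-properties | egrep "(^net)|(if-index)"'.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the grep'd tmsh output in the issue text.
SAMPLE_TMSH_OUTPUT = """\
net interface 0.10 {
    if-index 64
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net tunnels tunnel http-tunnel {
    if-index 64
net tunnels tunnel socks-tunnel {
    if-index 80
"""

# Constructed /var/log/ltm lines, shaped like the snmpd warnings in the issue text.
SAMPLE_LTM_LOG = """\
notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
"""

OBJECT_RE = re.compile(r"^net\s+(interface|vlan|tunnels tunnel)\s+(\S+)\s*\{")
IFINDEX_RE = re.compile(r"^\s*if-index\s+(\d+)\s*$")


def parse_if_indexes(text):
    """Return {if_index: [(kind, name), ...]} from grep-filtered tmsh output."""
    by_index = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = OBJECT_RE.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = IFINDEX_RE.match(line)
        if m and current is not None:
            by_index[int(m.group(1))].append(current)
            current = None  # each object carries exactly one if-index
    return dict(by_index)


def find_duplicates(text):
    """Return {if_index: [objects]} for every if-index used by more than one object."""
    return {idx: objs for idx, objs in parse_if_indexes(text).items() if len(objs) > 1}


def count_duplicate_oid_warnings(log_text):
    """Count snmpd 'Duplicate oid index found' warnings (message id 010e0999)."""
    return sum(
        1 for line in log_text.splitlines()
        if "snmpd[" in line and "010e0999" in line and "Duplicate oid index found" in line
    )


if __name__ == "__main__":
    for idx, objs in sorted(find_duplicates(SAMPLE_TMSH_OUTPUT).items()):
        names = ", ".join(f"{kind} {name}" for kind, name in objs)
        print(f"if-index {idx} is shared by: {names}")
    print("snmpd duplicate-OID warnings:", count_duplicate_oid_warnings(SAMPLE_LTM_LOG))
```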
794413 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389 : iControl REST endpoint response inconsistency
Solution Article: K89509323
794285-1 : BIG-IQ reading AFM configuration fails with status 400
Component: Protocol Inspection
Symptoms:
When BIG-IQ tries to read the AFM configuration using REST, the operation fails with status 400 if AFM is provisioned but the Protocol Inspection module is not licensed.
Conditions:
-- AFM provisioned on BIG-IP system.
-- Protocol Inspection module is not licensed.
Impact:
The operation fails with status 400. BIG-IQ cannot read the AFM configuration if the Protocol Inspection module is not licensed.
Workaround:
License Protocol Inspection.
794253 : Several relevant fields are not shown in Application Security remote logging profile
Component: Application Security Manager
Symptoms:
When Storage Format is 'User-Defined' and the request/query_string/headers fields are selected, the relevant advanced length settings are not shown.
Conditions:
-- Select 'User-Defined' storage format, and at least one of the request/query_string/headers fields.
-- Compare with settings available with 'Field-List' storage format with the same fields selected.
Impact:
There is no way in the GUI to configure advanced length settings for the 'User-Defined' storage format.
Workaround:
Use tmsh to accomplish this.
Fix:
Advanced length settings are now shown both for the 'User-Defined' and 'Field-List' storage formats.
794153 : TMM may core in a rare condition when handling an HTTP request
Component: Local Traffic Manager
Symptoms:
When an HTTP or HTTP2 virtual server receives a request, it may try to send this request on an existing connection to the server. This core occurs if the clientside and serverside connections are on two different TMMs.
Conditions:
-- A virtual server with HTTP profile is created.
-- HTTP2 profile may or may not be present on the virtual server.
-- An httprouter profile is present on the virtual server.
-- Multiple TMMs are serving the traffic.
Impact:
TMM cores, failover condition occurs, and traffic processing can be interrupted while tmm restarts.
Workaround:
None. This issue is not seen with a single TMM; however, running a single TMM may not be a practical constraint.
Fix:
The BIG-IP system now reuses the serverside connection when the conditions are suitable. If not, a new serverside connection is created to handle the request.
793937 : Management Port Hardening
Solution Article: K03126093
793929 : In-TMM monitor agent might crash during TMM shutdown
Component: Local Traffic Manager
Symptoms:
A crash due to assertion in the in-TMM monitor agent occurs while TMM is shutting down.
Conditions:
In-TMM monitors are active and TMM shuts down, e.g., for BIG-IP reboot.
Impact:
There is no functional impact because TMM was shutting down anyway.
Workaround:
Turn off all in-TMM monitors before rebooting the BIG-IP system.
Fix:
TMM does not crash due to in-TMM monitor activities during shutdown.
793229 : Portal Access: Lack of Split Tunneling information in dynamic windows/frames
Component: Access Policy Manager
Symptoms:
URLs in iframe windows are rewritten, even though split tunneling is configured to not rewrite some URLs.
Conditions:
1. Configure portal access with split tunneling in rewrite profile:
-- Bypass List:
- https://fiction.domain/*
-- Rewrite List:
- http://*/*
- https://*/*
2. Use portal access to open a window that contains an iFrame.
Impact:
Link in main window is not rewritten. Link in iframe is rewritten.
Workaround:
A custom iRule can be used.
Fix:
Neither link (in the main window and in the iframe) is rewritten.
793217 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
Fix:
HW DoS now shows mitigation more accurately.
793149 : Adding the Strict-transport-Policy header to internal responses
Component: Application Security Manager
Symptoms:
Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.
Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.
Impact:
Responses arrive at the browser without the Strict-transport-Policy header.
Workaround:
Create an iRule to add the header to the response.
Fix:
A BigDB parameter (asm.strict_transport_policy) has been added that allows the header to be added to all internal responses. It is disabled by default.
793045 : File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
Component: TMOS
Symptoms:
Net-snmpd leaks file descriptors during SNMP trap add/delete operations via tmsh.
You can observe the number of file descriptors used by snmpd increasing with 'ls -l /proc/$(pidof snmpd)/fd'.
The following error is logged in /var/log/daemon.log:
err snmpd[5160]: /proc/stat: Too many open files
Conditions:
Perform add/delete on SNMP traps via tmsh.
Impact:
Failure of snmpd operations on BIG-IP systems.
Workaround:
None.
Fix:
No longer leaks file descriptors in net-snmpd while reading /shared/db/cluster.conf.
792569 : Security URL name created from swagger file starts with double '/'
Component: Application Security Manager
Symptoms:
An Open API Security policy created from a swagger file has URLs with a double forward slash '//' in the URL name when the 'basePath' value ends with the '/' character.
Conditions:
The 'basePath' entry value in a swagger file has a '/' character at the end.
Impact:
Security policy URL has wrong name.
Workaround:
None.
Fix:
Double '/' at connection between 'basePath' and 'path' is now replaced by a single slash '/' character.
792341 : Google Analytics shows incorrect stats.
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.
Fix:
ASM now handles the backend's response to fix up document.referrer for tools that read this property.
792285 : TMM crashes if the queuing message to all HSL pool members fails
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing a message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging in use, for example (but not limited to) the iRule HSL::send command.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
792265 : Traffic logs do not include the BIG-IQ tags
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
AVR collects traffic data and sends it to BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
792045 : Prevent WAM cache type change for small objects
Component: WebAccelerator
Symptoms:
Transfer stalls.
Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.
Impact:
Transfer stalls.
Workaround:
None.
Fix:
WAM serves small objects from cache successfully.
791337 : Traffic matching criteria fails when using shared port-list with virtual servers
Component: Local Traffic Manager
Symptoms:
The system reports an error:
01b90011:3: Virtual Server /Common/vs1's Traffic Matching Criteria /Common/vs1_tmc_obj illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs2 destination address, source address, service port.
Conditions:
-- Creating virtual servers with shared object port-list.
-- Using the same port in another virtual server with a different protocol and overlapping source and destination IP addresses.
Impact:
Config validation failure prevents configuration changes.
Workaround:
Use different IP addresses and ports.
791057 : MCP may crash when traffic matching criteria is updated
Component: Advanced Firewall Manager
Symptoms:
MCP may crash when traffic matching criteria is updated, either directly or as the result of a configuration sync operation.
Conditions:
The specific root cause is unknown, although the crash is related to the update of traffic matching criteria.
Impact:
mcpd restarts. This results in a failover (when DSC is in use) or a halt to traffic processing (when DSC is not in use) while mcpd is restarting.
Workaround:
None.
790949 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
Component: Service Provider
Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.
For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.
Some documented and actual default values have changed across releases.
Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.
Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.
Impact:
Depending on the protocol, the limits might not take effect as configured.
Incorrect documentation and/or lack of validation could lead to configuring an invalid value.
Workaround:
None.
Fix:
Default values of MRF router profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' are validated and applied as documented.
The default value in an MRF router profile is as documented for the protocol.
Documentation is consistent for tmsh '?' help, the 'help' command, and the GUI.
A value of 0 may not be configured; if an old configuration with a value of 0 is loaded, the value is automatically converted to the default value.
Behavior Change:
Default values of MRF router profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' are validated and applied as documented.
The default value in an MRF router profile is as documented for the protocol.
Documentation is consistent for tmsh '?' help, 'help' command, and GUI.
A value of 0 may not be configured; if an old configuration with a value of 0 is loaded, the value is automatically converted to the default value.
790897 : In the GUI, no warning messages are displayed for iRules
Component: Local Traffic Manager
Symptoms:
In the GUI no warning messages are displayed for iRules that fail due to syntax issues.
Conditions:
Using iRules that have non-fatal issues that are not caught in the GUI.
Impact:
The GUI does not display warning messages in response to iRules syntax issues that cause failures.
Note: The same conditions do provide warning messages displayed in tmsh when configured through the CLI.
Workaround:
None.
Fix:
You can now configure the BIG-IP system to treat iRule Tcl warnings as errors. This is enabled by setting the rule.validation DB key to 'extreme', as follows:
tmsh modify sys db rule.validation value extreme
Behavior Change:
The BIG-IP system now has the ability to translate iRule Tcl warnings into errors by setting the 'rule.validation' DB key to 'extreme'. This level of validation prevents a rule from being updated until the warnings are addressed.
This behavior is not enabled by default. To enable the ability, use the command:
tmsh modify sys db rule.validation value extreme
790349 : merged crash with a core file
Component: Application Security Manager
Symptoms:
merged crashes and restarts.
Conditions:
A tmstat sync operation is occurring in the background.
Impact:
Statistical data is not available for system utilities/graphs while merged restarts. There is no other impact besides the appearance of the core file.
Workaround:
None.
Fix:
The merged core scenario has been fixed.
790205 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
790089 : ASM SPA JavaScript code causes a web page to hang upon parallel ajax requests.
Component: Application Security Manager
Symptoms:
A web page hangs when parallel AJAX requests are sent.
Conditions:
-- ASM provisioned.
-- Single Page Application (SPA) enabled Bot Defense, DoS, or ASM Policy.
-- Bot Defense, DoS, or ASM Policy attached to a virtual server.
-- A web page sends two or more parallel AJAX requests.
Impact:
Web-page processing halts; an endless loading image is displayed.
Workaround:
The issue was introduced in the May-2019 live-update file. Rolling back to the Apr-2019 file avoids the issue.
Fix:
ASM SPA JavaScript code has been fixed and avoids endless stack traversing.
789993 : Failure when upgrading to 15.0.0 with config move and static management-ip.
Component: TMOS
Symptoms:
Upgrade to 15.0.0 from earlier version fails.
Conditions:
This happens when upgrading to 15.0.0 from earlier versions with static management-ip (dhclient.mgmt set to disabled).
Impact:
As the config move fails, the Management IP address might not be correct on the newly installed 15.0.0 device.
Workaround:
Keep DHCP enabled before upgrading or reset the management-ip after upgrade.
Fix:
Upgrading to 15.0.0 with config move and a static management-ip no longer fails.
789893 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Workaround:
None.
Fix:
The SCP file transfer system now follows current best practices.
789817 : In rare conditions info fly-out not shown
Component: Application Security Manager
Symptoms:
When the question mark icon ('?') is close to the right upper corner of the page, the info fly-out is not shown when the question mark icon is clicked.
Conditions:
This can occur under the following conditions:
-- On Security :: Application Security screens that display a question mark for a help icon.
-- The ? icon is close to the right upper corner of the page.
-- Clicking the question mark icon to open the fly-out menu.
Impact:
Info fly-out not shown.
Workaround:
Change page size so that the ? icon is not in the right upper corner.
Fix:
Fly-out is shown correctly in all cases.
789169 : Unable to create virtual servers with port-lists from the GUI★
Component: TMOS
Symptoms:
Using the GUI to create a virtual server with a port-list or address-list fails with the following error:
01070096:3: Virtual server <virtual server name> lists profiles incompatible with its protocol.
Conditions:
- The virtual server is created with an ip-protocol set to a value other than 'any'.
- A port-list or address-list is used.
Impact:
Virtual server creation fails.
Workaround:
Create the configuration in tmsh.
1. Create an LTM traffic-matching-criteria object to define the port-list and/or address list. The protocol on the traffic-matching-criteria must be set to the protocol that the virtual server will use.
2. Create the LTM virtual server, and set the traffic-matching-criteria to the name of the traffic-matching-criteria object.
Fix:
When creating a virtual server with a port-list from the GUI, a traffic-matching-criteria object is now created internally and mapped to the virtual server. This ensures that the traffic-matching-criteria object uses the same ip-protocol as the virtual server.
789085 : When executing the ACCESS::session iRule command under a serverside event, tmm may crash
Component: Access Policy Manager
Symptoms:
Executing the ACCESS::session iRule command inside a serverside event, e.g., SERVER_CONNECTED, may cause tmm to crash.
Conditions:
ACCESS::session iRule command invoked under a serverside event, for example:
when SERVER_CONNECTED {
log local0. "[ACCESS::session data get session.user.sessionid]"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes during the execution of ACCESS::session iRule on a serverside event, e.g. SERVER_CONNECTED.
789045 : Wrong Secure Attribute description
Component: Fraud Protection Services
Symptoms:
The GUI description of Secure Attribute is incorrect.
Conditions:
-- Provision and license FPS
-- Viewing the description of Secure Attribute
Impact:
The description is incorrect. The correct description is 'Sets the status of the Secure Attribute on all FPS cookies.'
Workaround:
None.
Fix:
Modified the Secure Attribute description.
788949 : MySQL Password Initialization Loses Already Written Password
Component: TMOS
Symptoms:
In some cases, the MySQL root password initialization is not complete. A re-attempt to restart MySQL fails.
Conditions:
-- MySQL startup script is interrupted.
-- Setting the root password fails.
Impact:
Processes may fail to connect to MySQL server.
Workaround:
None.
Fix:
Corrected MySQL startup script so it can recover if an earlier attempt to set the root password fails.
788813 : TMM crash when deleting virtual-wire config
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
This can occur when deleting a virtual-wire config.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The fix should prevent the crashes.
788773 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788741 : TMM cores in the MQTT proxy under rare conditions
Component: Local Traffic Manager
Symptoms:
TMM may core in the MQTT proxy under unknown conditions.
Conditions:
-- MQTT proxy in use.
-- It is not known what other conditions are required to cause this issue.
Impact:
TMM cores. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the MQTT proxy.
788705 : Clarification of JSON schema validator reference resolving support
Component: Application Security Manager
Symptoms:
The JSON schema validation feature released in 15.0.0 supports only the following reference-resolving functionality:
-- Support of local references and definitions (in-file or in secondary schema file) during schema load.
-- An external reference is fully matched against the base ID of a secondary file, up to the fragment identifier, after which it is internally resolved within the secondary file.
The validator does not support the following:
-- Network fetching of external schema files.
-- Assumptions regarding filesystems, such as matching file name to ID.
-- Internal or external base ID modification. Each schema must contain a root base ID, and fragments are only resolved internally; fragments containing IDs are not supported.
Conditions:
-- Attempted upload of JSON schema files.
-- JSON schema validation on uploaded schema.
-- Schema contains unsupported references which validator is unable to resolve.
Impact:
Schema files cannot be uploaded and used for JSON traffic validation.
Workaround:
Schema can be modified in any of the following ways:
-- Definition of all references in main schema file.
-- Use of full path in all references and IDs.
-- Use of supported types of references such as full path followed by fragment identifier and internal path.
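A pre-upload check for the reference-resolving rules listed in this issue, added here as an example (it is not ASM's validator, and the rules are taken only from the text above). It classifies each '$ref' in a main schema as local, matched against a loaded secondary schema's base ID, or unsupported (network fetch, filename-based relative path, ID inside a fragment), and flags a missing root base ID. The schemas embedded below are constructed samples.

```python
"""Classify JSON schema references against the ASM validator rules described above.

Added example, not F5 code. Rules applied (from the issue text):
  - local references ('#/...') are resolved in-file;
  - an external reference is supported only when its part before the fragment
    exactly matches the root base ID of a loaded secondary schema;
  - network fetching, filename matching and IDs inside fragments are unsupported;
  - every schema must carry a root base ID.
"""
import json

# Constructed main schema exercising each reference kind.
MAIN_SCHEMA = json.loads("""{
  "$id": "https://schemas.example.test/order.json",
  "type": "object",
  "properties": {
    "customer": {"$ref": "#/definitions/customer"},
    "address":  {"$ref": "https://schemas.example.test/address.json#/definitions/postal"},
    "payment":  {"$ref": "https://schemas.example.test/payment.json#/definitions/card"},
    "note":     {"$ref": "note.json#/definitions/text"},
    "legacy":   {"$id": "legacy", "type": "string"}
  },
  "definitions": {"customer": {"type": "object"}}
}""")

# Constructed secondary schema that would be uploaded alongside the main one.
SECONDARY_SCHEMAS = [json.loads("""{
  "$id": "https://schemas.example.test/address.json",
  "definitions": {"postal": {"type": "string"}}
}""")]


def root_id(schema):
    """Root base ID, accepting draft-06+ '$id' or draft-04 'id'."""
    return schema.get("$id") or schema.get("id")


def _walk(node, path, out):
    """Collect ($ref, nested $id) occurrences with their JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                out.append((path, "$ref", value))
            elif key in ("$id", "id") and isinstance(value, str) and path:
                out.append((path, "$id", value))  # an ID below the root
            else:
                _walk(value, path + [key], out)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, path + [str(i)], out)


def check_references(main, secondaries):
    """Return a list of (json_path, reference, verdict) for the main schema."""
    findings = []
    if not root_id(main):
        findings.append(("", "", "missing root base ID"))
    known = {root_id(s) for s in secondaries if root_id(s)}
    refs = []
    _walk(main, [], refs)
    for path, kind, value in refs:
        where = "/".join(path)
        if kind == "$id":
            findings.append((where, value, "unsupported: ID inside a fragment"))
            continue
        base, _, _fragment = value.partition("#")
        if base == "":
            findings.append((where, value, "ok: local reference"))
        elif base in known or base == root_id(main):
            findings.append((where, value, "ok: matches a loaded schema base ID"))
        elif base.startswith(("http://", "https://")):
            findings.append((where, value, "unsupported: would require network fetch"))
        else:
            findings.append((where, value, "unsupported: relative path relies on filename matching"))
    return findings


def unsupported(findings):
    """Only the findings that would make the upload fail."""
    return [f for f in findings if not f[2].startswith("ok")]


if __name__ == "__main__":
    for where, ref, verdict in check_references(MAIN_SCHEMA, SECONDARY_SCHEMAS):
        print(f"{where or '<root>'}: {ref or '-'} -> {verdict}")
```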
788557-3 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST: BGP graceful restart.
The problem occurs when the routing daemon bgpd restarts (e.g., when the bgpd daemon is terminated, which is not a supported operation). Another trigger is running the 'bigstart restart' command on the primary blade of a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is no longer recreated at the GRST timeout.
788473 : Email sent from APM is not readable in some languages
Component: Access Policy Manager
Symptoms:
Email sent from APM is not readable in some languages.
Conditions:
APM administrator has configured Email Agent in the per-session policy.
Impact:
Users receiving the email in certain languages cannot read the email.
Workaround:
None.
Fix:
Email clients can now properly decipher APM emails.
788417 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If a Windows policy forces the user to provide credentials, or if Single Sign-On fails, the end user may see a credentials prompt containing the base64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
             $locationUri contains "username=s:f5_apm" } {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
788325 : Header continuation rule is applied to request/response line
Solution Article: K39794285
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header across several lines, prefixing each continuation line with leading whitespace. This rule does not apply to the request or response line, so leading whitespace on the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers, either passing them through to the pool member, failing to properly handle the request (or response), or failing to correctly load balance a connection (or a request, in the case of a OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace on the first header line, it properly parses the header and handles it correctly.
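To make the parsing difference concrete, here is an added example (not BIG-IP code) with two small header parsers run over constructed requests: one that applies the continuation rule to the line right after the request line, which turns the first header into an empty-valued entry and hides it, and one that treats leading whitespace there as invalid, parses the line as a normal header and flags the message as malformed. A genuine obs-fold continuation of a later header is handled the same way by both.

```python
"""Header-continuation handling for the first header line (added example, not BIG-IP code).

The exact internal representation the issue describes is not documented here;
the 'buggy' parser only reproduces the visible effect: the real header is hidden.
"""

# Constructed sample: the first header line starts with a space, which is invalid.
REQUEST_WITH_LEADING_WS = (
    "GET /index.html HTTP/1.1\r\n"
    " Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "\r\n"
)

# Constructed sample: a valid obs-fold continuation of a long header.
REQUEST_WITH_OBS_FOLD = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "  (constructed folded continuation)\r\n"
    "\r\n"
)


def _split_header_lines(raw):
    """Return (start_line, [header lines]) from a raw HTTP message head."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def _add_header(headers, line):
    name, _, value = line.partition(":")
    headers.append((name.strip(), value.strip()))


def parse_headers_buggy(raw):
    """Faulty behaviour: any whitespace-led line is a continuation. With no
    preceding header to continue, the first line is stored as a header with
    an empty value, so 'Host' is no longer findable by name."""
    _, lines = _split_header_lines(raw)
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t"):
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
            else:
                headers.append((line.strip(), ""))  # whole line becomes the name, value empty
            continue
        _add_header(headers, line)
    return headers


def parse_headers_fixed(raw):
    """Corrected behaviour: the continuation rule applies only to lines that
    follow a header field. Leading whitespace on the first header line is
    invalid, so the line is parsed as a normal header and the message is
    flagged as malformed (a strict deployment could reject it instead).
    Returns (headers, malformed)."""
    _, lines = _split_header_lines(raw)
    headers = []
    malformed = False
    for i, line in enumerate(lines):
        if line[:1] in (" ", "\t"):
            if i > 0:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
                continue
            malformed = True
            line = line.lstrip(" \t")
        _add_header(headers, line)
    return headers, malformed


def get_header(headers, name):
    """Case-insensitive lookup; None when the header is absent (or hidden)."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


if __name__ == "__main__":
    print("buggy Host:", get_header(parse_headers_buggy(REQUEST_WITH_LEADING_WS), "Host"))
    fixed, bad = parse_headers_fixed(REQUEST_WITH_LEADING_WS)
    print("fixed Host:", get_header(fixed, "Host"), "malformed:", bad)
```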
788301 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788269 : Adding toggle to disable AVR widgets on device-groups
Component: Application Visibility and Reporting
Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB variable called avr.gui.widgets.sync has been added to disable widget syncing. Possible values are 'disable' or 'enable'; it is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
788033-4 : tpm-status may return "Invalid" after engineering hotfix installation
Component: TMOS
Symptoms:
When installing certain engineering hotfixes, tpm-status may return "System Integrity: Invalid".
Conditions:
Engineering hotfix installed.
Impact:
System integrity check fails.
Workaround:
None.
Fix:
System integrity check now works as expected on system with engineering hotfixes installed.
788005 : Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)
Component: Service Provider
Symptoms:
The SIP RFC states that if converting a message from a reliable transport to an unreliable transport, the proxy must guarantee delivery.
Conditions:
An administrator requires conversion of SIP messages from TCP to UDP and is willing to forgo the delivery requirement.
Impact:
A system db variable was added to disable the TCP to UDP protection.
Workaround:
None
Fix:
A DB variable, Tmm.Sp.Sip.AllowTcpUdpConversion, has been added; possible values are enable|disable, and the default value is disable. Enabling the DB variable enables the protection that blocks TCP to UDP conversion for SIP messages.
787969 : Validation error regarding disabling DoS Software Mode is unclear
Component: Advanced Firewall Manager
Symptoms:
You encounter an error message: This platform does not support DoS hardware capability, which is needed to disable this sys db variable.
Conditions:
-- This can be encountered during system start, or when loading a UCS file.
-- The error is logged if the DB variable Dos.ForceSWDos is set to false on a platform that does not support hardware DoS capability.
Impact:
The error is logged, but it is unclear that it means the DB variable Dos.ForceSWDos is set to false on a device that does not have hardware DoS capability.
Workaround:
None.
Fix:
The validation message has been revised to include the DB variable in question.
787965 : URLCAT by URI does not work if it contains port number
Component: Traffic Classification Engine
Symptoms:
If the absolute URI contains a port number, URLCAT returns the result: Uncategorized.
Conditions:
Create a new connection using the CONNECT <absolute_uri> method.
Impact:
AFM rules configured with use of categorization do not work as intended.
Workaround:
Add URI with port number to custom Feed List.
Fix:
URLCAT now works if the request URI contains a port number.
787945 : IVSERR_SENT_RESULT_LOG displays incorrect IVS name
Component: Service Provider
Symptoms:
Internal virtual server (IVS) logs an incorrect name when it sends a result code back to the primary virtual server.
Conditions:
-- DB variable log.ivs.level value of 'notice' or above.
-- IVS configured with a service that sends a result callback (such as ICAP).
Impact:
Log message can be confusing, and prevents filtering logs based on IVS name.
Workaround:
None.
Fix:
Log message displays correct IVS name.
787905 : Improve initializing TCP analytics for FastL4
Component: Local Traffic Manager
Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.
Conditions:
System clock advances while initializing TCP analytics for FastL4.
Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.
Workaround:
N/A
Fix:
Initialization of TCP analytics for FastL4 is improved.
787853 : BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
1. Create two virtual servers with multiple nodes. Set ICMP echo as all or selective/all.
2. Ping from client to virtual address.
3. Bring down nodes.
4. Ping fails from client to virtual address, as expected.
5. Bring up nodes and make sure all virtual servers are online.
6. Start ping from client to virtual address.
Impact:
The BIG-IP system might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP system may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP system might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
Update virtual address ICMP setting to any or selective/any.
Fix:
This issue has been fixed.
787825 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When a monitor instance has "debug" logging enabled for certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
When debug mode is enabled for the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field for the monitor is now redacted by external monitors when monitor debugging is enabled.
787821 : httprouter may deadlock
Component: Local Traffic Manager
Symptoms:
The httprouter proxy may get into a state where it closes the TCP window, and never reopens it.
Conditions:
The HTTP MRF Router is used. This configuration is typically used with the HTTP2 Full Proxy when you use the httprouter profile.
A very large amount of data arrives from the server in a short amount of time after connection setup.
Impact:
Traffic on an HTTP2 stream or HTTP 1 connection blocks. Eventually, the connection will be killed by the sweeper.
Fix:
The HTTP MRF Router will not get into a state where the TCP window is permanently closed.
787601 : Unable to add 'Enforce' parameter if already configured in different URL
Component: Fraud Protection Services
Symptoms:
If two or more URLs are configured with 'Application Type = Mobile', it is not possible to add the 'Enforce' parameter to more than one URL.
Also, the 'Mobile Encryption Parameter' option is automatically checked if already checked in another URL.
Conditions:
1. License FPS and MobileSafe.
2. Add two or more URLs with 'Application Type = Mobile'.
Impact:
Data sent from MobileSafe SDK may not be encrypted.
Workaround:
Use TMSH to configure these settings.
Fix:
The 'Enforce' parameter is now added correctly, and the 'Mobile Encryption Parameter' is not checked automatically, which is correct functionality.
787477 : Export fails from partitions with '-' as second character
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from a partition that uses the hyphen/dash (-) as the second character of its name results in the error message:
'Incorrect arguments: <partition> is not specified'
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export a policy from the given partition.
Workaround:
Rename the partition so that '-' is not the second character.
Fix:
Export is working as expected in this scenario.
787433 : SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
Component: Local Traffic Manager
Symptoms:
When stapling the OCSP response (and hence OCSP certificate) to the SSL client, the issuer that appears on the OCSP certificate mismatches with what is configured in the client SSL profile as the forward proxy CA cert.
Conditions:
The issue is seen when all the below conditions are met.
-- The BIG-IP system is using SSLO or SSL forward proxy.
-- The client hello sent from the SSL client includes the status request extension. This means that it requests BIG-IP system to staple the OCSP response.
-- The forward proxy CA cert in the client SSL profile is modified.
Impact:
In SSLO or SSL forward proxy mode, the server cert and the OCSP response the BIG-IP system sends to the SSL client should both be signed (issued) by the forward proxy CA cert configured in the client SSL profile. If they are signed by different issuers, some of the validation checks performed by the SSL client may fail, which might lead to the SSL client terminating the SSL handshake.
Workaround:
To update and regenerate the OCSP signer information after modifying the forward proxy CA cert, run the command:
bigstart restart tmm
Fix:
The issuer appearing on the OCSP response always matches the forward proxy CA cert configured at the client SSL profile.
786981 : Pending GTP iRule operation may be aborted when connection is expired
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in a GTP iRule event, the operation may be intermittently aborted when the connection expires.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
Fix:
When a connection expires, pending iRule operations in GTP iRule events are now completed.
786953 : Wrong Data Manipulation titles
Component: Fraud Protection Services
Symptoms:
The Data Manipulation labels in Automatic Transactions say 'Request Data Manipulation Score' and 'Request Data Manipulation Maximum Score', but they should say 'Data Manipulation Score' and 'Data Manipulation Maximum Score'.
Conditions:
-- FPS is licensed and provisioned.
-- Viewing Automatic Transactions.
Impact:
Labels are misleading. Here are the proper definitions:
Data Manipulation Score: The score added to the total alert score if the system detects data manipulation in parameter values or in the Ajax payload. See the online help for more details.
Data Manipulation Maximum Score: The value entered here limits the total combined score that can be added to an alert when the BIG-IP system detects that data manipulation occurred on two or more parameters. See the online help for more details.
Workaround:
None.
Fix:
Modified titles: removed the word 'Request'.
786913 : Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
Component: Application Security Manager
Symptoms:
Upgrade fails when upgrading from 13.0.x or earlier if the config includes an LTM Policy (CPM) that modifies a DoS Application Profile.
Conditions:
-- LTM Policy is configured to specify a DoSL7 profile name.
-- Upgrade is from version 13.0.x or earlier.
Impact:
Upgrade failure.
Workaround:
1. Manually edit the /config/bigip.conf file, and place all of the 'security dos profile' objects before any 'ltm policy' objects.
2. Load the config.
Fix:
Upgrade no longer fails when using an LTM Policy which specifies a DoSL7 profile name.
786897 : Rename of 'AMF Body' context to 'HTTP request body - unparsed payload' in request log
Component: Application Security Manager
Symptoms:
The current context name 'AMF Body' does not clearly describe the logged issue.
Conditions:
When a violation is raised in the context of an unparsed body.
Impact:
'AMF Body' in the log message does not clearly indicate the associated context.
Workaround:
None.
Fix:
Confusing context name 'AMF Body' has been changed to 'HTTP request body - unparsed payload' to more accurately describe the context.
786565 : MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded
Component: Service Provider
Symptoms:
When a message is created using the GENERICMESSAGE::message create iRule command during the CLIENT_DATA event, and the TCP payload buffer is not cleared before the event completes, the data in the payload buffer is forwarded to the generic message filter, disrupting its state machine.
Conditions:
-- A message is created using GENERICMESSAGE::message create iRule command during CLIENT_DATA event.
-- TCP payload buffer is not cleared before the event completes.
Impact:
The data in the payload buffer is forwarded to the generic message filter, disrupting its state machine. Subsequent messages are not forwarded.
Workaround:
To fix the problem, add the following to CLIENT_DATA:
TCP::payload replace 0 [TCP::payload length] ""
Fix:
Data left in the TCP payload buffer is now ignored and does not negatively impact the filter.
786173 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in the GUI becoming unresponsive. The Access :: Overview :: Active Sessions page in the Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Fix:
The solution for the reported issue is handled by the fix provided for ID 783817. ID 786173 fixes a null pointer exception that might occur in the specific case of a certain missing session variable, which is relevant only in BIG-IP releases 14.1.0 or later.
785873 : ASM should treat 'Authorization: Negotiate TlR' as NTLM
Component: Application Security Manager
Symptoms:
When an authentication request with 'Authorization: Negotiate' arrives at ASM, ASM does not count it as a login attempt. As a result, brute force protection is not applied.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Login URL configured in ASM policy.
-- Brute force protection enabled in ASM policy.
Impact:
Brute force attack checking can be skipped if the backend server authorization type is NTLM but the client sends 'Authorization: Negotiate TlR'.
Workaround:
Use an iRule that changes 'Authorization: Negotiate TlR' to NTLM on the client side (before ASM) and sets it back to the original value on the server side (after ASM).
Fix:
After the fix, ASM treats 'Authorization: Negotiate TlR' as NTLM, since the 'TlR' prefix is a sign of NTLM usage.
785605 : Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
Component: Traffic Classification Engine
Symptoms:
If a Feed List is created on a Standby unit, it is not synchronized to other units in the Traffic Group and becomes unusable.
Conditions:
-- Create Feed List on a Standby unit.
-- Attempt to use URLCAT with Custom DB.
Impact:
URL Categorization based on Custom DB does not work.
Workaround:
Create Feed List on the Active unit and synchronize to Standby.
Fix:
Feed Lists can now be used if created on a Standby unit.
785529 : ASM unable to handle ICAP responses whose length is greater than 10K
Component: Application Security Manager
Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives at the ASM enforcer, is forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater than 10 KB) response.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.
Impact:
ASM drops ICAP and HTTP connections.
Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.
Fix:
A new ASM internal parameter has been introduced to make the ICAP response buffer size configurable within the ASM enforcer. The maximum response buffer size is 250 KB. To set the variable, issue the following commands, in sequence:
-- /usr/share/ts/bin/add_del_internal add icap_response_buff_size 250000
-- bigstart restart asm
785481 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
-- tm.rejectunmatched is set to 'false'.
-- A packet matches a BIG-IP object.
-- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.
785253 : Problems in reporting of disallowed URL
Component: Application Security Manager
Symptoms:
Parameters that were configured to be sensitive are not masked.
Conditions:
-- A disallowed URL is configured.
-- A request is sent with sensitive parameters in post data.
Impact:
Sensitive data is not masked.
Workaround:
None.
Fix:
When a disallowed URL is configured and a request is sent with sensitive parameters in post data, the sensitive data is now masked.
784989 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Component: Access Policy Manager
Symptoms:
TMM crashes with a SIGFPE panic:
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed a TMM crash that occurred when a remote desktop/VDI profile was used together with a custom iRule and Debug level logging.
784713 : When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
Component: Local Traffic Manager
Symptoms:
When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).
Conditions:
Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.
Impact:
Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on the browser/client, this may prevent it from using the stapled OCSP response.
Workaround:
None.
Fix:
After the fix, the OCSP signer certificate has the correct AKID X509 extension.
784565 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.
784337 : False positive header related violation
Component: Application Security Manager
Symptoms:
The system reports a false-positive, header-related violation.
Conditions:
-- A custom header is added to the system.
-- A header related violation is turned on.
Impact:
The system reports a false-positive violation.
Workaround:
None.
783969-1 : An invalid SSL close_notify might be sent in some cases.
Component: Local Traffic Manager
Symptoms:
If a clienthello is not fully received and parsed, any alert sent might be invalid (show an invalid version number).
Conditions:
-- A virtual server has a client-ssl profile.
-- The 'unclean-shutdown' option is disabled.
-- The virtual server receives an incomplete clienthello before shutting down.
Impact:
There is no functional impact, although alerts sent might show an invalid version number.
Workaround:
Enable unclean-shutdown (which is enabled by default).
783849 : DNSSEC Key Generations are not imported to secondary FIPS card
Component: Global Traffic Manager (DNS)
Symptoms:
When new DNSSEC Key Generations are generated by a FIPS card, the Generation is not imported to the secondary FIPS card.
Conditions:
BIG-IP has a GTM sync group with FIPS cards in sync, and a new DNSSEC Key Generation is created.
Impact:
The new DNSSEC Key Generation is not imported to the secondary FIPS card, although the generation is synced within the GTM sync group.
Workaround:
N/A
Fix:
DNSSEC Key Generations are now imported to the secondary FIPS card upon creation.
783817 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages show up in the TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in a UI hang. The Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
783617 : Virtual Server resets connections when all pool members are marked disabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Workaround:
None.
783589 : No option to filter out bots with N/A anomaly category
Component: Application Security Manager
Symptoms:
Some of the bots have N/A for the anomaly category. There is no way to filter them on the Bot Traffic or Bot Requests screens.
Conditions:
There are bot requests/bots with N/A for the anomaly category.
Impact:
There is no way to filter them on the Bot Traffic or Bot Requests screens.
Workaround:
None.
Fix:
Added option to filter by the N/A anomaly category.
783565 : Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
Component: Fraud Protection Services
Symptoms:
Upgrade support for the DB variable to attach AJAX payload to the vToken cookie sets the 'send in alerts' flag configured on parameters without checking whether automatic transaction detection is turned on for the URL.
Conditions:
-- BIG-IP version 13.1.x or 14.0.x
-- A protected URL is configured with automatic transaction detection turned off.
-- A parameter on that URL is configured with all flags turned off.
-- The DB variable antifraud.internalconfig.flag1 is set to 'enabled' value.
-- Upgrade to 13.1.x or later (with load config) started.
Impact:
After upgrade, the configuration fails to load due to an error during schema change validation.
Workaround:
-- Set the DB variable antifraud.internalconfig.flag1 value to 'disabled' before the upgrade.
-- Configure 'send in alerts' flag on the parameters manually.
Fix:
Upgrade support now takes into consideration the automatic transaction detection flag on the URL and sets the 'send in alerts' flag on URL parameters only for URLs with automatic transaction detection turned on.
783513 : ASU is very slow on device with hundreds of policies due to logging profile handling
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
783417 : ASM CAPTCHA preview pages don't display the page properly
Component: Application Security Manager
Symptoms:
The CAPTCHA image and corresponding icons are not shown in the window displaying the CAPTCHA message.
Conditions:
1. Go to Security ›› Application Security : Policy : Response Pages.
2. Go to the CAPTCHA section.
3. Press the 'show' button.
4. The preview of the CAPTCHA is not displayed properly.
5. Go to the CAPTCHA Fail section.
6. Press the 'show' button.
7. The preview of the CAPTCHA Fail page is also not displayed properly.
Impact:
The CAPTCHA preview cannot be seen properly by the user.
Workaround:
This only affects the preview.
Fix:
Images are shown properly after fix.
783293 : Special chars < > & displayed incorrectly in BIG-IP GUI logon banner window
Component: TMOS
Symptoms:
If you try to enter any of these three characters: < > & (less than, greater than, ampersand) into the GUI Preference page or the TMSH sys global-settings configuration, they are displayed as escape sequences in the GUI window, correspondingly as: &lt; &gt; &amp;.
Conditions:
Entering one of these three characters into GUI banner text settings: < > &.
Impact:
At the GUI Logon page, the page displays the following characters: &lt; &gt; &amp; instead of the specified characters: < > &.
Workaround:
None.
Fix:
You can now use < > & characters for GUI logon banner text, and the system displays those characters in the GUI logon window.
783289 : PEM actions not applied in VE bigTCP.
Component: Policy Enforcement Manager
Symptoms:
If a PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM, and PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
783233 : OAuth puts quotation marks around claim values that are not string type
Component: Access Policy Manager
Symptoms:
When you define a claim to use with OAuth, and the claim-type setting is set to something other than String, the claim value is treated as a string anyway and encapsulated in quotation marks.
Conditions:
-- OAuth is configured.
-- The OAuth claim value being used is not of type string (e.g., array, boolean, or number).
Impact:
The claim value is encapsulated in quotation marks and processed as a string.
Workaround:
None.
Fix:
OAuth no longer puts quotation marks around claim values that are not string type.
783113-6 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session is processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation happens approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.
782673 : Importing local users CSV via UI shows a redundant error
Component: Access Policy Manager
Symptoms:
Importing a local user CSV via the GUI generates an error:
ERROR common.Facade:error - com.f5.tmui.util.ajax.cli.CliHandlerException: CliHandler: Local User Database: CliHandler: Command failed with error:
Conditions:
-- Importing a local user CSV file via the GUI
-- CSV file is missing a linefeed on the last line
Impact:
The import is successful, but an error is shown in the UI.
Fix:
Fixed an error that occurred when processing the CSV file from the GUI.
782613 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.
Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.
Workaround:
None.
782569 : SWG limited session limits on SSLO deployments
Component: Access Policy Manager
Symptoms:
SWG limited session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections that use custom category lookup (beyond the SWG limited session limit).
Impact:
SSLO fails to connect when the SWG limited session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a custom category only lookup, an SWG limited license is no longer consumed. This answers the case where there is auth (APM) on one virtual server, and the transparent virtual server is SSLO with custom category lookup only.
782529 : iRules does not follow current design best practices
Component: Local Traffic Manager
Symptoms:
iRules does not follow current design best practices.
Conditions:
iRules does not follow current design best practices.
Impact:
iRules does not follow current design best practices.
Workaround:
None.
Fix:
iRules now follows current design best practices.
Behavior Change:
Database variable 'tmm.tcl.rule.connect.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses; TRUE will restore previous behavior and enable loopback connections.
Default value is FALSE.
782401 : Importing CSV reports error message, though operation is successful
Component: Access Policy Manager
Symptoms:
Importing a CSV of users into the APM localdb reports an exception in both the GUI and /var/log/webui.log:
ERROR common.Facade:error - com.f5.tmui.util.ajax.cli.CliHandlerException: CliHandler: Local User Database: CliHandler: Command failed with error:
However, the system actually creates the users, and they are visible on refresh.
Conditions:
CSV import of users into the APM localdb via the GUI.
Impact:
The GUI suggests failure even though localdbmgr actually creates the users. The users are visible on refresh, so although the error appears, there is no impact to functionality.
Workaround:
None. This is cosmetic.
Fix:
The error message for TMUI and in the logs has been improved to show both the return code and the error message printed by the CLI command. If there is no output, the message reports that instead of leaving the reason blank. This should help with debugging.
782353 : SIP MRF via header shows TCP Transport when TLS is enabled
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.
781985 : DNSSEC zone SEPS records may be wiped out from running configuration
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain circumstances, DNSSEC zone SEPS records may be wiped out from running configuration.
Conditions:
This occurs only with GTM configurations loaded by the command: tmsh load sys config gtm-only.
Impact:
SEPS records may be lost after a configuration reload.
Workaround:
None.
Fix:
DNSSEC zone SEPS records are no longer lost from running configuration in response to the command: tmsh load sys config gtm-only.
781865 : Issues in IE8 when using bot defense browser JavaScript verification and SPA
Component: Application Security Manager
Symptoms:
When using JavaScript verification with a Single Page Application (SPA) on Microsoft Internet Explorer version 8 (IE8) on Windows 7, there is an error message in the browser console which can cause whitepage or crash.
Conditions:
-- Bot defense profile is attached.
-- Browser Verification is 'Verify Before Access' or 'Verify After Access' (Blocking and Detection Only).
-- Single Page Application is enabled
-- Navigating to an HTML page using IE8 over Windows 7 OS, and sending ajax requests.
Impact:
Browser gets whitepage or crashes.
Workaround:
None.
Fix:
IE8 is no longer supported in Single Page Application mode. The whitepage and crashes are fixed, but the SPA mechanism will not work on IE8.
781849 : On-Demand Certificate Authentication agent for Per-Request Policy does not work with multiple Client SSL profiles that have the 'Default SSL Profile for SNI' option disabled and assigned to a single Virtual Server
Component: Local Traffic Manager
Symptoms:
After the client certificate has been provided, the browser waits for a response for a few minutes and then displays the error 'Page cannot be displayed'. At the same time, you can observe the following informational messages in the /var/log/apm events log file:
info tmm[12245]: 01870000:6: /Common/app1.example.com:Common:dd1d4e4f: Executed agent (/Common/app1.example.com_On-Demand-CRLDP_ondemand_cert_auth_act_ondemand_cert_auth_ag) with return status (Need more data)
Conditions:
The BIG-IP system is configured as an Identity Aware Application Proxy for access to multiple applications that may require On-Demand Client Certificate Authentication using different Client SSL profiles.
The following is a sample scenario:
-- There are three web applications (app1.example.com, app2.example.com, app3.example.com) located behind the BIG-IP system configured as an Identity Aware Application Proxy (by means of a Per-Request Access policy).
-- app1.example.com and app2.example.com are configured to require On-Demand Client Certificate Authentication as the primary authentication method.
-- Each application requires a separate Client SSL profile with separate Client Authentication options specified.
-- Client SSL profile for app1.example.com application has 'Default for SNI' option enabled.
In this case, all authentication requests to app2.example.com fail, even if a trusted certificate is provided.
Impact:
On-Demand Certificate Authentication fails, even if a trusted client certificate is provided.
Workaround:
Use a single Client SSL profile with a single certificate, where the Subject Alternative Name extension lists fully qualified domain names of all applications, protected by Identity Aware Application Proxy.
781837 : [CPM] 'Use case sensitive string comparison' has no effect on datagroup match
Component: Local Traffic Manager
Symptoms:
The 'Use case sensitive string comparison' setting in Policy options does not have any effect on policy matching when used in combination with a datagroup.
Conditions:
Policy's datagroup and case sensitivity options are used together.
Impact:
Case sensitivity of datagroup matching cannot be toggled using the policy's case sensitivity option.
Workaround:
Add matched strings directly into the traffic policy rule condition to perform case insensitive matching.
Note: Datagroup matching using case insensitivity is not supported.
Fix:
The GUI is changed to reflect that case sensitivity is not supported with datagroups. A warning is also issued in /var/log/ltm if such a configuration is still selected.
781829 : GTM TCP monitor does not check the RECV string if server response string not ending with \n
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server's response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external GTM monitor instead.
781753 : WebSocket traffic is transmitted with unknown opcodes
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved, so the traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
781725 : BIG-IP systems might not complete a short ICAP request with a body beyond the preview
Component: Service Provider
Symptoms:
An ICAP request (REQMOD or RESPMOD) body goes out to the ICAP server as far as a preview. If the server responds 100-continue, only a single chunk of the remaining payload might be sent to the server. Eventually the connection times out.
Conditions:
-- An ICAP profile is configured with a preview.
-- The HTTP request or response to be modified has a body that is more than one chunk longer than the preview length, yet short enough to be completely buffered in BIG-IP system before the preview is sent to the ICAP server.
-- The ICAP server responds with 100-continue.
Impact:
Only the first chunk of payload is sent after the preview, and eventually the connection times out.
Workaround:
None.
Fix:
The BIG-IP system now sends the complete ICAP request to the server, and the transaction completes normally.
781637 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
Fix:
The ASM code has been fixed and no longer counts unnecessary failed logins for NTLM.
781605 : Fix RFC issue with the multipart parser
Component: Application Security Manager
Symptoms:
A false positive or false negative attack signature match on a multipart payload.
Conditions:
A very specific parsing issue.
Impact:
A parameter-specific excluded signature may be matched or not matched.
Workaround:
N/A
Fix:
The multipart parser issue has been fixed.
781581 : Monpd uses excessive memory on requests for network_log data
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
781485 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
Component: Policy Enforcement Manager
Symptoms:
The PEM spm_local_cache could be leaked on the STANDBY chassis.
Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.
Impact:
Memory on the STANDBY chassis is leaked.
Workaround:
None.
Fix:
Fixed a potential PEM spm_local_cache leak on the STANDBY chassis.
781449 : Increase efficiency of sPVA DoS protection on wildcard virtual servers
Solution Article: K14703097
781445 : named or dnscached cannot bind to IPv6 address
Component: Access Policy Manager
Symptoms:
In some scenarios, the named process cannot bind to IPv6 addresses. This occurs because the dnscached process listens on the wildcard IPv6 address on port 53 (i.e., :::53), so named cannot respond to queries sent to IPv6 addresses.
The following message is reported in the ltm log:
err named[16593]: binding TCP socket: address in use.
Conditions:
-- The named and dnscached processes are not running.
-- The dnscached process is started first.
-- The named process is started later.
Impact:
The named process does not respond to the queries that are sent to IPv6 addresses at port 53.
Workaround:
1) Stop both named and dnscached process.
2) Edit the startup script for dnscached to start in IPv4-only mode.
2a) On BIG-IP system, open the file /etc/bigstart/startup/dnscached.
2b) Add "-4" to the command line option of dnscached.
3) Restart the processes:
bigstart restart named dnscached
Fix:
The dnscached startup script has been modified to start in IPv4-only mode, so it does not listen on any IPv6 address.
781425-3 : Firewall rule list configuration causes config load failure
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' reports a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if the ip-protocol of any rule-list rule is one of the following protocols:
-- BBN-RCC-MON
-- NVP-II
-- DCN-MEAS
-- OSPFIGP
-- CRUDP
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config.
The configuration now loads without syntax errors.
781377 : tmrouted may crash while processing Multicast Forwarding Cache messages
Component: TMOS
Symptoms:
Under certain conditions, tmrouted may crash while processing Multicast Forwarding Cache (MFC) messages.
Conditions:
tmrouted processing MFC messages.
Impact:
tmrouted crash, leading to a failover event.
Workaround:
None.
Fix:
tmrouted now processes MFC messages as expected.
781113 : Support to enable/disable reusing serverside TIME_WAIT connections
Component: Local Traffic Manager
Symptoms:
Currently, the serverside connections in TIME_WAIT state are reused for new serverside connections (by default) before TIME_WAIT expires. A mechanism is required to disable reusing the TIME_WAIT connections if needed.
Conditions:
A new serverside connection request is made that matches an existing TIME_WAIT connection and connection is reused.
Impact:
BIG-IP system behavior on reusing TIME_WAIT connections is configurable based on the tmm.reuse.ss.timewaitconns sys db.
tmm.reuse.ss.timewaitconns: enabled (the default)
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- The connection is reused.
tmm.reuse.ss.timewaitconns: disabled
-- A new serverside connection request comes for a TIME_WAIT serverside connection.
-- A "Port in use" error is returned.
Workaround:
There is no workaround at this time.
Fix:
A mechanism to enable/disable reusing TIME_WAIT connections on serverside is provided via a sys db.
781069 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- The request has a Referer header that is between ~1400 and 3072 characters long.
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop.
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
781041 : SIP monitor in non default route domain is not working.
Component: Local Traffic Manager
Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available.
Conditions:
SIP pool members in non default route domain.
Impact:
SIP service unavailable.
781021 : ASM modifies cookie header causing it to be non-compliant with RFC6265
Component: Application Security Manager
Symptoms:
When ASM strips the ASM cookies from the Cookie header, it leaves the Cookie header in a form that is not compliant with RFC6265 in two respects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign
Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie
Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.
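The two formatting defects described in this entry can be checked mechanically from the Cookie header a back-end server receives. The following Python is an added example, not F5 code: it places a stripping routine that reproduces the non-compliant output described above beside an RFC 6265-compliant one, and a checker that reports both defects. The 'TS' plus hexadecimal cookie-name pattern, the sample Cookie header and the function names are assumptions made for this example.

```python
import re

# Cookie names treated as ASM-injected cookies. The "TS" + hex naming is an
# assumption made for this example, not a statement about ASM internals.
ASM_COOKIE_NAME_RE = re.compile(r"^TS[0-9a-f]+$", re.IGNORECASE)


def parse_cookie_header(header):
    """Split a Cookie header value into (name, value) pairs. Tolerates the two
    non-compliant forms described above: no space after ';' and a pair with no '='."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def check_rfc6265(header):
    """Return a list of RFC 6265 formatting problems found in a Cookie header value.
    RFC 6265 section 4.2.1: cookie-pairs are separated by "; " and every pair has '='."""
    problems = []
    chunks = header.split(";")
    for chunk in chunks[1:]:
        if not chunk.startswith(" "):
            problems.append("no space after ';' before %r" % chunk.strip())
    for chunk in chunks:
        pair = chunk.strip()
        if pair and "=" not in pair:
            problems.append("cookie-pair %r has no '='" % pair)
    return problems


def strip_cookies_noncompliant(header, is_stripped=ASM_COOKIE_NAME_RE.match):
    """Reproduces the defect described in this entry: remaining pairs are joined
    with a bare ';' and a pair whose value is empty loses its '='."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if not is_stripped(n)]
    return ";".join(n if v == "" else "%s=%s" % (n, v) for n, v in kept)


def strip_cookies(header, is_stripped=ASM_COOKIE_NAME_RE.match):
    """Compliant form: '; ' separator and name=value even when the value is empty."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if not is_stripped(n)]
    return "; ".join("%s=%s" % (n, v) for n, v in kept)


# Constructed sample request header: one ASM-style cookie plus two application
# cookies, the second with an empty value.
SAMPLE_COOKIE_HEADER = "TS01a2b3c4=0123abcd; sessionid=xyz789; consent="

if __name__ == "__main__":
    for fn in (strip_cookies_noncompliant, strip_cookies):
        out = fn(SAMPLE_COOKIE_HEADER)
        print("%-26s -> %r problems=%s" % (fn.__name__, out, check_rfc6265(out)))
```

Running check_rfc6265 against Cookie headers captured behind the BIG-IP system is a quick way to confirm whether the stripping in a given build produces the compliant "; "-separated, name=value form.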
780837 : Firewall rule list configuration causes config load failure
Component: Advanced Firewall Manager
Symptoms:
'tmsh load sys config' reports a syntax error.
The syntax error is reported on 'security firewall rule-list rule' configuration.
Conditions:
This occurs only if the ip-protocol of any rule-list rule is one of the following protocols:
Note: You can see the mismatched protocol names in the /etc/protocols listing file (column 1 and column 3 differ):
bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
ospf 89 OSPFIGP # Open Shortest Path First IGP
crdup 127 CRUDP # Combat Radio User Datagram
Impact:
The system fails to load the configuration.
Workaround:
Manually edit the configuration file: /config/bigip_base.conf
1. Replace the ip-protocol name from rule-list configuration:
-- Change BBN-RCC-MON to bbn-rcc.
-- Change NVP-II to nvp.
-- Change DCN-MEAS to dcn.
-- Change OSPFIGP to ospf.
-- Change CRUDP to crudp.
2. Save the file.
3. Issue the command:
tmsh load sys config.
The configuration now loads without syntax errors.
780817-1 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
780601 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Workaround:
None.
Fix:
The SCP file transfer system now follows current best practices.
779793 : [LC] Error Message "Cannot modify the destination address of monitor" for destination * bigip_link monitor
Component: Global Traffic Manager (DNS)
Symptoms:
Using BIG-IP Link Controller (LC), every 10 seconds, the system logs messages similar to the following example:
-- err mcpd[5570]: 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec.
-- err mcpd[5570]: 01071488:3: Remote transaction for device group /Common/gtm to commit id 1 6681134264373087063 /Common/ELC002.kbn.mlit.go.jp 0 failed with error 0107082c:3: Cannot modify the destination address of monitor /Common/_user_gslbMonitor_bigipLink_fast_60sec..
Conditions:
-- A bigip_link monitor with destination * written in bigip_gtm.conf.
-- That monitor is associated with a link.
-- The following command is run on one of the sync group peers:
tmsh load /sys config gtm-only.
Impact:
LC system failing to load configuration.
Workaround:
Run this command on the LC system that is logging the error message:
tmsh load /sys config gtm-only
779633 : BIG-IP system reuses serverside TIME_WAIT connections irrespective of TMMs used
Component: Local Traffic Manager
Symptoms:
When reusing a serverside TIME_WAIT connection, the BIG-IP system:
-- Establishes the new connection if clientside/serverside connections are on the same TMM.
-- Sends a RST 'Unable to obtain local port' if clientside/serverside connections are on different TMMs.
Conditions:
This happens in two scenarios:
Scenario 1:
-- A new serverside connection is requested that matches an existing TIME_WAIT connection (e.g., by using source-port preserve-strict in the virtual server)
-- Clientside/serverside connections are on the same TMM.
Scenario 2:
-- Clientside/serverside connections are on different TMMs.
Impact:
BIG-IP system behavior is inconsistent. In one case, BIG-IP establishes the connection. In the other case, BIG-IP resets the connection.
Workaround:
None.
Fix:
BIG-IP system reuses serverside TIME_WAIT connections irrespective of clientside/serverside being on the same TMM/different TMMs.
779177 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Component: Access Policy Manager
Symptoms:
Apmd logs the "client-session-id" when access-policy debug log level is enabled.
Conditions:
-- APM is provisioned and licensed.
-- Per-session policy is attached to virtual server.
-- Access-policy log level set to Debug.
Impact:
The client session ID is available in debug log files and may be visible to authenticated administrators.
Workaround:
None.
Fix:
Apmd now no longer logs the client-session-id when access-policy debug log level is enabled.
778869 : ACLs and other AFM features (e.g., IPI) may not function as designed
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM rules (e.g., IPI) features now function as designed.
778681 : Factory-included Bot Signature update file cannot be installed without subscription★
Component: Application Security Manager
Symptoms:
After upgrade, the factory-included Bot Signature update file cannot be installed without subscription, even if it is already installed.
Conditions:
Device is upgraded to 14.1.0 from previous version, and does not have a Bot Signatures subscription.
Impact:
The factory-included Bot Signature update file cannot be installed.
778677 : Factory Search Engines are mistakenly converted to Bot Signatures upon upgrade★
Component: Application Security Manager
Symptoms:
When upgrading to 14.1.0 or later, factory-defined Search Engines are mistakenly converted to Bot Signatures upon upgrade.
Conditions:
The user upgrades to 14.1.0 from previous version.
Impact:
Factory-defined Search Engines are mistakenly converted to Bot Signatures.
Workaround:
The unnecessary Bot Signatures can be deleted after upgrade.
778517 : Large number of in-TMM monitors results in delayed processing
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
Monitor target may appear down when responding correctly.
Monitor may continue to run after removed from pool / member / node.
Increased monitoring load on server.
Workaround:
Disable in-tmm monitors.
Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.
778365 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If a DNS service is running on the LDNS, RTT metrics should be collected successfully, as expected. However, if there is no DNS service on the LDNS, no RTT metrics should be collected. The BIG-IP system nonetheless populates the RTT values, giving users 'false positive' results.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from a DNS service is present, giving users the wrong impression that one is.
Fix:
RTT metrics are collected only when the DNS service is present; otherwise, zero RTT values are returned.
778333 : GUI/CLI max-in-progress discrepancy occurs after upgrade from v11.x to v13.x or later
Component: Access Policy Manager
Symptoms:
If there is an access profile that was created using BIG-IP v11.x or earlier, with a default value of max-in-progress(0), when the configuration is upgraded to v13.x or later, the GUI shows max-in-progress as 128, but at the CLI and in the database, the actual value is 0.
Conditions:
In versions earlier than v13.x, the field 'Max In Progress Sessions Per Client IP' was set to 0 by default; from v13.x, the value is 128.
Impact:
There is a max-in-progress discrepancy between the GUI and the CLI.
Workaround:
During upgrade validation, manually add 'Max In Progress Sessions Per Client IP' to user_spec if it was set to the default value.
The upgrade then treats the field as a customized value, so the discrepancy disappears.
Fix:
The discrepancy is fixed: the GUI shows the value as 0 and marks it as a customized value. If you upgrade an access profile created using v11.x or earlier with the max-in-progress(0) default value, the upgrade to v13.x or later is successful.
778317 : IKEv2 HA after Standby restart has race condition with config startup
Component: TMOS
Symptoms:
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.
Conditions:
The loss of mirrored SAs requires this sequence of events:
-- A system becomes standby after failover; then is restarted.
-- During restart, HA manages to run before IPsec configuration.
-- SAs unsupported by current config are lost despite mirroring.
-- After another failover, the newly active system is missing SAs.
Impact:
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system.
The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.
Workaround:
None.
Fix:
A config-ready condition was added, so HA mirroring can wait for it after a restart and SAs are mirrored with the necessary supporting configuration present. The mcpd and tmipsecd daemons cooperate to signal the config-ready condition once configuration is done.
778125 : LDAP remote authentication passwords are limited to fewer than 64 bytes
Component: TMOS
Symptoms:
The LDAP remote authentication password is limited to fewer than 64 bytes.
Conditions:
Configured for remote authentication with a password that is 64 bytes or longer.
Impact:
Unable to log in as a remote user with a long password.
Workaround:
Set a password that is shorter than 64 bytes.
778077 : Virtual to virtual chain can cause TMM to crash
Component: Local Traffic Manager
Symptoms:
When using a virtual-to-virtual chain via the 'virtual' iRule command, a specific packet might cause TMM to core.
Conditions:
A virtual-to-virtual chain using the 'virtual' iRule command.
Impact:
TMM crash leading to a failover event.
Workaround:
None.
Fix:
TMM now processes virtual-to-virtual chains as expected.
777993 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip; the BIG-IP 2000/4000 and i2000/i4000 series are not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
Fix:
Egress TCP/UDP traffic with same L4 source port and destination port is now evenly distributed among trunk ports.
777937 : AWS ENA: packet drops due to bad checksum
Component: Performance
Symptoms:
-- Lower throughput and tps.
-- High availability (HA) heartbeat is getting dropped, resulting in an active-active configuration.
Conditions:
AWS Elastic Network Adapter (ENA) NIC is in use.
Impact:
Performance degradation and invalid HA configuration.
Workaround:
On the BIG-IP system, turn off TX checksum offloading as follows:
modify sys db tm.tcpudptxchecksum value Software-only
Important: This workaround negatively affects NICs other than ENA. Therefore, the workaround is recommended only when ENA is the only dataplane NIC in use on the BIG-IP system.
Fix:
AWS ENA: no packet drops due to bad checksum.
777737 : TMM may consume excessive resources when processing IP traffic
Solution Article: K39225055
777733 : DoS profile default values cause config load failure on upgrade
Component: Advanced Firewall Manager
Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:
01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).
Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
+ For SIP, the rate_threshold value in 12.x is 30000.
+ For DNS, the rate_threshold value in 12.x is 50000.
Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.
Workaround:
Manually edit the profile to disable bad-actor detection, or change the DNS and SIP rate_threshold values from the old default to 'infinite'; the configuration can then be loaded.
For example, in this affected configuration for DNS:
dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold 50000 <<---
    }
Change it to this:
dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold infinite
    }
At that point, the configuration should load successfully.
Fix:
The 12.1.x default rate_threshold values for DNS (50000) and SIP (30000) are now converted to the new default value of 'infinite' during upgrade, so the configuration loads as expected.
777269 : Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
Component: Local Traffic Manager
Symptoms:
The Address Resolution Protocol is used to allow IP endpoints to advertise their L2 (Ethernet MAC) addresses, and to query their network peers to request needed associations. Typically, TMM will immediately broadcast an ARP announcing its IP-MAC association (sometimes called a "gratuitous" ARP), so that switches can begin directing traffic to the self-ip immediately.
When BIGIP-VE starts with interfaces provided by some hypervisors, it may not learn the MAC address assigned to an interface until several milliseconds after the interface is created. In these cases, the gratuitous ARP contains the MAC address 00:98:76:54:32:10, which is a valid but incorrect MAC address.
Normally, this is harmless, because the correct MAC address is immediately announced once it is known. However, it may be possible for a L2 switch upstream from multiple BIGIP-VE instances to believe a L2 loop has developed, and block one or both ports through which it saw the gratuitous ARPs.
Conditions:
BIG-IP VE, version 13.0.0 or later, running with the virtio driver on an OpenStack-compatible hypervisor.
Impact:
If an upstream switch sees gratuitous ARPs from multiple downstream BIG-IP instances on the same L2 LAN, it might block connectivity to one or more ports through which the gratuitous ARPs are seen. The self IP may appear to have connectivity for some time after it comes up, before connectivity is blocked at the upstream switch.
Fix:
Gratuitous ARPs sent with an incorrect MAC address are no longer broadcast.
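On the capture side, the incorrect MAC address quoted above is easy to recognise in gratuitous ARP frames, which is useful when checking whether an upstream switch's port block was triggered by this issue. The following Python is an added example, not part of the release note or of BIG-IP: it constructs a few Ethernet/ARP frames, parses them, and flags gratuitous ARPs whose sender hardware address is the placeholder 00:98:76:54:32:10. The IP addresses, the "real" MAC address and the function names are constructed for this example.

```python
import struct

# The incorrect MAC address named in the release note.
PLACEHOLDER_MAC = bytes.fromhex("009876543210")
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(sender_mac, sender_ip, target_ip, opcode=1, target_mac=b"\x00" * 6):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Used only to construct sample input for this example."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp["spa"] == arp["tpa"]


def find_placeholder_mac_announcements(frames):
    """Flag gratuitous ARPs sent from the placeholder MAC.
    Returns (frame index, announced IP, sender MAC) tuples."""
    findings = []
    for index, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        if arp["sha"] == PLACEHOLDER_MAC:
            findings.append((index, ip_str(arp["spa"]), mac_str(arp["sha"])))
    return findings


# Constructed sample traffic: the addresses and the "real" MAC are made up for the example.
REAL_MAC = bytes.fromhex("525400123456")
SAMPLE_FRAMES = [
    build_arp_frame(PLACEHOLDER_MAC, "10.0.0.5", "10.0.0.5"),  # announcement with the wrong MAC
    build_arp_frame(REAL_MAC, "10.0.0.5", "10.0.0.5"),         # corrected announcement
    build_arp_frame(REAL_MAC, "10.0.0.5", "10.0.0.1"),         # ordinary ARP request
    b"\x00" * 20,                                               # not ARP at all
]

if __name__ == "__main__":
    for index, ip, mac in find_placeholder_mac_announcements(SAMPLE_FRAMES):
        print("frame %d: gratuitous ARP for %s from placeholder MAC %s" % (index, ip, mac))
```

Only frames whose sender and target protocol addresses match are treated as gratuitous, so ordinary requests and replies from the same self IP are not reported; a real capture would feed the raw Ethernet frames into find_placeholder_mac_announcements in place of SAMPLE_FRAMES.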
777261 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
777245 : DNSSEC client-facing SOA zone serial does not update when DNSSEC related RR changes
Component: Global Traffic Manager (DNS)
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update.
Workaround:
None.
Fix:
The system now updates the client-facing SOA for the various changes to a DNSSEC zone.
777229 : IPsec improvements to internal pfkey messaging between TMMs on multi-blade
Component: TMOS
Symptoms:
There is no known performance degradation. This work eliminates unnecessary duplication of internal messages.
Conditions:
- IPsec tunnel configured.
- Multi-blade system.
Impact:
Extra logging in the TMM log due to duplicated internal messaging.
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
Fix:
Duplication of inter-tmm messaging has been eliminated.
777173 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Component: Access Policy Manager
Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as standalone (no LTM license).
- An administrator tries to run the Citrix vdi iApp.
Impact:
The administrator is not able to use the iApp to configure Citrix vdi access.
Workaround:
Adding an LTM module license resolves the error.
Fix:
The Citrix vdi iApp can now be used to configure Citrix vdi access in an APM standalone deployment.
777165 : Occasional crash from sessiondump
Component: Access Policy Manager
Symptoms:
When displaying large binary keys, the sessiondump command can crash due to a buffer overrun.
Conditions:
-- Running the following command:
sessiondump --allkeys
-- Large binary keys exist.
Impact:
The sessiondump command crashes; requested keys are not displayed.
Workaround:
None.
Fix:
Sessiondump now displays large binary keys without crashing.
776521 : Connection information is needed when an SSL handshake aborts
Component: Local Traffic Manager
Symptoms:
When an SSL handshake aborts, sometimes the resulting log message does not contain connection information. This makes it difficult to trace the cause of the abort.
Conditions:
An SSL handshake aborts.
Impact:
It is difficult to determine the cause of the aborted SSL handshake.
Fix:
All SSL handshake abort messages now contain the connection information.
776229 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-zero port in the CLIENT_ACCEPTED event.
Fix:
Pool members that use port number 0 (zero) are no longer blocked from iRule 'pool' commands.
776073 : OOM killer kills tmm in system low-memory condition because the process OOM score is high
Component: TMOS
Symptoms:
When the BIG-IP system is running in a low-memory situation, the Out-Of-Memory (OOM) killer is more likely to select tmm to kill in order to release resources.
Conditions:
-- BIG-IP version 13.0.x or later is installed and the system is running with low memory.
-- AFM is provisioned, which makes the tmm process more likely to be selected by the OOM killer.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Adjust the OOM score of the tmm process through the oom_score_adj proc setting:
echo "-500" > /proc/<pid_of_tmm>/oom_score_adj
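The workaround above writes the adjustment for one PID by hand. The following added example (not part of the F5 release note) applies the same -500 value to every tmm process, validates the value against the kernel's accepted -1000..1000 range first, and reads the file back so a silently refused write is reported. It assumes the Linux /proc layout and that tmm processes can be found with `pgrep -x tmm`; PROC_ROOT is a hypothetical override used only so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the F5 release note: lower the OOM score of every
# tmm process and confirm the kernel accepted the value. Assumes the Linux
# /proc layout. PROC_ROOT is a hypothetical override used only so the logic
# can be tried against a scratch directory instead of the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Return 0 if $1 is a signed integer within the kernel's -1000..1000 range.
valid_oom_score_adj() {
    case "$1" in
        ''|*[!0-9-]*|-|?*-*) return 1 ;;   # empty, non-digit, lone '-', or misplaced '-'
    esac
    [ "$1" -ge -1000 ] && [ "$1" -le 1000 ]
}

# Write VALUE into oom_score_adj for each PID given, then read it back.
# Returns 1 if the value is invalid or any process did not take the value.
# Usage (as root): set_oom_score_adj -500 $(pgrep -x tmm)
set_oom_score_adj() {
    value=$1; shift
    valid_oom_score_adj "$value" || { echo "invalid oom_score_adj: $value" >&2; return 1; }
    rc=0
    for pid in "$@"; do
        f="$PROC_ROOT/$pid/oom_score_adj"
        if [ ! -w "$f" ]; then
            echo "pid $pid: $f not writable (process gone, or not root?)" >&2
            rc=1; continue
        fi
        printf '%s\n' "$value" > "$f"
        # The kernel may refuse or clamp the write; trust only what it reports back.
        got=$(cat "$f")
        if [ "$got" != "$value" ]; then
            echo "pid $pid: wanted $value, kernel reports $got" >&2
            rc=1
        fi
    done
    return $rc
}

# Show the current score and adjustment for each PID so the effect can be audited.
show_oom_scores() {
    for pid in "$@"; do
        printf '%s oom_score=%s oom_score_adj=%s\n' "$pid" \
            "$(cat "$PROC_ROOT/$pid/oom_score" 2>/dev/null || echo '?')" \
            "$(cat "$PROC_ROOT/$pid/oom_score_adj" 2>/dev/null || echo '?')"
    done
}
```

The adjustment is per process and does not survive a tmm restart, so on a fixed-less release it has to be reapplied after every tmm restart; the read-back check is what tells you whether the write actually landed.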
Fix:
The OOM score for the tmm process is adjusted so that the OOM killer does not prioritize tmm during a system low-memory condition.
775897 : High Availability failover restarts tmipsecd when tmm connections are closed
Component: TMOS
Symptoms:
All security associations (SAs) can be deleted when tmipsecd restarts as a result of closing tmm connections during failover from active to standby.
Conditions:
When failover happens for high availability (HA), tmipsecd aims to close tmm connections when on standby, because tmm must connect instead to the daemon running in the active system. A side effect of this restarts tmipsecd, resulting in deletion of all SAs when tmipsecd comes back up.
Impact:
tmipsecd restarts. All IPsec tunnels experience an interruption of service until new SAs are negotiated.
Workaround:
None.
Fix:
Now tmipsecd no longer restarts when the tmm connections are closed in response to failover from active to standby.
775833 : Administrative file transfer may lead to excessive resource consumption
Component: Application Security Manager
Symptoms:
Under certain conditions, administrative users transferring files to BIG-IP may trigger excessive resource consumption.
Conditions:
-- Authenticated administrative access.
-- File transfer initiated by user.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
None.
Fix:
File transfers now consume resources as expected.
775801 : [GTM] [GUI] 'Route Advertisement' checked but not saved when creating GTM listener
Component: Global Traffic Manager (DNS)
Symptoms:
'Route Advertisement' is not enabled even if you check the checkbox.
Conditions:
Creating GTM listener using the GUI.
Impact:
'Route Advertisement' is not enabled.
Workaround:
After the listener is created, modify the listener in the GUI and check the checkbox for 'Route Advertisement', and save.
775733 : /etc/qkview_obfuscate.conf not synced across blades
Component: TMOS
Symptoms:
By default, sensitive data, such as SSL keys, are excluded from QKView files. However, in some cases you may want to include sensitive information in the QKView file, so it must be obfuscated for security purposes. (Note: For information on how to configure this feature, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.)
In high availability (HA) configurations, the /etc/qkview_obfuscate.conf file is not copied to secondary blades on chassis platforms during sync operations.
Conditions:
-- Run qkview.
-- Upload qkview file to iHealth.
Impact:
Potentially sensitive information could be uploaded to iHealth or F5 Support. This occurs because qkview behaves differently when there is an obfuscate.conf on the active blade: it automatically gathers the same information on the other blades, but does not obfuscate that sensitive data.
Workaround:
Manually copy /etc/qkview_obfuscate.conf to all blades.
Note: Do not upload sensitive data to iHealth or F5 Support. If you are obfuscating data, make sure to complete this step for every blade.
Fix:
/etc/qkview_obfuscate.conf is now synced across all blades.
775621 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
775013 : TIME EXCEEDED alert has insufficient data for analysis
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption-failure alerts now provide additional details to assist in troubleshooting the process.
774913 : IP-based bypass can fail if SSL ClientHello is not accepted
Component: Local Traffic Manager
Symptoms:
IP-based bypass can fail for an SSL stream if the client sends a ClientHello that is not accepted by the BIG-IP system.
Conditions:
Client's SSL ClientHello message is not accepted by the BIG-IP system.
Impact:
Connection drop.
Workaround:
None.
Fix:
The SSL bypass policy is now checked before the ClientHello message is parsed.
774881-1 : Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.
Component: Protocol Inspection
Symptoms:
Protocol Inspection profiles can be added to a virtual server but are not applied to traffic.
To add a Protocol Inspection profile, it is now required to have an AFM standalone license or an AFM add-on license that includes the Protocol Inspection module. Otherwise, an error message is shown.
Conditions:
-- AFM is licensed as an add-on module without Protocol Inspection feature.
-- Protocol Inspection profile is configured and added to a virtual server or referenced in a firewall rule.
Impact:
It might appear that the configured Protocol Inspection profile attached to a virtual server or referenced in a firewall rule should work, but in fact, it is not applied to the actual traffic.
Workaround:
None.
Fix:
An error message is shown when trying to apply a Protocol Inspection profile to a virtual server or to a firewall rule when there is no Protocol Inspection license.
774633 : Memory leak in tmm when session db variables are not cleaned up
Component: Access Policy Manager
Symptoms:
There are some session db variables created as part of the split session proxy that have an indefinite timeout. If there is an error path or a failure with an inline service, the delete never gets called and these session keys build up over time, causing memory to leak in tmm.
Conditions:
SSLO setup with a service connector that fails.
Impact:
tmm eventually runs out of memory and generates a core file.
Workaround:
None.
Fix:
Variables have been set with a timeout so that they don't leak memory if the inline service fails.
774481 : DNS Virtual Server creation problem with Dependency List
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh.
-- Create the virtual server through the GUI without the dependent virtual server first, and then edit the virtual server to add the dependency.
774361 : IPsec High Availability sync during multiple failover via RFC6311 messages
Component: TMOS
Symptoms:
After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages, whose content can present the wrong message IDs, which are also marshalled in host byte order instead of network byte order.
Conditions:
When active and standby systems failover multiple times, and a newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize expected ID sequences.
Impact:
IPsec tunnels experience a temporary outage until new security associations are negotiated.
Workaround:
No workaround is known at this time.
Fix:
The following changes have been applied to RFC6311 messages:
-- Values are now passed in big-endian network byte order.
-- BIG-IP is willing to send messages after multiple failovers.
-- Active always syncs with standby before putting IDs into messages.
774301 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Component: Access Policy Manager
Symptoms:
When the BIG-IP system, configured as a SAML IdP or SAML SP, processes SAML Requests/Responses, the verification of the digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This also applies to any signed SAML requests/responses:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
d) SAML SLO Request/Response
Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. The BIG-IP SAML IdP or SAML SP fails to process SAML Requests/Responses, resulting in errors. APM cannot be deployed as a SAML SP with Assertion Artifact binding.
Workaround:
None.
Fix:
Output now matches the 'Canonicalized element without Signature' calculated by APM, so deployment occurs without error.
774261 : PVA client-side current connections stat does not decrease properly
Component: Local Traffic Manager
Symptoms:
When FTP is used with bigproto, the PVA client-side current connections stat does not decrease after connections are closed.
Conditions:
-- Use an FTP virtual server.
-- End user clients connect to the virtual server.
Impact:
An incorrect stat for client-side current connections will be reported for 'tmsh show sys pva-traffic global' and 'tmctl pva_stat'.
Example:
config # tmsh show sys pva-traffic global
-------------------------------------------------
Sys::PVA
-------------------------------------------------
PVA Traffic ClientSide ServerSide
Bits In 23.6K 219.7K
Bits Out 219.7K 23.6K
Packets In 40 335
Packets Out 335 40
Current Connections 295 0 <-----
Maximum Connections 296 8
Total Connections 335 40
Miscellaneous
Cur PVA Assist Conns 0
Tot PVA Assist Conns 335
HW Syncookies Generated 0
HW Syncookies Detected 0
config # tmsh show sys conn all-properties
Really display 1000 connections? (y/n) y
Sys::Connections
Total records returned: 0 <--------- No connections; this is the correct state.
Workaround:
This issue does not occur when 'inherit parent profile' is enabled on the FTP profile used by the virtual server.
Fix:
The client-side current connections stat is decreased when connections are closed. 'tmsh show sys pva-traffic global' and 'tmctl pva_stat' now show accurate data.
774213 : SWG session limits on SSLO deployments
Component: Access Policy Manager
Symptoms:
SWG session limits are enforced on SSLO deployments that enable Explicit proxy authentication.
Conditions:
-- SSLO with Explicit proxy authentication is deployed.
-- Many concurrent SSLO connections (beyond the SWG session limit).
Impact:
SSLO fails to connect when the SWG session limit is reached.
Workaround:
None.
Fix:
If there is an SSLO profile paired with either an APM or SSLO per-request policy on a virtual server, and the operation has done a hostname-only lookup, an SWG license is no longer consumed. This covers the case where there is authentication (APM) on one virtual server, and the transparent virtual server is SSLO with hostname Category Lookup only.
774173 : WebUI - Cipher Group preview causes high availability (HA) sync state to become Changes Pending
Component: Local Traffic Manager
Symptoms:
In the GUI, editing a cipher group without submitting causes the high availability (HA) configuration sync state to become 'Changes Pending'.
Conditions:
Edit cipher group in GUI without submitting.
Impact:
HA sync state becomes 'Changes Pending' even though you have not submitted the changes.
Workaround:
Edit and preview cipher group using tmsh:
tmsh modify ltm cipher group
tmsh show ltm cipher group
Fix:
Editing cipher group in the GUI without submitting no longer causes high availability (HA) sync status to change to 'Changes Pending'.
773925 : Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
Component: Application Visibility and Reporting
Symptoms:
For unknown reasons, sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB table files. MySQL starts reporting error 24 in its error log:
190228 8:21:17 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_FW_NAT_TRANS_DEST_H.frm' (errno: 24)
190228 8:45:36 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
190228 9:12:22 [ERROR] mysqld: Can't open file: './AVR/AVR_STAT_ASM_NETWORK_T.frm' (errno: 24)
Conditions:
-- Statistics are collected locally on the BIG-IP system (that is, the BIG-IP system is not associated with a BIG-IQ device).
-- There is a considerable amount of traffic.
Impact:
Statistic reports stop working. In some cases DB becomes corrupted.
Workaround:
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter from 2500 to 5000.
2. Add the following parameter (right after 'open_files_limit'):
table_open_cache=2000
3. Restart MySQL:
bigstart restart mysql
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
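Because the workaround above has to be reapplied after every upgrade, it is worth scripting. The following added example (not part of the F5 release note) performs the two /etc/my.cnf edits in one pass, refuses to touch a file that has no open_files_limit line rather than guessing which section to append to, is safe to run repeatedly, and reads the values back before you restart MySQL. It assumes the [mysqld] section and open_files_limit line described in the workaround; the file path is a parameter so the edit can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the F5 release note: apply the /etc/my.cnf change
# from the workaround in a repeatable way, with a read-back check, so it can
# be re-applied after each upgrade. Assumes the file already has an
# open_files_limit line (2500 in the note). The path is a parameter so the
# edit can be tried on a copy before touching /etc/my.cnf.

# Print the value of KEY from the my.cnf at CNF (last occurrence wins).
# Usage: cnf_get /etc/my.cnf open_files_limit
cnf_get() {
    cnf=$1; key=$2
    awk -F= -v k="$key" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$cnf"
}

# Rewrite CNF in place: open_files_limit -> 5000 (step 1) with
# table_open_cache=2000 immediately after it (step 2). Running it twice
# leaves a single table_open_cache line. Returns 1 and leaves the file
# untouched if open_files_limit is not present.
cnf_apply_avr_limits() {
    cnf=$1
    tmpf=$(mktemp) || return 1
    if awk '
        /^[ \t]*open_files_limit[ \t]*=/ {
            print "open_files_limit=5000"
            print "table_open_cache=2000"      # placed right after open_files_limit
            seen = 1; next
        }
        /^[ \t]*table_open_cache[ \t]*=/ { next }   # drop stale copies so re-runs do not duplicate
        { print }
        END { if (!seen) exit 2 }                  # refuse rather than guess the section
    ' "$cnf" > "$tmpf"; then
        cat "$tmpf" > "$cnf"; rc=$?                # cat keeps the original file mode/owner
    else
        echo "open_files_limit not found in $cnf; nothing changed" >&2; rc=1
    fi
    rm -f "$tmpf"
    return $rc
}

# Return 0 only if both parameters read back with the intended values.
cnf_check_avr_limits() {
    [ "$(cnf_get "$1" open_files_limit)" = 5000 ] &&
    [ "$(cnf_get "$1" table_open_cache)" = 2000 ]
}

# Usage on a BIG-IP (as root), keeping a copy of the original first:
#   cp /etc/my.cnf /var/tmp/my.cnf.orig
#   cnf_apply_avr_limits /etc/my.cnf && cnf_check_avr_limits /etc/my.cnf && bigstart restart mysql
```

The read-back check matters after an upgrade: if the new image shipped its own my.cnf, the function reports the missing key instead of silently appending settings into whatever section happens to be last in the file.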
Fix:
The MariaDB configuration change is now embedded in the standard BIG-IP versions.
773821 : Certain plaintext traffic may cause SSLO to hang
Component: Local Traffic Manager
Symptoms:
SSLO relies on the SSL hudfilter to detect non-SSL traffic, but certain plaintext can be mistaken for SSL traffic, which can cause a hang.
Conditions:
The initial plaintext traffic resembles an SSLv2 hello message, or contains fewer bytes than SSL needs in order to process it.
Impact:
SSLO hangs, unable to bypass traffic.
Workaround:
None.
Fix:
The SSL hello parser has been improved.
773793 : FPGA firmware L7 bandwidth performance increase for iSeries platforms
Component: TMOS
Symptoms:
iSeries i5xx0, i7xx0, i10xx0, i11xx0 and i15xx0 platforms with high performance license (x800) upgraded from a previous release to v15.1.0 use different FPGA firmware with increased L7 bandwidth performance.
Conditions:
-- iSeries i5xx0, i7xx0, i10xx0, i11xx0 and i15xx0 platforms with high performance license (x800).
-- Upgraded to v15.1.0.
Impact:
Two new TurboFlex profile options are added and the FPGA firmware for the turboflex-adc or turboflex-security profiles has changed to the increased L7 Bandwidth FPGA firmware. During system upgrade, an extra reboot occurs automatically to make the new FPGA firmware active.
Note: When fresh install of the v15.1.0 release is performed on an iSeries platform and licensed with the high performance license (x800), the system defaults to the turboflex-base profile, and you must explicitly select the turboflex-adc or turboflex-security profile to get the benefit of the increased L7 Bandwidth FPGA firmware.
Workaround:
None.
Behavior Change:
The i5xx0, i7xx0, i10xx0, i11xx0 and i15xx0 platforms with the high performance license (x800) use the newly introduced increased L7 Bandwidth FPGA firmware for the turboflex-adc and turboflex-security profiles when upgraded to 15.1.0. In addition, these platforms support two new TurboFlex profiles options (turboflex-adc-v1 and turboflex-security-v1) in the v15.1.0 release. You can switch to the previous (L7/L4 balanced) FPGA firmware by selecting the turboflex-adc-v1 or turboflex-security-v1 profile.
Note: When a fresh install of the v15.1.0 release is performed on an iSeries platform and licensed with the high performance license (x800), the system defaults to the turboflex-base profile, and you must explicitly select the turboflex-adc or turboflex-security profile to get the benefit of the increased L7 Bandwidth FPGA firmware.
773673 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773653-8 : APM Client Logging
Solution Article: K23876153
773649-8 : APM Client Logging
Solution Article: K23876153
773641-8 : APM Client Logging
Solution Article: K23876153
773637-8 : APM Client Logging
Solution Article: K23876153
773633-8 : APM Client Logging
Solution Article: K23876153
773621-8 : APM Client Logging
Solution Article: K23876153
773553 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
The JSON parser has been fixed to conform to RFC 8259.
773421 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- The client-side MTU is smaller than the server-side MTU (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect no longer sends ICMP fragmentation needed messages to servers.
773229 : Replacing a virtual server's FastL4 profile can cause traffic to fail in specific circumstances
Component: Local Traffic Manager
Symptoms:
If a virtual server starts with a FastL4 profile with an idle_timeout of zero, and this profile is then replaced with one that has a non-zero idle_timeout, it can cause traffic to fail with a 'No flow found for ACK' error in the RST packet (if DB variable tm.rstcause.pkt is enabled) or logged (if DB variable tm.rstcause.log is enabled).
Conditions:
-- There is a virtual server configured with a FastL4 profile with an idle-timeout setting of zero ('immediate').
-- The FastL4 profile is replaced with one that has a non-zero idle-timeout setting.
Impact:
Traffic no longer passes through the virtual server properly.
Workaround:
To avoid this issue, if you need to change the FastL4 profile in this manner, delete and recreate the entire virtual server rather than replace the profile.
Impact of workaround: This results in a traffic disruption for that virtual server.
If the issue has already occurred, the only way to recover is to restart TMM.
Impact of workaround: This also results in a traffic disruption, this time a general one.
Fix:
Replacing a virtual server's FastL4 profile no longer causes traffic to fail in this scenario.
772545 : Tmm core in SSLO environment
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
An SSLO environment in which server-side SSL can become enabled during the client-side handshake, causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the SSL forward proxy verified-handshake setting, available in 14.0.
772497 : When BIG-IP is configured to use a proxy server, updatecheck fails
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
I
=======
Modify the /usr/bin/updatecheck script so that it does not resolve the service IP for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command (the single quotes stop the shell from expanding $service_ip before sed sees it; with double quotes the pattern would not match the script text):
# sed -e 's/PeerAddr => $service_ip,//' -i /usr/bin/updatecheck
Fix:
Update Check now works, even when run on a BIG-IP system that is behind a proxy server.
772473 : Request reconstruct issue after challenge
Component: Application Security Manager
Symptoms:
False positive on Content-Type header in GET request.
Conditions:
After challenge is completed, the server responds to the reconstructed request with a 302-redirect.
Impact:
The BIG-IP adds to the next request (GET request) a Content-Type header.
Workaround:
There is no workaround at this time.
Fix:
The BIG-IP no longer reconstructs the next request after a redirect.
772297 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interfaces are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.
Workaround:
Run 'tmsh load sys config' on the primary blade; the LLDP settings are then reapplied to the interfaces.
772233 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Component: Global Traffic Manager (DNS)
Symptoms:
When probing DNS Path, the round trip time (RTT) metric is not set correctly if the collection protocol used is DNS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use the ICMP collection protocol instead.
Fix:
The problem no longer occurs for either collection protocol (DNS_DOT or DNS_REV), and the RTT is set correctly.
772117 : Overwriting FIPS keys from the HA peer with older config leads to abandoned key on FIPS card
Component: TMOS
Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.
An abandoned key appears similar to the following:
[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned
Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. HA sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).
Impact:
This leads to orphan keys on the FIPS card: the keys are not present in the BIG-IP configuration as configured keys, so they cannot be used by the BIG-IP system.
Workaround:
Manually delete the abandoned key from the FIPS card using the following command.
tmsh delete sys crypto fips key <key-id>
For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"
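Picking abandoned IDs out of the 'tmsh show sys crypto fips' listing by eye is error-prone on a card with many keys. The following added example (not part of the F5 release note) parses that output with the layout shown above: a key line of the form "<id> <bits>" that is followed by a "/Partition/name.key" line is tracked by the configuration, and one that is not is abandoned. It prints the abandoned IDs and the corresponding delete commands from the workaround so they can be reviewed before anything is removed. It assumes key IDs are lowercase hex, as in the listing above; the sample listing embedded in the block is constructed to mirror that output with the annotations removed.

```shell
#!/bin/sh
# Added example, not from the F5 release note: list keys on the FIPS card that
# have no name in the BIG-IP configuration (the "abandoned" keys described in
# the note) and emit the tmsh delete commands for them. Parses the layout of
# 'tmsh show sys crypto fips' shown in the note; key IDs are assumed to be
# lowercase hex strings.

# Sample listing, constructed to mirror the note's output with annotations removed.
SAMPLE_FIPS_OUTPUT='-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048'

# Read the tmsh listing on stdin; print one abandoned key ID per line.
abandoned_fips_keys() {
    awk '
        # emit the pending key if no name line followed it
        function flush() { if (id != "" && !named) print id; id = ""; named = 0 }
        # key line: a long lowercase-hex ID followed by the modulus length
        $1 ~ /^[0-9a-f]+$/ && length($1) >= 16 && $2 ~ /^[0-9]+$/ { flush(); id = $1; next }
        # name line: the preceding key is referenced by a configured key object
        $1 ~ /^\// { if (id != "") named = 1; next }
        END { flush() }
    '
}

# Turn the abandoned IDs into the delete commands from the workaround,
# one per line, so the list can be reviewed before it is run.
fips_cleanup_commands() {
    abandoned_fips_keys | while IFS= read -r id; do
        printf 'tmsh delete sys crypto fips key "%s"\n' "$id"
    done
}

# Usage on a BIG-IP, reviewing the output before executing any of it:
#   tmsh show sys crypto fips | abandoned_fips_keys
#   tmsh show sys crypto fips | fips_cleanup_commands
```

Run the listing again after deleting so the card and the configuration can be confirmed to agree; on an HA pair, check the peer the same way, since the sync that created the orphan may have left the card on either side inconsistent.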
Fix:
Now, the overwritten key is successfully removed, so there is no longer an abandoned key present on the FIPS card.
771905 : JWT token rejected due to unknown JOSE header parameters
Component: Access Policy Manager
Symptoms:
JWT token rejected and OAuth Scope Agent fails.
Conditions:
The JWT access token contains unregistered JSON Object Signing and Encryption (JOSE) header parameters (e.g., nonce).
Impact:
Unregistered JOSE header parameters cause the JWT access token to be rejected. OAuth Scope Agent fails.
Workaround:
None.
Fix:
If an unregistered parameter in the JOSE header is present in the JWT token, the system ignores the parameter instead of rejecting the token.
771873 : TMSH Hardening
Solution Article: K40378764
771869 : Certain signatures can scan past input buffers limits
Component: Application Security Manager
Symptoms:
A momentary decrease in system performance or a (rare) bd crash.
Conditions:
This rarely occurring issue might be encountered during normal operation of ASM.
Impact:
Slowdown or crash followed by a failover.
Workaround:
None.
Fix:
Fixed an issue with signature checking.
771705 : You may not be able to log into BIG-IP Cloud Edition if FSCK fails
Component: TMOS
Symptoms:
During BIG-IP Cloud Edition bootup, if FSCK fails and requires manual intervention to recover, you may not be able to proceed. This occurs because login requires the password for root, which is not typically set.
Conditions:
-- BIG-IP Cloud Edition.
-- FSCK failure on bootup requires manual intervention to recover.
Impact:
Cannot log in to BIG-IP Cloud Edition.
Important: There is no way to recover if the FSCK failure has already occurred. You must begin the BIG-IP Cloud Edition configuration again. You should implement the Workaround to prevent the issue from occurring.
Workaround:
To prevent the issue from occurring, run the following command for every filesystem:
tune2fs -i 0 <file system>
Following is a list of file systems (replace '1' with the relevant slot number if the active slot is not 1):
/dev/vg-db-vda/set.1.root
/dev/mapper/vg--db--vda-set.1._var
/dev/mapper/vg--db--vda-set.1._usr
/dev/mapper/vg--db--vda-set.1._config
/dev/mapper/vg--db--vda-dat.share
/dev/mapper/vg--db--vda-dat.log
/dev/mapper/vg--db--vda-dat.appdata
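The list above has to be applied to every filesystem, with the slot number edited into four of the seven paths. The following added example (not part of the F5 release note) builds that list for a given boot slot, runs the tune2fs command from the workaround on each device, and then confirms with 'tune2fs -l' that the check interval really is 0, reporting any device that is missing or did not take the setting. The device names are the ones listed in the workaround; the slot argument is supplied by you, and TUNE2FS is a hypothetical override so the loop can be dry-run (for example TUNE2FS=echo).

```shell
#!/bin/sh
# Added example, not from the F5 release note: run the tune2fs workaround over
# every BIG-IP Cloud Edition filesystem for a given boot slot and verify the
# check interval afterwards. The device list is the one in the note with the
# slot number substituted. TUNE2FS is a hypothetical override for dry runs.
TUNE2FS=${TUNE2FS:-tune2fs}

# Print the filesystems for boot slot $1, one per line. Only the four set.N
# volumes carry the slot number; the three dat.* volumes do not.
cloud_edition_filesystems() {
    slot=$1
    case "$slot" in ''|*[!0-9]*) echo "slot must be a number, got '$slot'" >&2; return 1 ;; esac
    printf '%s\n' \
        "/dev/vg-db-vda/set.$slot.root" \
        "/dev/mapper/vg--db--vda-set.$slot._var" \
        "/dev/mapper/vg--db--vda-set.$slot._usr" \
        "/dev/mapper/vg--db--vda-set.$slot._config" \
        /dev/mapper/vg--db--vda-dat.share \
        /dev/mapper/vg--db--vda-dat.log \
        /dev/mapper/vg--db--vda-dat.appdata
}

# Return 0 if tune2fs reports a zero check interval for device $1
# (the "Check interval:" line of 'tune2fs -l').
fsck_interval_is_zero() {
    "$TUNE2FS" -l "$1" 2>/dev/null | grep -q '^Check interval: *0 '
}

# Set the interval to 0 on every filesystem for slot $1 and verify each one.
# Returns 1 if any device was missing, failed, or still has an interval.
disable_fsck_interval() {
    list=$(cloud_edition_filesystems "$1") || return 1
    rc=0
    for dev in $list; do
        if [ ! -e "$dev" ]; then
            echo "skip: $dev not present" >&2; rc=1; continue
        fi
        "$TUNE2FS" -i 0 "$dev" >/dev/null || { echo "tune2fs failed on $dev" >&2; rc=1; continue; }
        fsck_interval_is_zero "$dev" || { echo "$dev still has a check interval" >&2; rc=1; }
    done
    return $rc
}

# Usage (as root, with the number of the active boot slot):
#   disable_fsck_interval 1
```

Treat a non-zero return as "not fully applied": a skipped device usually means the slot number is wrong for this boot location, which is exactly the case the workaround's replace-the-1 note is warning about.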
Fix:
FSCK is disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor configurations, so this issue no longer occurs.
Note: Disabling FSCK in virtual machines is considered standard operating procedure. In BIG-IP VE, FSCK is disabled upon the image creation and during live install of the full ISO. It is disabled for all file systems on all slots (boot locations). Although it is not recommended, you can manually reenable FSCK in Linux, in particular, using tune2fs to set the FSCK schedule, and updating /etc/fstab to allow it.
Behavior Change:
FSCK is now disabled in BIG-IP Virtual Edition (VE) for both cloud and hypervisor, preventing failure during bootup. FSCK disablement also persists during a downgrade. F5 Networks does not recommend reenabling FSCK. However, you can reenable it in Linux by updating /etc/fstab, so you can use tune2fs to set the FSCK schedule.
771545 : Export access policy does not include apm log-setting config
Component: Access Policy Manager
Symptoms:
If there is an access policy that uses APM log-settings, the BIG-IP system does not export that log-setting configuration when exporting the access policy. Later when you try to import this access policy into a different BIG-IP system that does not have the corresponding log-settings, import fails.
The following error occurs when attempting to import:
# ng_import --logfile profile_Common_simple-ap-01.conf.tar.gz simple-ap-01
Import error: 01070734:3: Configuration error: Log settings /Common/debug-log-settings associated with profile /Common/simple-ap-01 does not exist.
Unexpected Error: Loading configuration process failed.
Conditions:
When importing the access policy into an APM configuration that does not have corresponding log-settings.
Impact:
Import fails and reports an error.
Workaround:
Create an APM log-setting configuration with the same name using:
tmsh create apm log-setting debug-log-settings
Fix:
A warning banner has been added, advising you to create the objects referenced by the access profile before import.
771173 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
771093 : Websafe Enhanced Data Manipulation not generating Alerts (XHR send rewrite)
Component: Fraud Protection Services
Symptoms:
XHR send rewrite alert is not fired.
Conditions:
Protect page and configure parameter to work with EDI.
Changing parameter values from the Chrome console by rewriting the AJAX send does not trigger an alert.
Impact:
CRC not calculated as expected
Workaround:
Configure parameter as wildcard.
Fix:
N/A
771025 : AVR send domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends domain name as an aggregate of a number of domain names.
Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR receives DNS calls with different domain names, it no longer clears old domain names.
-- When AVR reaches the maximum number of total domain names, it starts to aggregate all new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
770953-2 : 'smbclient' executable does not work
Component: TMOS
Symptoms:
Service Message Block (SMB) monitor is not functional.
Conditions:
This occurs under all conditions.
Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.
Workaround:
None.
Fix:
'smbclient' executable is runnable and SMB monitoring is working.
770657 : On hardware platforms with ePVA, some good traffic is blocked when in L2 transparent mode and syn cookies are enabled
Component: TMOS
Symptoms:
Good traffic gets blocked under L2 transparent mode if syn cookie protection is enabled.
Conditions:
-- In L2 transparent mode.
-- Syn cookie protection is enabled
-- ePVA offloading is enabled.
-- BIG-IP platform contains the embedded Packet Velocity Acceleration (ePVA) chip.
Impact:
Some good traffic gets blocked.
Workaround:
None.
Fix:
-- For releases 15.0.x and earlier, ePVA offloading is now disabled if syn cookie is turned on.
-- Starting release 15.1.0, ePVA offloading works as expected with syn cookies.
770641 : Update BIG-IP with recently introduced HTTP status codes
Component: Local Traffic Manager
Symptoms:
When an HTTP server responds, it includes a status code in the response line. The BIG-IP system may handle a response in various ways depending on the status code. If a code is unknown, the BIG-IP system may handle the response improperly.
Conditions:
-- A virtual server is configured with HTTP profile.
-- Another HTTP-based is in use or an iRule is looking for HTTP::status.
Impact:
A response can be improperly handled, and a web page can be rendered incorrectly or not be served at all.
Workaround:
None.
Fix:
The BIG-IP system is updated with a list of recently added status codes that allows proper handling of such responses.
770621 : [Portal Access] HTTP 308 redirect does not get rewritten
Component: Access Policy Manager
Symptoms:
Requests contain URLs that are not rewritten in the web application.
Conditions:
HTTP response from the backend with 308 redirect.
Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.
Workaround:
Use a custom iRule to rewrite the request.
Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.
770477 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Both signaling mechanisms are now allowed in the client_hello.
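RFC 5746 lets an initial ClientHello signal secure-renegotiation support with the SCSV, with an empty renegotiation_info extension, or with both, and a server must accept any of the three. The following is an added example, not BIG-IP code, showing a minimal ClientHello builder and parser and the classification a server should apply; the byte layout follows TLS 1.2 (RFC 5246) and the constants come from RFC 5746, while the helper names and the constructed test messages are assumptions.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher-suite value (RFC 5746)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)


def build_client_hello(cipher_suites, extensions):
    """Build a minimal TLS 1.2 ClientHello body (constructed test data, no record layer)."""
    body = b"\x03\x03" + bytes(32)                        # client_version + 32-byte random
    body += b"\x00"                                        # empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # compression_methods: null only
    if extensions:
        ext = b"".join(struct.pack("!HH", etype, len(data)) + data
                       for etype, data in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return body


def parse_client_hello(body):
    """Return (cipher_suites, {extension_type: extension_data}) from a ClientHello body."""
    off = 2 + 32                                           # skip version and random
    sid_len = body[off]
    off += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    cm_len = body[off]
    off += 1 + cm_len
    exts = {}
    if off < len(body):                                    # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            exts[etype] = body[off:off + elen]
            off += elen
    return suites, exts


def secure_renegotiation_signal(body):
    """Classify an initial ClientHello as RFC 5746 section 3.6 requires.

    'secure'  : the client signalled via the SCSV, the extension, or both
    'legacy'  : neither signal present (client does not support RFC 5746)
    'abort'   : the extension carries a non-empty renegotiated_connection,
                which is a genuine violation on an initial handshake
    """
    suites, exts = parse_client_hello(body)
    has_scsv = SCSV in suites
    has_ext = RENEG_INFO_EXT in exts
    if has_ext and exts[RENEG_INFO_EXT] != b"\x00":       # length byte 0 = empty
        return "abort"
    if has_scsv or has_ext:
        return "secure"
    return "legacy"
```

The behaviour described in the issue corresponds to treating the combined case as an error; the classifier above returns "secure" for it, and aborts only when the extension payload is non-empty on an initial handshake.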
770385 : Fingerprint iframe visible in page
Component: Fraud Protection Services
Symptoms:
The border of the iFrame is visible at the bottom of the page.
Conditions:
The iFrame was set to "none" to make it invisible; it needs to be changed to display: none.
Impact:
iFrame takes space in the DOM
Workaround:
BLFN:
function(c){
    var uAgent = window.navigator.userAgent.toLowerCase();
    if(uAgent.indexOf('chrome') !== -1){
        C.A.B.P = false;
    }
    (function hideIFrame() {
        try {
            var cssString = "iframe[src *= DkKH4pReUF2dxMQdi] { display: none; }";
            var style = document.createElement('style');
            style.type = 'text/css';
            if (style.styleSheet) {
                style.styleSheet.cssText = cssString;
            } else {
                style.appendChild(document.createTextNode(cssString));
            }
            if (document.getElementsByTagName('head')[0]) {
                document.getElementsByTagName('head')[0].appendChild(style);
            } else {
                setTimeout(hideIFrame, 200);
            }
        } catch (er) {}
    })();
}
Fix:
N/A
769997-2 : ASM removes double quotation characters on cookies
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
Cookie sent that contains double quotation marks.
Impact:
The server returns error as the cookie is changed by ASM.
Workaround:
Set asm.strip_asm_cookies to false using the following command:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM no longer removes the double quotation characters on the cookie.
769981 : bd crashes in a specific scenario
Component: Application Security Manager
Symptoms:
bd crash with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
769853 : Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
Solution Article: K24241590
Component: Access Policy Manager
Symptoms:
When launching a native RDP resource (desktop/application) from APM Webtop, APM provides an RDP file to the browser and the browser invokes the native RDP client to launch the resource with the parameters specified in the RDP file.
When Access profile option 'Restrict to Single Client IP' option is enabled, user should only be allowed to launch the resource from the client that initiated the request.
Conditions:
-- APM Webtop is configured with native RDP resource.
-- 'Restrict to Single Client IP' option is enabled in Access Profile.
Impact:
RDP file provided by APM can be used for launching the RDP resource on a client machine that did not initiate the APM session.
Workaround:
None.
Fix:
When the Access Profile option 'Restrict to Single Client IP' is enabled, APM restricts native RDP resource launch to the client that initiated the APM session.
769817-1 : BFD fails to propagate sessions state change during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table until the BGP session is timed out by the hold timer (90 seconds, by default). Dynamic routes learnt via the affected BGP session remain in the routing table until the hold time is reached.
Workaround:
Change BGP hold time to reasonable lower value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
769801 : Internal tmm UDP filter does not set checksum
Component: Local Traffic Manager
Symptoms:
An internal tmm UDP filter does not set checksum for outgoing UDP packets.
Conditions:
-- An internal tmm UDP filter is in use.
Impact:
Even though a UDP packet with no checksum is permitted, it can cause problems with some firewalls and servers.
Workaround:
For internal tmm udp filters, add the following to the UDP profile in use:
no_cksum 0
Fix:
Internal tmm UDP filters set checksum for outgoing UDP packets.
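A UDP checksum of zero is legal on IPv4 (it means "no checksum"), but a middlebox or server may still drop such datagrams, which is why the fix sets it. As an added example that is not BIG-IP code, the following computes and verifies the RFC 768 checksum over the IPv4 pseudo-header plus UDP header and payload, including the rule that a computed zero is transmitted as all-ones; the addresses, ports and payload are constructed test values.

```python
import socket
import struct

UDP_PROTO = 17


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP family checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                                    # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)           # fold carries back in
    return total


def build_udp_datagram(src_port, dst_port, payload, checksum=0):
    """UDP header (RFC 768) followed by payload; a checksum of 0 means 'not computed'."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), checksum) + payload


def _pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def udp_checksum(src_ip, dst_ip, datagram):
    """Checksum over pseudo-header plus datagram; the datagram's checksum field must be 0."""
    csum = 0xFFFF ^ ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    return csum if csum else 0xFFFF                        # RFC 768: computed 0 is sent as all-ones


def with_checksum(src_ip, dst_ip, src_port, dst_port, payload):
    """Build the datagram with a valid checksum, as the fixed filter does."""
    bare = build_udp_datagram(src_port, dst_port, payload)
    return build_udp_datagram(src_port, dst_port, payload,
                              udp_checksum(src_ip, dst_ip, bare))


def verify_udp_checksum(src_ip, dst_ip, datagram):
    """True only if a checksum is present and correct; a zero field means 'no checksum'."""
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return False
    # With the checksum field filled in, the one's-complement sum must be all-ones.
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0xFFFF
```

The verifier distinguishes "no checksum" (zero field, allowed by RFC 768 on IPv4 but refused by some receivers) from a corrupted datagram; on IPv6 the checksum is mandatory and a zero field is simply invalid.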
769589 : CVE-2019-6974: Linux Kernel Vulnerability
Solution Article: K11186236
769581-3 : Timeout when sending many large requests iControl Rest requests
Component: TMOS
Symptoms:
After sending hundreds of REST requests, REST requests eventually begin to time out. This is the case for applications such as AS3, with requests containing 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
Fix:
The creation of a new iControl REST transaction process is now handled properly when the existing process was killed by a timeout operation.
769385 : GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
Component: Global Traffic Manager (DNS)
Symptoms:
GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message:
err mcpd[7649]: error: crypto codec New token is smaller with added values.
Conditions:
Two or more GTM devices with internal FIPS modules are configured with DNSSEC keys with 'use-fips internal' set, and GTM config sync between the devices is configured and enabled.
Impact:
DNSSEC keys are not imported into the FIPS cards of devices that receive the key via a synchronization from another device.
Workaround:
None.
769357 : IPsec debug logging needs more organization and is missing HA-related logging
Component: TMOS
Symptoms:
After a failover between active and standby systems, the internal mechanisms that support high availability (HA) cannot be examined and diagnosed using logs generated with log-level set to debug or better.
Conditions:
-- log-level set to debug or better.
-- Failover between active and standby systems.
-- Viewing logs.
Impact:
Any problems involving HA cannot be diagnosed from logs after failover. What logging does appear tends to be verbose, unclear, and often difficult to correlate with specific security associations.
Workaround:
None.
Fix:
IPsec logging has been partially restructured, with some logging under control of bitflags that can be enabled or disabled via commands added to the description string of any ipsec-policy instance.
Logging for HA now appears when log-level is debug, provided lowercase bitflags for 'h' and 'a' are also enabled. For example, this would do so:
tmsh create net ipsec ipsec-policy dummy description " env { cmd='flag +ha' }"
769341 : HA failover deletes outstanding IKEv2 SAs along with IKEv1 SAs
Component: TMOS
Symptoms:
High availability (HA) failover from active to next-active device should delete existing IKEv1 SAs because the IKEv1 racoon daemon terminates on standby. But it should not also delete the IKEv2 SAs at the same time, and it does.
Conditions:
This occurs during failover.
Impact:
The failover deletes the IKEv2 SAs mirrored for HA. In the event of rapid failover and failback, this issue might result in missing SAs on the active device.
Workaround:
None.
Fix:
The BIG-IP system no longer deletes IKEv2 SAs upon failover from active to standby, at the same time IKEv1 SAs are deleted.
769309 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769193 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
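Appropriate Byte Counting (RFC 3465) grows the congestion window by the number of bytes newly acknowledged, capped per ACK by a limit L*SMSS; with the default cap of 2*MSS a stretch ACK covering 4*MSS only yields 2*MSS of growth. The simulation below is an added example, not BIG-IP code, that shows how the cap changes cwnd growth for stretch ACKs and leaves regular or delayed ACKs unaffected; the MSS, initial window and ACK patterns are constructed values, and the functions are assumptions rather than TMM internals.

```python
MSS = 1460                     # bytes; constructed value


def slow_start_cwnd(acked_per_ack, initial_cwnd=10 * MSS, abc_limit=2 * MSS):
    """Grow cwnd through a sequence of ACKs in slow start with ABC (RFC 3465).

    Each ACK adds min(bytes newly acknowledged, abc_limit) to cwnd; the
    default cap of 2*MSS is what limits the gain from a stretch ACK.
    """
    cwnd = initial_cwnd
    for acked in acked_per_ack:
        cwnd += min(acked, abc_limit)
    return cwnd


def acks_to_reach(target_cwnd, bytes_per_ack, initial_cwnd=10 * MSS, abc_limit=2 * MSS):
    """Number of identical ACKs (each covering bytes_per_ack) needed to reach target_cwnd."""
    if bytes_per_ack <= 0:
        raise ValueError("an ACK must acknowledge at least one byte")
    cwnd, count = initial_cwnd, 0
    step = min(bytes_per_ack, abc_limit)
    while cwnd < target_cwnd:
        cwnd += step
        count += 1
    return count


def compare_limits(acked_per_ack, limits=(2 * MSS, 4 * MSS)):
    """cwnd after the same ACK sequence under each ABC limit, for side-by-side viewing."""
    return {limit: slow_start_cwnd(acked_per_ack, abc_limit=limit) for limit in limits}
```

A receiver that sends one ACK per 2*MSS (delayed ACKs) never exceeds the default cap, so raising the limit changes nothing for it; only receivers that coalesce several segments into one ACK see faster growth.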
769169-2 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Component: TMOS
Symptoms:
BIG-IQ sends a large number of requests to the BIG-IP system to collect statistics, which makes the BIG-IP system slow; eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually the GUI becomes unresponsive on these three pages.
Many process terminated/re-created messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.
Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.
769061 : Improved details for learning suggestions to enable violation/sub-violation
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violation in the policy
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
769029 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
Component: TMOS
Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.
During the interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.
Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.
Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:
01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.
After some time this /var/system/tmp/tmsh permission is updated automatically.
Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:
tmpwatch --nodirs 1d /var/system/tmp
Fix:
/var/system/tmp/tmsh creation from non-admin users now manages permissions without error.
768981 : vCMP Hypervisor Hardening
Solution Article: K05765031
768761 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
768125 : AFM data is not reported if AVR is not provisioned.
Component: Application Visibility and Reporting
Symptoms:
When AVR isn't provisioned, AFM related measures aren't reported.
Conditions:
AFM is provisioned, but AVR is not.
Impact:
Missing data in final report
Workaround:
N/A
Fix:
AVR's DoS visibility now explicitly checks whether AFM is provisioned.
768025 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.
767989 : DNSSEC RRSIG Inception Offset
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNSSEC key is used to generate an RRSIG record for the first time, the inception time of the record is set to the current BIG-IP system time. If the system that validates that signed DNS response has a clock skew towards the past relative to the BIG-IP system, then that system will see the RRSIG as if it was generated for a future timestamp and is not yet valid.
Conditions:
-- DNSSEC is used to sign responses for a particular DNS zone.
-- The clock of the validating resolver is running behind the clock of the BIG-IP system.
Impact:
This may cause validation of a DNSSEC response to fail if the validator finds that there are no valid RRSIG records signing the response.
Workaround:
None.
Fix:
This fix causes all generated RRSIG records to have their inception time backdated by exactly 1 hour.
Behavior Change:
The inception time of all RRSIG records is backdated by exactly 1 hour. The time that the RRSIG record is generated and the time it expires is unchanged. The RRSIG inception time will appear as 1 hour before the RRSIG was generated.
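The fix trades one hour of signature lifetime at the front for tolerance of validators whose clocks run behind the signer. The following is an added example, not BIG-IP or GTM code, that computes RRSIG inception and expiration with the backdate applied, encodes them as RFC 4034 32-bit timestamps compared with serial-number arithmetic, and shows whether a resolver with a given clock skew accepts a freshly generated signature; the signing time, validity period and helper names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

INCEPTION_BACKDATE = timedelta(hours=1)       # offset applied to every new RRSIG by the fix
SIGNED_AT = datetime(2019, 10, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed signing time


def rrsig_times(signed_at, validity=timedelta(days=7), backdate=INCEPTION_BACKDATE):
    """(inception, expiration) for an RRSIG generated at signed_at.

    Only inception moves earlier; expiration stays at signed_at + validity.
    """
    return signed_at - backdate, signed_at + validity


def to_rrsig_seconds(moment):
    """Wire form of the time fields: 32-bit seconds since the Unix epoch (RFC 4034 3.1.5)."""
    return int(moment.timestamp()) & 0xFFFFFFFF


def serial_le(a, b):
    """a <= b in RFC 1982 serial-number arithmetic, as RFC 4034 requires for these fields."""
    return a == b or ((b - a) & 0xFFFFFFFF) < 0x80000000


def rrsig_valid_at(validator_now, inception, expiration):
    """The validator's check: inception <= now <= expiration, all in serial arithmetic."""
    now = to_rrsig_seconds(validator_now)
    return (serial_le(to_rrsig_seconds(inception), now)
            and serial_le(now, to_rrsig_seconds(expiration)))


def presentation(moment):
    """YYYYMMDDHHmmSS, the form shown in zone-file RRSIG records."""
    return moment.strftime("%Y%m%d%H%M%S")


def example_record(backdate_hours=1):
    """Presentation-format inception/expiration for the constructed signing time."""
    inception, expiration = rrsig_times(SIGNED_AT, backdate=timedelta(hours=backdate_hours))
    return {"inception": presentation(inception), "expiration": presentation(expiration)}


def skew_outcome(skew_minutes, backdate_hours=1):
    """Does a resolver whose clock runs skew_minutes behind the signer accept a fresh RRSIG?"""
    inception, expiration = rrsig_times(SIGNED_AT, backdate=timedelta(hours=backdate_hours))
    resolver_now = SIGNED_AT - timedelta(minutes=skew_minutes)
    return rrsig_valid_at(resolver_now, inception, expiration)
```

With the backdate, a resolver 45 minutes behind the signer validates the response; without it, the same resolver sees a signature from the future. A skew larger than the backdate (90 minutes here) still fails, which is the residual risk the one-hour figure accepts.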
767941 : Gracefully handle policy builder errors
Component: Application Security Manager
Symptoms:
Policy Builder (pabnagd) restarts when it encounters an error, and logs errors to /var/log/asm:
crit perl[24868]: 01310027:2: ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads (required: 2, found: 0).
Conditions:
This occurs when policy builder encounters an error.
Impact:
Temporary loss of connectivity with ASM and Policy Builder.
Workaround:
None.
Fix:
The system now handles Policy Builder errors gracefully and reduces Policy Builder down time upon connectivity loss with ASM.
767877 : TMM core with Bandwidth Control on flows egressing on a VLAN group
Component: TMOS
Symptoms:
TMM cores during operation.
Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group
Impact:
Traffic disrupted while tmm restarts.
767613 : Restjavad can keep partially downloaded files open indefinitely
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain opened, the total number of available file handles for the process decreases and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they have been untouched for the past 2 hours.
767469 : Searching ASM Policy Attack Signatures via Rest API can return signatures that are not in the policy
Component: Application Security Manager
Symptoms:
When you make a Rest API call to /mgmt/tm/asm/policies/euMwbEcwgGlvVz1Gb0XZCA/signatures?$select=enabled,performStaging,inPolicy&$filter=signature/attackType/name%20eq%20%27Buffer%20Overflow%27%20, ASM responds with some signatures that are not in the policy.
Conditions:
Using ASM REST to search for policy attack signatures by an attribute of the signatures themselves. Example:
GET /mgmt/tm/asm/policies/euMwbEcwgGlvVz1Gb0XZCA/signatures?$filter=signature/attackType/name%20eq%20%27Buffer%20Overflow%27
Impact:
Unexpected signatures are returned via the search.
Workaround:
Add 'inPolicy eq true' to the search filter.
Fix:
The default filter of 'inPolicy eq true' is now correctly applied when searching for policy signatures by signature attributes.
767373 : CVE-2019-8331: Bootstrap Vulnerability
Solution Article: K24383845
767329 : Mirrored persistence records are not identified in tmsh output
Component: Local Traffic Manager
Symptoms:
Listing persistence records in a chassis with intra-chassis mirroring using 'tmsh show ltm persistence persist-records all-properties' does not distinguish the mirrored record from the active record.
Conditions:
-- Intra-chassis mirroring is configured.
-- Mirroring in the persistence profile or virtual server is configured.
Impact:
The output is confusing and potentially misleading, by implying that a persistence key is owned by two different TMMs.
Workaround:
None.
767077 : Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error
Component: Application Security Manager
Symptoms:
Loading Live Update file (ASM Signature Update (ASU)) which has been truncated may complete incorrectly or fail with an unusual error when using REST:
Failed loading /ts/var/tmp/sigfile.tmp.18625/botsigs/200099916/13.1.0.xml (a HASH reference"
Conditions:
Loading an ASU that has been truncated.
Impact:
ASU loading may complete incorrectly or fail with an unexpected error.
Workaround:
Download the appropriate Live Update file from downloads.f5.com and manually load it on the device.
For more information, see K82512024: Managing BIG-IP ASM Live Updates (14.1.x) available at https://support.f5.com/csp/article/K82512024.
767057 : In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server
Component: Application Security Manager
Symptoms:
An ASM policy is suddenly detached from a virtual server and deactivated.
Conditions:
-- sync-only device group.
-- ASM sync enabled.
-- A policy is used on device ASM-A (attached to virtual server/device group).
-- The same policy is not used on device ASM-B (not attached to virtual server/device group).
Impact:
Inactive policy is synced to the peer, resulting in ASM being unassigned from the Virtual Server.
Workaround:
To prevent Policy Sweeper from deactivating any ASM policy, create a non-functioning device group and attach the unused ASM policies to that device group.
767045-5 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
767013 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large and continuous stream of pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause is still under investigation. It happens extremely rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
766605 : Bot Defense Profile created in Guided Configuration screen does not show the sub-path section of its partition
Component: Application Security Manager
Symptoms:
In the Bot Profile Properties screen, if a profile is made and deployed through the Guided Configuration screen, the "Partition / Path" field will show only the Partition, without the Sub-path part, which makes it difficult to know the origin of the Bot Profile.
Conditions:
1. Create and deploy a Bot Defense profile through the Guided Configuration screen, e.g., 'bot1'.
2. Go to Security ›› Bot Defense : Bot Defense Profiles screen. Hover over a link of 'bot1', you will see the full path of the profile: '/Common/bot1.app/bot1'. When you click the link, you will see 'Common' in the field of 'Partition / Path' instead of 'Common/bot1.app'.
Impact:
It's not possible to determine that the profile has been created from the Guided Configuration screen.
Workaround:
Hover over the profile name in Security ›› Bot Defense : Bot Defense Profiles screen and look for its full-path.
Fix:
Partition/Path field now includes the Partition followed by the sub-path.
766577 : APMD fails to send response to a client that has already closed the connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
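The fix amounts to a liveness check on the client socket at two points: when a request is taken off the queue and again before the response is written. As an added example that is not APM code, the worker below applies that check to queued (socket, request) pairs, using a non-blocking select plus a MSG_PEEK read to detect a peer that has sent FIN or RST; the queue layout, the canned response and the two constructed clients in demo() are assumptions.

```python
import queue
import select
import socket


def client_still_connected(sock):
    """False once the peer has closed or reset the connection; True while it is open."""
    try:
        readable, _, _ = select.select([sock], [], [], 0)   # zero timeout: never block
        if not readable:
            return True                                     # open and idle
        # Readable with no data queued means the peer sent FIN; a reset raises OSError.
        return sock.recv(1, socket.MSG_PEEK) != b""
    except OSError:                                         # ConnectionResetError and friends
        return False


def drain_queue(work_queue):
    """Process queued (socket, request) pairs, dropping clients that already left."""
    processed, dropped = [], []
    while True:
        try:
            sock, request = work_queue.get_nowait()
        except queue.Empty:
            break
        if not client_still_connected(sock):                # check 1: on dequeue
            dropped.append(request)
            continue
        # ... the slow backend authentication work would happen here ...
        if client_still_connected(sock):                    # check 2: before responding
            sock.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            processed.append(request)
        else:
            dropped.append(request)
    return processed, dropped


def demo():
    """Two constructed clients: one still waiting, one that gave up while queued."""
    srv1, cli1 = socket.socketpair()
    srv2, cli2 = socket.socketpair()
    work = queue.Queue()
    work.put((srv1, "req-1"))
    work.put((srv2, "req-2"))
    cli2.close()                                            # client 2 leaves before apmd gets to it
    result = drain_queue(work)
    for s in (srv1, cli1, srv2):
        s.close()
    return result
```

Dropping already-abandoned requests at dequeue time is what keeps a slow backend from turning into a growing backlog of work that no client is waiting for.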
766405 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
Fix:
Device no longer cores.
766329 : SCTP connections do not reflect some SCTP profile settings
Component: TMOS
Symptoms:
The effective receive-chunks, transmit-chunks, in-streams, and out-streams parameters in SCTP traffic do not match the settings from the configured SCTP profile:
-- The in-streams setting alters both the in-streams parameter and the tx-chunks parameter.
-- The out-streams setting alters both the out-streams parameter and the rx-chunks parameter.
-- The tx-chunks setting has no effect.
-- The rx-chunks setting has no effect.
Conditions:
An SCTP virtual server is configured.
Impact:
Unexpected SCTP parameters are negotiated on SCTP connections.
Workaround:
None.
Fix:
The SCTP profile settings are now used during SCTP connection negotiation.
766169 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. However, when replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even though it does not look like removing all interfaces, the operation is actually performed by removing all interfaces immediately followed by adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. As this happens automatically inside TMM, it is not reflected in the configuration: TMSH and the Configuration Utility continue to report the original value.
Conditions:
The issue is visible only when removing or replacing all interfaces in a VLAN whose MTU differs from the default of 1500. The added interfaces must also support MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.
765621 : POST request being rejected when using OAuth Resource Server mode
Component: Access Policy Manager
Symptoms:
POST request is rejected.
Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.
Impact:
The request is rejected.
Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.
Fix:
The system now supports larger POST requests in OAuth Resource Server mode.
765517 : Traffic Match Criteria validation fails when creating a virtual server with an address list that overlaps another virtual server's address space but uses a different ingress VLAN
Component: Local Traffic Manager
Symptoms:
When two virtual servers are created with the same address list but different incoming VLANs, Traffic Match Criteria validation fails.
Conditions:
Create two virtual servers that have the same address list but different incoming VLANs.
Impact:
System validation fails.
Workaround:
Use non-overlapping address lists.
765413 : ASM cluster syncs caused by PB ignored suggestions updates
Component: Application Security Manager
Symptoms:
Frequent syncs occurring within an ASM device group.
Conditions:
Several (updating) suggestions are marked 'ignored'.
Impact:
Syncs appear in the logs (no actual performance degradation).
Workaround:
-- Remove the Ignored Suggestions. (Note: These might be re-added and you must refrain from clicking the Ignore button).
-- Remove the Ignored Suggestions and uncheck the Learn flag for the violation that causes it. (Note: The impact is that the system does not learn this violation anymore, so any future suggestions to amend the policy for that violation will not be created.)
Fix:
Policy Builder (PB) no longer updates Ignored Suggestions, so unnecessary sync operations no longer occur.
764897 : Connection mirroring fails over to primary address when it becomes available
Component: Local Traffic Manager
Symptoms:
In a BIG-IP high availability (HA) configuration with connection mirroring, where the system has failed over to a secondary mirroring address, the system will fail back over to the primary address once it becomes available again.
Conditions:
-- Two BIG-IP devices configured for HA.
-- Connection mirroring enabled.
-- Have a primary and secondary mirroring address.
-- Primary address is down, then comes online.
Impact:
Mirrored connections on the peer unit are cleared when the failover back to the primary mirroring address occurs.
Workaround:
None.
Fix:
Mirroring address remains on the secondary system (until a failover causes it to switch back to the primary).
764873 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected to another available pool member. However, an accelerated flow can continue to send traffic to the stale (previously selected) pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the stale pool member that is no longer available.
Workaround:
Disable HW acceleration.
Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
764709 : Session variable with trailing space might result in errors
Component: Access Policy Manager
Symptoms:
Dynamic ACL was not applied. This issue occurs because of a trailing space in session variables, for example, including a trailing space character in the 'session.ldap.last.attr.st' session variable in VPE.
When this occurs, the resulting content in /config/bigip.conf (and in the running config) is as follows:
apm policy agent dynamic-acl /Common/resource_assign_macromac_1_act_dynamic_acl_ag {
    entries {
        0 {
            acl /Common/DYNAMIC-ACL
            source "session.ldap.last.attr.st "
        }
    }
}
Conditions:
-- Using Dynamic ACL.
-- Creating/editing session variables such that they include trailing spaces.
-- Load the config.
Impact:
Dynamic ACL is not applied, and it is very difficult to determine the issue.
Workaround:
Avoid inputting spaces or tabs in session variables.
Fix:
Trailing spaces and tabs in session variables are now trimmed.
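Because the failure is silent (the ACL is simply not applied), it is worth checking an existing bigip.conf for the pattern before upgrading. The following is an added example, not code from the release notes or from F5: it scans the quoted 'source' values of dynamic-acl agent entries for leading or trailing spaces and tabs, and shows the trimmed form the fix produces. The sample configuration text is constructed from the fragment quoted above, with a second, clean entry added for contrast.

```python
import re

# Constructed sample modelled on the bigip.conf fragment quoted in this issue.
# Entry 0 carries the trailing space; entry 1 is clean.
SAMPLE_CONF = '''apm policy agent dynamic-acl /Common/resource_assign_macromac_1_act_dynamic_acl_ag {
    entries {
        0 {
            acl /Common/DYNAMIC-ACL
            source "session.ldap.last.attr.st "
        }
        1 {
            acl /Common/OTHER-ACL
            source "session.ldap.last.attr.memberOf"
        }
    }
}
'''

# A quoted 'source' value on its own line inside a dynamic-acl agent entry.
SOURCE_RE = re.compile(r'^[ \t]*source[ \t]+"([^"]*)"[ \t]*$', re.MULTILINE)


def find_untrimmed_sources(conf_text):
    """Return (raw, trimmed) pairs for every quoted source whose session-variable
    name carries leading or trailing spaces/tabs, i.e. entries hit by this issue."""
    findings = []
    for match in SOURCE_RE.finditer(conf_text):
        raw = match.group(1)
        trimmed = raw.strip(" \t")
        if raw != trimmed:
            findings.append((raw, trimmed))
    return findings


def _trim_match(match):
    # Replace only the quoted value, keeping the line's indentation intact.
    raw = match.group(1)
    return match.group(0).replace('"%s"' % raw, '"%s"' % raw.strip(" \t"))


def trim_sources(conf_text):
    """Rewrite the text with every quoted source trimmed, which is what the fixed
    release does when it stores the session variable name."""
    return SOURCE_RE.sub(_trim_match, conf_text)


if __name__ == "__main__":
    for raw, trimmed in find_untrimmed_sources(SAMPLE_CONF):
        print("untrimmed source %r -> %r" % (raw, trimmed))
```

Run it against a copy of /config/bigip.conf to list the affected entries; on releases before the fix, correct them in the VPE rather than editing the file by hand.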
764653 : ASM/AWAF : Automatic enforcement of HTTP Methods
Component: Application Security Manager
Symptoms:
ASM does not automatically learn/enforce on HTTP Methods.
Conditions:
Policy Builder learning mode is set to Automatic.
Impact:
There are still some suggestions that are defined as 'manual-only' and they require manual acceptance.
Workaround:
Manually accept the suggestions.
Fix:
Introduced Fully Automatic mode. When enabled, all suggestions are accepted automatically, even suggestions defined as 'manual-only' suggestions.
764373 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
763197 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.
Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.
Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.
Workaround:
None.
763157 : MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
Component: Service Provider
Symptoms:
Processing the response to an outbound request at the same time as an inbound request message on the same connection could cause the internally generated state to be confused and the inbound request to be dropped.
Conditions:
Processing the response to an outbound request at the same time as an inbound request message on the same connection.
Impact:
The inbound request will be dropped.
Workaround:
None.
Fix:
The internally generated state is no longer confused, so the inbound request is no longer dropped.
763093 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
763065 : The monitor probing frequency has been adjusted because more than 20 synchronous monitors were detected.
Component: Global Traffic Manager (DNS)
Symptoms:
You see the following logged to /var/log/ltm:
notice gtmd[23555]: 011ae106:5: The monitor probing frequency has been adjusted because more than 20 synchronous monitors were detected.
Conditions:
This can occur during normal operation of GTM.
Impact:
There is no impact and the system is operating normally; this is a debug message that is logged at the Notice level.
Fix:
Log message has been changed to log at the debug log level.
Behavior Change:
Change the log level from notice to debug for log "The monitor probing frequency has been adjusted because more than %d synchronous monitors were detected."
762385-1 : Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★
Component: TMOS
Symptoms:
When multiple attributes in a list match multiple roles, the wrong role may be assigned. Alternatively, authentication may fail when check-roles-group is disabled.
Conditions:
LDAP server replies with a list of attributes (e.g., list of memberOf) where more than one match existing role.
Impact:
BIG-IP assigns the user to the last attribute in the list that matches a role, potentially yielding a more restrictive set of permissions.
Authentication may fail when check-roles-group is disabled.
Workaround:
None.
Fix:
The correct remote-role is now assigned using LDAP authentication after upgrade to 15.1.x.
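The security-relevant point here is that role resolution must not depend on the order in which the LDAP server happens to return memberOf values. The following is an added illustration, not F5 code: it contrasts the symptom (the last matching attribute in the reply wins) with resolution by an administrator-assigned precedence, which is what a remote-role configuration expresses (BIG-IP does this with the line-order of remote-role role-info entries; the group names, numbers and LDAP replies below are constructed for the example).

```python
# Constructed role table: LDAP attribute value -> role, with an administrator
# assigned precedence (lower wins). Assumed values for illustration only.
ROLE_INFO = [
    {"attribute": "memberOf=CN=netops-admins,OU=Groups,DC=example,DC=com", "role": "admin", "line_order": 1},
    {"attribute": "memberOf=CN=netops-ops,OU=Groups,DC=example,DC=com", "role": "operator", "line_order": 2},
    {"attribute": "memberOf=CN=all-staff,OU=Groups,DC=example,DC=com", "role": "guest", "line_order": 3},
]
_BY_ATTR = {entry["attribute"]: entry for entry in ROLE_INFO}

# Constructed LDAP replies: the same two group memberships in two orders.
REPLY_ADMIN_FIRST = [ROLE_INFO[0]["attribute"], ROLE_INFO[2]["attribute"]]
REPLY_ADMIN_LAST = [ROLE_INFO[2]["attribute"], ROLE_INFO[0]["attribute"]]


def matching_entries(ldap_attrs):
    """Role-info entries matched by the reply, in the order the server listed them."""
    return [_BY_ATTR[a] for a in ldap_attrs if a in _BY_ATTR]


def assign_role_last_match(ldap_attrs):
    """Behaviour described in the symptom: whichever matching attribute the
    LDAP server lists last decides the role."""
    matches = matching_entries(ldap_attrs)
    return matches[-1]["role"] if matches else None


def assign_role_by_precedence(ldap_attrs):
    """Expected behaviour: the matching entry with the lowest precedence value
    wins, so the reply order cannot change the outcome."""
    matches = matching_entries(ldap_attrs)
    if not matches:
        return None
    return min(matches, key=lambda entry: entry["line_order"])["role"]


def replies_with_wrong_role(replies):
    """Audit helper: the replies for which the two strategies disagree, i.e.
    the users whose role depends on LDAP ordering."""
    return [r for r in replies if assign_role_last_match(r) != assign_role_by_precedence(r)]


if __name__ == "__main__":
    for reply in (REPLY_ADMIN_FIRST, REPLY_ADMIN_LAST):
        print(assign_role_last_match(reply), "vs", assign_role_by_precedence(reply))
```

Note that the wrong role is not necessarily the more restrictive one; if the most privileged group happens to be listed last, a user intended for a lower role can be promoted, so the audit should be run in both directions before relying on LDAP remote roles on an affected release.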
762305 : 'exclusiveMaximum' and 'exclusiveMinimum' from swagger are not taken into account in param creation
Component: Application Security Manager
Symptoms:
Parameters generated from swagger with 'exclusiveMaximum' or 'exclusiveMinimum' may not have accurate min/max settings when added to the policy.
Conditions:
Parameters in swagger file specifies numeric values for 'exclusiveMaximum' or 'exclusiveMinimum' instead of true/false.
Impact:
Min/max value enforcement for parameter may be incorrect when it is loaded.
Workaround:
Manually update the min/max values.
762205 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Component: TMOS
Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
Fix:
Handling of payload types during rekey now ignores VENDOR_ID when it appears, the same way VENDOR_ID is ignored in other messages during IKE negotiation.
762073 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
761993 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
761753 : BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
Component: TMOS
Symptoms:
When UDP checksum is 0 (zero), a BIG-IP device with an x520 NIC causes the packets to be marked as 'checksum failed'.
Conditions:
-- Using BIG-IP Virtual Edition (VE).
-- VE is using x520 VF.
Impact:
UDP Packets with 0 checksum are dropped.
Workaround:
None.
Fix:
UDP checksum failed packets are marked by the ixvf driver as 'not checksummed by hardware'. This makes software re-verify checksum instead of relying on hardware-indicated checksum pass/fail.
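The fix hinges on a detail of RFC 768 that offload drivers sometimes get wrong: over IPv4, a UDP checksum field of zero means "no checksum was computed", not "checksum failed", and such datagrams must be accepted. The following is an added example, not F5 or driver code, showing the software re-verification the fix falls back to: it computes the checksum over the IPv4 pseudo-header, treats a zero field as unchecksummed, and flags a genuine mismatch. The addresses and payload are constructed.

```python
import struct

# Constructed endpoints (RFC 1918 addresses) used by the sample datagrams.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
UDP_PROTO = 17


def _ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry; odd length is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_segment):
    """RFC 768 checksum over the IPv4 pseudo-header plus the segment with its
    checksum field zeroed. A computed value of 0 is transmitted as 0xFFFF so
    that 0 on the wire always means 'not checksummed'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF


def verify_udp(src_ip, dst_ip, udp_segment):
    """Return 'unchecksummed', 'ok' or 'bad'. The first case is the one the
    ixvf path mishandled: it must not be reported as a failure over IPv4."""
    (received,) = struct.unpack("!H", udp_segment[6:8])
    if received == 0:
        return "unchecksummed"
    return "ok" if udp_checksum(src_ip, dst_ip, udp_segment) == received else "bad"


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    """Build a UDP segment; with_checksum=False leaves the field at zero."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        segment = segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]
    return segment


if __name__ == "__main__":
    good = build_udp(SRC_IP, DST_IP, 53000, 53, b"hello")
    print(verify_udp(SRC_IP, DST_IP, good))
    print(verify_udp(SRC_IP, DST_IP, build_udp(SRC_IP, DST_IP, 53000, 53, b"hello", with_checksum=False)))
    print(verify_udp(SRC_IP, DST_IP, good[:8] + b"jello"))
```

The zero-means-absent rule is IPv4 only: IPv6 makes the UDP checksum mandatory (apart from the RFC 6935 tunnel exception), so a verifier for IPv6 traffic should treat a zero field as a failure rather than copying the branch above.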
761685 : Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
Component: Service Provider
Symptoms:
Systems that need a unique outgoing connection per client may silently end up with clients sharing an outgoing connection if routing uses a virtual server as the outgoing connection transport definition and the virtual server has the source-port attribute set to preserve-strict.
Conditions:
-- Routing using a virtual server as the transport definition for the outgoing connection.
-- The virtual server has the source-port attribute set to preserve-strict.
Impact:
Systems that need a unique outgoing connection per client may silently end up sharing an outgoing connection between clients.
Workaround:
None.
Fix:
Per-client mode is now maintained when routing to a virtual server, even when preserve-strict is selected.
761553 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved the text for analyzed requests for suggestions that were created as a result of the absence of violations in traffic.
761549 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
The Accept and Stage action is now available only for suggestions on entities that are not in staging.
761517 : nat64 and ltm pool conflict
Component: Carrier-Grade NAT
Symptoms:
When a pool is assigned to a virtual server with nat64, the destination address is changed to the one of the pool, regardless if address translation is enabled or not.
Conditions:
A virtual server with nat64 enabled and a pool configured.
Impact:
nat64 does not happen, even if the translate-address option is set to disable.
Workaround:
None.
Fix:
When a nat64 virtual server has a pool and translate-address is disabled, the pool is still used for member selection, but nat64 translation is now performed.
761477 : Client authentication performance when large CRL is used
Component: Local Traffic Manager
Symptoms:
The search for a revoked certificate is performed serially on the BIG-IP system. This causes a performance impact when a large CRL (e.g., one with roughly 60 K entries) is used.
Conditions:
-- Client authentication configured with a CRL containing a large number of entries (roughly 60 K).
-- Associated with virtual server.
-- Client connection requests arrive to be authenticated.
Impact:
CRL checking spikes up TMM CPU usage. Performance may be impacted.
Workaround:
None.
761373 : Debug information logged to stdout
Component: Access Policy Manager
Symptoms:
Debug information is logged to stdout:
-- err mcpd[6943]: 01071392:3: Background command '/usr/libexec/mdmsyncmgr -o restore' failed.
-- err mcpd[6943]: 01071703:3: Postprocess action (/usr/libexec/mdmsyncmgr -o restore) failed with exit code (9).
Conditions:
Whenever logging config is changed.
Impact:
Log messages are seen when logged in via a terminal.
Workaround:
None.
Fix:
These redundant messages no longer occur.
761345 : Additional config-sync may be required after blob compilation on an HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for an HA setup, an additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
761329 : APM per-request policy variable assign agent does not support secure variable assignment
Component: Access Policy Manager
Symptoms:
APM per-request policy variable assign agent does not support secure assignment of variable(s).
Conditions:
Variable assignment agent is used in APM per-request policy and Secure option is selected from dropdown in variable assignment entry.
Impact:
Variables are not saved securely and are seen in plaintext.
Workaround:
None.
Fix:
Variable assign agent in APM per-request policy can securely assign variables after fix.
761318 : Opening libcryptoki-6.2.2-11.x86_64.rpm fails during SafeNet 6.2.2 client install
Component: Local Traffic Manager
Symptoms:
When using verbose mode, SafeNet installation script emits the following benign error message:
error: open of libcryptoki-6.2.2-11.x86_64.rpm failed.
Even though the error is harmless, the false alarm is disturbing.
Conditions:
Install SafeNet 6.2.2 on the BIG-IP system.
Impact:
This error message is benign, so you can safely ignore it.
Workaround:
You can either ignore this error message or turn off the verbose option of SafeNet installation script.
Fix:
There is now a new SafeNet client tar ball to replace Luna_6.2.2_Client_Software.tar, so this error message no longer occurs.
761282 : SNAT pool may use wrong address after self addresses are added/modified
Component: Local Traffic Manager
Symptoms:
Traffic sent on different networks using a SNAT pool may select a SNAT IP address that is not on the local network.
Conditions:
-- SNAT pool configured with two or more addresses on different networks.
-- Self IP addresses are added/modified such that:
- Before the modification, two or more addresses in the SNAT pool are on the same network.
- After the modification, the addresses in the SNAT pool are on different networks.
Impact:
The incorrect source address might impact network traffic.
Workaround:
Remove and re-add the members in the SNAT pool.
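A SNAT address that is not on the local network of the egress self IP is usually unroutable for return traffic, so it pays to check the pool against the self IPs before and after a change rather than discovering the problem from failed connections. The following is an added example, not F5 code: it maps SNAT pool members onto self-IP networks, picks the on-link member the way the expected behaviour would, and flags exactly the trigger named in the conditions above (members that shared one network before the self-IP change and span several afterwards). Addresses are constructed.

```python
import ipaddress

# Constructed configuration: one SNAT pool, self IPs before and after a change
# that narrows a /16 into two /24s, splitting the pool across networks.
SNAT_POOL = ["10.1.1.50", "10.1.2.50"]
SELF_IPS_BEFORE = ["10.1.1.1/16"]
SELF_IPS_AFTER = ["10.1.1.1/24", "10.1.2.1/24"]


def on_link_members(self_ips, snat_pool):
    """Map each self-IP network (as a string) to the pool members on that network."""
    networks = [ipaddress.ip_interface(s).network for s in self_ips]
    result = {str(net): [] for net in networks}
    for member in snat_pool:
        addr = ipaddress.ip_address(member)
        for net in networks:
            if addr in net:
                result[str(net)].append(member)
    return result


def select_snat(egress_self_ip, snat_pool):
    """Expected selection: a pool member on the same network as the egress self IP.
    Returns None when no member is on-link, which is the case the issue produced
    (a member from a different network was used instead)."""
    net = ipaddress.ip_interface(egress_self_ip).network
    candidates = [m for m in snat_pool if ipaddress.ip_address(m) in net]
    return candidates[0] if candidates else None


def _networks_covered(self_ips, snat_pool):
    return {net for net, members in on_link_members(self_ips, snat_pool).items() if members}


def change_triggers_issue(self_ips_before, self_ips_after, snat_pool):
    """True when the self-IP change moves the pool from one shared network to
    several, i.e. the condition under which stale selection state mattered."""
    before = _networks_covered(self_ips_before, snat_pool)
    after = _networks_covered(self_ips_after, snat_pool)
    return len(before) == 1 and len(after) > 1


if __name__ == "__main__":
    print(on_link_members(SELF_IPS_AFTER, SNAT_POOL))
    print(select_snat("10.1.2.1/24", SNAT_POOL))
    print(change_triggers_issue(SELF_IPS_BEFORE, SELF_IPS_AFTER, SNAT_POOL))
```

When the check reports a split, apply the workaround (remove and re-add the pool members) immediately after the self-IP change, before traffic depends on the new layout.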
761273 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all bytes before that position read back as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
Fix:
Log file preserves text file type after log rotation.
761234 : Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
Component: Advanced Firewall Manager
Symptoms:
If you create a virtual server with a single address ('Host' in the GUI) for both its source and destination, then configure the virtual server's security policy with a logging profile, and then (after creating the virtual server) modify the source or destination to use a traffic matching condition, the system reports no error when updating the configuration.
Conditions:
Attempting to use a virtual server with a security policy attached that uses a logging profile with an address list as the virtual server's source or destination.
Impact:
An invalid configuration is not caught. When later loading the configuration, the system reports a validation error, and the configuration does not load.
Workaround:
None.
Fix:
An error is now generated under these conditions.
761231 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Solution Article: K79240502
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
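The failure mode here is a negative result (a misconfigured resolver) being cached forever, so that fixing the resolver has no effect until TMM restarts. The following is an added example, not F5 code, of a verdict cache for this kind of reverse-DNS crawler check: with no TTL it reproduces the stuck state, and with a five-minute TTL the corrected resolver is consulted again once the entry ages out. The resolver callable, the allowed hostname suffixes and the PTR answer are constructed for the example, and the clock is injectable so the expiry can be exercised without waiting.

```python
import time

# Constructed data: a TEST-NET crawler address, the PTR answer a working resolver
# returns for it, and the hostname suffixes the check accepts.
CRAWLER_IP = "203.0.113.10"
CONSTRUCTED_PTR = {CRAWLER_IP: "crawl-203-0-113-10.googlebot.com"}
ALLOWED_SUFFIXES = (".googlebot.com", ".search.msn.com")
CACHE_TTL_SECONDS = 300  # the expiry the fix introduces


class VerdictCache:
    """Per-IP 'legal'/'illegal' verdicts. ttl=None never expires entries, which
    is the pre-fix behaviour; otherwise entries are dropped after ttl seconds."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._store = {}

    def get(self, ip):
        hit = self._store.get(ip)
        if hit is None:
            return None
        verdict, stamp = hit
        if self.ttl is not None and self.clock() - stamp >= self.ttl:
            del self._store[ip]
            return None
        return verdict

    def put(self, ip, verdict):
        self._store[ip] = (verdict, self.clock())


def verify_search_engine(ip, resolver, cache):
    """Reverse-DNS check: legal only if the resolver maps the IP to a hostname in
    an allowed domain. A resolver failure yields 'illegal', and that verdict is
    cached like any other, which is what kept crawlers blocked."""
    cached = cache.get(ip)
    if cached is not None:
        return cached
    try:
        hostname = resolver(ip)
    except OSError:
        hostname = None
    verdict = "legal" if hostname and hostname.endswith(ALLOWED_SUFFIXES) else "illegal"
    cache.put(ip, verdict)
    return verdict


def simulate(ttl):
    """Resolver broken on the first request, fixed before the second, which is
    made 301 seconds later. Returns the two verdicts."""
    now = [0.0]
    cache = VerdictCache(ttl, clock=lambda: now[0])
    state = {"dns_ok": False}

    def resolver(ip):
        if not state["dns_ok"]:
            raise OSError("resolver unreachable")
        return CONSTRUCTED_PTR.get(ip)

    first = verify_search_engine(CRAWLER_IP, resolver, cache)
    state["dns_ok"] = True
    now[0] += CACHE_TTL_SECONDS + 1
    second = verify_search_engine(CRAWLER_IP, resolver, cache)
    return first, second


if __name__ == "__main__":
    print("no expiry:", simulate(None))
    print("5 min TTL:", simulate(CACHE_TTL_SECONDS))
```

A production check of this kind should also resolve the returned hostname forward and confirm it maps back to the original address, since an attacker controls the PTR record of address space they own; the example only demonstrates the caching behaviour this issue is about.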
761185 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
761160 : OpenSSL vulnerability: CVE-2019-1559
Component: TMOS
Symptoms:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Conditions:
-- "Non-stitched" ciphersuites are in use (stitched ciphersuites are optimised implementations of certain commonly used ciphersuites).
-- The application calls SSL_shutdown() twice (once to send a close_notify and once to receive one) even after a fatal protocol error has occurred.
Impact:
OpenSSL responds differently to a 0-byte record with invalid padding than to one with an invalid MAC. If the application's behaviour then differs in a way detectable by the remote peer, this amounts to a padding oracle that could be used to decrypt data.
Workaround:
None.
Fix:
Update OpenSSL to 1.0.2s.
761144 : Broadcast frames may be dropped
Component: TMOS
Symptoms:
Under certain conditions, broadcast Ethernet frames may be dropped.
Conditions:
Multi-blade systems.
Stand-alone appliances and VE systems are not affected.
Single-blade vCMP guests are not affected.
Impact:
Dropped Ethernet frames.
Workaround:
None.
Fix:
Broadcast frames are now processed as expected.
761112 : TMM may consume excessive resources when processing FastL4 traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources when processing FastL4 traffic
Conditions:
-- FastL4 profile enabled.
-- loose-init enabled.
Impact:
Excessive resource consumption, potentially leading to a failover event.
Workaround:
Disable loose-init in environments where it is not needed.
Fix:
TMM now processes FastL4 traffic as expected
761088 : Remove policy editing restriction in the GUI while auto-detect language is set
Component: Application Security Manager
Symptoms:
While the policy language is set to auto-detect, editing the policy in the GUI is not allowed.
Conditions:
Create a new policy and set the language to auto-detect.
Impact:
The policy cannot be edited from the GUI while its language is set to auto-detect.
Workaround:
The policy language must be set to something other than auto-detect to allow user to edit the policy from GUI. However, policy editing is possible using REST API.
Fix:
The GUI restriction was removed. User can modify the policy while the language is set to auto-detect.
761032 : TMSH displays TSIG keys
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
761030 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
761014 : TMM may crash while processing local traffic
Solution Article: K11447758
760991 : DataSafe GUI is displayed when invalid FPS licenses keys are configured
Component: Fraud Protection Services
Symptoms:
When DataSafe license is installed and invalid FPS license keys are configured, DataSafe GUI is displayed instead of FPS GUI with a license error message.
Conditions:
- License DataSafe.
- Configure invalid FPS license keys (license.antifraud.*).
Impact:
The incorrect GUI is displayed. This is a cosmetic error. The system functions as expected.
Workaround:
Setting database variable: license.antifraud.id = "<null>"
Fix:
The correct GUI is displayed.
760974 : TMM SIGABRT while evaluating access policy
Component: Access Policy Manager
Symptoms:
TMM cores while evaluating access policy.
Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an iRule similar to the following:
when ACCESS_POLICY_COMPLETED {
    # Reject the connection if the policy result is still "in_progress"
    set res [ACCESS::session data get "session.policy.result"]
    if {[string compare $res "in_progress"] == 0} {
        log local0.notice "rejecting"
        reject
    }
    log local0.notice "result :$res"
}
Fix:
TMM no longer cores under these conditions.
760930 : MRF SIP ALG with SNAT: Added additional details to log events
Component: Service Provider
Symptoms:
Subscriber name is not included in debug log events for temporary subscriber registration creation and deletion.
Conditions:
debug log events for temporary subscriber registration creation and deletion.
Impact:
No functional impact, but the associated MRF SIP ALG with SNAT issue might be difficult to debug.
Workaround:
None.
Fix:
Subscriber ID is now included in the log events.
760835 : Static generation of rolling DNSSEC keys may be missing when the key generator is changed
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system may lose DNSSEC keys if the key generator is changed from rolling keys to static keys.
Conditions:
DNSSEC key generation is changed from rolling to static.
Impact:
DNSSEC keys may be lost.
Workaround:
None.
760833 : BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner.
Conditions:
Generating a DNSSEC key.
Note: This is an intermittent issue.
Impact:
DNSSEC keys may not be synced.
Workaround:
None.
760683 : RST from non-floating self-ip may use floating self-ip source mac-address
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update its forwarding table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
760680 : TMSH may utilize 100% CPU (single core worth) when set to be a process group leader and SSH session is closed.
Component: TMOS
Symptoms:
TMSH does not correctly handle the absence of its input stream after an interactive SSH session is closed, and remains active in an infinite loop using 100% CPU.
Conditions:
If TMSH is a process group leader, it will not be killed when the parent shell is terminated upon SSH session close.
This is a rare case, as TMSH must be deliberately promoted to a process group leader, e.g., with the 'setsid' command.
Usually the shell process is a group leader and, when it is terminated upon SSH session close, it kills its child processes, including TMSH.
Impact:
The equivalent of one CPU core is utilized to 100% by the TMSH process. It may be mostly scheduled on one core or spread over multiple control plane cores.
Workaround:
TMSH should not be intentionally promoted to a process group leader.
You can kill all TMSH processes using the command:
killall -9 tmsh
Warning: This command kills both abandoned and in-use TMSH processes. The latter can include other users' TMSH shells, and even system-level processes invoking the TMSH utility internally. Killing all TMSH processes can lead to various unexpected failures. You can use the 'top' command to see which TMSH processes are using high CPU (e.g., 90% or more), and kill just those, as they are the likely abandoned processes.
You can kill specific TMSH processes using the command:
kill -9 <pid>
Where <pid> is the process ID of the TMSH instance to kill.
Fix:
I/O error handling in TMSH has been corrected, so it no longer ignores the absence of an input stream, which led to the infinite loop.
760550 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760462 : Live update notification is shown only for provisioned/licensed modules
Component: Application Security Manager
Symptoms:
Live update notification in the left top corner of the screen was shown even when you cannot install updates, e.g., no permissions or no license/provisioning.
Conditions:
-- There is an update for a non-provisioned or unlicensed module.
-- Attempt to install the update.
Impact:
A notification appears and it cannot be removed.
Workaround:
None.
Fix:
Live update notification is now shown only for provisioned/licensed modules.
760439 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing a UCS that was taken in forced-offline state on a cleanly installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760370 : MRF SIP ALG with SNAT: Next active ingress queue filling
Component: Service Provider
Symptoms:
When running MRF SIP ALG with SNAT, the ingress queue may fill, causing messages to be dropped on the next-active device.
Conditions:
-- The active device determines that an operation can be skipped because the details are already discovered processing a previous message.
-- The next-active device has not yet processed the previous message and is not able to skip the operation.
Impact:
Mirroring state is lost for the connection.
Workaround:
None.
Fix:
When the connection is mirrored, the processing operation is not skipped on either the active or next-active device.
760356 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports.
760259 : Qkview silently fails to capture qkviews from other blades
Component: TMOS
Symptoms:
When capturing a qkview on a chassis, no warning is provided when the qkview utility fails to gather a qkview from another blade.
Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.
-- Execute qkview on another blade, and verify that no warnings or errors are produced.
Impact:
There is no warning that the qkview failed for a given blade.
Workaround:
There is no workaround other than running the qkview on the actual blade.
760234 : Configuring Advanced shell for Resource Administrator User has no effect
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. This gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.
Workaround:
None.
Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.
Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.
760164-2 : BIG-IP VE Compression Offload HA action requires modification of db variable
Component: TMOS
Symptoms:
When TMM detects a compression offload device hang it does not invoke the configured high availability (HA) action.
Conditions:
This occurs when the following conditions exist:
-- BIG-IP Virtual Edition (VE) Cryptographic Offload is licensed.
-- BIG-IP VE VM has been assigned QuickAssist Virtual Functions (VFs).
-- A QuickAssist endpoint associated with one of the VFs hangs.
-- BIG-IP VE executes compression operations.
Impact:
The configured HA action does not occur when a compression offload device hangs. Clients' compression requests eventually time out.
Workaround:
Disable pfmand by running the following commands:
tmsh modify sys db pfmand.healthstatus value disable
tmsh save sys config
The configured HA action will now occur when a compression offload device hangs.
Note: The pfmand daemon is not needed for BIG-IP VE, so disabling the db variable has no impact for BIG-IP VE configurations.
759968-5 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having duplicate rebroad_mac values on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest use the following procedure:
1. stop sys service clusterd
2. modify sys db clusterd.communicateovertmmbp value false
3. start sys service clusterd
4. save sys conf
Afterwards, the affected guest may still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
759839 : Datasafe encrypts stored substitute value for xhr request and not the real value
Component: Fraud Protection Services
Symptoms:
FPS end users report they are unable to log in to an application.
Conditions:
-- Datasafe enabled.
-- A parameter is set to be encrypted in the settings.
-- The page contains a custom encryption function which manipulates the value before sending it.
Impact:
Client logins fail.
Workaround:
Disable the Substitute value setting.
Fix:
Added the ability to encrypt [CUSTOM_FUNC](real field), so this issue no longer occurs.
759735 : OSPF ASE route calculation for new external-LSA delayed
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSAs.
-- No updated router or network LSAs.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear the IP OSPF process.
Fix:
OSPF ASE route calculation from external LSAs now happens as normal.
759664 : Remove Event Listener support of edge case
Component: Fraud Protection Services
Symptoms:
In cases where the protected input field is not located under the form tag, the Remove Event Listener feature removes the malicious event listeners of the input field, but the field itself is missing from the traffic that is sent on submit.
Conditions:
Protected inputs are located outside of the form tag.
For example:
<form>
...
</form>
<input name="username">
Impact:
In an edge-case situation, the entered values are not sent when submitting the form.
Workaround:
None.
Fix:
The Remove Event Listener feature now supports cases where an input field is not inside the form.
759654 : LDAP remote authentication with remote roles and user-template failing
Component: TMOS
Symptoms:
The directory server that performs authentication requests refuses a query for authorization (user attributes), which prevents the BIG-IP user from logging on with remote authentication.
BAD_NAME errors are usually present in LDAP communication.
Conditions:
-- Configure LDAP remote authentication with remote roles and a user template.
-- As a remote user, attempt to log on.
Impact:
The query request sent to the directory server is refused because the password is not included in the request, and the server does not accept an anonymous bind request. The refused request prevents a lookup of the user account attributes on the directory server. As a result, the BIG-IP user cannot log on.
Workaround:
Remove the user-template; bind-dn must be used to authenticate against the LDAP server.
759640 : Logon failure with Session Expired/Timeout
Component: Access Policy Manager
Symptoms:
When the 'Session Expired/Timeout' popup window is shown on the Logon Page via the Edge Client for macOS and the 'Start new session' link is then clicked, the BIG-IP APM server categorizes uimode as Full Browser (0) for the new session. If your Access Policy logic has a uimode check where Full Browser mode results in no Network Access resource, logon failure can occur.
Conditions:
-- Logon form configured with additional fields other than username, password, and soft token fields.
-- Session times out when user is in logon page.
Impact:
Access Policy branch logic that makes decisions based on uimode is affected. On macOS, Edge Client is detected as Full Browser (uimode 0) by APM. If your Access Policy logic has a uimode check where Full Browser mode results in no Network Access resource, logon failure can occur.
Workaround:
None.
Fix:
On macOS, Edge Client is no longer detected as Full Browser (uimode 0) by APM.
759638 : APM current active and established session counts out of sync after failover
Component: Access Policy Manager
Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.
err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).
Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.
Impact:
There is no impact to user sessions. Only the connection counts are impacted.
Workaround:
None.
759579 : Full Webtop: 'URL Entry' field is available again
Component: Access Policy Manager
Symptoms:
'URL Entry' field is no longer visible from full webtop.
Conditions:
Using Portal Access full webtop screen.
Impact:
It is not possible to open a Portal Access session with an arbitrary URL from the full webtop screen.
Workaround:
None.
Fix:
The 'URL Entry' field can now be enabled and used on the full webtop.
759536 : Linux kernel vulnerability: CVE-2019-8912
Solution Article: K31739796
759499 : Upgrade from version 12.1.3.7 to version 14.1.0 failing with error★
Component: TMOS
Symptoms:
Upgrade from version 12.1.3.7 to version 14.1.0 fails. Running 'tmsh show sys software' shows the following message:
failed (Could not access configuration source; sda,n)
Conditions:
1. Install BIG-IP version 12.1.3.7 in new volume.
2. From 12.1.3.7, try to install 14.1.0 in new volume.
Impact:
Upgrade fails.
Workaround:
To work around this issue, delete the 14.1.0 volume and try the installation again.
The second installation of 14.1.0 succeeds in this scenario.
759419 : HTTP2 monitors can be created
Component: Local Traffic Manager
Symptoms:
The HTTP2 protocol is not supported as a built-in monitor type.
Conditions:
A pool of HTTP2 servers needs to be monitored.
Impact:
HTTP2 servers cannot be monitored.
Workaround:
It may be possible to create an external monitor.
SSL or TCP monitors may approximate the wanted functionality.
Fix:
It is now possible to create built-in monitors that inspect HTTP2 traffic.
759392 : HTTP_REQUEST iRule event triggered for internal APM request
Component: Access Policy Manager
Symptoms:
Requests for the internal APM renderer for logo customization trigger the HTTP_REQUEST iRule event.
Conditions:
A customized logo is configured in the Access Profile.
Impact:
HTTP_REQUEST event will be raised for requests for the customized logo in the Access Profile.
Workaround:
Inside the HTTP_REQUEST event, if a certain action must not be taken on a customized logo, check that the request URL does not equal the URL of the logo (it starts with '/public/images/customization/' and contains the image name).
759385 : Records for an external data-group can be incorrectly managed
Component: Local Traffic Manager
Symptoms:
The system does not use data-group records added directly to external data-groups, although you can use tmsh and iControl to directly modify an external data-group.
Conditions:
-- An external data-group is configured, and its name is used as if it were an internal data-group when adding records to the data-group.
-- Using tmsh or iControl.
Impact:
This results in data-group records that exist but which the configuration does not use.
Workaround:
Do not use the 'ltm data-group internal' configuration path to add records to an external data-group. Manage records in an external data-group via the external data-group's file.
Fix:
The system now disallows internal data-group commands on external data-group types.
759370 : FIX protocol messages parsed incorrectly when fragmented between the body and the trailer.
Component: Service Provider
Symptoms:
The header part of the FIX message is parsed successfully (the FIX_HEADER iRule event is triggered), but the message is eventually discarded as incomplete (no FIX_MESSAGE iRule event).
Conditions:
A FIX message is fragmented between the body part and the trailer (tag 10).
Impact:
FIX protocol messages are not forwarded.
Workaround:
Ensure that the FIX protocol packet size does not exceed the MTU value.
Fix:
Message parsing improved to correctly handle fragmented packets.
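The framing problem behind this issue is that a FIX parser must not decide a message is incomplete merely because the trailer (tag 10) has not arrived in the same read as the header and body. The following feed-based framer is an added example written for this page, not F5's code: it parses BeginString (tag 8) and BodyLength (tag 9), buffers until the full body plus a 7-byte trailer is present, verifies the checksum, and only then emits the message. The sample message is constructed inline with the helper build_message; a cap on BodyLength (MAX_BODY) is an assumption added so that a hostile length cannot make the framer buffer forever.

```python
import re
from typing import List, Tuple

SOH = b"\x01"
MAX_BODY = 1 << 20  # assumed upper bound on BodyLength; rejects absurd values instead of buffering forever
# BeginString (tag 8) followed by BodyLength (tag 9), anchored at the start of the buffer.
HEADER_RE = re.compile(rb"8=([^\x01]+)\x019=(\d+)\x01")


def fix_checksum(data: bytes) -> int:
    """FIX checksum: sum of all bytes up to and including the SOH before '10=', modulo 256."""
    return sum(data) % 256


def build_message(fields: List[Tuple[int, str]]) -> bytes:
    """Build a wire-format FIX 4.4 message from body fields (constructed test input)."""
    body = b"".join(f"{tag}={value}".encode() + SOH for tag, value in fields)
    head = b"8=FIX.4.4" + SOH + f"9={len(body)}".encode() + SOH
    return head + body + f"10={fix_checksum(head + body):03d}".encode() + SOH


def parse_fields(raw: bytes) -> List[Tuple[int, str]]:
    """Split a complete frame into (tag, value) pairs."""
    fields = []
    for item in raw.split(SOH):
        if item:
            tag, _, value = item.partition(b"=")
            fields.append((int(tag), value.decode("ascii")))
    return fields


class FixFramer:
    """Reassembles FIX messages from an arbitrary byte stream, tolerating fragmentation anywhere."""

    def __init__(self) -> None:
        self.buf = b""
        self.header_parsed = False  # analogous to FIX_HEADER having fired without FIX_MESSAGE yet

    def feed(self, chunk: bytes) -> List[List[Tuple[int, str]]]:
        self.buf += chunk
        messages = []
        while True:
            match = HEADER_RE.match(self.buf)
            if not match:
                if SOH in self.buf and not self.buf.startswith(b"8="):
                    raise ValueError("stream desynchronised: expected BeginString (tag 8)")
                break  # header not complete yet
            body_len = int(match.group(2))
            if body_len > MAX_BODY:
                raise ValueError("BodyLength exceeds limit")
            self.header_parsed = True
            trailer_start = match.end() + body_len
            frame_end = trailer_start + 7  # '10=' + 3 digits + SOH
            if len(self.buf) < frame_end:
                break  # body or trailer still in flight: keep waiting, do not discard
            trailer = self.buf[trailer_start:frame_end]
            if not (trailer.startswith(b"10=") and trailer.endswith(SOH)):
                raise ValueError("malformed trailer")
            if int(trailer[3:6]) != fix_checksum(self.buf[:trailer_start]):
                raise ValueError("checksum mismatch")
            messages.append(parse_fields(self.buf[:frame_end]))
            self.buf = self.buf[frame_end:]
            self.header_parsed = False
        return messages


if __name__ == "__main__":
    msg = build_message([(35, "D"), (49, "CLIENT"), (56, "BROKER"), (11, "ORD1")])
    cut = msg.index(b"10=")  # split exactly between body and trailer, as in the issue
    framer = FixFramer()
    print(framer.feed(msg[:cut]))  # [] : header seen, message pending
    print(framer.feed(msg[cut:]))  # one complete message
```

Feeding the same message in two halves split at the trailer yields an empty list first and the complete message second, which is the behaviour the fix restores; a checksum or length mismatch raises instead of silently forwarding a corrupt frame.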
759356 : Access session data cache might leak if there are multiple TMMs
Component: Access Policy Manager
Symptoms:
Due to asynchronicity in the TMM subsystem, it is possible that the session data cache might be created after the session is terminated. As a result, that session data cache never gets released.
Conditions:
-- Transparent SWG.
-- The BIG-IP system has more than one TMM.
Impact:
TMM memory might be exhausted eventually.
Workaround:
None.
759343-8 : MacOS Edge Client installer does not follow best security practices
Solution Article: K49827114
759307 : Enhance oauth client failure error log message id:01490290.
Component: Access Policy Manager
Symptoms:
The log message for id:01490290 does not include JSON Web Token (JWT) information.
Conditions:
This occurs when none of the configured JWK keys match the received JWT.
Impact:
Without JWT information in the log message, it is very difficult to debug which token caused the error.
Workaround:
None.
Fix:
Added JWT Header in the error log message indicating which token caused the error.
759302 : The same dynamic flow can not be added to different URLs
Component: Application Security Manager
Symptoms:
When you try to add a dynamic flow that already exists for a different URL, the system reports an error message:
This dynamic flow already exists in policy.
Conditions:
1) Create default policy with /aaa and /bbb URLs.
2) Add dynamic flow with "RegExp Value"="a" to /aaa URL.
3) Try to add the same dynamic flow to /bbb URL.
Impact:
You are unable to add the dynamic flow to /bbb URL.
Workaround:
You can add the dynamic flow using the REST API.
Fix:
A dynamic flow that already exists for a different URL can now be added to a second URL using the GUI.
759172 : Read Access Denied: user (gu, guest) type (Certificate Order Manager)
Component: TMOS
Symptoms:
A GUI guest user is supposed to see Key properties (which include cert order manager association details) and the Certificate Order Manager object itself, but the system reports an error:
-- General database error retrieving information.
-- err mcpd[6586]: 01070823:3: Read Access Denied: user (gu) type (Certificate Order Manager)
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Guest user attempts to view Key properties (including cert order manager association details) and Certificate Order Manager object information.
Impact:
Certificate Manager role does not allow users to create certificates. They can upload and delete certificates, but when trying to create one, the GUI stays blank and the logs show a Read Access Denied error.
Workaround:
None.
759135 : AVR report limits are locked at 1000 transactions
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable, avr.stats.reportrownumberlimit, has been added that can be controlled via TMSH. The variable controls the number of rows in a report, within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
759077 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
758992 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.
758938 : Datasafe RTE causing login form to not be updated on subsequent login attempts
Component: Fraud Protection Services
Symptoms:
After a failed login attempt to an app using a web form, subsequent login attempts fail.
Conditions:
This can occur when Datasafe is in use.
Impact:
Datasafe end users are unable to log in after an initial failed login attempt.
Workaround:
None.
Fix:
Fixed an issue with end users being unable to log in to a web application after a failed login attempt.
758706 : Importing a cert with an expiration time of 'Dec 31 23:59:59 9999' causes errors in the GUI
Component: TMOS
Symptoms:
General database error retrieving information when loading the SSL certificate management page:
Certificate Management : Traffic Certificate Management : SSL Certificate List.
Conditions:
Import a certificate that has an expiration date of 'Dec 31 23:59:59 9999 GMT' into the BIG-IP system.
Note: Some of these certificates are generated by Cisco Expressway.
Impact:
Error message is posted. Unable to manage certificates in the GUI.
Workaround:
Adjust the timezone to GMT and restart tomcat using the following commands:
tmsh modify sys ntp timezone GMT
bigstart restart tomcat
Fix:
GUI now shows appropriate time in local timezone for certificates with expiration time of 'Dec 31 23:59:59 9999'.
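The workaround above (display in GMT) points at the underlying failure mode: 'Dec 31 23:59:59 9999' is the largest representable timestamp, so shifting it into any timezone east of GMT pushes it past the end of the calendar. The following is an added example written for this page, not BIG-IP code, and it uses Python's datetime rather than the GUI's own date handling, so the overflow it shows is an analogous illustration, not a claim about the BIG-IP implementation. It parses OpenSSL's notAfter text form, recognises the RFC 5280 "no well-defined expiration" sentinel (99991231235959Z), and falls back safely instead of raising when a local-time conversion would overflow. The certificate dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# OpenSSL's text form of notAfter, e.g. 'Dec 31 23:59:59 9999 GMT'.
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"
# RFC 5280 section 4.1.2.5: a certificate with no well-defined expiry uses 99991231235959Z.
NO_EXPIRY_SENTINEL = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_not_after(text: str) -> datetime:
    """Parse the OpenSSL notAfter string; strptime accepts 'GMT' for %Z but yields a naive value,
    so the UTC zone is attached explicitly."""
    naive = datetime.strptime(text, NOT_AFTER_FMT)
    return naive.replace(tzinfo=timezone.utc)


def to_local(not_after: datetime, tz: timezone) -> Optional[datetime]:
    """Convert to a display timezone; returns None when the shifted value would leave year 9999."""
    try:
        return not_after.astimezone(tz)
    except OverflowError:
        return None


def is_never_expiring(not_after: datetime) -> bool:
    return not_after == NO_EXPIRY_SENTINEL


def display_not_after(text: str, tz: timezone) -> str:
    """What a certificate list should render instead of failing on the far-future date."""
    not_after = parse_not_after(text)
    if is_never_expiring(not_after):
        return "No well-defined expiration (notAfter 99991231235959Z)"
    local = to_local(not_after, tz)
    if local is None:
        # Unreachable for the sentinel (handled above) but kept for other far-future values.
        return not_after.strftime("%Y-%m-%d %H:%M:%S UTC (cannot convert to local time)")
    return local.strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    cest = timezone(timedelta(hours=2))
    print(display_not_after("Dec 31 23:59:59 9999 GMT", cest))
    print(display_not_after("Jun 30 12:00:00 2031 GMT", cest))
```

Note that the same notAfter converts without trouble in a zone west of GMT (the offset moves the instant earlier), which is why the failure depends on the management timezone and not on the certificate alone; treating the sentinel explicitly removes the dependency altogether.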
758655 : TMC does not allow inline addresses with non-zero Route-domain.
Component: Local Traffic Manager
Symptoms:
When trying to create a traffic-matching-criteria with inline addresses in a non-zero Route-domain, the system reports an error:
TMC(/Common/tmc333) and addresses within the address list have different route domain.
Conditions:
Attempting to create a traffic-matching-criteria with an inline address (source or destination) and a non-zero route-domain, e.g.:
create ltm traffic-matching-criteria tmc333 destination-address-inline 111.111.111.194 source-address-inline 0.0.0.0 route-domain 100
Impact:
Cannot create the traffic-matching-criteria.
Workaround:
None.
Fix:
You can now create a traffic-matching-criteria with inline addresses with non-zero Route-domain.
758631 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
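The rule from RFC 5246 at issue here (a server may only send extensions the client offered) is simple to state and easy to get wrong when the decision is keyed off the negotiated cipher suite rather than the ClientHello. The following added example, written for this page and not BIG-IP's TLS code, parses a TLS extensions block, shows the buggy and the corrected selection of ServerHello extensions side by side, and includes the check a client or a test harness would use to flag an unsolicited extension. The ClientHello extensions bytes are constructed inline; extension type numbers (ec_point_formats = 11, supported_groups = 10) are the IANA-registered values.

```python
import struct
from typing import Dict, List

SUPPORTED_GROUPS = 0x000A
EC_POINT_FORMATS = 0x000B
UNCOMPRESSED_ONLY = b"\x01\x00"  # ec_point_formats list: length 1, format 0 (uncompressed)


def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Parse a TLS extensions block: 2-byte total length, then (type:2, length:2, data) records.
    Rejects truncation and duplicate types, which RFC 5246 forbids."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    pos, exts = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + elen > len(blob):
            raise ValueError("truncated extension body")
        if etype in exts:
            raise ValueError(f"duplicate extension type {etype}")
        exts[etype] = blob[pos:pos + elen]
        pos += elen
    return exts


def encode_extensions(exts: Dict[int, bytes]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts.items())
    return struct.pack("!H", len(body)) + body


def buggy_server_extensions(client_exts: Dict[int, bytes], ec_suite_chosen: bool) -> Dict[int, bytes]:
    """The defective behaviour: ec_point_formats is added whenever an EC suite is selected."""
    return {EC_POINT_FORMATS: UNCOMPRESSED_ONLY} if ec_suite_chosen else {}


def server_extensions(client_exts: Dict[int, bytes], ec_suite_chosen: bool) -> Dict[int, bytes]:
    """Corrected behaviour: only echo ec_point_formats if the client offered it."""
    if ec_suite_chosen and EC_POINT_FORMATS in client_exts:
        return {EC_POINT_FORMATS: UNCOMPRESSED_ONLY}
    return {}


def unsolicited_extensions(client_exts: Dict[int, bytes], server_exts: Dict[int, bytes]) -> List[int]:
    """Client-side / test-harness check: every ServerHello extension must appear in the ClientHello."""
    return sorted(t for t in server_exts if t not in client_exts)


if __name__ == "__main__":
    # Constructed ClientHello extensions: supported_groups (x25519, secp256r1) but NO ec_point_formats.
    client_blob = encode_extensions({SUPPORTED_GROUPS: b"\x00\x04\x00\x1d\x00\x17"})
    client = parse_extensions(client_blob)
    print("buggy  :", unsolicited_extensions(client, buggy_server_extensions(client, True)))   # [11]
    print("fixed  :", unsolicited_extensions(client, server_extensions(client, True)))         # []
```

Running the check against the buggy selector reports extension type 11 as unsolicited, which is exactly what strict clients object to; the corrected selector produces an empty list whether or not the client offered ec_point_formats.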
758527 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Component: TMOS
Symptoms:
Under certain conditions, BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758517 : Callback for Diffie Hellman crypto is missing defensive coding
Component: TMOS
Symptoms:
Destruction of objects during Diffie Hellman crypto callback does not first check for object validity.
Conditions:
Async callback for Diffie Hellman crypto call when objects no longer look valid.
Impact:
IPsec tunnels go down when tmm cores, in rare cases.
Workaround:
No workaround is known at this time.
Fix:
Defensive coding has been added to forestall action when objects look invalid.
758516 : IKEv2 auth encryption is missing defensive coding that checks object validity
Component: TMOS
Symptoms:
Auth signature crypto callback does not check objects for validity before encryption.
Conditions:
Encryption during auth signature callback processing for IKE_AUTH.
Impact:
IPsec tunnels go down when tmm cores in rare situations.
Workaround:
No workaround is known at this time.
Fix:
Defensive coding has been added that checks object validity during auth encryption.
758485 : Send Disconnect-Peer-Request message per RFC3588.5.4
Component: Service Provider
Symptoms:
When a pool member is disabled or forced offline, the system continues sending Device Watchdog Request (DWR) messages to the pool member following the connection close, instead of sending a Disconnect Peer Request (DPR).
Conditions:
-- MRF Diameter is configured.
-- Connection close occurs.
Impact:
The BIG-IP system does not comply with the RFC for the event of connection close.
Workaround:
None.
Fix:
The BIG-IP system now sends DPR instead of DWR in the event a pool member is force-offline.
758387 : BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
Component: TMOS
Symptoms:
In STP 'passthru' mode, any packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as an STP bridge protocol data unit (BPDU), and is flooded to the VLAN.
Conditions:
-- The BIG-IP system is configured for STP 'passthru' mode.
-- The BIG-IP system receives a packet with MAC 01-80-c2-00-00-00.
Impact:
A packet that is not an STP BPDU, but is sent to the same destination MAC address may be flooded as if it was a BPDU.
Workaround:
None.
758308 : Import/create policy may fail after failed upgrade UCS load
Component: Application Security Manager
Symptoms:
Import/create ASM policy may fail after a failed upgrade UCS load.
Conditions:
An upgrade UCS load ends in failure.
Impact:
Import/create ASM policy may fail.
Workaround:
As a workaround, the policy import schema from the current version can be copied:
----------------------------------------------------------------------
/bin/cp -f /ts/var/schema/negsig/common.xsd /ts/var/schema/negsig/common.xsd.pre_overwrite
/bin/cp -f /ts/share/*.xsd /ts/var/schema
/bin/cp -f /ts/share/negsig/*.xsd /ts/var/schema/negsig
[[ $(stat -c%s "/ts/var/schema/negsig/common.xsd.pre_overwrite") -gt $(stat -c%s "/ts/var/schema/negsig/common.xsd") ]] && /bin/cp -f /ts/var/schema/negsig/common.xsd.pre_overwrite /ts/var/schema/negsig/common
----------------------------------------------------------------------
This can be performed safely at any time, and does not require ASM restart.
758257 : Adding option to mask each AFM stats separately
Component: Application Visibility and Reporting
Symptoms:
If the AFM stats are enabled, the BIG-IP system logs ACL, DoS L3 firewall events, IP Reputation, DNS, and SIP stats, and you are unable to mask any of them. This might cause performance issues.
Conditions:
-- AFM provisioned.
-- AFM stats enabled.
Impact:
All AFM stats are collected (ACL, DoS L3 firewall events, IP Reputation, DNS, SIP). There is no way to specify a subset of stats to collect.
Workaround:
None.
758235 : Large user database size
Component: Application Visibility and Reporting
Symptoms:
The username table in the AVR DB reaches a very large size, and you observe high I/O wait and high CPU utilization.
Conditions:
AVR configuration with a very large number of different users.
Impact:
High I/O wait on the device. It might cause a tmm core due to tmm not getting enough CPU. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
The following command disables the collection of the username (which prevents this issue):
tmsh mod sys db avr.collapseasmhttpusername value disable
758119 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758089 : Refreshing sessions fails with 'All[Read Only]' partitions
Component: Access Policy Manager
Symptoms:
While trying to refresh Access :: Overview : Active Sessions in the GUI, you get an error 'No Access'.
Conditions:
This occurs when a user with operator level or higher attempts to refresh the Overview tab under Access in the GUI while in the 'All[Read Only]' partition.
Impact:
'No Access' page error after clicking on Refresh button.
Workaround:
Use the Refresh button of the browser to refresh the entire page.
Fix:
When logged in as operator/admin, you can now refresh the page in 'All' partition without error.
758065 : TMM may consume excessive resources while processing FIX traffic
Solution Article: K82781208
758038 : Addition of receive status code to DNS HTTP/HTTPS monitors
Component: Global Traffic Manager (DNS)
Symptoms:
This feature adds an additional status code match option for the DNS HTTP/HTTPS monitors to act as a gating check for the current receive-string-match functionality.
Conditions:
-- Configure a DNS HTTP/HTTPS monitor with receive status code and receive string parameter selected.
-- Assign this monitor to a DNS resource, either pool member or virtual server.
Impact:
Resource becomes available or unavailable depending on whether the server response contains the status code or receive string defined in the monitor.
Workaround:
This is a new feature.
Fix:
Receive status code feature adds an additional status code match option for DNS HTTP/HTTPS monitors to act as a gating check for the current receive-string-match functionality. This is a new parameter in these monitors and is used to mark a virtual server or pool member available or not available.
758018 : APD/APMD may consume excessive resources
Solution Article: K61705126
758006 : Thales nethsm-thales-rfs-install.sh script failing with / partition full
Component: Local Traffic Manager
Symptoms:
nethsm-thales-rfs-install.sh fails with the following errors:
/ partition full or /shared/nfast/bin/anonkneti: No such file or directory
Conditions:
Installing Thales RFS using the script:
nethsm-thales-rfs-install.sh.
Impact:
Failed Thales RFS installation.
Workaround:
Modify the nethsm-thales-rfs-install.sh script as follows.
Replace:
mkdir -p /shared/nfast
for tar_file in $nfast_agg_tar $nfast_ctls_tar $nfast_user_tar $nfast_pkcs11_tar
do
tar -C / -xvf $nfast_path$tar_file
with
mkdir -p /shared/nfast
for tar_file in $nfast_agg_tar $nfast_ctls_tar $nfast_user_tar $nfast_pkcs11_tar
do
tar -C /shared/nfast -xvf $nfast_path$tar_file --strip-components=2
757862 : IKEv2 debug logging an uninitialized variable leading to core
Component: TMOS
Symptoms:
Logging an internal error might result in core.
Conditions:
When the ike_sa variable is uninitialized.
Impact:
Loss of tunnels due to core.
Workaround:
None.
Fix:
Ike_sa is now initialized to hold a valid value before logging takes place.
757827-5 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
3. The BIG-IP version in use contains the fix for ID 726319.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
Fix:
When using FQDN nodes and pool members, ephemeral pool members will be created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
757821 : Strings in APM GUI: Do not use 'none' to mean 'empty value'
Component: TMOS
Symptoms:
In TMSH, 'none' is a special keyword for attributes of type string that is interpreted as an empty value. However, in the APM user interface, if you type 'none' for any field expecting a string value, it is not considered empty.
Conditions:
Occurs when typing 'none' as a string value throughout the APM GUI.
Impact:
The configuration does not operate as expected.
Workaround:
Leave fields blank if you want them to be empty in the APM GUI.
Do not use 'none' to mean 'empty' for any field requiring a string in the APM GUI.
757813 : Unable to use an iRule to classify traffic that has already been classified.
Component: Traffic Classification Engine
Symptoms:
If traffic has already been classified (for example, as icmp), re-classifying it in an iRule fails.
Conditions:
-- CLASSIFY::application used in CLIENT_ACCEPTED iRule
-- Traffic arrives that has already been classified
Impact:
iRule fails to re-classify the traffic.
Fix:
A bigdb variable has been added, tmm.gpa.srdb.defer_finalization. The default value is false. If set to true, it will allow an iRule to reclassify traffic that has already been classified.
Behavior Change:
A new bigdb variable has been added, called tmm.gpa.srdb.defer_finalization. The default value is false. If set to true, it will allow you to reclassify traffic that has already been classified.
757781 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses a special HTTP request to the URL '/private/fm/volatile.html' to exchange cookie data between the client and the BIG-IP system. Sometimes the BIG-IP system sends an invalid response to this request. As a result, no cookie data from the backend server reaches the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
757777 : bigtcp does not issue a RST in all circumstances
Component: Local Traffic Manager
Symptoms:
bigtcp does not issue a TCP reset, for example when the iRule reject command is used in CLIENT_ACCEPTED.
Conditions:
bigtcp is in use on a TCP connection, and the connection is ungracefully shut down by a 'reject' command in an iRule.
Impact:
TCP RST is not sent, and the SYN is silently dropped.
Workaround:
None.
Fix:
bigtcp virtual servers now send a TCP RST when needed.
757775 : Added DB variable to force setting RA bit in response from cache
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, a response from Transparent cache may not have the RA (Recursion Available) bit set.
Conditions:
The issue takes place under the following conditions:
-- Response going from a transparent cache.
-- The msg sub-cache does not contain the query.
-- The rrset sub-cache does contain the query.
Impact:
A response from Transparent cache does not have RA bit set.
Workaround:
The following iRule resolves the issue:
when DNS_RESPONSE {
DNS::header ra 1
}
Fix:
Added a new DB variable, dnscache.forcerecursionavailablebit, which, when enabled, forces the RA bit to be set in responses coming from any type of cache.
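The RA bit that the iRule workaround sets is bit 7 (mask 0x0080) of the flags word in the 12-byte DNS header. The following Python is an added illustration, not code from these release notes or from the BIG-IP product: it parses the header of a raw DNS message, flags a response that has RD set but RA clear (the symptom of this issue), and sets RA the way 'DNS::header ra 1' does. The response message it checks is constructed inline; in practice you would feed it the payload of a response captured with tcpdump from the cache's listener.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields)
HEADER_FMT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes

QR_MASK = 0x8000  # response flag
RD_MASK = 0x0100  # recursion desired (copied from the query)
RA_MASK = 0x0080  # recursion available (set by the responder)


def parse_flags(msg: bytes) -> dict:
    """Return the header flag bits of a raw DNS message as booleans."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    _, flags, *_ = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {
        "qr": bool(flags & QR_MASK),
        "rd": bool(flags & RD_MASK),
        "ra": bool(flags & RA_MASK),
        "rcode": flags & 0x000F,
    }


def set_ra(msg: bytes) -> bytes:
    """Return a copy of msg with the RA bit set; the rest of the message is untouched."""
    fields = list(struct.unpack(HEADER_FMT, msg[:HEADER_LEN]))
    fields[1] |= RA_MASK
    return struct.pack(HEADER_FMT, *fields) + msg[HEADER_LEN:]


def ra_missing(msg: bytes) -> bool:
    """True for a response that carried RD=1 but came back with RA=0."""
    f = parse_flags(msg)
    return f["qr"] and f["rd"] and not f["ra"]


def build_response(name: str, ipv4: str, ra: bool) -> bytes:
    """Constructed single-answer A-record response (not captured traffic)."""
    flags = QR_MASK | RD_MASK | (RA_MASK if ra else 0)
    header = struct.pack(HEADER_FMT, 0x1234, flags, 1, 1, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    bad = build_response("www.example.com", "192.0.2.10", ra=False)
    print("RA missing before fix:", ra_missing(bad))         # True
    print("RA missing after fix :", ra_missing(set_ra(bad)))  # False
```

Run against a capture, ra_missing() tells you whether a given response came from the code path this issue describes; set_ra() shows the exact byte change the iRule or the new DB variable makes, which is useful when comparing captures taken before and after enabling dnscache.forcerecursionavailablebit.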
757747 : IKEv2 ignores passive=true setting in ike-peer
Component: TMOS
Symptoms:
An IKEv2 ike-peer object can be configured in passive mode, but passive mode does not work.
Conditions:
An ike-peer has passive set to true.
Impact:
The ike-peer can still initiate an IKE tunnel negotiation. Passive mode does not work, and the BIG-IP system is the initiator.
Workaround:
None.
757722 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
Configure the peer to suppress notify payloads whose types are not recognized by the IKEv2 implementation on the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
757617 : Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
Solution Article: K30683410
757578 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.
Conditions:
A TCP profile with the 'verify-accept' option enabled is used together with a Web Acceleration profile that uses RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
757519 : Unable to login using LDAP authentication with a user-template
Component: TMOS
Symptoms:
Users cannot log in using remote LDAP authentication. This occurs because, when a user-template is configured, the system uses the user-template value as the DN for the LDAP search.
Conditions:
The LDAP authentication configuration includes a user-template, which is not a valid DN.
Impact:
Remote LDAP authentication users are unable to log in.
Workaround:
You can use either of the following workarounds:
-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.
-- Switch to local authentication.
757470 : Case insensitive flag is ignored on regular expression keywords in simplified Signature editor
Component: Application Security Manager
Symptoms:
The case insensitive flag is not applied on regular expression keywords created using the simplified Signature editor.
Conditions:
A regular expression signature keyword is created and set to be case insensitive.
Impact:
The signature keyword is enforced as case sensitive.
Workaround:
The regular expression can be specified as case insensitive by prepending with "(?i)".
Fix:
The case insensitive flag takes effect correctly on regular expression keywords in simplified Signature editor.
757357-2 : TMM may crash while processing traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing traffic.
Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.
Impact:
TMM crash, leading to a failover event.
Workaround:
To work around this issue, use this procedure:
1a. For BIG-IP systems running versions earlier than 14.1.0, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1af4:1000 unic
1b. For BIG-IP systems running v14.1.0 and later, add the following line to /config/tmm_init.tcl:
device driver vendor_dev 1d0f:ec20 sock
2. Restart tmm using the following command:
bigstart restart tmm
Note: You might need to manually remove that line from /config/tmm_init.tcl after upgrading.
Fix:
TMM now processes traffic as expected.
757306 : SNMP MIBS for AFM NAT do not yet exist
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
AFM NAT values cannot be read via SNMP, so monitoring systems cannot collect this information.
Workaround:
None.
757023 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756998 : DoSL7 Record Traffic feature is not recording traffic
Component: Application Security Manager
Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.
Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile.
-- DoSL7 Attacks are detected.
Impact:
Attack traffic is not being recorded as expected.
Workaround:
None.
Fix:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile correctly records traffic during attacks.
756932 : iRule command 'ACCESS::session data get -secure' can fail when evaluating empty variables
Component: Access Policy Manager
Symptoms:
Use of the iRule command 'ACCESS::session data get -secure <empty variable>' might fail intermittently, which might result in BIG-IP traffic processing failures and a Tcl error logged in /var/log/ltm:
err tmm2[22011]: 01220001:3: TCL error: /Common/sp_irule <HTTP_REQUEST> - variable lookup failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data get -secure "session.saml.last.attr.name.foo"".
Conditions:
Use of -secure flag to get data from an empty variable from ACCESS::session inside iRules.
Impact:
Connection drop.
Workaround:
Wrap the command in an iRule catch statement.
Fix:
The system now checks for empty variable value before attempting decryption.
756817 : ZebOS address blocks do not reflect RFC 5735 changes to reserved address blocks.
Component: Local Traffic Manager
Symptoms:
Special-purpose IP address handling in the routing protocols does not follow RFC 6890. Martian addresses might be announced, and addresses that are no longer reserved (for example, 128.0.0.0/16 and 191.255.0.0/16) might be blocked.
This impacts all components using dynamic routing.
Conditions:
-- Route advertisements in BGP and other protocols allow martian addresses and block address space that RFC 6890 no longer reserves; for example, 128.0.0.0/16, 191.255.0.0/16, and 223.255.255.0/24 are blocked.
-- The IPv6 unspecified (::/128) and loopback (::1/128) addresses are allowed.
-- Some DS-Lite address ranges are not handled correctly.
Impact:
Martian addresses are allowed. Non-martian addresses are blocked.
Workaround:
None.
Fix:
The routing daemons now ensure that martian addresses, such as the IPv6 unspecified (::/128) and loopback (::1/128) addresses, are not used.
Note: Although 128.0.0.0/16, 191.255.0.0/16, 223.255.255.0/24 are no longer martian addresses, they still cannot be used.
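The two halves of this issue (martians accepted, formerly reserved blocks rejected) are what a correct martian filter has to get right. The following Python is an added example, not part of these release notes or of ZebOS: it builds the filter from the RFC 6890 special-purpose blocks that the registry marks as not globally reachable (plus multicast, which is never valid as a unicast route) and checks that the RFC 3330 blocks RFC 5735 un-reserved pass through. The prefix list is this example's reading of RFC 6890; verify it against the current IANA special-purpose registry before using it as a real route filter.

```python
import ipaddress

# RFC 6890 special-purpose blocks marked "Global: False", plus multicast.
# This is the example's reading of the registry, not a list from the product.
MARTIAN_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # private use
    "100.64.0.0/10",      # shared address space (CGN)
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link local
    "172.16.0.0/12",      # private use
    "192.0.0.0/24",       # IETF protocol assignments (contains DS-Lite 192.0.0.0/29)
    "192.0.2.0/24",       # TEST-NET-1
    "192.168.0.0/16",     # private use
    "198.18.0.0/15",      # benchmarking
    "198.51.100.0/24",    # TEST-NET-2
    "203.0.113.0/24",     # TEST-NET-3
    "224.0.0.0/4",        # multicast (not in RFC 6890, never a unicast route)
    "240.0.0.0/4",        # reserved; contains 255.255.255.255/32
)]

MARTIAN_V6 = [ipaddress.ip_network(p) for p in (
    "::/128",             # unspecified
    "::1/128",            # loopback
    "::ffff:0:0/96",      # IPv4-mapped
    "100::/64",           # discard-only
    "2001:2::/48",        # benchmarking
    "2001:db8::/32",      # documentation
    "fc00::/7",           # unique local
    "fe80::/10",          # link local
    "ff00::/8",           # multicast
)]

# Reserved in RFC 3330, removed from the reserved list by RFC 5735. A filter
# built from the old list rejects them, which is the second half of this bug.
FORMERLY_RESERVED = ("128.0.0.0/16", "191.255.0.0/16", "223.255.255.0/24")


def is_martian(prefix: str) -> bool:
    """True if any part of prefix overlaps a block that must never appear as a route."""
    net = ipaddress.ip_network(prefix, strict=False)
    table = MARTIAN_V4 if net.version == 4 else MARTIAN_V6
    return any(net.overlaps(m) for m in table)


def filter_advertisements(prefixes):
    """Split received prefixes into (accepted, rejected), as a distribute-list would."""
    accepted, rejected = [], []
    for p in prefixes:
        (rejected if is_martian(p) else accepted).append(p)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of received advertisements
    received = ["10.0.0.0/8", "128.0.0.0/16", "::1/128", "2001:db8::/32",
                "191.255.0.0/16", "203.0.113.0/24", "198.51.100.0/24"]
    ok, bad = filter_advertisements(received)
    print("accepted:", ok)
    print("rejected:", bad)
    print("formerly reserved, now routable:",
          [p for p in FORMERLY_RESERVED if not is_martian(p)])
```

The overlap test (rather than an exact-match or containment test) matters: a route that covers a martian block, such as 0.0.0.0/7, should be rejected just as a more-specific inside the block would be.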
756571-1 : CVE-2018-17972: Linux kernel vulnerability
Solution Article: K27673650
756510 : Improve log message when an SSL invalid profile is found
Component: Local Traffic Manager
Symptoms:
When an SSL alert is sent, the profile name is logged but not the name of the virtual server. If the profile is attached to many virtual servers, this makes tracing difficult.
Conditions:
An SSL alert is sent and logged.
Impact:
Difficult to identify which virtual server / profile combination was used.
Fix:
When an SSL alert is sent, the name of the associated profile and virtual server are included in the log.
756480 : Added ability in the Flow Inspector to search on serverside src/dst ip addresses
Component: Advanced Firewall Manager
Symptoms:
You are unable to search on serverside source/destination IP addresses using Flow Inspector.
Conditions:
This occurs when using Flow Inspector, a debug tool in AFM.
Impact:
You are unable to search server-side source/destination IP addresses.
Workaround:
Use tmsh:
tmsh show sys connection
Fix:
Added ability in the Flow Inspector to search on serverside src/dst IP addresses.
756474 : Packet tester tool in command line does not support tab completion on vlan name. Vlan name without partition is not supported either
Component: Advanced Firewall Manager
Symptoms:
The packet tester tool does not support tab completion for the VLAN name and does not accept a VLAN name without a partition.
Conditions:
-- Run the tmsh packet tester tool with no partition on the VLAN name.
-- Try tab completion for the VLAN name in the tmsh command.
Impact:
If partition is not entered, the result from packet tester is wrong. Tab completion does not work.
Workaround:
Add the partition name to the VLAN name when running the tool.
Fix:
VLAN name without partition is now supported. Tab completion works as expected.
756458 : Linux kernel vulnerability: CVE-2018-18559
Solution Article: K28241423
756402 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before a packet is re-transmitted, it is found to be garbled, mainly in that its physical length no longer matches the logical length recorded inside the packet.
Conditions:
A rare condition in which a packet is freed while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
756401 : IKEv2 debug logging often omits SPI values that would identify the SAs involved
Component: TMOS
Symptoms:
Debug logging for IPsec often has no clear identification of which SA was involved during some logged events.
Conditions:
When you examine logs in either /var/log/tmm or /var/log/ipsec.log to debug IPsec activity.
Impact:
You might have trouble analyzing what happened from logs when the SA involved in an event is not identified.
Workaround:
None.
Fix:
More logged lines now include SPI values to identify the SA involved, especially in error cases.
756394 : Portal Access: client-side URL rewriter incorrectly replaces '..' with 'f5-w-doubledot' in query
Component: Access Policy Manager
Symptoms:
Via Portal Access, a web application generates requests in which '..' in the query portion of the URL is replaced by 'f5-w-doubledot'.
Conditions:
Client-side JavaScript code produces a URL with '..' in the query part.
Impact:
The web application does not function as expected.
Workaround:
Use a custom iRule to work around this issue.
Fix:
The issue is fixed.
756269 : A new CLI command added to retrieve DoS vector stats
Component: Advanced Firewall Manager
Symptoms:
There is no CLI command to query attack vector information by full or partial vector name.
Conditions:
This is a description of missing functionality. It happens under all conditions.
Impact:
There is no CLI command to query for matched attack vector information.
Workaround:
Query all attack vector information for a given context (virtual server) using the existing tmsh commands, then filter for the specific attack vectors with a script or filtering program.
Fix:
Given an attack vector name or partial name, a CLI command now queries the matching attack vector information directly:
list security presentation tmui attack-list XXXX
XXXX is the vector name or partial name.
Behavior Change:
This release introduces a new tmsh command:
list security presentation tmui attack-list XXXX
This command enables you to query attack information based on attack vector full name (or partial name).
Existing CLI commands are not impacted by this change.
756153 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756102 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
755727 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755716 : IPsec connection can fail if connflow expiration happens before IKE encryption
Component: TMOS
Symptoms:
IKEv2 negotiation fails, and tmm log shows the following error:
notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context
Conditions:
Unusual timing in which the connflow expires immediately before Diffie-Hellman generation.
Impact:
IKE Negotiation fails, so an SA cannot be established.
Workaround:
None.
Fix:
Missing connection context is now replaced, so IKE negotiation can continue.
755674 : CVE-2018-10883: Linux kernel vulnerability
Solution Article: K94735334
755018 : Traffic processing may be stopped on VE trunk after tmm restart
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm after tmm restart on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- tmm restarts.
Impact:
No traffic processing after tmm restart.
Workaround:
Remove the interfaces from the trunk and re-add them:
# tmsh modify net trunk <trunk name> interfaces none
# tmsh modify net trunk <trunk name> interfaces add { <interface1> <interface2> }
Fix:
Traffic processing on trunks is stable after tmm restart.
754875 : Enable FIPS in prelicensed VE images without requiring a reboot
Component: Local Traffic Manager
Symptoms:
Must reboot a FIPS-enabled PAYG-Best BIG-IP Virtual Edition (VE) image to see the FIPS prompt.
Conditions:
-- Using FIPS.
-- Using PAYG-Best.
-- Using VE.
Impact:
Must reboot the system to see the FIPS prompt.
Workaround:
Reboot the system to see the FIPS prompt.
Fix:
This release enables FIPS in prelicensed VE images without requiring a reboot.
Behavior Change:
You no longer need to reboot a FIPS-enabled PAYG-Best VE image to see the FIPS prompt.
754691 : During failover, an OSPF routing daemon may crash.
Component: TMOS
Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.
Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any
2) OSPF router with this access-list:
router ospf 1
ospf router-id 10.14.0.11
bfd all-interfaces
network 10.14.0.0/16 area 0.0.0.1
distribute-list 199 in
!
-- The device with this configuration is in the standby state.
-- A failover occurs.
Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.
Workaround:
None.
Fix:
An ospfd daemon no longer crashes during a failover.
754635 : When SSL persistence enabled, session cache size cannot be zero.
Component: Local Traffic Manager
Symptoms:
LTM resets the connection if SSL persistence is enabled and the session cache size is set to zero.
Conditions:
The session cache size is set to zero while SSL persistence is enabled; the configuration allows this combination.
Impact:
LTM resets the connection if no session ID is sent when SSL persistence is enabled.
Workaround:
Do not set the session cache size to zero when SSL persistence is enabled.
Fix:
Profile validation now checks the session cache size setting when SSL persistence is enabled.
754525 : Disabled virtual server accepts and serves traffic after restart
Component: Local Traffic Manager
Symptoms:
Disabled virtual servers accept traffic after being upgraded to an affected version, or after restarting.
Conditions:
1. A virtual server is configured on pre-v14.1.0.
2. Disable the virtual server.
3. Either upgrade to an affected version, or restart the system.
Impact:
The virtual server remains 'Disabled', but it accepts and processes traffic.
Workaround:
To correct the behavior, manually enable/disable the virtual server.
Fix:
Disabled virtual servers no longer process traffic after a restart.
754218 : Stateless virtual servers do not work with non-standard load-balancing methods
Component: Local Traffic Manager
Symptoms:
Load balancing does not work properly for stateless virtual servers that use the ratio-member or least-connections load balancing method.
Conditions:
Stateless virtual server with ratio-member load balancing or least-connection load balancing method.
Impact:
Traffic is sent to a single pool member only; ratio load balancing does not work properly.
Workaround:
Use the default round-robin load balancing method.
754003 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Solution Article: K73202036
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
753975-1 : TMM may crash while processing HTTP traffic with AAM
Solution Article: K92411323
753860 : Virtual server config changes causing incorrect route injection.
Component: TMOS
Symptoms:
Updating a virtual server to use a different virtual address (VADDR) does not work as expected. The route for the old VADDR should be withdrawn and a route for the new VADDR injected. Instead, incorrect routes are injected into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
753485-5 : AVR global settings are being overridden by HA peers
Component: Application Visibility and Reporting
Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, so the systems report incorrectly to BIG-IQ Data Collection Devices (DCDs).
Conditions:
Configuring HA for systems connected to BIG-IQ.
Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is that the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending on the time zone configuration of the device.
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.
Note: This bug is tightly related to BIG-IQ Bug ID 757423.
Workaround:
None.
Fix:
Synchronization of the relevant fields in AVR global settings is disabled, so this issue no longer occurs.
751924 : TSO packet bit fails IPsec during ESP encryption
Component: TMOS
Symptoms:
An internal error occurs when a packet with the TCP segmentation offload (TSO) bit set reaches the ESP crypto code in IPsec, which does not expect it.
Conditions:
Traffic passing through ESP encapsulation for an IPsec tunnel when the TSO bit (for TcpSegmentationOffload) is set on the packet involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TSO bit is now cleared before ESP encryption, so it no longer causes the ESP crypto code to fail.
751512 : CGN Inbound connections should not bypass AFM firewall rules
Component: Advanced Firewall Manager
Symptoms:
CGNAT inbound connections to an lsn-pool member IP address that should match an AFM firewall rule do not trigger a policy action.
Conditions:
-- AFM Provisioned.
-- Inbound connection matches firewall rule.
Impact:
Packets of inbound connections always bypass firewall rules.
Workaround:
None.
Fix:
AFM Firewall policy is now enforced on inbound connections as default behavior.
Added sys db variable afm.inbound_conn.enforce_policies to disable AFM policy enforcement on inbound connection.
Behavior Change:
A new sys db variable has been added, afm.inbound_conn.enforce_policies, to disable AFM policy enforcement on inbound connections. It can be set to enable or disable, and the default is enable.
751450 : Ability to select both IKEv1 and IKEv2 in ike-peer config deprecated
Component: TMOS
Symptoms:
Multiple values (v1/v2) for the IKE version attribute can lead to inconsistent handling of IPsec tunnel negotiation and to unexpected errors, depending on which peer is the initiator. Additionally, setting both values has led to an indeterminate state in the BIG-IP system's internal configuration.
Conditions:
Both v1 and v2 are selected as the IKE version in the ike-peer configuration object.
Impact:
An indeterminate configuration state can exist after changing from both versions to just one.
Workaround:
An indeterminate configuration state after changing from both versions to just one can normally be cleared by restarting tmipsecd (bigstart restart tmipsecd), but clearing the TMM state may require rebooting the BIG-IP system.
Fix:
Ike peer version can take only one value now:
-- In the GUI, you can set the version by selecting one option through radio buttons (either v1 or v2).
-- In TMSH, you can specify the version using the 'replace-all-with' option. When you try to set more than one value, an error message is displayed.
751383 : Invalidation trigger parameter values are limited to 256 bytes
Component: WebAccelerator
Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user's perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.
Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.
Impact:
All content on target policy node is invalidated rather than the specific content targeted.
Workaround:
None.
Fix:
Invalidation trigger parameter values can now be up to 8K bytes in size.
751036 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Component: Local Traffic Manager
Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.
Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.
Impact:
Virtual server status reports unavailable, even though it should be available.
Workaround:
None needed for traffic: this problem does not affect the virtual server's traffic processing; only the reported status is wrong.
751021 : One or more TMM instances may be left without dynamic routes.
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
Fix:
All TMM instances across all blades now properly learn dynamic routes.
750702 : TMM crashes while making changes to virtual wire configuration
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
This can occur when deleting a virtual-wire configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
750278 : A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases
Component: Local Traffic Manager
Symptoms:
For certain high-throughput applications running over SSL (for instance, video streaming), it may be desirable for the BIG-IP system to reset both flows as soon as possible once one side has sent a FIN but the peer side is continuing to send data.
This situation is undesirable (as it wastes bandwidth), given that at this point the BIG-IP system is no longer proxying data but only dropping all remaining ingress packets (SSL does not support half-closed TCP connections).
Conditions:
This issue occurs when the following conditions are met:
- A standard virtual server with the client SSL and server SSL profiles in use.
- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
- The peer side ignores the FIN and continues to send data.
Impact:
Even if the SSL alert-timeout option was set to its lowest allowed value (1 second), given a large number of connections in this specific state, the wasted bandwidth can reach considerable levels.
Workaround:
None.
Fix:
The SSL alert-timeout option now supports the 'Immediate' value, which makes the BIG-IP system reset both flows after 1/1000 second.
749249 : IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
Component: TMOS
Symptoms:
IPsec tunnels fail to establish and CPUs go to 100%.
Conditions:
- IPsec tunnels configured.
- System has multiple blades.
Impact:
The CPU exhaustion may cause system instability.
The tmm logs may contain large numbers of messages similar to the following:
-- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1
Workaround:
For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.
Fix:
An internal control-plane messaging loop has been fixed.
749184 : Added description of subviolation for the suggestions that enabled/disabled them
Component: Application Security Manager
Symptoms:
The description of the subviolation is missing for the suggestions that enabled/disabled it.
Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.
Impact:
You cannot determine which subviolation a suggestion enabled/disabled.
Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.
Fix:
Added description of subviolation for the suggestions that enabled/disabled them.
749011 : Datasync may start background tasks during high disk IO utilization
Component: TMOS
Symptoms:
The datasync daemon runs background tasks only when CPU and RAM resources are available, but there is no check for whether the disk IO is busy. When the disk IO is heavily used while CPU and RAM are available, the background tasks may start, loading the disk IO even more heavily and affecting performance.
Conditions:
- Client-side ASM/FPS features are enabled.
- Other conditions causing high disk IO usage on the device.
Impact:
- High disk IO causing occasional performance degradation
- On extreme cases, datasyncd may miss its heartbeat and cause a failover
Workaround:
None
748355 : MRF SIP curr_pending_calls statistic can show negative values.
Component: Service Provider
Symptoms:
Certain irregular SIP message patterns may produce an erroneous curr_pending_calls value that can drop below zero and underflow.
Conditions:
Uncommon message flows like re-transmitted INVITE or OK responses can trigger the issue, which may be brought about at times by lost packets when using UDP.
Impact:
SIP curr_pending_calls may show incorrect values.
748044-2 : RAID status in tmsh is not updated when disk is removed or rebuild finishes
Component: TMOS
Symptoms:
'tmsh show sys raid' shows stale information.
When the RAID status changes because a disk fails, is pulled without being removed from the RAID, or when RAID rebuild completes, the new status is not updated to be visible in tmsh.
Log messages, SNMP traps and alerts associated with the change in RAID status do not appear.
Conditions:
-- Platforms that support RAID running 14.0.0 or later.
-- Running the command: tmsh show sys raid.
Impact:
'tmsh show sys raid' output might show disk as ok when it has actually failed, or may show the disk as rebuilding when it is actually ok.
Workaround:
From a bash shell run the command 'array' to see the correct state of the RAID.
If a disk has failed or been removed, the following tmsh commands remove the disk from the RAID:
tmsh mod sys raid array <arrayName> remove <DiskName>
748031 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
Fix:
The reserved XML characters are now properly escaped and the invalidation rule is created as expected.
747995 : MBLB SIP dropping packets with unknown methods
Component: Service Provider
Symptoms:
Traffic sent to a MBLB SIP LB is dropped if the SIP method is unknown.
Conditions:
Packets contain SIP methods not already known to the BIG-IP system.
Impact:
Packet is dropped.
Workaround:
None.
747907 : Persistence records leak while the HA mirror connection is down
Component: Local Traffic Manager
Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.
Conditions:
-- Persistence is configured that requires its state to be stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.
Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, the system releases the memory.
Workaround:
-- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not require its state to be stored on the BIG-IP system.
-- Restore HA connection.
Fix:
Persistence records no longer leak memory while the HA mirror connection is down.
747628 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
747585 : TCP Analytics supports ANY protocol number
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 virtual server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround at this time.
Fix:
TCP analytics now supports both ANY and TCP protocol numbers, and collects analytics for TCP flows when the protocol number is ANY or TCP.
747203 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
Component: TMOS
Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.
Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in the legs of processing for one flow being distributed across several tmm instances.
Impact:
NATT/ESP tunnel flows can end with a RST reset.
Workaround:
None.
Fix:
In the ESP proxy, the system now clears a bit in the packet meta-information related to forwarding, so that a decrypted packet such as a SYN/ACK can reach the last tmm needed.
747060 : CVE-2018-12384: NSS Vulnerability
Solution Article: K41738501
747013 : Add OCSP server support to IKEv2 negotiation for IPsec peer authentication
Component: TMOS
Symptoms:
There is no support for OCSP in IPsec.
Conditions:
When an IPsec ike-peer uses certificates, the name of a locally defined OCSP cert-validator object can be specified in the new attribute ocsp-cert-validator, so that the OCSP server is contacted during IKE negotiation to authenticate the peer's certificate.
Impact:
If a peer is not using certificates, nothing happens.
If certificates are used, the ike-peer's certificate is authenticated with the OCSP server using an asynchronous HTTP request in the middle of the IKE_AUTH exchange in IKEv2.
Success permits new SA (security association) creation, while failure causes IKEv2 negotiation failure, denying an SA.
Workaround:
None, this is a code improvement.
Fix:
IKEv2 negotiation of SAs in IPsec now supports OCSP for certificate authentication. This requires defining an OCSP cert-validator in the configuration, then adding the name of this object to the ocsp-cert-validator attribute in the ike-peer configuration definition.
Note: You can use this feature with IKEv2 but not IKEv1.
Behavior Change:
You can now add the name of an OCSP cert-validator to ike-peer in IPsec, to make a peer's certificate require authentication by OCSP before IKE negotiation succeeds and an SA (security association) is created.
For docs on the new ocsp-cert-validator attribute see this help info:
tmsh help net ipsec ike-peer
For docs on how to create an instance of the OCSP object, see this help info:
tmsh help sys crypto cert-validator ocsp
The name must include the partition prefix. For example, if you create an instance named 'my_ocsp_srv' in the Common partition, then set ocsp-cert-validator like this:
tmsh modify net ipsec ike-peer peer_ocsp ocsp-cert-validator /Common/my_ocsp_srv
This new attribute is only used when 1) the ike-peer also uses certificates, and 2) an instance of OCSP cert-validator with that name is found in configuration.
When creating the OCSP object instance, you likely want a shorter timeout in order to minimize the effect of caching responses from the OCSP server. For example:
tmsh create sys crypto cert-validator ocsp my_ocsp_srv dns-resolver my_dns timeout 4 cache-timeout 5 cache-error-timeout 5 responder-url http://10.100.145.64:8888 clock-skew 900
The cache-timeout and cache-error-timeout values cannot be smaller than timeout, so adding one second to the timeout value is suggested.
Note: if the responder-url has an explicit IP address, as shown in the example above, then a DNS resolver is not actually used, so you can provide a dummy:
tmsh create net dns-resolver my_dns forward-zones add { net { nameservers add { 10.20.20.100:53 } } } route-domain 0
The IP address given for my_dns above does not matter, because it will not be used. So my_dns merely serves to satisfy OCSP cert-validator creation, which requires either a dns-resolver or a proxy-server-pool in the command line.
If an ike-peer uses certificates, and attribute ocsp-cert-validator is the name of a configured OCSP cert-validator instance, then during IKEv2 negotiation, the OCSP server will be contacted to authenticate the remote peer's certificate, during the IKE_AUTH exchange. This happens right after the AUTH signature payload is authenticated. If the OCSP server returns good status, negotiation succeeds and a new SA is created. Otherwise, for example if the OCSP says the peer's certificate has been revoked, then negotiation fails because the peer is not authenticated.
Note: IKEv1 is not supported in this behavior change.
746825 : MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
Component: Service Provider
Symptoms:
When a temporary registration is created for an unsubscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.
Conditions:
-- The nonregister-subscriber-callout attribute is enabled in the siprouter-alg profile.
-- An unregistered client device places an outgoing call. At this point, a temporary registration is created. This temporary registration lives for the life of the call.
-- During the lifetime of the temporary registration, if the connection from the client is closed, it is not possible for an external device to reach the client device.
Impact:
The callee of an outgoing call initiated by an unregistered SIP device cannot end the call.
Workaround:
There is no workaround at this time.
Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.
746223 : DNSSEC: Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created
Component: Global Traffic Manager (DNS)
Symptoms:
Initial Key Generations may take up to 5 seconds to appear when a new DNSSEC Key is created.
Conditions:
The user creates a new DNSSEC Key.
Impact:
The initial DNSSEC Key Generation may take up to 5 seconds to appear in the configuration.
Workaround:
There is no workaround at this time.
746122 : 'load sys config verify' resets the active master key to the on-disk master key value
Component: TMOS
Symptoms:
Master key is reset to an older value which may differ from the 'active' value.
Conditions:
Configuration is validated via 'tmsh load sys config verify'.
Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.
Workaround:
None.
Fix:
Verification loads do not override the 'active' master-key.
745923 : Virtual server may reset a connection with port zero when client sends ACK after a 4-way close
Component: Local Traffic Manager
Symptoms:
The virtual server sends a reset with port zero.
Conditions:
Here is an observed sequence for the problem to happen:
1. Three way handshake initiated by client to VIP.
2. Client actively closing the connection - 4 way close
3. Client continues to send ACK after 4 way close
Impact:
The virtual server sends an incorrect reset.
Workaround:
There is no workaround at this time.
745663 : During CMP forward, nexthop data may miss at large packet split
Component: Local Traffic Manager
Symptoms:
When a large packet is split, the nexthop data is used for the first small packet but is missing from the subsequent packets.
Conditions:
CMP forward of host LRO packet (e.g., FTP data-channel)
Impact:
Heavy packet loss, retransmissions, and delays.
745103 : NodeJS Vulnerability: CVE-2018-7159
Solution Article: K27228191
744937 : BIG-IP DNS and GTM DNSSEC security exposure
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
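As an added illustration of the NODATA rule described above (example code, not part of the F5 release note or the BIG-IP implementation): the configured type list minus the queried-for type, encoded in the RFC 4034 section 4.1.2 Type Bit Maps window format that NSEC3 records carry. The type code table, the db variable values and the query types are constructed sample values.

```python
# Added example: derive the NSEC3 types bitmap for a one-off NODATA response
# from a dnssec.nsec3*typesbitmap-style value ("txt rrsig"), minus the
# queried-for type, and encode/decode it in RFC 4034 4.1.2 wire format.
# This is a model of the documented rule, not BIG-IP code.

# Subset of RR type codes (IANA DNS parameters); constructed helper table.
TYPE_CODES = {
    "a": 1, "ns": 2, "cname": 5, "soa": 6, "mx": 15, "txt": 16, "aaaa": 28,
    "rrsig": 46, "nsec": 47, "dnskey": 48, "nsec3": 50, "nsec3param": 51,
    "caa": 257,  # lives in window block 1, exercising the multi-window path
}


def parse_types_db_value(value: str) -> set[str]:
    """Parse a db value such as "txt rrsig" (quotes optional) into type names.

    The release note requires lowercase names; uppercase input is rejected
    rather than silently normalised so that a bad setting is visible.
    """
    names = value.strip().strip('"').split()
    for name in names:
        if name != name.lower():
            raise ValueError(f"type names must be lowercase: {name!r}")
        if name not in TYPE_CODES:
            raise ValueError(f"unknown RR type: {name!r}")
    return set(names)


def nodata_types(configured: set[str], qtype: str) -> list[str]:
    """Types advertised in a NODATA response: configured set minus the
    queried-for type, ordered by type code."""
    remaining = configured - {qtype.lower()}
    return sorted(remaining, key=lambda n: TYPE_CODES[n])


def encode_type_bitmap(type_names) -> bytes:
    """Encode type names as NSEC/NSEC3 Type Bit Maps (RFC 4034 4.1.2).

    Each window block is: window number (1 byte), bitmap length (1 byte,
    1..32), then the bitmap with trailing zero bytes omitted. Bit 0 of each
    byte is the most significant bit.
    """
    windows: dict[int, bytearray] = {}
    for name in type_names:
        code = TYPE_CODES[name]
        window, low = code >> 8, code & 0xFF
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> list[int]:
    """Inverse of encode_type_bitmap; returns type codes in ascending order
    and rejects malformed window blocks."""
    codes, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed type bitmap")
        for byte_idx, byte in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    codes.append((window << 8) | (byte_idx * 8 + bit))
        i += 2 + length
    return codes


def nodata_bitmap(db_value: str, qtype: str) -> bytes:
    """Full path: db variable value plus queried type to wire-format bitmap."""
    return encode_type_bitmap(nodata_types(parse_types_db_value(db_value), qtype))


if __name__ == "__main__":
    # Constructed sample: under-apex value "txt rrsig", query for TXT.
    # Only RRSIG (type 46) remains: window 0, 6 bytes, bit 46 set.
    print(nodata_bitmap('"txt rrsig"', "txt").hex())
```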
744743 : Rolling DNSSEC Keys may stop generating after BIG-IP restart
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC Keys may stop generating when a BIG-IP system restarts.
Conditions:
The BIG-IP system is restarted by running the 'bigstart restart' command.
Impact:
Rolling DNSSEC keys can stop generating.
Workaround:
None.
Fix:
Rolling DNSSEC Keys no longer stop regenerating after a BIG-IP restart.
744476 : Some SSO methods may work inappropriately when using OTP Generate agent
Component: Access Policy Manager
Symptoms:
Password-based single sign-on (SSO) methods (such as HTTP basic, NTLM, Form Based) may not work because the OTP Generate agent overwrites the session.logon.last.password session variable with the one-time password.
Conditions:
Access policy contains 'OTP Generate' agent and the Access Profile has an assigned SSO method.
Impact:
Some SSO methods may not work as expected.
Workaround:
1. Use a 'Variable Assign' agent to store the APM end user's password in a temporary session variable.
2. Use that as the source in the SSO credential mapping agent.
Fix:
This release adds an 'OTP Source' field in the v1 (per-session) OTP verify agent.
744280 : Enabling or disabling a Distributed Application results in a small memory leak
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.
Conditions:
Enabling or disabling a Distributed Application.
Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.
Workaround:
None.
Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.
743946 : Tmsh loads schema versions 12.x and earlier which are no longer supported★
Component: TMOS
Symptoms:
BIG-IP systems support directly upgrading to a new version from the previous two major BIG-IP versions.
Thus, upgrading to BIG-IP version 15.x from BIG-IP version 13.x, 14.x or 15.x is supported.
Similarly, tmsh and iControl REST interfaces allow a previous version to be specified, to interpret commands and format responses according to the specified schema versions.
Thus, schema versions 13.x, 14.x and 15.x are supported by tmsh and iControlREST.
However:
Affected versions of BIG-IP version 15.x still load unsupported 12.x and 11.x tmsh schema versions.
Affected versions of BIG-IP version 14.x still load unsupported 11.x tmsh schema versions.
Conditions:
This occurs on affected versions of BIG-IP.
Impact:
Instances of tmsh consume more memory (averaging approximately 16MB per instance on BIG-IP version 15.1.0) due to loading unsupported 12.x and 11.x schemas.
If a large number of tmsh instances are loaded (due to a large number of users logged in, and particularly a large number of remotely-authenticated users), tmsh memory consumption can contribute to out-of-memory conditions.
Workaround:
None.
Fix:
Schema versions 12.x and 11.x are no longer loaded by tmsh or available via iControlREST, except for the following versions:
11.5.0, 11.5.4, 11.5.5, 12.0.0, 12.1.0
Behavior Change:
This may impact you if you are running BIG-IP version 15.1.0 or later and attempting to use tmsh schema versions or iControl REST API versions 12.x or 11.x, such as:
-- Setting the current tmsh version to a 12.x or 11.x version:
tmsh modify cli version active 12.1.3
-- Attempting to load a configuration saved in a Single Configuration File (SCF) from a 12.x or 11.x version:
tmsh load sys config file my_saved_12.1.3_config.scf
-- Specifying a 12.x or 11.x version when making iControl REST API calls:
curl -sk -u admin:admin -X GET https://<mgmt.ip.address>/mgmt/tm/sys/console?ver=12.1.3
Note: This restriction does not affect upgrading from 12.x or 11.x versions, or loading configuration from a UCS file for such versions:
tmsh load sys ucs my_saved_12.1.3_config.ucs
This is because UCS files include a backup of the tmsh schema version under which they were saved, which is then imported as needed when loading the configuration from the UCS file.
743803 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743758 : Support dynamic CRL check for clientSSL profile
Component: TMOS
Symptoms:
Although dynamic CRL checks for server SSL profile are supported in earlier releases, CRL checks for client SSL profiles are not. The operation fails if you try to assign a CRL validator object to a client SSL profile:
tmsh modify ltm profile client-ssl cssl crl my_crl
Conditions:
When trying to assign a CRL validator to a client SSL profile.
Impact:
Unable to dynamically verify the revocation status of the SSL certificate from the client side.
Note: The static CRL file configuration still works. But without the (dynamic) CRL validator configuration, it cannot automatically fetch, check, and cache CRL files for certificates received.
Workaround:
You can partially work around this by developing scripts to keep changing the static CRL file configuration, for example:
tmsh modify ltm profile client-ssl cssl crl-file /shared/xxx.crl
Fix:
Now you can configure a CRL validator object for a client SSL profile. The object automatically fetches, checks, caches, updates, and manages the CRL files, based on the CRL URLs on the SSL certificates whenever a certificate is received, so you no longer need to download, manage, and change the CRL files yourself.
741676 : Intermittent crash switching between tunnel mode and interface mode
Component: TMOS
Symptoms:
Changing the policy mode for an IPsec tunnel can crash when switching back and forth between tunnel mode and interface mode.
Conditions:
Changing mode in ipsec-policy from tunnel to interface, or vice versa.
Impact:
A tmm restart, after a core, interrupts all IPsec tunnel service until new SAs are negotiated to replace the old ones.
Workaround:
Start with desired mode, tunnel or interface, and avoid changing the value from one to the other.
Fix:
Changing mode between tunnel and interface now works as expected.
741222 : Install epsec1.0.0 into software partition.★
Component: Access Policy Manager
Symptoms:
On some hardware configurations, after the BIG-IP software upgrade, epsec1.0.0 install fails.
Conditions:
-- Upgrade from earlier versions to BIG-IP 14.1.0.
-- Attempting to install epsec1.0.0.
Note: This occurs on only some hardware platforms, including the following:
+ BIG-IP 4000
+ BIG-IP i2800 series
+ BIG-IP Virtual Edition
+ BIG-IP vCMP Guest
Impact:
Unable to install or use software check with APM endpoint inspection.
Workaround:
There is no workaround other than upgrading to a fixed version of the software.
Fix:
The epsec1.0.0 installation is now performed into active BIG-IP software volume (/var), so this issue no longer occurs.
741213 : Modifying disabled PEM policy causes coredump
Component: Policy Enforcement Manager
Symptoms:
TMM undergoes core dump after a disabled policy has a new rule added.
Conditions:
-- Add a rule to disabled PEM policy.
-- Enable the PEM policy, and this policy is applied by PCRF.
-- Traffic is generated for this subscriber.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Modify a PEM policy only when the policy is enabled.
738943 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs
Conditions:
- running imish command
Impact:
Loss of the ability to show dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
738330 : /mgmt/toc endpoint issue after configuring remote authentication
Component: TMOS
Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.
Conditions:
When remote auth is configured.
Impact:
Cannot configure remote authentication.
After configuring remote authentication, you can log in to the mgmt/toc area with the admin user, but logging in with a remote auth user ends with 'You are not authorized to use this resource'.
Workaround:
On BIG-IP versions since 14.1.0.6 and 13.1.1.5:
Enable 'Fallback to Local' in the remote auth config section on the BIG-IP system:
tmsh modify auth source fallback true
Both local BIG-IP user 'admin' and LDAP user are now able to authenticate and access https://XX.XX.XX.XX/mgmt/toc.
On other versions of BIG-IP software, there is no workaround.
Fix:
When source type is set to a remote auth method, login now succeeds. If the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
Behavior Change:
This release allows fallback to local authentication. When the authentication source type is set to a remote authentication source, if the remote server is unavailable, authentication now falls back to local authentication, if authentication source fallback is set to true.
738284 : Creating or deleting rule list results in warning message: Schema object encode failed
Component: Advanced Firewall Manager
Symptoms:
"Schema object encode failed: No foreign keys found for nested object" warning message is logged into /var/log/ltm while creating or deleting the rule list.
Jul 25 05:44:49 localhost.localdomain warning icr_eventd[4778]: 01a10008:4: Schema object encode failed: No foreign keys found for nested object with tag 17547
Conditions:
Observed in /var/log/ltm when creating or deleting a rule list:
tmsh create security firewall rule-list rule-list1
tmsh delete security firewall rule-list rule-list1
Impact:
The warning message has no impact on functionality and can be ignored.
Fix:
Log message has been changed to log at the debug level.
738236 : UCS does not follow current best practices
Component: TMOS
Symptoms:
Under certain conditions,
Conditions:
Administrative access to system status data
Impact:
UCS save operations do not follow current best practices.
Workaround:
None.
Fix:
UCS save operations now follow current best practices.
738045 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
when HTTP_REQUEST {
HTTP::collect
NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
HTTP::release
}
when HTTP_REQUEST_SEND {
log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP Post requests.
-- After the first request, the connection is kept alive (for example, by using the HTTP Connection header) so that the second request reuses the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737558-2 : Protocol Inspection user interface elements are active but do not work
Component: Protocol Inspection
Symptoms:
Protocol Inspection (PI) user interface options are present, but are not applied to traffic.
Protocol Inspection (PI) now requires the presence of either an add-on subscription or an AFM standalone license for any of the features to work. A 'Good' or 'Better' license does not activate the PI features. The Configuration Utility still allows you to configure inspection profiles, compliance checks, and signatures, but they are not applied to traffic. There is no feedback that they are not applied.
Conditions:
-- AFM licensed and provisioned through 'Good' or 'Better' license, but no add-on subscription license for Protocol Inspection. Alternately, AFM licensed as an add-on module to another module (typically LTM).
-- PI profile configured and applied to a virtual server or referenced in a firewall rule in an active firewall policy.
Impact:
If you previously had Protocol Inspection configured without the add-on license installed, the features are no longer applied to traffic until the add-on license is obtained. However, the GUI options remain active.
Workaround:
None.
734691 : The autodosd process does not support multiple traffic-groups
Component: Advanced Firewall Manager
Symptoms:
The autodosd process supports only the default traffic-group 'traffic-group-1'.
Conditions:
This issue occurs when there are multiple traffic-groups in high availability (HA) environment.
Impact:
The autodosd process works only for the default traffic-group traffic-group-1.
Workaround:
None.
Fix:
The autodosd process now supports multiple traffic-groups in a high availability (HA) environment.
727107 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
726472 : Two ACL BLOBs saved in /var/pktclass/ directory use too much disk space there
Component: Advanced Firewall Manager
Symptoms:
Two ACL BLOB files are saved in /var/pktclass/ directory in order to provide ACL persistence in the case of BIG-IP system restart. For large ACL configurations, these files can require more space than available on some platforms.
Conditions:
Large ACL configuration.
Impact:
Blob compilation fails.
Workaround:
Reallocate the filesystem so that the /var volume can accommodate two large BLOB files. This workaround may not be available on some platforms.
Fix:
Only one BLOB file is saved in /var/pktclass/ directory. Filesystem reallocation is never required.
726416 : Physical disk HD1 not found for logical disk create
Component: TMOS
Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' occurred preceding a CPU reboot on a VIPRION 2250 blade.
/var/log/ltm shows messages similar to the following:
-- debug chmand[3370]: 012a0007:7: mcp_logical_disk mcp_create received
-- debug chmand[3370]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- debug chmand[3370]: 012a0007:7: other mcp_create (tag=8124) messages
-- debug chmand[3370]: 012a0007:7: mcp_physical_disk mcp_create received
-- debug chmand[3370]: 012a0007:7: physical_disk create received: serial number[BTDV466121NK840JVN] name[HD1]
Notice that physical_disk HD1 was created right after logical_disk HD1 was created. BIG-IP system operations expect the reverse, i.e., physical_disk HD1 should be created first.
Note: These messages are visible only when the sys db variable log.libhal.level is set to Debug, which you can do by running the following command:
tmsh modify sys db log.libhal.level value "Debug"
Conditions:
The exact conditions that result in this issue are still being investigated.
Impact:
This occurs because the Logical disk was created before the physical one. The system posts the following error:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.
The system is forced to reboot. Traffic disrupted while the system restarts.
Workaround:
There is no workaround.
726401 : ASM cannot complete initial startup with modified management interface on VE
Component: Application Security Manager
Symptoms:
The management interface is needed during initial ASM config and startup. This value is hardcoded in an ASM config file as the default 'eth0' instead of being discovered dynamically based on the device configuration.
So if the management interface is configured to be on a different interface than eth0 and this config file is not changed to reflect that, ASM fails to start.
Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- The management interface is configured to be on a different interface than eth0.
-- The config file (/etc/ts/common/image.cfg) does not reflect that change.
Impact:
ASM fails to start.
Workaround:
Modify the config file (/etc/ts/common/image.cfg) to match the non-default interface (e.g., eth1 instead of eth0).
Fix:
The management interface is now discovered dynamically during startup instead of relying on a hardcoded default.
726240 : 'Cannot find disk information' message when running Configuration Utility★
Component: TMOS
Symptoms:
When running the Configuration Utility in the GUI, after clicking Next on the License screen, the GUI reports an error and you are unable to proceed: Cannot find disk information.
Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the BIG-IP Virtual Edition (VE) guest, and then restarting it and running the Configuration Utility.
Impact:
You are unable to proceed through the configuration utility.
Workaround:
If this occurs, reboot the device; the error clears after the reboot.
726176 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Component: Local Traffic Manager
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform that uses RSS DAG hash, for instance, the z100, 2000, or 4000 series hardware platforms.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source ports at the correct rate when the virtual server is set to source-port preserve.
726164 : Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
Component: Global Traffic Manager (DNS)
Symptoms:
Rolling DNSSEC keys may stop regenerating when a BIG-IP system is on standby for a length of time.
Conditions:
BIG-IP system is on standby for a length of time, in general, longer than twelve hours.
Impact:
Rolling DNSSEC keys can stop regenerating.
Workaround:
None.
Fix:
Rolling DNSSEC Keys no longer stop regenerating after a length of time on the standby system.
725551 : ASM may consume excessive resources
Component: Application Security Manager
Symptoms:
While processing certain types of responses, ASM may consume excessive resources.
Conditions:
-- ASM provisioned and enabled.
-- Response-side features are enabled (e.g., the default learn from responses and learn server tech or data guard is Enforced, etc.).
Impact:
Excessive resource consumption, potentially leading to a delay in traffic processing or a failover event.
Workaround:
None.
Fix:
ASM now processes traffic as expected.
724109 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP in a cluster and then runs a manual config sync with another BIG-IP, the change fails to sync to the other BIG-IPs in the cluster.
Conditions:
- Create an FQDN pool on one BIG-IP.
- Save the sys config.
- Run config sync.
- Delete the FQDN pool.
- Save the sys config.
- Run config sync manually.
Result: After deleting the FQDN pool on one BIG-IP and running a config sync with another BIG-IP, the manual config sync fails, and the deleted FQDN pool is still present on the other BIG-IP.
Impact:
The FQDN pool deletion is not propagated to the other BIG-IP, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
723833 : IPsec related routing changes can misfire, like changing tunnel mode to interface mode
Component: TMOS
Symptoms:
IPsec config changes that rely upon interface mode tunnels, which are driven by routes with associated tunnel VLANs, can sometimes fail to pass traffic after a config change altering routes, or altering the number of tunnels involved.
Conditions:
- Changing tunnel mode to interface mode.
- Adding or removing routes for interface mode IPsec tunnels.
- Deleting an IPsec tunnel object.
Impact:
An IPsec tunnel outage may occur before a system restart, which looks like absence of proper routing config, but which is due to inconsistent update when changes affect routing used by IPsec tunnels in interface mode. In some cases, a tmm core can occur which interrupts service briefly until restarted.
Workaround:
Typically, saving the configuration and then running 'bigstart restart' gets the IPsec-related routing config back into working order.
Fix:
Tunnel and nexthop dependencies are now managed more exactly for routing changes that affect IPsec.
721274 : ActiveX and Java based RDP resources are not supported★
Component: Access Policy Manager
Symptoms:
Starting with release 15.1.0, APM Webtop does not support ActiveX and Java based RDP resources. This feature was removed in BIG-IP APM release 14.1.0.
Conditions:
APM policy exposes ActiveX or Java based RDP resources.
Impact:
Starting with release 15.1.0, RDP resources can be accessed only using native RDP clients. Native RDP support was added in APM release 13.0.0.
When upgrading from older BIG-IP releases where ActiveX or Java RDP resources are supported, and the configuration contains such resources, the following actions are taken:
-- These resources are converted to Native RDP resources.
-- The converted resources are then removed from the 'Resource Assign' and 'Advanced Resource Assign' agents. These are the only agents that currently have RDP resources.
The converted Native RDP resources are removed from the agents because Native RDP requires additional configuration (e.g., a server SSL profile) for using it in a policy. Hence the administrator must manually re-add the converted RDP resources (along with required profiles) to make them available to APM end users.
Workaround:
None.
Fix:
RDP resources can be accessed using native RDP clients.
721020 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when a full sync of any device-group is performed. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
719704 : 'Error trying to access the database.' with ZoneRunner
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner does not display records with '%' characters in RDATA field. The GUI reports 'Error trying to access the database.'
Conditions:
The '%' character is present in the RDATA field.
Impact:
ZoneRunner cannot display SPF macros in records that contain the '%' character. The Web GUI reports 'Error trying to access the database.' when it attempts to display such a record, and when you attempt to add such a record, the following errors are displayed:
-- Some fields below contain errors. Correct them before continuing.
-- Bad Characters. Only the following special characters are allowed: period, asterisk, forward slash, dash, colon, underscore, question mark, equals, at sign, comma, ampersand and double quote (.*/-:_?=@,&")
Workaround:
You can create records with SPF macros in BIND, but ZoneRunner reports errors when trying to access them.
Fix:
The '%' character is now allowed in TXT records so that SPF macros do not report errors anymore.
719589 : GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
Component: Access Policy Manager
Symptoms:
The GUI and CLI category lookup test tool (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup) can return different categories compared to the actual data-plane traffic.
Conditions:
Access Policy, Secure Web Gateway : Database Settings : URL Category Lookup or command line lookup using 'urldb -c' construction.
Impact:
Some websites may be categorized differently depending on whether or not the IP is passed in. Correct category may not be returned.
Workaround:
None.
718790 : Traffic does not forward to fallback host when all pool members are marked down
Component: Local Traffic Manager
Symptoms:
Traffic does not get forwarded to fallback hosts.
Conditions:
-- HTTP Profile configured with Fallback Host.
-- All the pool members are marked administrative down.
Impact:
Traffic does not get forwarded.
Workaround:
Assign a monitor that is working properly to the pool.
718405 : RSA signature PAYLOAD_AUTH mismatch with certificates
Component: TMOS
Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.
The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.
Conditions:
Interoperating with other vendors under IKEv2 while using certificates.
Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.
Workaround:
Use pre-shared key authentication.
Fix:
BIG-IP systems now correctly build -- and verify -- AUTH payloads for RSA signatures and DSS, which should match other vendors and succeed, resulting in IKEv2 tunnels being created using certificates.
The DSS signature is no longer DER encoded, and the RSA signature now includes the 15-byte DER prefix (mandated by RFC3447, page 42) before the 20-byte SHA1 digest is signed by RSA.
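The fix above turns on the exact encoding rule in RFC 3447 section 9.2: for SHA-1, the value handed to RSA is a fixed 15-byte DER DigestInfo prefix followed by the 20-byte hash. The following is an added illustration, not F5 code, of what those bytes are and of a strict check that distinguishes the prefixed form from a bare digest; any peer that signs the bare digest instead will fail verification against a correctly built AUTH payload, which is the mismatch the symptoms describe. All names here (DIGESTINFO_PREFIX_SHA1, sha1_digest_info, parse_digest_info, is_digest_info) are invented for this example.

```python
import hashlib

# PKCS#1 v1.5 DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
DIGESTINFO_PREFIX_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_OID = "1.3.14.3.2.26"


def sha1_digest_info(message: bytes) -> bytes:
    """Build the value PKCS#1 v1.5 actually signs: DER prefix || SHA-1(message)."""
    return DIGESTINFO_PREFIX_SHA1 + hashlib.sha1(message).digest()


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value with a short-form length (all lengths in a
    DigestInfo are below 128). Returns (tag, value, position after the TLV)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in a DigestInfo")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + 2:end], end


def _decode_oid(raw: bytes) -> str:
    """Decode DER OID content octets to dotted form (first octet packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_digest_info(blob: bytes):
    """Strictly parse a DER DigestInfo and return (hash_oid, digest).
    Raises ValueError for anything else, including a bare digest without the prefix."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    tag, algid, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    tag, oid_raw, p2 = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("OID missing")
    tag, params, p3 = _read_tlv(algid, p2)
    if tag != 0x05 or params or p3 != len(algid):
        raise ValueError("expected NULL parameters")
    tag, digest, p4 = _read_tlv(body, pos)
    if tag != 0x04 or p4 != len(body):
        raise ValueError("digest OCTET STRING missing")
    return _decode_oid(oid_raw), digest


def is_digest_info(blob: bytes) -> bool:
    """True only for a well-formed DigestInfo; a raw 20-byte SHA-1 value is rejected."""
    try:
        parse_digest_info(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample message; the encoded value is what RSA would sign.
    info = sha1_digest_info(b"abc")
    print(info.hex())
    print(parse_digest_info(info))
    print(is_digest_info(hashlib.sha1(b"abc").digest()))
```

When comparing your own AUTH payload against what a peer sends, the first thing to check is whether the signed value starts with these 15 bytes; if one side omits them the two signatures can never match, regardless of key material.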
718288 : MCPD might crash on secondary blades when DNSSEC client-facing SOA zone serial not updated
Component: Local Traffic Manager
Symptoms:
In certain cases, a DNSSEC client-facing SOA zone serial does not always update when DNSSEC-related resource records change. That might cause MCPD to crash on a secondary blade.
Conditions:
A DNSSEC-related resource record changes.
Impact:
A DNSSEC client-facing SOA zone serial may not always update. That might cause an MCPD crash on a secondary blade. Traffic is disrupted while MCPD restarts.
Workaround:
None.
Fix:
The system now updates the client-facing SOA for various changes of DNSSEC zone.
717306 : Added ability to use Vip-targeting-Vip with DNS Cache server-side connections
Component: Global Traffic Manager (DNS)
Symptoms:
A VIP-targeting-VIP setup for DNS Cache is not possible, as unbound connections do not match existing VIPs.
Conditions:
Virtual Server with same IP address as outbound DNS Cache server-side connections.
Impact:
Unable to perform VIP-targeting-VIP configurations with DNS Cache connections.
Workaround:
None.
Fix:
Added the ability to have DNS Cache server-side connections match to VIPs for VIP-targeting-VIP scenarios with the DB Variable DNSCache.MatchWildcardVip.
715379 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file
Component: TMOS
Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.
Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.
Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.
Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.
Fix:
The BIG-IP now understands three different ways to express asn1dn inside the peers-id-value string: hexadecimal, distinguished name (DN), and (as a fallback default only) the literal content of the peers-id-value string unchanged. This last is not recommended since it will not be valid asn1dn.
Parsing rules are the following:
* A string containing equal sign ('=') is assumed a DN.
* Otherwise a string is hexadecimal, if it contains only hex digits as well as any number of optional spaces and octothorpes ('#'). Spaces and '#' bytes are ignored, so only hex digits get converted to binary.
* Any string parsed as neither DN nor hex is kept as is.
Note: An example DN (distinguished name) from rfc1779 is "CN=Steve Kille, O=ISODE Consortium, C=GB". This is the sort of input converted to asn1dn when the value contains at least one equal sign.
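The three parsing rules above are easy to get wrong by hand, so here is an added example (not F5 code) that applies them to a peers-id-value string and shows what bytes each rule produces. The DN branch also DER-encodes the RFC 1779 example as an X.501 Name so the result can be compared byte for byte with the subject of the peer's certificate; the encoder's string types (PrintableString for C, UTF8String otherwise), one attribute per RDN, and the handful of supported attribute types are assumptions of this example, as is treating a string with no hex digit at all as literal. The function names parse_peers_id_value and encode_dn are invented here.

```python
import re

# Rule 2 alphabet: hex digits plus any number of spaces and '#' characters.
HEX_RE = re.compile(r"^[0-9A-Fa-f #]+$")

# DER-encoded X.520 attribute type OIDs for the RDN types this example supports
# (assumption: a real implementation would cover the full X.520 set).
ATTR_OIDS = {
    "CN": bytes.fromhex("550403"),   # 2.5.4.3
    "O":  bytes.fromhex("55040a"),   # 2.5.4.10
    "OU": bytes.fromhex("55040b"),   # 2.5.4.11
    "C":  bytes.fromhex("550406"),   # 2.5.4.6
    "L":  bytes.fromhex("550407"),   # 2.5.4.7
    "ST": bytes.fromhex("550408"),   # 2.5.4.8
}


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag/length/value with short-form length (enough for typical DNs)."""
    if len(body) >= 128:
        raise ValueError("this example only handles short-form DER lengths")
    return bytes([tag, len(body)]) + body


def encode_dn(dn: str) -> bytes:
    """DER-encode 'CN=..., O=..., C=...' as an X.501 Name, RDNs in the order written.
    Assumption: PrintableString (0x13) for C, UTF8String (0x0c) for everything else."""
    rdns = []
    for part in dn.split(","):
        key, _, val = part.partition("=")
        key, val = key.strip().upper(), val.strip()
        if key not in ATTR_OIDS:
            raise ValueError(f"unsupported attribute type {key!r}")
        string_tag = 0x13 if key == "C" else 0x0C
        atv = _tlv(0x30, _tlv(0x06, ATTR_OIDS[key]) + _tlv(string_tag, val.encode("utf-8")))
        rdns.append(_tlv(0x31, atv))          # each RDN is a SET of one AttributeTypeAndValue
    return _tlv(0x30, b"".join(rdns))          # Name ::= SEQUENCE OF RelativeDistinguishedName


def parse_peers_id_value(value: str):
    """Classify a peers-id-value string by the three rules and return (kind, bytes)."""
    # Rule 1: any '=' means the value is a DN.
    if "=" in value:
        return "dn", encode_dn(value)
    # Rule 2: only hex digits, spaces and '#'; spaces and '#' are dropped before conversion.
    if HEX_RE.match(value) and any(c in "0123456789abcdefABCDEF" for c in value):
        digits = re.sub(r"[ #]", "", value)
        if len(digits) % 2:
            raise ValueError("odd number of hex digits")
        return "hex", bytes.fromhex(digits)
    # Rule 3: anything else is kept as is (not valid asn1dn, per the page).
    return "literal", value.encode("utf-8")


if __name__ == "__main__":
    for sample in ["CN=Steve Kille, O=ISODE Consortium, C=GB", "30 0c #31 0a", "steve.kille", "cafe"]:
        kind, raw = parse_peers_id_value(sample)
        print(f"{sample!r:45} -> {kind:7} {raw.hex()}")
```

One caveat the rules imply: a peers-id-value such as "cafe" contains only hex digits, so it is converted to two binary bytes rather than kept as a name. If a literal is intended, use the DN form instead.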
714384 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
Fix:
DHCP traffic is now forwarded when BWC is configured.
712335 : GTMD may intermittently crash under unusual conditions.
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.
Conditions:
-- A pool member is added to the system.
-- There is an unexpected failure to create the associated statistics row.
Impact:
GTMD restarts. Global traffic functionality is not available while GTMD is restarting.
Workaround:
There is no workaround at this time.
Fix:
GTMD no longer intermittently crashes when a pool member is added to the system, but there is an unexpected failure to create the associated statistics row.
710930 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail
Component: Local Traffic Manager
Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.
Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default).
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.
Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.
Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.
708421 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
Solution Article: K52142743
Component: Global Traffic Manager (DNS)
Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.
Conditions:
-- DNS transparent cache.
-- Using an iRule similar to the following:
when DNS_REQUEST {
DNS::question type AAAA
}
Impact:
When the packet goes to the pool, the type is reverted.
Workaround:
Enable gslb or dnsx on the profile.
707905 : Hundreds of cron-initiated ASM-config processes seem to be stuck
Component: Application Security Manager
Symptoms:
In a very rare scenario, hundreds of cron-initiated ASM-config processes seem to be stuck waiting for a lock.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Hundreds of cron-initiated ASM-config processes seem to be stuck waiting for a lock.
Workaround:
Restart ASM.
Fix:
Only a single cron-initiated ASM-config process runs at a time.
707276 : In-use, expired certificates now have a warning in the GUI
Component: TMOS
Symptoms:
If your BIG-IP device is using an expired certificate, you will now see a warning banner in the GUI.
Conditions:
This is encountered if your device is using an expired certificate.
Impact:
There is no functional impact.
Workaround:
You can see all expired certificates on the system by running the following tmsh command:
tmsh run sys crypto check-cert
Fix:
System management GUI shows a prominent warning when an expired SSL certificate is in use.
Behavior Change:
Now, the system identifies in-use, expired SSL certificates and shows a prominent warning in management GUI. By default, this feature is enabled.
You can configure this feature by using the following TMSH option:
tmsh modify sys global-settings gui-expired-cert-alert enabled/disabled
706737-1 : APM SAML inline SSO documentation
Component: TMOS
Symptoms:
Internal multi-domain SSO does not work when the authentication cookie scope is host.
Conditions:
SSO configuration is assigned to an access profile for multi-domain SSO, and one of the following:
-- There is no SSO configured for the requested authentication domain.
-- The request does not map to configured authentication domains.
Impact:
Internal multi-domain SSO does not work.
Workaround:
You can use either of the following workarounds:
-- Configure the application cookie scope as 'Domain'.
-- Configure the SP-connector sp-location as 'External'.
Fix:
BIG-IP APM can be configured as a SAML IdP to provide inline SSO for SPs not directly reachable by the client. For additional configuration details, see K06743491--Overview of BIG-IP APM SAML inline SSO :: https://support.f5.com/csp/article/K06743491.
704552-3 : Support for ONAP site licensing
Component: TMOS
Symptoms:
ONAP site licensing not supported.
Conditions:
-- Attempting to use ONAP site licensing.
Impact:
BIG-IP system does not license.
Workaround:
None.
Fix:
Ported ONAP site licensing support to this version of the software.
Behavior Change:
This version of the software supports ONAP site licensing.
704198 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
Solution Article: K29403988
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Impact of workaround: Might change the primary slot.
Restart services using the following command:
# bigstart restart
704077 : Request log shows Username N/A for the JSON authentication type Login page
Component: Application Security Manager
Symptoms:
Login parameters in form of JSON parameters are not recognized for logging and protection.
Conditions:
The request log shows username N/A for JSON login parameters.
Impact:
The request log shows Username N/A and cannot track the username.
Workaround:
None.
Fix:
JSON login parameters are now recognized in ASM logging and protection.
702946-1 : Added option to reset staging period for signatures
Component: Application Security Manager
Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.
701529 : Configuration may not load or not accept vlan or tunnel names as "default" or "all"
Component: TMOS
Symptoms:
As a result of a known issue, configurations containing vlan or tunnels named "default" or "all" are no longer accepted.
Conditions:
Attempting to configure this will result in a log message similar to the following:
root@(f5-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net tunnels tunnel default profile ppp
01070712:3: Cannot create tunnel 'default' in rd1 - ioctl failed: Invalid argument
Impact:
A configuration that contained this in earlier versions and upgraded to the affected version will fail to load.
Workaround:
Change or rename all instances of VLANs and/or tunnels named "default" or "all".
700384 : Allow param identification by arbitrary named attribute
Component: Fraud Protection Services
Symptoms:
It is not possible to configure an arbitrary selector. Only name/id is allowed.
Conditions:
This is encountered when you want to configure alerts based on arbitrary selectors in the web page.
- Create new antifraud profile.
- Create new protected URL.
- In parameters create new parameter and configure CSS selector (input[attr="custom"]).
- Check 'Selector' checkbox.
Impact:
You are unable to configure an arbitrary selector.
Workaround:
No workaround is available.
Fix:
A selector can now use a protected parameter other than id/name.
699149 : 'Can't associate Bot Defense ASM Profile' when creating iApp
Component: Application Security Manager
Symptoms:
When creating an iApp, an error appears in the log:
Configuration error: Can't associate Bot Defense ASM Profile (/Common/NEW_APP.app/ASM_NEW_APP_policy) folder does not exist.
Conditions:
This can occur while deploying certain iApps.
Impact:
The iApp successfully deploys, but an error is logged to /var/log/ltm. This is a cosmetic error message, and you can safely ignore it.
Workaround:
None.
Fix:
The 'Can't associate Bot Defense ASM Profile' error no longer occurs when creating iApps.
698693 : HTTP::uri does not work after ACCESS::respond
Component: Access Policy Manager
Symptoms:
After evaluating the URI, the ACCESS::respond command deletes the old URI when creating the header block for the response. If HTTP::uri is used, an error is logged to /var/log/ltm:
err tmm3[20848]: 01220001:3: TCL error: /Common/myapp.app/myrule <ACCESS_ACL_ALLOWED> - ERR_ARG (line 7) invoked from within "HTTP::uri"
Conditions:
An iRule similar to the following example:
when ACCESS_ACL_ALLOWED {
if { [HTTP::uri] == "/" } {
log local0. "Redirecting to /test/"
ACCESS::respond 302 Location "https://[HTTP::host]/test/"
}
log local0. "Redirected [HTTP::uri]"
}
Impact:
Connection is reset and an error is logged in /var/log/ltm. There is no documentation indicating this functionality.
Workaround:
None.
Fix:
There is now documentation that HTTP::uri does not work after ACCESS::respond.
697590 : APM iRule ACCESS::session remove fails outside of Access events
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails.
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
The APM iRule command ACCESS::session remove fails to remove the session.
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
696735 : TCP ToS Passthrough mode does not work correctly
Component: Local Traffic Manager
Symptoms:
For a Standard virtual server with a TCP profile, when using ToS passthrough, the ToS value is not passed from the server to the client side:
ip-tos-to-client pass-through
link-qos-to-client pass-through
Conditions:
- Standard virtual server.
- TCP profile configured with ToS passthrough.
Impact:
ToS is not passed to the client.
Workaround:
None.
Fix:
ToS is now passed correctly from the server to the client-side.
688897 : Removing Insert Record Route option in GUI for sipsession object on SIP-ALG mode
Component: Service Provider
Symptoms:
Insert Route record option is not a configurable parameter for the sipsession profile in SIP-ALG mode; however, the option still appears in the GUI.
Conditions:
Attempting to use the Insert Route record option when in SIP-ALG mode.
Impact:
If Insert Route record option is configured through iRule as SIP-ALG mode attribute, the iRule may no longer function properly.
Workaround:
Although the option is visible in the GUI, configuring it has no effect.
Fix:
Insert Route record option is not a configurable parameter for the sipsession profile in SIP-ALG mode, hence this option has been removed from GUI.
688399 : HSB failure results in continuous TMM restarts
Component: TMOS
Symptoms:
The TMM is continually restarted due to lack of HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).
Conditions:
It's unknown how this issue occurs.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
688397 : Reset causes for HTTP/2 streams are not recorded
Component: Local Traffic Manager
Symptoms:
The reset causes for HTTP/2 streams are not recorded in statistics.
Conditions:
An HTTP/2 stream is reset for some reason.
Impact:
It may be difficult to debug HTTP/2 issues.
Workaround:
None.
Fix:
HTTP/2 stream reset reasons are now recorded within the 'net rst-cause' stats table when reset cause logging is enabled via the tm.rstcause.log BIGdb variable.
686059 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
686043 : dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets
Component: Advanced Firewall Manager
Symptoms:
ICMP/ICMPv6 fragmented packets with a size larger than dos.maxicmpframesize/dos.maxicmp6framesize are not counted in stats for the 'ICMP frame too large' DoS vector.
Conditions:
-- An ICMP fragmented packet with size larger than dos.maxicmpframesize is received.
-- An ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is received.
Impact:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not dropped.
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not dropped.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not counted in stats for 'ICMP frame too large' DoS vector.
Workaround:
None.
Fix:
ICMP/ICMPv6 fragmented packets are now dropped if their size is larger than dos.maxicmpframesize/dos.maxicmp6framesize. Drops are counted for 'ICMP frame too large' DoS vector stats.
685858 : Connection drops with Fast L4 profile that has loose init and syncookie enabled
Component: Local Traffic Manager
Symptoms:
- Client connection failures.
- Traffic fails to get forwarded.
- TMM crashes.
Conditions:
The following FastL4 features are simultaneously enabled:
- Loose Initiation
- Syncookies
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable Loose Initiation and/or Syncookies.
Fix:
Added a warning message to TMSH and the FastL4 page of the GUI if Loose Initiation and Syncookies are both enabled.
683135 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause the AFM DoS TCP SYN flood vector to report high numbers, which can cause that vector to drop packets in hardware based on its configured rate limit.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
680855-1 : Safari 11 sometimes starts more than one session
Component: Access Policy Manager
Symptoms:
In Safari 11, after a session is finished and restarted by clicking "Click here to establish a new session", more than one session appears. This looks like a bug in the Safari 11 beta and release.
Conditions:
-- Safari 11 beta or official release.
-- Policy with webtop.
-- Several passes from start to finish.
Impact:
At a certain point the browser reaches the maximum sessions per IP and hangs on the webtop.
Workaround:
Do not use Safari 11 for now.
Fix:
We expect this bug to be fixed in future builds of Safari.
679901 : The iControl-REST timeout value is not configurable.
Component: TMOS
Symptoms:
Updating a large (75 KB or more records) data-group results in errors. This occurs because the communication between icrd_child and restjavad times out, and consequently the system raises errors. The default timeout is set to 60 seconds.
Conditions:
Using iControl Rest to update a data-group that contains 75 KB or more records.
Impact:
The operation times out and there is no way to configure the iControl Rest timeout value.
Workaround:
None.
Fix:
The iControl-REST timeout value is now configurable. Options have been added to two config files to alter the timeouts of restjavad and iControl Rest.
-- The config file for restjavad is /etc/rest.common.properties. The value that needs to be changed is 'rest.java.socket.timeout'.
-- The file for iControlRest is /etc/icrd.conf. The value that needs to be changed is 'socketIdleSeconds'.
674300 : The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices
Component: Application Security Manager
Symptoms:
The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices when subsequent requests are handled by a different device.
Conditions:
Traffic is handled for the same policy by different devices that are not synchronized.
Impact:
'Illegal flow' violation is triggered.
Workaround:
To work around the issue, it is possible to align the differing account_id values by saving the ASM configuration on one device and loading it on the other device.
Important: This overwrites the full ASM configuration, and should be done only if all ASM policies are identical on both devices. No part of LTM configuration is changed by this action, however.
This is the same mechanism used internally by ASM device group sync.
To save the full ASM configuration:
----------------------------------------------------------------------
perl -MF5::ConfigSync -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh())->save_to_file(filename => shift)' /var/tmp/full_asm_config.tgz
----------------------------------------------------------------------
To load the full ASM configuration:
----------------------------------------------------------------------
perl -MF5::ConfigSync -MF5::BigipVersionUtils -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh(), ucs_version => F5::BigipVersionUtils::bigip_version())->load_from_file(filename => shift)' /var/tmp/full_asm_config.tgz
----------------------------------------------------------------------
668459 : Asymmetric transparent nexthop traffic only updates ingress interface
Component: Local Traffic Manager
Symptoms:
When transparent nexthop traffic from server to client uses a different VLAN group than client-to-server traffic, the server-to-client traffic is sent out the VLAN group that handles the client-to-server traffic. The destination MAC address on the server-to-client traffic is preserved even though the VLAN group is not.
Conditions:
-- Transparent nexthop virtual server configured.
-- VLAN-keyed connections disabled.
-- Asymmetric traffic between two VLAN groups.
Impact:
Return traffic may be transmitted on a VLAN group with a destination MAC that does not match any host on that group.
Workaround:
None.
Fix:
When vlan-keyed connections is disabled and transparent nexthop is in use, each packet received is now sent out on the VLAN group that received it, even if this does not match the VLAN group carrying traffic in the other direction. This is the preferred behavior.
665117 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS server status flaps from red to green to red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Enable the Transparent setting for these monitors.
661640 : Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair.
Component: TMOS
Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.
Conditions:
Fast failover of PIM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.
Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.
Workaround:
None. This is an improvement request.
Fix:
This release provides improved fast failover of PIM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) pair.
656799 : APM Webtop max session timeout countdown reports incorrect value
Component: Access Policy Manager
Symptoms:
The max session timeout countdown timer on the APM end user's webtop is reset when the webtop is refreshed.
Conditions:
'Maximum Session Timeout' setting at Access :: Profiles/Policies is configured as less than default (7 days).
Impact:
The end user's APM webtop can render an incorrect value for the max session timeout countdown timer.
Workaround:
None.
Fix:
The max session timeout countdown timer now reflects the correct value when the APM webtop is refreshed.
648621 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
The multi-homing connections have been forcibly deleted with a tmsh command.
Impact:
The multi-homing connections do not expire.
Workaround:
Do not manually delete the multi-homing connections.
636842 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled
Solution Article: K51472519
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.
Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.
Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.
Because the RST sent by one of the TCP endpoints has its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint may not accept the RST, since it never saw the FIN.
This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST is off by more than just 1.
Ultimately this can cause application failures and can also cause the two connection flows to stall for some time.
Workaround:
To work around this issue, you can either:
1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).
or
2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).
Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.
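The sequence-number mismatch described under Impact, modeled in Python as an added example (not F5 code): a simplified receiving endpoint with RFC 5961 RST handling is fed the FIN and the RST that follows it, once with the FIN forwarded and once with it dropped as in this issue. The starting sequence number, window size and payload are constructed values.

```python
"""Model of the FastL4 mirroring FIN-drop failure mode (added example, not F5 code).

A FIN occupies one sequence number, so a RST sent right after it arrives one
(or len(data) + 1) ahead of what the peer expects when the FIN never got there.
RST handling follows RFC 5961 section 3.2: an exact match resets the connection,
an in-window mismatch only draws a challenge ACK, anything else is dropped.
Sequence numbers are plain integers here; 32-bit wraparound is not modeled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Segment:
    seq: int
    flags: Set[str]
    payload: bytes = b""

    def seq_len(self) -> int:
        # SYN and FIN each occupy one sequence number; data occupies len(payload).
        return len(self.payload) + ("SYN" in self.flags) + ("FIN" in self.flags)


@dataclass
class Endpoint:
    """Receive side of one TCP endpoint, reduced to what the example needs."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    data: List[bytes] = field(default_factory=list)
    fin_seen: bool = False
    state: str = "ESTABLISHED"

    def deliver(self, seg: Segment) -> str:
        if "RST" in seg.flags:
            if seg.seq == self.rcv_nxt:           # exact match: connection is reset
                self.state = "CLOSED"
                return "reset"
            if self.rcv_nxt < seg.seq < self.rcv_nxt + self.rcv_wnd:
                return "challenge-ack"            # in window but not exact: ignored
            return "dropped"                      # outside the receive window
        if seg.seq != self.rcv_nxt:
            return "out-of-order"                 # would be queued; not modeled
        if seg.payload:
            self.data.append(seg.payload)
        if "FIN" in seg.flags:
            self.fin_seen = True
            self.state = "CLOSE_WAIT"
        self.rcv_nxt += seg.seq_len()
        return "accepted"


def simulate(fin_payload: bytes, proxy_forwards_fin: bool) -> Dict[str, object]:
    """One endpoint sends FIN (optionally carrying data) immediately followed by RST.

    proxy_forwards_fin=False reproduces the issue: the FastL4 virtual server drops
    the FIN but forwards the RST. Returns what the receiving endpoint observed.
    """
    snd_nxt = 1000                    # constructed starting sequence number
    peer = Endpoint(rcv_nxt=snd_nxt)

    flags = {"FIN", "ACK"} | ({"PSH"} if fin_payload else set())
    fin = Segment(seq=snd_nxt, flags=flags, payload=fin_payload)
    snd_nxt += fin.seq_len()          # sender advances past the data and the FIN
    rst = Segment(seq=snd_nxt, flags={"RST", "ACK"})

    fin_result = peer.deliver(fin) if proxy_forwards_fin else "dropped-by-proxy"
    rst_result = peer.deliver(rst)
    return {
        "fin_result": fin_result,
        "rst_result": rst_result,
        "data_delivered": b"".join(peer.data),
        "rst_seq_offset": rst.seq - peer.rcv_nxt,   # how far ahead the RST lands
        "peer_state": peer.state,
    }


if __name__ == "__main__":
    for payload in (b"", b"last chunk of the response"):
        for forwards in (True, False):
            print(len(payload), forwards, simulate(payload, forwards))
```

With the FIN dropped the offset is 1 for a bare FIN and len(data) + 1 for a FIN,PSH,ACK, and the peer stays ESTABLISHED instead of closing.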
636189 : Output of sysctl reports incorrect values of variables accept_redirects, send_redirects, and secure_redirects for TMM interfaces
Component: TMOS
Symptoms:
The output of sysctl can make it appear that TMM-based interfaces support route-adjustment functionality upon receipt of ICMP redirect messages, but TMM does not.
Conditions:
Running the sysctl command with the variables accept_redirects, send_redirects, and secure_redirects.
Impact:
Security scanners mark this as a problem that exposes a man-in-the-middle issue, but that is not the case; TMM does not update the routing cache upon receipt of these messages.
Workaround:
None.
Fix:
Specific sysctl variables that do not apply to TMM interfaces are now disabled.
629787 : vCMP hypervisor version mismatch may cause connection mirroring problems.
Component: Local Traffic Manager
Symptoms:
Connections may not be mirrored correctly when vCMP hypervisors use different software versions.
Conditions:
Mirroring for a pair of vCMP guests is enabled.
vCMP hypervisors use different DAG software versions.
Impact:
Connections are mirrored incorrectly.
Workaround:
Use the same hypervisor software version when mirroring is configured for a pair of vCMP guests.
Fix:
A mirroring connection is no longer established when vCMP hypervisors use different DAG software versions.
617929 : Support non-default route domains
Component: Local Traffic Manager
Symptoms:
Some connections are reset.
Conditions:
This occurs when the device is configured with non-default route domains and connects to other TMMs over the backplane.
Impact:
Traffic processing failure.
Workaround:
None.
617134 : Encryption and authentication keys for IKEv2 are not logged
Component: TMOS
Symptoms:
BIG-IP provides no option to log the negotiated IKEv2 keys for debugging purposes.
Conditions:
This is encountered if you are trying to troubleshoot or debug IKEv2.
Impact:
Debugging protocol problems is impeded when encrypted packets cannot be examined for problems.
Workaround:
No workaround is known at this time.
Fix:
When ike-daemon log level is set to debug, and a log publisher is also attached, encryption and authentication keys are logged in tmm log files as well as ipsec.log. This mainly appears in the form of IKE protocol packets displayed in human readable form after decryption. This includes all negotiated keys, unless you have explicitly requested suppression of keys in logs by changing the value of sys db variable ipsec.debug.logkeys to prevent such display.
Behavior Change:
When ike-daemon log level is set to debug, and a log publisher is also attached, encryption and authentication keys are logged in tmm log files as well as ipsec.log. This mainly appears in the form of IKE protocol packets displayed in human readable form after decryption. This includes all negotiated keys, unless you have explicitly requested suppression of keys in logs by changing the value of sys db variable ipsec.debug.logkeys to prevent such display.
617087 : NTLM Machine Account page fails when using an Admin password containing spaces
Component: Access Policy Manager
Symptoms:
Creating a new NTLM machine account under Access Policy :: Access Profiles : NTLM : Machine Account fails when the admin password contains any white space.
Conditions:
-- NTLM Machine Account configuration.
-- NTLM Machine Account admin password contains spaces.
Impact:
New NTLM Machine Account configuration cannot be created.
Workaround:
There is no workaround other than not using white spaces in the NTLM Machine Account admin password.
Fix:
White space is now an allowed character in the NTLM Machine Account admin password.
602396 : EPSEC Upload Package Button Is Greyed Out
Component: Access Policy Manager
Symptoms:
The EPSEC upload package button is greyed out when there are multiple traffic groups.
Conditions:
-- Multiple traffic groups are configured.
-- Viewing the 'Upload Package' button on the System :: Software Management : Antivirus Check Updates : Package Status page.
Impact:
'Upload Package' button is greyed out. Cannot upload packages for Antivirus Check Update.
Workaround:
Delete traffic groups until the button becomes available.
Fix:
The EPSEC Upload button is no longer disabled when there are multiple traffic groups; enabling and disabling works correctly.
601220 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
Component: TMOS
Symptoms:
When a multi-blade VIPRION deployment first starts up or recovers from a chassis-wide force-offline/release-offline event, multi-blade trunks seem to leak packets that ingressed on one blade, out the same trunk's member interfaces on other blades.
Conditions:
-- Multi-blade VIPRION deployment.
-- Chassis-wide reboot or force-offline/release-offline event occurs.
Impact:
This is a very intermittent issue that is not reproducible and lasts only a few milliseconds. It may temporarily affect the upstream switch's L2 FDB and cause slight traffic redirection, because the upstream switch learns the source MAC of the host sending gratuitous ARPs from the same trunk on which the traffic was broadcast.
Note: This is not an F5-specific problem. It occurs on any stacked switch hardware under these conditions.
Workaround:
There is no workaround.
Fix:
Multi-blade trunks no longer leak packets from one blade to another blade in the chassis.
601189 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.
597955 : APM can generate seemingly spurious error log messages
Component: Access Policy Manager
Symptoms:
Internally detected issues can trigger a series of error log messages. The logs look alarming, but they should be treated as diagnostic information that is useful only if there is an actual behavioral issue to analyze.
The system reports the following messages in /var/log/apm:
-- err tmm1[11197]: 01490514:3: 00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_slowpath_security_check, Line: 6648
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_sanitize_uri, Line: 16406
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type, Line: 11219
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_classify_req, Line: 3308
-- err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2311
Conditions:
An internal software API call triggers an unexpected result.
Impact:
Logs might give the appearance of many issues, even if there are no behavioral anomalies.
Workaround:
None.
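A triage helper for these messages, added here as an example and not part of F5's tooling: it parses the /var/log/apm line format quoted above, tallies hits per error code, function and TMM, and collapses a run of messages from one TMM/pid with the same error code into a single event. That grouping heuristic, the constructed sample lines and the helper names are this example's assumptions.

```python
"""Triage helper for 'Access encountered error' messages in /var/log/apm.

Added example, not F5 code. It parses the message format quoted in this entry
and groups hits so that a burst of messages can be compared against actual
user-visible symptoms instead of being counted as separate problems.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Fields as they appear in the quoted messages: syslog level, tmm instance and
# pid, APM message ID and severity, session ID, error code, source location.
APM_ERR_RE = re.compile(
    r"^(?:--\s*)?(?P<level>\w+)\s+(?P<tmm>tmm\d+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<msgid>[0-9a-fA-F]{8}):(?P<sev>\d):\s+(?P<session>[0-9a-fA-F]{8}):\s+"
    r"Access encountered error:\s+(?P<err>ERR_[A-Z_]+)\.\s+"
    r"File:\s+(?P<file>\S+),\s+Function:\s+(?P<func>\w+),\s+Line:\s+(?P<line>\d+)\s*$"
)

# Constructed sample: the five messages quoted in this entry plus one unrelated
# line that the parser must skip.
SAMPLE_LOG = """\
err tmm1[11197]: 01490514:3: 00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_slowpath_security_check, Line: 6648
err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_sanitize_uri, Line: 16406
err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type, Line: 11219
err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_classify_req, Line: 3308
err tmm8[18022]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2311
info tmm8[18022]: constructed unrelated line that the parser must skip
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the message fields, or None for lines that are not this message."""
    m = APM_ERR_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["line"] = int(rec["line"])
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Tallies that show whether one function or one TMM dominates the noise."""
    return {
        "total": len(records),
        "by_error": Counter(r["err"] for r in records),
        "by_function": Counter((r["err"], r["func"]) for r in records),
        "by_tmm": Counter(r["tmm"] for r in records),
        "sessions": sorted({r["session"] for r in records}),
    }


def group_chains(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Collapse consecutive messages from the same tmm/pid with the same error
    code into one event. Heuristic (this example's assumption): one failed
    internal call is reported once at each level it unwinds through, so the
    four tmm8 ERR_ARG lines above are one event, not four."""
    chains: List[Dict[str, object]] = []
    for r in records:
        last = chains[-1] if chains else None
        if last and (last["tmm"], last["pid"], last["err"]) == (r["tmm"], r["pid"], r["err"]):
            last["functions"].append(r["func"])
        else:
            chains.append({"tmm": r["tmm"], "pid": r["pid"], "err": r["err"],
                           "functions": [r["func"]]})
    return chains


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    for chain in group_chains(recs):
        print(chain["tmm"], chain["err"], " <- ".join(chain["functions"]))
```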
591732 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
As another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
559004 : No support for server-side TLS SNI
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is unable to perform server-side SNI without using an iRule.
Conditions:
-- Server-side pool members are configured to use TLS SNI.
-- More than one valid server name exists.
Impact:
You must write an iRule that dynamically selects a server SSL profile based on the client host header.
Workaround:
None.
Fix:
A new parameter has been added to the virtual server called 'serverssl-use-sni'. If multiple server SSL profiles are configured, and serverssl-use-sni is enabled, then the server SSL profile whose server-name matches the SNI extension in ClientHello will be selected.
In the example below, server SSL profile s.1 will be used by default, unless the client connects using the SNI 'valid-client', in which case profile s.2 will be used.
ltm profile server-ssl s.1 {
    app-service none
    cipher-group none
    ciphers ECDHE-RSA-AES128-SHA256
    server-name none
    sni-default true
}
ltm profile server-ssl s.2 {
    app-service none
    cipher-group none
    ciphers DHE-RSA-AES256-GCM-SHA384
    server-name valid-client
    session-ticket enabled
}
ltm virtual tls {
    destination 10.98.22.213:https
    ip-protocol tcp
    mask 255.255.255.255
    pool ssl
    profiles {
        c.1 {
            context clientside
        }
        s.1 {
            context serverside
        }
        s.2 {
            context serverside
        }
        tcp { }
    }
    serverssl-use-sni enabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
}
558976 : Improvement to cause tmm to core when mcpd exits
Component: Local Traffic Manager
Symptoms:
When troubleshooting the tmm state when mcpd exits, it is not possible to generate a tmm core.
Conditions:
Troubleshooting mcpd and tmm state at the same time.
Impact:
Unable to force a tmm core when mcpd exits. There is no functional impact to this but it can make diagnosing issues more difficult.
Fix:
A new sys db variable has been added called tmm.mcp.disconnect.core to cause tmm to core when mcpd disconnects.
Behavior Change:
A new sys db variable has been added called tmm.mcp.disconnect.core. The default value is disabled. When enabled, tmm will core if mcpd exits. This can be useful for troubleshooting purposes.
491303 : Cipher string text box does not resize itself
Component: Local Traffic Manager
Symptoms:
The cipher string text box is a fixed width, making it difficult to see long cipher strings.
Conditions:
This occurs when viewing the cipher string text box in the GUI for clientssl and serverssl profiles.
Impact:
If the cipher string is long, it can be hard to read.
Fix:
The cipher string HTML element now dynamically resizes itself with the cipher string.
487884 : SSL::collect, SSL::release iRule events might not work as expected in a mirroring configuration.
Component: Local Traffic Manager
Symptoms:
SSL::collect, SSL::release iRule events might not work as expected in a mirroring configuration.
Conditions:
-- SSL::collect, SSL::release iRule events.
-- High availability (HA) configuration that includes mirroring.
Impact:
iRules do not operate as expected on mirrored connections.
Workaround:
None.
439399 : Discrepancy between Throughput and Detailed Throughput data
Solution Article: K17483
Component: TMOS
Symptoms:
Discrepancy between Throughput and Detailed Throughput graphs.
Conditions:
A vCMP guest with ePVA virtual servers configured in the guest.
Impact:
There is a discrepancy between the Throughput and Detailed Throughput graphs.
Workaround:
This issue has no workaround at this time.
Fix:
ePVA statistics are now included with the Throughput data so that it accurately matches the Detailed Throughput data.
409062 : ArcSight HSL is not supported for most system daemons
Solution Article: K20008325
Component: TMOS
Symptoms:
If an HSL configuration is defined that tries to publish logs from core system daemons (chmand, TMM, fpdd, merged, etc.) to an ArcSight destination, it does not work properly; instead, all log messages at debug level and higher from that daemon are captured in the local system log files.
For instance, configuring a wide-open filter that captures all traffic, such as the following, will result in many core daemons logging debug logs to /var/log/ltm on the BIG-IP system:
sys log-config filter remote-log-filter {
    publisher publisher
}
sys log-config publisher publisher {
    destinations {
        arcsight { }
    }
}
sys log-config destination remote-high-speed-log hsl {
    pool-name pool_arcsight
}
sys log-config destination arcsight arcsight {
    forward-to hsl
}
Conditions:
This occurs when a high-speed logger is configured with the ArcSight remote log servers as the destination.
Impact:
As a result of this, the system will log excessively to the local log files.
Workaround:
Only configure log filters that publish logs to ArcSight for supported (AFM, ASM, and SWG) components.
Known Issues in BIG-IP v15.1.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
841953-7 | 2-Critical | | A tunnel can be expired when going offline, causing tmm crash |
841333-7 | 2-Critical | | TMM may crash when tunnel used after returning from offline |
840769-2 | 2-Critical | | Having more than one IKE-Peer version value results in upgrade failure★ |
837889 | 2-Critical | | Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade★ |
837637-1 | 2-Critical | | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ |
831821-1 | 2-Critical | | Corrupted DAG packets cause bcm56xxd core on vCMP host |
829677-2 | 2-Critical | | .tmp files in /var/config/rest/ may cause /var directory exhaustion |
817709-3 | 2-Critical | | IPsec: TMM cored with SIGFPE in racoon2 |
816233-1 | 2-Critical | | Session and authentication cookies should use larger character set |
811701-3 | 2-Critical | | AWS instance using xnet driver not receiving packets on an interface. |
811149-2 | 2-Critical | | Remote users are unable to authenticate via serial console. |
796601-2 | 2-Critical | | Invalid parameter in errdefsd while processing hostname db_variable |
780437-6 | 2-Critical | | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
776393-3 | 2-Critical | | Memory leak in restjavad causing restjavad to restart frequently with OOM |
750588-3 | 2-Critical | | While loading large configurations on BIG-IP systems, some daemons may core intermittently. |
746464 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
743132 | 2-Critical | | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile |
737692 | 2-Critical | | Handle x520 PF DOWN/UP sequence automatically by VE |
737322-3 | 2-Critical | | tmm may crash at startup if the configuration load fails |
593536-9 | 2-Critical | K64445052 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations |
536757-1 | 2-Critical | K40093184 | BIG-IP VE may restart tmm if descheduled by hypervisor for extended periods |
853617-1 | 3-Major | | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles |
852565-5 | 3-Major | | On Device Management::Overview GUI page, device order changes |
852265-1 | 3-Major | | Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width |
851021-1 | 3-Major | | Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error |
850997-1 | 3-Major | | 'SNMPD' no longer shows up in the list of daemons on the HA Fail-safe GUI page |
846141-1 | 3-Major | | Unable to use Rest API to manage GTM pool members that have a pipe symbol '|' in the server name. |
843661-1 | 3-Major | | TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command |
843597-1 | 3-Major | | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle |
842901-1 | 3-Major | | Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair. |
842669-3 | 3-Major | | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
841721-2 | 3-Major | | BWC::policy detach appears to run, but BWC control is still enabled |
841649-4 | 3-Major | | Hardware accelerated connection mismatch resulting in tmm core |
841277-7 | 3-Major | | C4800 LCD fails to load after annunciator hot-swap |
838901-4 | 3-Major | | TMM receives invalid rx descriptor from HSB hardware |
838337-1 | 3-Major | | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
838297-2 | 3-Major | | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication |
837481-7 | 3-Major | | SNMPv3 pass phrases should not be synced between high availability (HA) devices as they are based on each device's unique engineID |
829821-1 | 3-Major | | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured |
829317-5 | 3-Major | | Memory leak observed when running ICRD child |
829193-4 | 3-Major | | REST system unavailable due to disk corruption |
828873-3 | 3-Major | | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor |
828789-1 | 3-Major | | Certificate Subject Alternative Name (SAN) limited to 1023 characters |
827209-4 | 3-Major | | HSB transmit lockup on i4600 |
827021-7 | 3-Major | | MCP update message may be lost when primary blade changes in chassis |
826313-6 | 3-Major | | Error: Media type is incompatible with other trunk members★ |
821309-1 | 3-Major | | After an initial boot, mcpd has a defunct child "systemctl" process |
819457-1 | 3-Major | | LTM high availability (HA) sync should not sync GTM zone configuration |
818505-1 | 3-Major | | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
817089-3 | 3-Major | | Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing |
814585-1 | 3-Major | | PPTP profile option not available when creating or modifying virtual servers in GUI |
814353-6 | 3-Major | | Pool member silently changed to user-disabled from monitor-disabled |
814273-1 | 3-Major | | Multicast route entries are not populating to tmm after failover |
812981-6 | 3-Major | | MCPD: memory leak on standby BIG-IP device |
812493-4 | 3-Major | | When engineID is reconfigured, snmp and alert daemons must be restarted★ |
811041-7 | 3-Major | | Out of shmem, increment amount in /etc/ha_table/ha_table.conf |
810381-2 | 3-Major | | The SNMP max message size check is being incorrectly applied. |
807945-3 | 3-Major | | Loading UCS file for the first time not updating MCP DB |
807337-5 | 3-Major | | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. |
806073-1 | 3-Major | | MySQL monitor fails to connect to MySQL Server v8.0 |
803237-2 | 3-Major | | PVA does not validate interface MTU when setting MSS |
803157-3 | 3-Major | | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots |
802281-3 | 3-Major | | Gossip shows active even when devices are missing |
799001-1 | 3-Major | | Sflow agent does not handle disconnect from SNMPD manager correctly |
793121-5 | 3-Major | | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication |
785741-3 | 3-Major | | Unable to login using LDAP with 'user-template' configuration |
784733-6 | 3-Major | | GUI LTM Stats page freezes for large number of pools |
781397 | 3-Major | | 'License expired' message not specific |
778513-1 | 3-Major | | APM intermittently drops log messages for per-request policies |
777265 | 3-Major | | SNMPD logs are not included in the default set of files in logrotate |
767341-1 | 3-Major | | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. |
760932 | 3-Major | | Part of APM log messages are also in other logs when strings are long |
758781 | 3-Major | | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates |
756155 | 3-Major | | Add SNMP trap support for MySQL /var/lib/mysql |
755197 | 3-Major | | UCS creation might fail during frequent config save transactions |
746758-1 | 3-Major | | Qkview produces core file if interrupted while exiting |
737536-7 | 3-Major | | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. |
730852-1 | 3-Major | | The tmrouted repeatedly crashes and produces core when new peer device is added |
719555-3 | 3-Major | | Interface listed as 'disable' after SFP insertion and enable |
718108 | 3-Major | | It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts |
714216-4 | 3-Major | | Folder in a partition may result in load sys config error |
688231-3 | 3-Major | | Unable to set VET, AZOT, and AZOST timezones |
674745-1 | 3-Major | K53106344 | Ordering and OSPF configuration timing of IA routes on HA configuration can lead to differences in route table |
640696 | 3-Major | | iCRD 400 Error even though request succeeds |
613415-8 | 3-Major | K22750357 | Memory leak in ospfd when distribute-list is used |
605675-6 | 3-Major | | Sync requests can be generated faster than they can be handled |
587821-10 | 3-Major | | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
583108-2 | 3-Major | | Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart. |
553776-3 | 3-Major | K03365920 | BGP may advertise default route with bad parameters |
489572 | 3-Major | K60934489 | Sync fails if file objects are created and deleted in same transaction. |
486997-4 | 3-Major | | The vCMP guest lost watchdog heartbeat, and the host restarted it. |
470203 | 3-Major | K16133 | Setting a remote syslog destination to a localhost address results in recursive log messages. |
853101-2 | 4-Minor | | ERROR: syntax error at or near "FROM" at character 17 |
851393-1 | 4-Minor | | tmipsecd leaves a zombie rm process running after starting up |
848681-7 | 4-Minor | | Disabling the LCD on a VIPRION causes blade status lights to turn amber |
846521-7 | 4-Minor | | Config script does not refresh management address entry properly when alternating between dynamic and static |
838925-7 | 4-Minor | | Rewrite URI translation profile can cause connection reset while processing malformed CSS content |
832665-1 | 4-Minor | | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5 |
831293-5 | 4-Minor | | SNMP get requests slow to respond. |
828625-3 | 4-Minor | | User shouldn't be able to configure two identical traffic selectors |
826189-3 | 4-Minor | | The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask. |
824205-3 | 4-Minor | | GUI displays error when a virtual server is modified if it is using an address-list |
822253-1 | 4-Minor | | After starting up, mcpd may have defunct child "run" and "xargs" processes |
818737-3 | 4-Minor | | Improve error message if user did not select an address-list or port list in the GUI |
818297-3 | 4-Minor | | OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure |
816353-3 | 4-Minor | | Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 |
725591 | 4-Minor | | Changing the management IP of an Active device in Device Service Cluster will cause Active/Active |
722230-1 | 4-Minor | | Cannot delete FQDN template node if another FQDN node resolves to same IP address |
706685-1 | 4-Minor | | The web UI becomes unresponsive after certain commands |
673573-1 | 4-Minor | | tmsh logs boost assertion when running child process and reaches idle-timeout |
642572 | 4-Minor | | Configuration Utility shows 127.0.0.1 in the IP address field of the logon page and main page when using FQDN in browser |
618889 | 4-Minor | | Clicking the policies list tab does not refresh the policies list on click. |
591305 | 4-Minor | | Audit log messages with "user unknown" appear on install |
588992 | 4-Minor | | BIG-IP VE does not support live migration on Hyper-V |
585876 | 4-Minor | | Updates to data groups fail with very large numbers of objects |
583930 | 4-Minor | | VE supports only 2 NUMA domains |
507566 | 4-Minor | K16263 | GUI cannot edit large external datagroup file |
467043 | 4-Minor | K03042515 | modify sshd config generates error messages while sshd not running |
832661 | 5-Cosmetic | | Default provisioning for all instances is LTM nominal★ |
818777-2 | 5-Cosmetic | | MCPD error - Trouble allocating MAC address for VLAN object |
442489 | 5-Cosmetic | | Licensed SSL and compression limits totals are not shown |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
853329-2 | 2-Critical | | HTTP explicit proxy can crash TMM when used with classification profile |
842937-6 | 2-Critical | | TMM crash due to failed assertion 'valid node' |
839401-1 | 2-Critical | | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. |
837617-1 | 2-Critical | | Tmm may crash while processing a compression context |
834373-5 | 2-Critical | | Possible handshake failure with TLS 1.3 early data |
824437-7 | 2-Critical | | Chaining a standard virtual server and an ipother virtual server together can crash TMM. |
798893-1 | 2-Critical | | Changes to a webacceleration profile are not instantly applied to virtual servers using the profile |
726518-1 | 2-Critical | | Tmsh show command terminated with CTRL-C can cause TMM to crash. |
713509 | 2-Critical | | Manually changing a device to standby will cause TMM crash |
853613-4 | 3-Major | | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp |
853145-1 | 3-Major | | TMM cores in certain scenarios with SSL Forward Proxy Bypass |
852953-1 | 3-Major | | Accept Client Hello spread over multiple QUIC packets |
852861-1 | 3-Major | | TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario |
852325-1 | 3-Major | | HTTP2 does not support Global SNAT |
851477-1 | 3-Major | | Memory allocation failures during proxy initialization are ignored leading to TMM cores |
851353-1 | 3-Major | | Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request |
851101-4 | 3-Major | | Unable to establish active FTP connection with custom FTP filter |
851045-1 | 3-Major | | LTM database monitor may hang when monitored DB server goes down |
850873-3 | 3-Major | | LTM global SNAT sets TTL to 255 on egress. |
850145-1 | 3-Major | | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed |
848777-3 | 3-Major | | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. |
847325-3 | 3-Major | | Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior. |
846977-1 | 3-Major | | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ |
846873-4 | 3-Major | | Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure |
846441-2 | 3-Major | | Flow-control is reset to default for secondary blade's interface |
845333-6 | 3-Major | | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config |
844085-1 | 3-Major | | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address |
843317-3 | 3-Major | | The iRules LX workspace imported with incorrect SELinux contexts |
842425-1 | 3-Major | | Mirrored connections on standby are never removed in certain configurations |
841369-3 | 3-Major | | HTTP monitor GUI displays incorrect green status information |
841341-6 | 3-Major | | IP forwarding virtual server does not pick up any traffic if destination address is shared. |
840785-1 | 3-Major | | Update documented examples for REST::send to use valid REST endpoints |
838353-1 | 3-Major | | MQTT monitor is not working in route domain. |
836661-2 | 3-Major | | Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. |
832133-1 | 3-Major | | In-TMM monitors fail to match certain binary data in the response from the server. |
830797-3 | 3-Major | Standby high availability (HA) device passes traffic through virtual wire | |
828601-1 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route | |
825245-4 | 3-Major | SSL::enable does not work for server side ssl | |
824433-3 | 3-Major | Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile | |
823825-7 | 3-Major | Renaming high availability (HA) VLAN can disrupt state-mirror connection | |
820333-1 | 3-Major | LACP working member state may be inconsistent when blade is forced offline | |
818853-1 | 3-Major | Duplicate MAC entries in FDB | |
818833-1 | 3-Major | TCP re-transmission during SYN Cookie activation results in high latency | |
818789-7 | 3-Major | Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile | |
813701-6 | 3-Major | Proxy ARP failure | |
813629 | 3-Major | SSLO connection hang when bypass is enabled | |
810821-3 | 3-Major | Management interface flaps after rebooting the device | |
810533-2 | 3-Major | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | |
809597-5 | 3-Major | Memory leak observed when running ICRD child | |
803629-7 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
803233-1 | 3-Major | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | |
803109-3 | 3-Major | Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows | |
788753-2 | 3-Major | GATEWAY_ICMP monitor marks node down with wrong error code | |
786517-5 | 3-Major | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | |
783145 | 3-Major | Pool gets disabled when one of its pool member with monitor session is disabled | |
760406-1 | 3-Major | HA connection might stall on Active device when the SSL session cache becomes out-of-sync | |
758599-3 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route | |
756313-6 | 3-Major | SSL monitor continues to mark pool member down after restoring services | |
720440-6 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
714372-5 | 3-Major | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | |
709381-4 | 3-Major | iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out. | |
705112-6 | 3-Major | DHCP server flows are not re-established after expiration | |
617296 | 3-Major | HTTPS Monitors Up Interval field cannot be disabled if enabled in parent monitor | |
557529 | 3-Major | Tcl monitors may not fire on their scheduled intervals | |
554506-1 | 3-Major | K47835034 | PMTU discovery from management does not work |
440210 | 3-Major | NetHSM vendor config does not sync between high availability (HA) peers | |
851757-1 | 4-Minor | Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION | |
851425-1 | 4-Minor | Update QLOG to draft-01 | |
845545 | 4-Minor | Potential name collision for client-ssl profile named 'clientssl-quic' | |
844337-4 | 4-Minor | Tcl error log improvement for node command | |
839245-3 | 4-Minor | IPother profile with SNAT sets egress TTL to 255 | |
838405-3 | 4-Minor | Listener traffic-group may not be updated properly when spanning is in use. | |
838305-7 | 4-Minor | BIG-IP may create multiple connections for packets that should belong to a single flow. | |
834217-7 | 4-Minor | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | |
832233-1 | 4-Minor | The iRule regexp command issues an incorrect warning | |
824365-5 | 4-Minor | Need informative messages for HTTP iRule runtime validation errors | |
822025 | 4-Minor | HTTP response not forwarded to client during an early response | |
818721-3 | 4-Minor | Virtual address can be deleted while it is in use by an address-list. | |
814037-6 | 4-Minor | No virtual server name in Hardware Syncookie activation logs. | |
714502-3 | 4-Minor | bigd restarts after loading a UCS for the first time | |
652577 | 4-Minor | Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address | |
562370 | 4-Minor | SSL traffic stall with misconfigured mirroring configuration | |
544958 | 4-Minor | Monitors packets are sent even when pool member is 'Forced Offline'. | |
488314 | 4-Minor | SSL connections reset after failover. |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
850193-4 | 3-Major | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
846713-1 | 2-Critical | Gtm_add does not restart named | |
852101-1 | 3-Major | Monitor fails. | |
844689-1 | 3-Major | Possible temporary CPU usage increase with unusually large named.conf file | |
835209-3 | 3-Major | External monitors mark objects down | |
813221-5 | 3-Major | Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync | |
760471-1 | 3-Major | GTM iQuery connections may be reset during SSL key renegotiation. | |
746348-4 | 3-Major | On rare occasions, gtmd fails to process probe responses originating from the same system. | |
659930 | 3-Major | Enterprise Manager may receive malformed data if there are multiple monitors on a pool | |
839361-6 | 4-Minor | iRule 'drop' command does not drop packets when used in DNS_RESPONSE | |
760117 | 4-Minor | Duplicate error messages in log when updating a zone through ZoneRunner GUI | |
759804 | 4-Minor | Zones reload when Update button is clicked without any change | |
755282 | 4-Minor | [GTM] bigip_add password prompt for IPv4-mapped IPv6 address | |
774257-4 | 5-Cosmetic | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
843801-2 | 2-Critical | Like-named previous Signature Update installations block Live Update usage after upgrade★ | |
825413-4 | 2-Critical | /var/lib/mysql disk is full | |
854177-5 | 3-Major | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | |
850677-4 | 3-Major | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | |
850673-1 | 3-Major | BD sends bad acks to the bd_agent for configuration | |
849349-5 | 3-Major | Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db | |
846181-3 | 3-Major | Request samples for some of the learning suggestions are not visible | |
846073 | 3-Major | Installation of browser challenges fails through Live Update | |
846057-3 | 3-Major | UCS backup archive may include unnecessary files | |
844373-1 | 3-Major | Learning suggestion details layout broken in some browsers | |
839509-1 | 3-Major | Incorrect inheritance treatment in Response and Blocking Pages page | |
839141-1 | 3-Major | Issue with 'Multiple of' validation of numeric values | |
837341-1 | 3-Major | Response and Blocking Pages page: Deception Response pages should not be shown in parent policy | |
833685-5 | 3-Major | Idle async handlers can remain loaded for a long time doing nothing | |
829029-1 | 3-Major | Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error | |
774457 | 3-Major | Unexpected 'Illegal entry point' and 'Illegal flow to URL' violations after upgrading to version without account_id | |
742549-3 | 3-Major | Cannot create non-ASCII entities in non-UTF ASM policy using REST | |
739618-3 | 3-Major | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | |
651532 | 3-Major | XML sensitive data masks the whole parameter value when it is in a parameter context | |
640842-5 | 3-Major | ASM end user using mobile might be blocked when CSRF is enabled | |
842265-1 | 4-Minor | Create policy: trusted IP addresses from template are not shown | |
841985-5 | 4-Minor | TSUI GUI stuck for the same session during long actions | |
805089 | 4-Minor | JavaScript challenges fail when using LTM Rules which disable DoSL7, Bot Defense, or ASM by default | |
756244 | 4-Minor | Navigation parameters arriving with post payload causing problems | |
624933 | 4-Minor | DoSL7: total site TPS is lower than a single entity TPS |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
830073-2 | 3-Major | AVRD may core when restarting due to data collection device connection timeout | |
787677-5 | 3-Major | AVRD stays at 100% CPU constantly on some systems |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
579219-5 | 2-Critical | Access keys missing from SessionDB after multi-blade reboot. | |
853325-1 | 3-Major | TMM Crash while parsing form parameters by SSO. | |
852313-4 | 3-Major | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | |
850277-1 | 3-Major | Memory leak when using OAuth | |
844781-3 | 3-Major | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | |
844573-1 | 3-Major | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | |
844281-3 | 3-Major | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | |
831781-4 | 3-Major | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | |
824121-2 | 3-Major | Using the Websocket profile prevents mouse wheel scroll function | |
783789 | 3-Major | APM cannot handle HTTP requests with very long URLs | |
753167 | 3-Major | Possible memory leak in nlad daemon | |
744407-1 | 3-Major | While the client has been closed, iRule function should not try to check on a closed session | |
685593-5 | 3-Major | Access session iRules can fail with error 'Illegal argument' | |
681478 | 3-Major | JS error "Failed to execute 'iterateNext' on 'XPathResult'...'" | |
667241 | 3-Major | K29453454 | Virtual server fails to process RD Gateway connections if 'Source Port' is set to 'Change' |
639665 | 3-Major | Portal access page broken when accessed from Chrome and Firefox | |
632458 | 3-Major | Conditional compilation can be improperly rewritten in some cases | |
631654 | 3-Major | Attaching VDI profile to virtual server changes the default behavior of ACCESS::restrict_irule_events | |
626807 | 3-Major | Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access | |
819233-3 | 4-Minor | Ldbutil utility ignores '--instance' option if '--list' option is specified | |
783757 | 4-Minor | Portal Access: property 'background-image' should be processed | |
782453 | 4-Minor | Portal Access: F5_Invoke_load() infinite recursion in special case | |
760109 | 4-Minor | Portal Access: URL with double dots at the end of the path is handled incorrectly | |
758651 | 4-Minor | Portal Access: JavaScript object with reserved property names may be handled incorrectly | |
757548 | 4-Minor | Rewrite plugin can crash during initial configuration load | |
754827 | 4-Minor | Portal Access: Weak F5_isAttr and other predicates | |
754571 | 4-Minor | Portal Access: Image HTML element with source URL like '//some.domain?a=b' cannot be loaded. | |
737952 | 4-Minor | Applications that use getResponseHeader or getAllResponseHeaders do not work properly | |
737951 | 4-Minor | Portal Access: fix F5_isXMLHttpObject predicate | |
713128 | 4-Minor | Portal Access: F5_isStyle() should be more selective | |
497349 | 4-Minor | Blank popups in APM Portal Access | |
484060 | 4-Minor | Failed to add/delete session entry (ERR_NOT_FOUND) |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
833213-1 | 3-Major | Conditional requests are served incorrectly with AAM policy in webacceleration profile |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
839389-1 | 2-Critical | TMM can crash when connecting to IVS under extreme overload | |
853545-1 | 3-Major | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | |
842625-5 | 3-Major | SIP message routing remembers a 'no connection' failure state forever | |
840821-1 | 3-Major | SCTP Multihoming not working within MRF Transport-config connections | |
825013-1 | 3-Major | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | |
836357-5 | 4-Minor | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | |
793005-1 | 5-Cosmetic | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
802421-6 | 2-Critical | The /var partition may become 100% full requiring manual intervention to clear space | |
844597-4 | 3-Major | AVR analytics is reporting null domain name for a dns query | |
837233-3 | 3-Major | "Application Security Administrator" user role cannot manage Dos Profile GUI | |
813969-5 | 3-Major | Network DoS reporting events as 'not dropped' while in fact, events are dropped |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
845313-3 | 2-Critical | Tmm crash under heavy load |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
812705-3 | 3-Major | 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
763809 | 3-Major | Malware JavaScript signatures are not case sensitive | |
738783 | 3-Major | Encrypted field lost reference when adding input element to parentElement | |
760330 | 4-Minor | Daily live update (ASU) may skip a day due to cron timing |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
718796-5 | 2-Critical | IControl REST token issue after upgrade★ | |
710809-5 | 2-Critical | Restjavad hangs and causes GUI page timeouts | |
835517-1 | 3-Major | After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"★ |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
842193-1 | 3-Major | Scriptd coring while running f5.automated_backup script | |
802189 | 4-Minor | iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported |
Protocol Inspection Issues
ID Number | Severity | Solution Article(s) | Description |
825501-3 | 3-Major | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ |
Known Issue details for BIG-IP v15.1.x
854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Configure the fast-changing FQDN nodes with a fixed address-update interval (for example, one hour) instead of honoring the DNS TTL.
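Added example (not part of the release note): tmsh commands that locate FQDN nodes still following the DNS TTL and pin one of them to a fixed re-resolution interval. The node name is an assumption; the interval is in seconds.

```tmsh
# Added example, not from the release note. Node name is an assumption.
# 1. List the fqdn settings of every node; 'interval ttl' means the node
#    re-resolves (and pushes a pool IP update to bd) on every DNS TTL expiry.
list ltm node fqdn

# 2. Switch the fast-changing node to a fixed one-hour interval.
modify ltm node app-backend.example.com fqdn { interval 3600 }

# 3. Confirm and save.
list ltm node app-backend.example.com fqdn
save sys config
```

A longer interval means the BIG-IP system reacts more slowly to DNS changes for that name, so choose a value that matches how often the backing records really move.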
853617-1 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
Component: TMOS
Symptoms:
Validation does not prevent this configuration, but TMM reports errors. In newer versions:
-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG
In older versions:
-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error
Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.
Impact:
Virtual server is defined and in configuration, but does not pass traffic.
On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.
Workaround:
None.
853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the client side.
-- sys db tm.tcpsendrandomtimestamp is enabled.
-- The TCP profile on the virtual server has both Verified Accept and Timestamps enabled.
Impact:
The TCP connection hangs, and the data transfer cannot be completed.
Workaround:
-- Disable tm.tcpsendrandomtimestamp, or
-- Disable either the Verified Accept or the Timestamps option in the TCP profile.
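Added example (not part of the release note): tmsh commands that check the three settings involved and apply either form of the workaround. The profile name is an assumption; the accepted values for the DB variable can be confirmed with value-range before changing it.

```tmsh
# Added example, not from the release note. Profile name is an assumption.
# Inspect the combination that triggers the hang.
list sys db tm.tcpsendrandomtimestamp
list sys db tm.tcpsendrandomtimestamp value-range
list ltm profile tcp tcp-verified verified-accept timestamps

# Option A: disable the random-timestamp DB variable system-wide.
modify sys db tm.tcpsendrandomtimestamp value disable

# Option B: keep the DB variable and clear one of the two TCP profile options
# on the profile attached to the affected virtual server (Verified Accept here).
modify ltm profile tcp tcp-verified verified-accept disabled
save sys config
```

Option A changes behaviour for every TCP virtual server on the system; Option B is scoped to the one profile, so prefer it when only a few virtual servers use Verified Accept.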
853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
Component: Service Provider
Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.
Conditions:
The GENERICMESSAGE::message drop iRule command is used during the GENERICMESSAGE_INGRESS event.
Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.
Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.
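Added example (not part of the release note): an iRule, created through tmsh, that keeps the decision logic in GENERICMESSAGE_INGRESS but performs the drop in MR_INGRESS with MR::message drop. The rule name, virtual server name and match string are assumptions, as is the hand-off of a Tcl variable between the two events for the same message (both fire on the same flow, back to back).

```tmsh
# Added example, not from the release note. Names and match string are assumptions.
create ltm rule mrf_drop_unwanted {
    when GENERICMESSAGE_INGRESS {
        # Inspect the payload here, but do NOT call "GENERICMESSAGE::message drop":
        # every drop in this event leaks memory (ID 853545).
        set drop_this 0
        if { [GENERICMESSAGE::message data] starts_with "HEARTBEAT" } {
            set drop_this 1
        }
    }
    when MR_INGRESS {
        # Assumption: drop_this set in the previous event is visible here.
        if { [info exists drop_this] && $drop_this } {
            MR::message drop
        }
    }
}
modify ltm virtual vs_generic_mrf rules { mrf_drop_unwanted }
save sys config
```

After deploying, watch tmm memory with the usual show sys memory checks under a steady stream of dropped messages; with the drop moved to MR_INGRESS it should stay flat.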
853329-2 : HTTP explicit proxy can crash TMM when used with classification profile
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as a forward proxy and use a DNS resolver object to determine the server to connect to for request processing. When a classification profile is also attached to the virtual server, some HTTP requests can crash TMM.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
853325-1 : TMM Crash while parsing form parameters by SSO.
Component: Access Policy Manager
Symptoms:
TMM crashes when SSO parses a form in the server response, identifies a form parameter, and logs the parameter's value and type to the SSOv2 form-based passthrough log.
Conditions:
-- At least one form parameter in the response that SSO parses has no value.
-- Passthrough mode is enabled in SSO.
Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.
Workaround:
Do not use Passthrough mode with SSO.
853145-1 : TMM cores in certain scenarios with SSL Forward Proxy Bypass
Component: Local Traffic Manager
Symptoms:
TMM cores in certain scenarios with SSL Forward Proxy Bypass.
Conditions:
-- Virtual server with SSL profiles.
-- SSL Forward proxy is enabled.
-- SSL Forward proxy bypass is enabled.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
853101-2 : ERROR: syntax error at or near "FROM" at character 17
Component: TMOS
Symptoms:
After opening Security :: Network Firewall : Active Rules in the GUI, /var/log/ltm contains the following message:
warning postgres ERROR: syntax error at or near "FROM" at character 17
Conditions:
The turboflex-security profile and the AFM module are enabled.
Impact:
1. Possible leak of postgres database connections
2. A warning log message is created, but the system continues to function normally.
Workaround:
None
852953-1 : Accept Client Hello spread over multiple QUIC packets
Component: Local Traffic Manager
Symptoms:
A QUIC connection does not complete the handshake successfully when the Client Hello spans multiple initial packets.
Conditions:
-- QUIC is in use.
-- A Client Hello is received that spans multiple packets.
Impact:
QUIC is unable to process a Client Hello that spans multiple packets.
Workaround:
None.
852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
Component: Local Traffic Manager
Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.
Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.
Impact:
TMM cores intermittently.
Workaround:
No workaround.
852565-5 : On Device Management::Overview GUI page, device order changes
Component: TMOS
Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.
Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device
Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.
852325-1 : HTTP2 does not support Global SNAT
Component: Local Traffic Manager
Symptoms:
The Global SNAT feature does not work with HTTP2.
Conditions:
-- Global SNAT is used
-- HTTP2 is used.
Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.
Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.
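Added example (not part of the release note): tmsh commands that replace reliance on the global SNAT with an explicit translation on the HTTP/2 virtual server, using either automap or a SNAT pool. Virtual server, pool name and addresses are assumptions.

```tmsh
# Added example, not from the release note. Names and addresses are assumptions.
# Option A: SNAT automap (source becomes a self IP on the egress VLAN).
modify ltm virtual vs_http2_app source-address-translation { type automap }

# Option B: a dedicated SNAT pool, so server-side source addresses are
# predictable (useful when the servers filter by client source IP).
create ltm snatpool snat_http2_app { members add { 10.0.20.11 10.0.20.12 } }
modify ltm virtual vs_http2_app source-address-translation { type snat pool snat_http2_app }

list ltm virtual vs_http2_app source-address-translation
save sys config
```

Whichever option is used, confirm on the server side that connections now arrive from the expected translated addresses rather than the original client IPs.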
852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
Component: Access Policy Manager
Symptoms:
VMware Horizon clients cannot connect to APM, and /var/log/apm contains the following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431
Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.
Impact:
VMware Horizon client cannot connect to APM after some time.
Workaround:
None.
852265-1 : Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
Component: TMOS
Symptoms:
The 'SSL Profile (Client)' and 'SSL Profile (Server)' listboxes (both 'Selected' and 'Available') now have a fixed width when viewing Virtual Server settings.
Conditions:
-- An SSL profile (client or server) with a long name.
-- Accessing the Virtual Server settings page in the GUI.
Impact:
If many SSL profile names share the same leading characters, it may be impossible to tell which one is the desired profile.
Workaround:
None.
852101-1 : Monitor fails.
Component: Global Traffic Manager (DNS)
Symptoms:
big3d fails the external SIP monitor because the GTM SIP monitor must run privileged to read the client key from the filestore.
Conditions:
A TLS SIP monitor is assigned to a pool member that requires TLS client authentication.
Impact:
big3d fails the external SIP monitor.
Workaround:
The only workaround is to make the key files in the filestore world-readable. This is not recommended: it exposes private key material to every local user on the system.
851757-1 : Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION
Component: Local Traffic Manager
Symptoms:
When a TLS END_OF_EARLY_DATA message is received by QUIC, a CONNECTION_CLOSE frame with a CRYPTO_ERROR is produced. However, the error should be a PROTOCOL_VIOLATION.
Conditions:
-- QUIC is in use.
-- A TLS END_OF_EARLY_DATA message is received.
Impact:
A CRYPTO_ERROR is produced, however, the error should be PROTOCOL_VIOLATION.
Workaround:
None.
851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores
Component: Local Traffic Manager
Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.
Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.
Impact:
TMM cores when accessing uninitialized memory.
Workaround:
No workaround.
851425-1 : Update QLOG to draft-01
Component: Local Traffic Manager
Symptoms:
The BIG-IP QLOG implementation is currently on draft-00, and draft-01 has been released.
Conditions:
QUIC and QLOG are in use.
Impact:
Existing third-party applications might remove support for QLOG draft-00 at some point.
Workaround:
None.
851393-1 : tmipsecd leaves a zombie rm process running after starting up
Component: TMOS
Symptoms:
After booting the system, you notice zombie 'rm' processes:
$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
Restarting tmipsecd will kill the zombied process but will start a new one.
Conditions:
IPsec is enabled.
Impact:
A zombie 'rm' process exists. There should be no other impact.
851353-1 : Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
Component: Local Traffic Manager
Symptoms:
Invalid pseudo header or malformed header in an HTTP/3 request should result in resetting of the stream with error code of HTTP3_GENERAL_PROTOCOL_ERROR. Instead the connection is reset with HTTP3_UNEXPECTED_FRAME error code.
Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL, and httprouter profiles.
-- HTTP/3 header frame from client with invalid or malformed header is received.
Impact:
Connection is reset with incorrect error code, instead of just the individual stream.
Workaround:
No workaround.
851101-4 : Unable to establish active FTP connection with custom FTP filter
Component: Local Traffic Manager
Symptoms:
Unable to establish active FTP connection with custom FTP filter.
Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.
Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.
Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.
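Added example (not part of the release note): tmsh commands that show the failing combination and apply the two server-side workarounds (the third, passive FTP, is a client-side change). Virtual server and profile names are assumptions.

```tmsh
# Added example, not from the release note. Names are assumptions.
# Show the combination that breaks active FTP: preserve-strict plus data port 0.
list ltm virtual vs_ftp source-port
list ltm profile ftp ftp_custom port

# Fix 1: relax source-port so the data connection may use another source port.
modify ltm virtual vs_ftp source-port preserve

# Fix 2 (alternative): give the FTP filter an explicit data-channel port
# (20 is the conventional active-mode data port).
modify ltm profile ftp ftp_custom port 20
save sys config
```

Apply one fix or the other; both together are harmless but unnecessary. Re-test with an active-mode LIST or RETR, since those are the commands that open the data channel.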
851045-1 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon), which interrupts monitoring of the other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
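Added example (not part of the release note): tmsh commands that swap the LTM database monitor for a TCP monitor on the database listener port. Monitor name, pool name and port (3306, MySQL) are assumptions.

```tmsh
# Added example, not from the release note. Names and port are assumptions.
# A TCP monitor runs in bigd rather than DBDaemon, so one unreachable server
# cannot block the checks of the others.
create ltm monitor tcp mysql_tcp_mon { defaults-from tcp interval 5 timeout 16 destination *:3306 }
modify ltm pool pool_mysql monitor mysql_tcp_mon
list ltm pool pool_mysql monitor
save sys config
```

The trade-off: a TCP monitor only proves the port accepts connections, not that the database answers queries, so a hung database process with an open listener will still be marked Up.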
851021-1 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
Component: TMOS
Symptoms:
TMSH error example:
Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist
Conditions:
The conditions under which this occurs are unknown.
Impact:
Load of config file fails with an error that the folder does not exist.
Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.
850997-1 : 'SNMPD' no longer shows up in the list of daemons on the HA Fail-safe GUI page
Component: TMOS
Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.
Conditions:
Viewing the page at:
System :: High Availability : Fail-safe : System
Impact:
Unable to configure the HA settings for the snmpd HA daemon through the GUI.
Workaround:
Use TMSH to modify the snmpd HA settings.
850873-3 : LTM global SNAT sets TTL to 255 on egress.
Component: Local Traffic Manager
Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.
Conditions:
Traffic is handled by global SNAT.
Impact:
IPv4 TTL on egress is set to 255; IPv6 Hop-Limit on egress is set to 64.
Workaround:
None.
850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
Component: Application Security Manager
Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.
Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.
Workaround:
Use UTF-8.
850673-1 : BD sends bad acks to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
The bd_agent stops sending configuration in the middle of startup or a configuration change.
The policy may be incomplete in bd, causing incorrect enforcement.
Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.
Impact:
bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
A partial policy may exist in bd, causing improper enforcement.
Workaround:
If the policy is enforced incorrectly and un-assigning / re-assigning it does not help, export and re-import the policy.
850277-1 : Memory leak when using OAuth
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
Component: Performance
Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
None.
850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
Component: Local Traffic Manager
Symptoms:
The first HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed over that established server-side connection. Instead, the requests are queued in the proxy and not processed, resulting in a connection hang.
Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.
Impact:
Connection hangs and is eventually reset.
Workaround:
No workaround.
849349-5 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
Component: Application Security Manager
Symptoms:
Web application flow might fail, resulting in JavaScript errors related to the CSP policy.
Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.
Impact:
Web application flow might fail.
Workaround:
Attach an iRule:
when HTTP_REQUEST {
    # Reset the saved header value for each request on the connection.
    set csp 0
}
when HTTP_RESPONSE {
    # Save the Content-Security-Policy header as received from the server.
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    # Restore the saved server header before the response is released to the client,
    # undoing the modification made by bot defense / DoS L7.
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
Component: Local Traffic Manager
Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:
-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
Conditions:
-- Create a custom partition.
-- Create a custom route domain.
-- Switch to the custom partition.
-- Create an address list in the non-default route domain.
-- Create a virtual server using the address list and any TCP port.
-- Sync to the high availability (HA) peer.
Impact:
Sync fails with error. Configuration will not sync to peer node.
Workaround:
None.
848681-7 : Disabling the LCD on a VIPRION causes blade status lights to turn amber
Component: TMOS
Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.
Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable
Impact:
Blade status lights change to amber, even if nothing is wrong with the system.
Workaround:
None.
847325-3 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
Component: Local Traffic Manager
Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions
Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.
The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.
The persistence types that are affected are:
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)
Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions
846977-1 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes') must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
846873-4 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
Component: Local Traffic Manager
Symptoms:
Traffic fails to pass through a virtual server.
Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.
For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction
Impact:
Traffic failure on the new virtual server.
Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:
tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config
846713-1 : Gtm_add does not restart named
Component: Global Traffic Manager (DNS)
Symptoms:
Running gtm_add fails to restart the named daemon.
Conditions:
Run gtm_add to completion.
Impact:
Named is not restarted. No BIND functionality.
Workaround:
Restart named:
bigstart start named
846521-7 : Config script does not refresh management address entry properly when alternating between dynamic and static
Component: TMOS
Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.
Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.
Impact:
Remote management access is lost after DHCP lease expires.
Workaround:
Restart BIG-IP after changing the management IP address.
846441-2 : Flow-control is reset to default for secondary blade's interface
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
846181-3 : Request samples for some of the learning suggestions are not visible
Component: Application Security Manager
Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.
Conditions:
'Learning Suggestion' created from only one 'Request Log' record.
Impact:
Learning suggestions created from a single request do not show source 'request log' in the 'Suggestion' GUI section.
Workaround:
None.
846141-1 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
Component: TMOS
Symptoms:
The REST API returns a 404 'Object not found' error when attempting direct access to a pool member that has a pipe symbol '|' in the server or virtual server name.
Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.
Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.
Workaround:
Rename the server or virtual server to a name that does not contain the | character.
846073 : Installation of browser challenges fails through Live Update
Component: Application Security Manager
Symptoms:
Live Update of Browser Challenges fails installation.
Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.
Conditions:
-- From the F5 Downloads site, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install BrowserChallenges<version_number>.im.
Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.
Impact:
Browser Challenges update file cannot be installed.
Workaround:
None.
846057-3 : UCS backup archive may include unnecessary files
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
The leftover temporary files are included in the UCS archive, which results in an unusually large UCS backup file.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
845545 : Potential name collision for client-ssl profile named 'clientssl-quic'
Component: Local Traffic Manager
Symptoms:
This release includes a new base client-ssl profile for use by QUIC virtual servers. If an existing client-ssl profile named 'clientssl-quic' exists, it will be overwritten by the new built-in profile after upgrading.
Conditions:
The system to be upgraded has an existing client-ssl profile named 'clientssl-quic'.
Impact:
The existing profile will be overwritten by the new built-in profile.
Workaround:
Rename the existing profile prior to upgrade.
845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
845313-3 : Tmm crash under heavy load
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
Component: Access Policy Manager
Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.
Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384
Impact:
Cannot collect Portal Access web applications troubleshooting data as described in that AskF5 article.
Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/
844689-1 : Possible temporary CPU usage increase with unusually large named.conf file
Component: Global Traffic Manager (DNS)
Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.
Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).
Impact:
When a zone file is updated, a downstream effect is that the ZoneRunner process parses the named.conf file again. Parsing an unusually large file may cause a temporary increase in CPU usage.
Workaround:
None.
844597-4 : AVR analytics is reporting null domain name for a dns query
Component: Advanced Firewall Manager
Symptoms:
AVR analytics reports a null domain name for a DNS query if a DNS DoS profile is attached to the virtual server but the profile does not have the vector matching the query type enabled.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
Component: Access Policy Manager
Symptoms:
The log message emitted when an OAuth client or resource server fails to generate the secret is logged at the emergency level, which is the wrong log level for this message.
Conditions:
This is encountered when this message is logged by mcpd.
Impact:
Log message cannot be grouped with messages at the correct log level.
Workaround:
None.
844373-1 : Learning suggestion details layout broken in some browsers
Component: Application Security Manager
Symptoms:
One of the suggestion details is placed incorrectly, out of alignment.
Conditions:
This occurs when you open the details for learning suggestion, e.g., based on refinement.
Impact:
Refinement title is out of line.
Workaround:
Use a different browser, if needed.
844337-4 : Tcl error log improvement for node command
Component: Local Traffic Manager
Symptoms:
Because of the Tcl error, connection gets reset and reports an error:
err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"
Conditions:
Using node command under pre-load-balancing iRule events.
Impact:
Unclear port values in Tcl error message.
Workaround:
None.
844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
Component: Access Policy Manager
Symptoms:
Java applets are not patched when accessed through APM Portal Access.
/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.
/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.
Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.
Impact:
Java applets cannot be patched by APM Portal Access rewriter.
Workaround:
None.
844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Component: Local Traffic Manager
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade★
Component: Application Security Manager
Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.
Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.
Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.
Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat
This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.
843661-1 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
Component: TMOS
Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.
Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.
Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.
Workaround:
None.
843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.
Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
843317-3 : The iRules LX workspace imported with incorrect SELinux contexts
Component: Local Traffic Manager
Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.
This can cause reloading the workspace to fail with errors:
01070079: failed to create workspace archive ... Return code {2}
Conditions:
Importing the iRules LX workspace.
Impact:
Workspace cannot be imported
Workaround:
Run the following command on the affected folders to restore their SELinux contexts:
restorecon -R -v
842937-6 : TMM crash due to failed assertion 'valid node'
Component: Local Traffic Manager
Symptoms:
Under an undetermined load pattern, TMM may crash with the message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refraining from using ramcache may mitigate the problem.
842901-1 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
Component: TMOS
Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.
Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.
Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.
Workaround:
None. This is an improvement request.
842669-3 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Component: TMOS
Symptoms:
systemd-journald cannot handle log messages with embedded newlines and writes the trailing content to /var/log/user.log, so bare ')' lines appear in /var/log/user.log, for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
The cron process tries and fails to send an email about the output of a cron script.
Impact:
The logging subsystem accepts syslog messages with embedded newlines, writes the first part to the appropriate file, and writes the remaining lines to /var/log/user.log.
Workaround:
No known workaround.
842625-5 : SIP message routing remembers a 'no connection' failure state forever
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (triggering MR_FAILED with an MR::message status of 'no connection'), the BIG-IP system caches the failed state and continues to return it even after the pool member becomes reachable again.
Conditions:
The BIG-IP system fails to route messages to the peer (server) because no route is available or for any other reason.
Impact:
The BIG-IP system is never able to establish a connection to the peer.
Workaround:
None.
842425-1 : Mirrored connections on standby are never removed in certain configurations
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
842265-1 : Create policy: trusted IP addresses from template are not shown
Component: Application Security Manager
Symptoms:
If there are trusted IP addresses in the selected template, they are not shown in the GUI during policy creation.
Conditions:
Create user-defined template from policy with trusted IP addresses.
Impact:
If you manually enter the same IP addresses that were in the template, you may get an error message after policy creation.
Workaround:
None.
842193-1 : Scriptd coring while running f5.automated_backup script
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
None.
841985-5 : TSUI GUI stuck for the same session during long actions
Component: Application Security Manager
Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).
Conditions:
Long-running task is performed, such as export/import/update signatures.
Impact:
GUI is unresponsive for that session.
Workaround:
If you need to continue working while the long task runs, log in from another browser.
841953-7 : A tunnel can be expired when going offline, causing tmm crash
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
841721-2 : BWC::policy detach appears to run, but BWC control is still enabled
Component: TMOS
Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.
Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.
Impact:
The detached policy continues to work.
Workaround:
None.
841649-4 : Hardware accelerated connection mismatch resulting in tmm core
Component: TMOS
Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong connection. This can result in a tmm core, which is reported as a segmentation fault in the tmm log files.
Conditions:
A FastL4 virtual server that has hardware acceleration enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable hardware acceleration.
841369-3 : HTTP monitor GUI displays incorrect green status information
Component: Local Traffic Manager
Symptoms:
The LTM HTTP monitor GUI displays an incorrect green status when the related pool is down.
TMSH shows the correct information.
Conditions:
LTM HTTP monitor destination port does not match with pool member port.
Impact:
The LTM HTTP monitor marks the node down, but the Instances tab of the monitor in the GUI reports the status as green.
Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.
841341-6 : IP forwarding virtual server does not pick up any traffic if destination address is shared.
Component: Local Traffic Manager
Symptoms:
Virtual servers do not forward any traffic but the SNAT does.
Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.
Impact:
IP forwarding virtual server does not pick up any traffic.
Workaround:
Delete and then re-create virtual servers.
841333-7 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
841277-7 : C4800 LCD fails to load after annunciator hot-swap
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
840821-1 : SCTP Multihoming not working within MRF Transport-config connections
Component: Service Provider
Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.
Conditions:
Usage of SCTP multi-homing with a MRF transport-config.
Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.
Workaround:
None.
840785-1 : Update documented examples for REST::send to use valid REST endpoints
Component: Local Traffic Manager
Symptoms:
The documented examples for REST::send refer to REST endpoints that are not valid.
Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.
Impact:
Invalid examples lead to potential confusion.
Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.
840769-2 : Having more than one IKE-Peer version value results in upgrade failure★
Component: TMOS
Symptoms:
When a 'net ipsec ike-peer' object has the version attribute with more than one value, upgrading to version 15.1.0 results in a failed upgrade.
Conditions:
The version attribute has two values, in this example, 'v1' and 'v2.'
net ipsec ike-peer test {
my-cert-file default.crt
my-cert-key-file default.key
my-id-value 38.38.38.64
peers-id-value 38.38.38.38
phase1-auth-method rsa-signature
phase1-encrypt-algorithm 3des
phase1-hash-algorithm sha256
prf sha256
remote-address 38.38.38.38
traffic-selector { /Common/homer2 }
version { v1 v2 }
}
Impact:
Upgrading to version 15.1.0, which allows only one value for the version attribute, results in a failed upgrade/config load error.
Workaround:
Before upgrading, modify your configuration so that the version attribute of each ike-peer has only one value.
839509-1 : Incorrect inheritance treatment in Response and Blocking Pages page
Component: Application Security Manager
Symptoms:
Deception Response Pages is not inherited, but if common response pages are inherited, you are unable to save changes.
Conditions:
-- Deception Response Pages features licensed.
-- Parent policy selected with inheritance of response pages.
Impact:
Deception Response Pages cannot be modified.
Workaround:
None.
839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
Component: Local Traffic Manager
Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).
Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.
Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.
Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.
839389-1 : TMM can crash when connecting to IVS under extreme overload
Component: Service Provider
Symptoms:
TMM might crash while attempting to connect to an internal virtual server (IVS) when the connection setup cannot be completed due to internal factors.
Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
839361-6 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
The iRule 'drop' command is used under the DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
839245-3 : IPother profile with SNAT sets egress TTL to 255
Component: Local Traffic Manager
Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.
Conditions:
Virtual-server with ipother profile and SNAT configured.
Impact:
Traffic leaves with egress TTL set to 255.
Workaround:
None.
839141-1 : Issue with 'Multiple of' validation of numeric values
Component: Application Security Manager
Symptoms:
'Multiple of' validation of numeric values may not be correct in some scenarios.
Conditions:
-- Create default policy from API Security template.
-- Create default decimal parameter with 'Multiple of'=5.
-- Send request to /index.php?param=0.
Impact:
'Multiple of' validation of numeric values does not block as expected.
Workaround:
None.
838925-7 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content
Component: TMOS
Symptoms:
Malformed CSS in which one of the style rules is missing a closing brace could cause the LTM Rewrite profile to stop processing the file or to reset the connection.
Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.
Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.
Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.
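A brace-balance pre-check of the kind the workaround calls for, as an added example (not F5 code and not an iRule): it scans CSS while ignoring braces inside comments and quoted strings, reports the line of any style rule still open at the end of the file, and appends the missing closing braces. The sample CSS is constructed for the example.

```python
"""Detect and close unbalanced style-rule braces in CSS (added example)."""

# Constructed sample: the '.nav a' rule on line 3 never closes.
SAMPLE_CSS = """\
/* constructed sample: the second rule is missing its closing brace */
.logo { background: url("img/{not-a-brace}.png"); }
.nav a { color: #336699;
.footer { padding: 4px; }
"""


def scan_css_braces(css):
    """Return (depth_at_eof, [line numbers of blocks still open at EOF]).
    Braces inside /* comments */ and quoted strings are ignored, so a URL
    like url("img/{x}.png") does not count as an opened block."""
    open_lines = []
    i, line, n = 0, 1, len(css)
    while i < n:
        ch = css[i]
        if ch == "\n":
            line += 1
        elif css.startswith("/*", i):
            end = css.find("*/", i + 2)
            end = n if end < 0 else end + 2
            line += css.count("\n", i, end)
            i = end
            continue
        elif ch in "\"'":
            j = i + 1
            while j < n and css[j] != ch:
                j += 2 if css[j] == "\\" else 1   # skip escaped characters
            line += css.count("\n", i, j)
            i = j + 1
            continue
        elif ch == "{":
            open_lines.append(line)
        elif ch == "}":
            if open_lines:
                open_lines.pop()
        i += 1
    return len(open_lines), open_lines


def repair_css(css):
    """Append the closing braces the file is missing so that a brace-counting
    rewriter sees balanced rules. Returns (repaired_css, number_of_braces_added).
    The report from scan_css_braces() tells a human where the real fix belongs."""
    depth, _ = scan_css_braces(css)
    if depth == 0:
        return css, 0
    return css.rstrip() + "\n" + "}\n" * depth, depth


if __name__ == "__main__":
    depth, lines = scan_css_braces(SAMPLE_CSS)
    print(f"unclosed blocks at EOF: {depth}, opened on line(s): {lines}")
    fixed, added = repair_css(SAMPLE_CSS)
    print(f"appended {added} closing brace(s)")
```

Appending at end of file only restores balance; the reported line number is where the brace actually belongs.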
838901-4 : TMM receives invalid rx descriptor from HSB hardware
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
838405-3 : Listener traffic-group may not be updated properly when spanning is in use.
Component: Local Traffic Manager
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group:
> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
838353-1 : MQTT monitor is not working in route domain.
Component: Local Traffic Manager
Symptoms:
MQTT monitor fails when non-default route domains are used.
Conditions:
-- A non-default route domain is configured for a pool member.
-- An MQTT monitor is in use.
Impact:
The MQTT monitor does not work in the route domain.
838337-1 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence, the time will spring forward and fall back on the previously designated dates.
This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset that already does not observe DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
838305-7 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to log in to the BIG-IP system using remote LDAP authentication.
Workaround:
Clear the value of shadowLastChange within AD.
837889 : Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade★
Component: TMOS
Symptoms:
Configuring duplicate net ipsec traffic-selectors with one having interface mode ipsec-policy and another having non-interface mode ipsec-policy is allowed, but results in an error on reloading the config, and may fail during upgrades.
Conditions:
-- Adding a second traffic-selector that has the same values for all these five attributes:
- destination-address
- destination-port
- source-address
- source-port
- ip-protocol.
-- The second traffic-selector ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface'.
-- The first traffic-selector has a non-interface ipsec-policy.
Example of two duplicate traffic-selectors (trafsel1 and trafsel2):
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
Impact:
The configuration is allowed, but fails config reload and upgrade, giving the following error:
01070734:3: Configuration error: Duplicate traffic selector is not allowed.
Workaround:
Before upgrading:
Ensure that all pairs of duplicate traffic-selectors have an ipsec-policy configured and that this ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface', or ensure that any one of the five attributes listed above is unique.
This can be done in multiple ways:
1. Change the ipsec-policy of the traffic-selector to an interface-mode ipsec-policy:
Example:
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
2. Change the mode of ipsec-policy (used by any duplicate traffic-selector) to 'interface'.
Example:
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
3. Change any one of the five attributes to be unique (e.g., source-address):
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.2.2/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
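A pre-upgrade check covering both IPsec conditions described on this page (840769, an ike-peer whose 'version' attribute has more than one value, and 837889, duplicate traffic-selectors split between an interface-mode and a non-interface-mode ipsec-policy). This is an added example, not F5 code: it parses the flat tmsh-style listing shown above (the same shape as 'tmsh list net ipsec' output, which is an assumption) from a constructed sample that reuses the page's objects.

```python
"""Pre-upgrade check for the two IPsec config shapes described above (added example)."""
import re
from collections import defaultdict

# Constructed sample: the multi-version ike-peer plus the trafsel1/trafsel2 pair.
SAMPLE_CONFIG = """\
net ipsec ike-peer test {
    my-id-value 38.38.38.64
    peers-id-value 38.38.38.38
    remote-address 38.38.38.38
    traffic-selector { /Common/homer2 }
    version { v1 v2 }
}
net ipsec ipsec-policy temp-ipsec-policy {
    ike-phase2-auth-algorithm aes-gcm128
    ike-phase2-encrypt-algorithm aes-gcm128
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
    ike-phase2-auth-algorithm aes-gcm128
    ike-phase2-encrypt-algorithm aes-gcm128
    mode interface
}
net ipsec traffic-selector trafsel1 {
    ipsec-policy temp-ipsec-policy
    source-address 1.1.1.1/32
    source-port texar
}
net ipsec traffic-selector trafsel2 {
    ipsec-policy temp-ipsec-policy-interface
    source-address 1.1.1.1/32
    source-port texar
}
"""

OBJ_RE = re.compile(r"^net ipsec (\S+) (\S+) \{\s*$")
# The five attributes whose combination makes two traffic-selectors "duplicate".
DUP_KEYS = ("destination-address", "destination-port",
            "source-address", "source-port", "ip-protocol")


def parse_objects(text):
    """Return {object_type: {name: {attribute: value}}} for flat 'net ipsec' objects.
    A brace-enclosed value on one line ('version { v1 v2 }') becomes a tuple."""
    objects = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            current = objects[m.group(1)].setdefault(m.group(2), {})
            continue
        if line == "}":
            current = None
            continue
        if current is None or not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if rest.startswith("{") and rest.endswith("}"):
            current[key] = tuple(rest[1:-1].split())
        else:
            current[key] = rest
    return objects


def multi_version_ike_peers(objects):
    """840769: ike-peers whose 'version' attribute carries more than one value."""
    peers = objects.get("ike-peer", {})
    return sorted(name for name, attrs in peers.items()
                  if isinstance(attrs.get("version"), tuple) and len(attrs["version"]) > 1)


def conflicting_traffic_selectors(objects):
    """837889: traffic-selectors identical in the five DUP_KEYS attributes where
    one uses an interface-mode ipsec-policy and another does not.
    Attributes left at their defaults are treated as equal (both None)."""
    policies = objects.get("ipsec-policy", {})
    groups = defaultdict(list)
    for name, attrs in objects.get("traffic-selector", {}).items():
        key = tuple(attrs.get(k) for k in DUP_KEYS)
        policy = policies.get(attrs.get("ipsec-policy"), {})
        groups[key].append((name, policy.get("mode") == "interface"))
    conflicts = []
    for members in groups.values():
        modes = {is_interface for _, is_interface in members}
        if len(members) > 1 and len(modes) > 1:
            conflicts.append(tuple(sorted(name for name, _ in members)))
    return sorted(conflicts)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    print("ike-peers with more than one version:", multi_version_ike_peers(objs))
    print("interface/non-interface duplicate selectors:", conflicting_traffic_selectors(objs))
```

Once every selector in a flagged pair points at an interface-mode policy, or one of the five attributes differs, the pair disappears from the report.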
837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Component: TMOS
Symptoms:
Configuration fails to load after upgrade with a message like
01420006:3: Can't find specified cli schema data for 13.1.1.4
Conditions:
An orphaned bigip_gtm.conf from an older version.
This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade leaving behind a bigip_gtm.conf with the old schema.
Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
After deprovisioning DNS and before upgrading, run:
rm -f /config/bigip_gtm.conf
tmsh load sys config gtm-only
837617-1 : Tmm may crash while processing a compression context
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
837481-7 : SNMPv3 pass phrases should not be synced between high availability (HA) devices, as they are based on each device's unique engineID
Component: TMOS
Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.
Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.
Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device makes that device work, but the other members of the config sync group will then fail.
Workaround:
- Check that "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019); the engineID needs to be unique per device.
- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync. These parameters must NOT be synced, as they need to match the individual device engineID:
display-name "Authoritative (security) engineID for SNMPv3"
display-name "Authentication pass phrase for SNMPv3 messages"
display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
display-name "User's passphrase"
display-name "Privacy passphrase"
### Mount /usr as rw, see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config
Once these parameters are no longer syncing, you can create the SNMPv3 user on each device using the same pass phrase your SNMPv3 manager uses:
tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }
Each device should then respond to a query using that same pass phrase:
snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv
For more information about SNMP, see the following articles:
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps
837341-1 : Response and Blocking Pages page: Deception Response pages should not be shown in parent policy
Component: Application Security Manager
Symptoms:
Deception Response pages shown and editable in parent policy.
Conditions:
-- Deception Response Pages feature is licensed and enabled.
-- You are editing the parent policy.
Impact:
Deception Response pages cannot be updated from the parent policy, thus any update of response pages fails with error.
Workaround:
None.
837233-3 : "Application Security Administrator" user role cannot manage DoS Profile GUI
Component: Advanced Firewall Manager
Symptoms:
BIG-IP GUI users in "Application Security Administrator" role are not allowed to manage DoS profile page and settings.
Conditions:
This affects users logged in with the "Application Security Administrator" role.
Impact:
DoS profiles cannot be edited from the GUI.
Workaround:
Either change the user role to one that allows managing DoS profiles, or edit the profiles from tmsh.
836661-2 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
Component: Local Traffic Manager
Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.
Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.
Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.
Workaround:
None.
836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by the 'node <ip> <port>' and 'snat <ip> <port>' iRule commands.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
835517-1 : After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"★
Component: Device Management
Symptoms:
After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED" and the REST endpoint /resolver/device-groups/tm-shared-all-BIG-IPs/devices/ may show only one device.
Conditions:
This has been observed during upgrade from 14.x.x to 15.x.x.
Impact:
SSLO won't work as expected.
Workaround:
If gossip shows "UNPAIRED" after upgrade, you may need to do the following on both devices:
1. Delete existing device information.
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices
2. Force updating.
bigstart restart restjavad
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
835209-3 : External monitors mark objects down
Component: Global Traffic Manager (DNS)
Symptoms:
Object to which the external monitor is attached is marked down.
Conditions:
An external monitor attempts to access something without the appropriate permissions.
Impact:
Object to which the external monitor is attached is marked down.
Workaround:
None.
834373-5 : Possible handshake failure with TLS 1.3 early data
Component: Local Traffic Manager
Symptoms:
During a TLS 1.3 early data handshake, a code alert and handshake failure may occur.
Conditions:
TLS 1.3 with early data resumption.
Impact:
Handshake failure.
Workaround:
Turn off early data.
834217-7 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may advertise a sub-optimal window size.
Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
833685-5 : Idle async handlers can remain loaded for a long time doing nothing
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Idle async handlers remain for a long time.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart it periodically via cron, as idle handlers are soon created again.
833213-1 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use a webacceleration profile without an AAM policy for resources that require conditional checks, so that they fall back to RAM Cache.
832665-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools will not be available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools will not be available.
Workaround:
None.
832661 : Default provisioning for all instances is LTM nominal★
Component: TMOS
Symptoms:
Prior to configuring an AWS WAF (AWAF) PAYG cloud instance, you may see errors related to an unlicensed LTM module. This occurs because the default provisioning for all instances is LTM nominal. However, the license associated with an AWAF PAYG cloud instance does not enable the LTM feature. As a result, the default provisioning for an unconfigured AWAF PAYG cloud instance will be incompatible with the PAYG license.
Conditions:
-- This issue relates only to AWAF PAYG cloud instances.
-- Not using the onboarding/templates to configure/provision the instance prior to use.
Impact:
Licensing error messages may be observed before the AWAF cloud instance is configured/provisioned. The functionality works as expected, however, so you can ignore these messages.
Workaround:
The recommended workflow for all cloud instances is to use onboarding/templates to configure/provision the instance prior to use. If this workflow is followed, any provisioning errors associated with the default provisioning are cleared prior to usage.
832233-1 : The iRule regexp command issues an incorrect warning
Component: Local Traffic Manager
Symptoms:
At validation time, mcpd issues a warning similar to the following:
warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]
Conditions:
Use arguments such as "\1", "\2", "\3", etc., in the regexp command.
Impact:
A warning is generated, "\1" has no meaning, even though it is valid.
Workaround:
Ignore the warning.
832133-1 : In-TMM monitors fail to match certain binary data in the response from the server.
Component: Local Traffic Manager
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.
-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
You can use either of the following workarounds:
-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
-- Do not monitor the application through a binary response (if the application allows it).
831821-1 : Corrupted DAG packets cause bcm56xxd core on VCMP host
Component: TMOS
Symptoms:
On a VCMP host, bcm56xxd crashes when it receives corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
Component: Access Policy Manager
Symptoms:
Both AD Query and LDAP Auth/Query fail.
Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as an IPv6 address.
Impact:
Users may not be able to log in to APM, and hence service is disrupted.
Workaround:
None.
831293-5 : SNMP get requests slow to respond.
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
830797-3 : Standby high availability (HA) device passes traffic through virtual wire
Component: Local Traffic Manager
Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.
Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.
Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.
Workaround:
Do not configure virtual wire on standby devices.
830073-2 : AVRD may core when restarting due to data collection device connection timeout
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes; one or more avrd core files exist in /var/core.
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes
Workaround:
None.
829821-1 : Mcpd may miss its high availability (HA) heartbeat if a very large number of pool members are configured
Component: TMOS
Symptoms:
If a very large number of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
This issue occurs because a VIPRION process is unavailable due to a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
829317-5 : Memory leak observed when running ICRD child
Component: TMOS
Symptoms:
When the ICRD child process is running and users are switching rapidly, memory may leak slowly in tmsh and APM.
Conditions:
[1] The ICRD child process is running.
[2] There are multiple users on the device.
[3] The multiple users are fetching a web page using curl, repeatedly and concurrently.
Impact:
Memory slowly leaks in tmsh and APM.
829193-4 : REST system unavailable due to disk corruption
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
829029-1 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
Component: Application Security Manager
Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.
Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.
Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.
Workaround:
Retry the subsequent REST calls.
828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
Component: TMOS
Symptoms:
When deploying BIG-IP 15.0.0 on Nutanix AHV Hypervisor, the f5-label service fails with an inappropriate input device error.
Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.
Impact:
The BIG-IP v15.0.0 deployment on Nutanix AHV Hypervisor is not stable enough to log in to the GUI or terminal.
Workaround:
Steps:
1. Mount the drive:
mount -o rw,remount /usr
2. Comment out the StandardInput line in the '/usr/lib/systemd/system/f5-label.service' service file so that it reads:
#StandardInput=tty
3. Reload the daemon:
systemctl daemon-reload
4. Restart the service:
systemctl restart f5-label
828789-1 : Certificate Subject Alternative Name (SAN) limited to 1023 characters
Component: TMOS
Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.
Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.
Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP
828625-3 : User shouldn't be able to configure two identical traffic selectors
Component: TMOS
Symptoms:
Config load fails when issuing "tmsh load sys config verify":
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.
Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.
Impact:
Config load will fail after a reboot
Workaround:
Delete duplicate traffic-selectors.
828601-1 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has a lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any of the dynamic routing protocols (BGP, OSPF, etc.).
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
827209-4 : HSB transmit lockup on i4600
Component: TMOS
Symptoms:
TMM logs an HSB transmit lockup message and cores.
Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.
Impact:
Disruption to processing traffic on the BIG-IP system.
Workaround:
None.
827021-7 : MCP update message may be lost when primary blade changes in chassis
Component: TMOS
Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.
Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.
Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.
For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.
Workaround:
None.
826313-6 : Error: Media type is incompatible with other trunk members★
Component: TMOS
Symptoms:
Loading the system configuration fails after an upgrade with the error message:
01070619:3: Interface 5.0 media type is incompatible with other trunk members
Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g., 100Mb interfaces and 1Gb interfaces).
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.
Impact:
The system configuration fails to load.
Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.
826189-3 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
Component: TMOS
Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).
In contrast, the TMSH utility correctly enforces values for this option.
Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.
Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.
The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.
Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.
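As an added illustration (not part of the release note or the BIG-IP code), the following Python check enforces the same rule TMSH applies to dns64-prefix, a bare IPv6 prefix with no subnet mask, and carries the issue's DNS64 example through to the expected AAAA answer. The /96-style embedding of the IPv4 address in the low 32 bits and the sample values are assumptions taken from the issue text.

```python
import ipaddress

# Constructed sample values, mirroring the prefixes the issue text lists as
# valid and invalid; not taken from a live BIG-IP.
VALID_PREFIXES = ["2001:db8:0:0:0:0:0:0", "2001:db8::"]
INVALID_PREFIXES = ["2001:db8:0:0:0:0:0:0/96", "2001:db8::/96"]


def validate_dns64_prefix(value: str) -> ipaddress.IPv6Address:
    """Accept only a bare IPv6 prefix, the way TMSH does for dns64-prefix.

    Rejects any '/mask' suffix and anything that is not an IPv6 address.
    The low 32 bits must be zero because DNS64 places the IPv4 address
    there (the /96 embedding the issue's example uses; assumed here).
    """
    if "/" in value:
        raise ValueError(f"dns64-prefix must not include a subnet mask: {value!r}")
    try:
        prefix = ipaddress.IPv6Address(value)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"dns64-prefix is not an IPv6 address: {value!r}") from exc
    if int(prefix) & 0xFFFF_FFFF:
        raise ValueError(f"low 32 bits of dns64-prefix must be zero: {value!r}")
    return prefix


def is_valid_dns64_prefix(value: str) -> bool:
    """Boolean form of validate_dns64_prefix, usable as a UI or API input check."""
    try:
        validate_dns64_prefix(value)
    except ValueError:
        return False
    return True


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Return the AAAA answer DNS64 should produce for an A record.

    The IPv4 address is OR-ed into the low 32 bits of the validated prefix,
    so 2001:db8:: and 198.51.100.1 yield 2001:db8::c633:6401.
    """
    pfx = validate_dns64_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(pfx) | int(v4)))


if __name__ == "__main__":
    for candidate in VALID_PREFIXES + INVALID_PREFIXES:
        verdict = "accepted" if is_valid_dns64_prefix(candidate) else "rejected"
        print(f"{candidate:28} -> {verdict}")
    print(synthesize_aaaa("2001:db8::", "198.51.100.1"))
```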
825501-3 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic processed by different blades uses different IPS libraries, which might cause inconsistent behavior.
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
825413-4 : /var/lib/mysql disk is full
Component: Application Security Manager
Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.
Conditions:
ASM provisioned
Impact:
/var/lib/mysql can run out of disk space
Workaround:
1. Truncate the two large tables. This clears all the rows in those tables and should free disk space.
Note that existing brute force username and IP reporting data will be lost.
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"
2. Add row_limit for the two tables to avoid the same issue in the future.
Add the following lines at the bottom of the file /etc/ts/tools/clean_db.yaml:
PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id
PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id
Restart the clean_db process (restarting this process has no impact):
# pkill -f clean_db
Wait 30 seconds, and make sure the process has come back:
# ps aux | grep clean_db
825245-4 : SSL::enable does not work for server side ssl
Component: Local Traffic Manager
Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.
Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.
Impact:
The connection will close instead of completing.
Workaround:
Do not use a disabled server-ssl profile in this situation.
825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
Component: Service Provider
Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.
Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.
Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.
824437-7 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
824433-3 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
Component: Local Traffic Manager
Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.
There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.
Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.
Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.
Workaround:
None.
824365-5 : Need informative messages for HTTP iRule runtime validation errors
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond, which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
824205-3 : GUI displays error when a virtual server is modified if it is using an address-list
Component: TMOS
Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:
01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.
Conditions:
This occurs in either of the following cases:
-- When renaming the virtual server.
-- When changing the address-list attribute.
Impact:
Cannot update virtual configuration with new value.
Workaround:
None.
824121-2 : Using the Websocket profile prevents mouse wheel scroll function
Component: Access Policy Manager
Symptoms:
Mouse wheel function does not work.
Conditions:
WebSSO and Websocket profiles are configured on a virtual server.
Impact:
Although there is no product functionality impact, it is an inconvenience to the BIG-IP administrator using the GUI.
Workaround:
To work around this issue, use an iRule that disables SSO for the Websocket request. For example, for remotespark (https://www.remotespark.com/html5.html) you can use the following iRule:
ltm rule sso_disable_ws {
    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/RDP?" and [HTTP::header exists "Upgrade"] and [HTTP::header "Upgrade"] == "websocket" } {
            log "DISABLING WEBSSO"
            WEBSSO::disable
        }
    }
}
823825-7 : Renaming high availability (HA) VLAN can disrupt state-mirror connection
Component: Local Traffic Manager
Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.
Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
Impact:
System might crash eventually.
Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
822253-1 : After starting up, mcpd may have defunct child "run" and "xargs" processes
Component: TMOS
Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes
Conditions:
Slow disk storage or large configuration files.
Impact:
Minimal; some zombie processes are created.
822025 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- An early server response generated by the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process
Component: TMOS
Symptoms:
Zombie "systemctl" process, as a child of mcpd.
Conditions:
Reboot of the BIG-IP.
Impact:
Minimal; a single zombie process is created.
Workaround:
To get rid of the process, you can restart mcpd.
820333-1 : LACP working member state may be inconsistent when blade is forced offline
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
819457-1 : LTM high availability (HA) sync should not sync GTM zone configuration
Component: TMOS
Symptoms:
LTM high availability (HA) sync groups are syncing GTM zone configuration changes.
Conditions:
1. Both BIG-IPs have LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.
Impact:
GTM zone files are accidentally modified.
819233-3 : Ldbutil utility ignores '--instance' option if '--list' option is specified
Component: Access Policy Manager
Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.
Conditions:
When both '--list' and '--instance' options are specified.
Impact:
The output lists all local users instead of limiting the list to the instance given with the '--instance' option.
Workaround:
None.
818853-1 : Duplicate MAC entries in FDB
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
818833-1 : TCP re-transmission during SYN Cookie activation results in high latency
Component: Local Traffic Manager
Symptoms:
The issue is reported with the following system setup:
client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet
-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.
Conditions:
Hardware SYN Cookie is enabled on the FastL4 profile.
Impact:
High latency is observed.
Workaround:
Disable the SYN Cookie on the FastL4 profile.
818789-7 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
Component: Local Traffic Manager
Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.
Conditions:
Configure HTTPS Monitor with ssl-profile "None".
Impact:
Ciphers are not exchanged as expected in the ClientHello packets.
Workaround:
Configure the HTTPS monitor without the ssl-profile option; the default serverssl profile will then be used.
818777-2 : MCPD error - Trouble allocating MAC address for VLAN object
Component: TMOS
Symptoms:
You see the following errors in /var/log/ltm:
err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.
Conditions:
Conditions under which this occurs are unknown.
Impact:
There is no known impact to the system as a result of this log message.
Workaround:
If this reoccurs, you can try force reloading mcpd.
For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.
818737-3 : Improve error message if user did not select a address-list or port list in the GUI
Component: TMOS
Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.
Conditions:
-- Virtual server's source address section.
Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.
Workaround:
Click to select the address-list or port-list displayed as the source address for the virtual server.
818721-3 : Virtual address can be deleted while it is in use by an address-list.
Component: Local Traffic Manager
Symptoms:
-- The virtual-address (and virtual server) will no longer work.
-- The BIG-IP won't answer ARP requests for it.
-- Loading the config again or performing similar operations will not re-create the virtual-address.
Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).
Impact:
Traffic processing is disrupted.
818505-1 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Component: TMOS
Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Conditions:
Modifying a virtual address using an iControl PUT command.
Impact:
An unintentional change to the virtual address's netmask.
Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.
818297-3 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
Component: TMOS
Symptoms:
OVSDB-server fails to make SSL connections when SELinux is enforcing.
In /var/log/openvswitch/ovsdb-server.log:
...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).
Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.
Impact:
Permission denied, SSL connection failure.
Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };
Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t
Step 4: Apply the policy:
# semodule -i openvswitch_t.pp
817709-3 : IPsec: TMM cored with SIGFPE in racoon2
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
817089-3 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
Component: TMOS
Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.
Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.
Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.
Workaround:
Disable HW acceleration.
816353-3 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
Component: TMOS
Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.
Conditions:
Occurs during license reload or reactivation.
Impact:
After a license reload, the unknown trap can be seen in the output of "tcpdump -ni mgmt port 162 -vvvv &", for example:
12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }
816233-1 : Session and authentication cookies should use larger character set
Component: TMOS
Symptoms:
The session and authentication cookies are created using a limited character set.
Conditions:
Creating session and authentication cookies.
Impact:
Cookies are created with a narrower character set than they could be.
Workaround:
None.
814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
814353-6 : Pool member silently changed to user-disabled from monitor-disabled
Component: TMOS
Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:
'Available (Disabled) pool members is available, monitor disabled'.
To:
'Available (Disabled), pool member is available, user disabled'.
Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.
Impact:
Pool member goes to 'user-disabled'.
Workaround:
To recover, re-enable the pool member.
814273-1 : Multicast route entries are not populating to tmm after failover
Component: TMOS
Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.
Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.
Impact:
Multicast traffic does not pass through properly.
Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group
814037-6 : No virtual server name in Hardware Syncookie activation logs.
Component: Local Traffic Manager
Symptoms:
The virtual server name is missing from Hardware Syncookie activation logs. The ltm log contains messages such as:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
813969-5 : Network DoS reporting events as 'not dropped' while in fact, events are dropped
Component: Advanced Firewall Manager
Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.
Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.
Impact:
The operation does not update the drop flag. AVR Reporting shows the packets as allowed, but they are actually dropped.
Workaround:
There is no workaround at this time.
813701-6 : Proxy ARP failure
Component: Local Traffic Manager
Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.
Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.
Impact:
ARP replies are dropped, leading to connection failures.
Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.
813629 : SSLO connection hang when bypass is enabled
Component: Local Traffic Manager
Symptoms:
SSL handshake may hang due to a race condition.
Conditions:
SSL dynamic bypass is enabled, but verified-handshake is disabled, or is using VHF version of profiles.
Impact:
SSL handshake hangs.
Workaround:
When dynamic bypass is enabled, be sure to enable verified-handshake or use the VHT version of SSL profiles.
813221-5 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
Component: Global Traffic Manager (DNS)
Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.
Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.
Impact:
The virtual server's status flaps between 'blue' and 'green', and its destination IP:port changes between a correct value and an incorrect one. Traffic will be impacted.
Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.
812981-6 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured.
-- APM is provisioned.
-- An Access Policy is configured and updated periodically.
Impact:
MCPD may consume a large amount of memory on the standby device. Normal functionality of the standby device may stop; a reboot of the device is required.
812705-3 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic
Component: Carrier-Grade NAT
Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.
Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.
Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.
Workaround:
Use normal LTM pool selection instead of iRules-based LTM pool selection.
812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted★
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time, and again the first time after a software upgrade:
tmsh restart sys service snmpd alertd
811701-3 : AWS instance using xnet driver not receiving packets on an interface.
Component: TMOS
Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.
Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instance has been idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.
Impact:
Loss of packets in the interface, in turn, causing data loss.
Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver; in releases 13.1.0 through 14.0.x, the 'unic' driver is the alternative.
Use one of the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)
-- Commands for Releases 14.1.0 and later:
# echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'sock']
# tmctl -dblade -i tmm/device_probed
-- Commands for releases 13.1.0 through 14.0.0:
# echo "device driver vendor_dev 1af4:1000 unic" > /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'unic']
# tmctl -dblade -i tmm/device_probed
811149-2 : Remote users are unable to authenticate via serial console.
Component: TMOS
Symptoms:
Attempts to log in to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:
-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)
Conditions:
Configure system for remote authentication and attempt authentication via serial console.
Impact:
Remote authentication users are unable to log in via the serial console.
Workaround:
There are two workarounds:
-- Remote authentication users can log in using an SSH connection to the BIG-IP system's management IP address.
-- Use the credentials of a local user account to log in to the serial console.
811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
810821-3 : Management interface flaps after rebooting the device
Component: Local Traffic Manager
Symptoms:
The Management interface flaps after rebooting the device, which causes a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.
For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
810533-2 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
Component: Local Traffic Manager
Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.
Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.
Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.
Workaround:
Specify a valid server name in the server name field of the client SSL profile.
810381-2 : The SNMP max message size check is being incorrectly applied.
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it then applies that limit to all requests. This can cause SNMPv1 and SNMPv2c requests to time out if they are too long or if their responses are too long, for example, large get-bulk requests.
Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
809597-5 : Memory leak observed when running ICRD child
Component: Local Traffic Manager
Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak.
Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently
Impact:
The memory leak is gradual. Eventually the ICRD child process will run out of memory.
807945-3 : Loading UCS file for the first time not updating MCP DB
Component: TMOS
Symptoms:
MCP DB is not updated after loading a UCS file.
Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.
Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.
Workaround:
Load the same UCS again.
The MCP DB gets updated properly.
807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The web UI shows misleading information about the pool monitor. The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
806073-1 : MySQL monitor fails to connect to MySQL Server v8.0
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
805089 : JavaScript challenges fail when using LTM Rules which disable DoSL7, Bot Defense, or ASM by default
Component: Application Security Manager
Symptoms:
When using complex CPM rules (LTM Policy) whose default rule disables DoSL7, Bot Defense, or ASM, the special URLs cannot reach the DoSL7 hudfilter or BD and are blocked. As a result, JavaScript challenges cannot pass, and users are blocked.
Example of l7dos disabled by default:
default {
    actions {
        0 {
            l7dos
            disable
        }
    }
    ordinal 3
}
In this case, the following error is observed in /var/log/ltm if ASM Policy is also used:
[2aeadec:931] Internal error (ASM requested abort (trans begin error))
The request reaches ASM but without the policy identifier and the error is seen.
Conditions:
Using complex CPM rules (LTM Policies) in which the default rule is to disable DoSL7, Bot Defense, or ASM.
Impact:
JavaScript challenges fail and block traffic from browsers.
Workaround:
-- If l7dos or bot-defense is disabled on the default rule, then add a rule for enabling l7dos or bot-defense on requests to /TSPD/* URLs.
-- If asm is disabled on the default rule, then add a rule for enabling asm on requests to /TSbd/* URLs.
803629-7 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
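The row-indexed matching described in this issue is easy to misread, so here is an added example (not F5's code) that models how the DB monitor's 'recv' string is checked against a single row of the server response, with the default 'recv-row' of 'none' interpreted as row 1. The two sample rows are a constructed split of the concatenated response shown in the debug log above; the function and parameter names are assumptions for illustration.

```python
"""Added illustration of the DB monitor's row-indexed 'recv' check.

This is not BIG-IP code. It reproduces the behaviour the issue describes:
the configured 'recv' string must appear in the row selected by
'recv-row', and a 'recv-row' of 'none' (the default) means row 1.
"""
from typing import List, Optional

# Constructed sample: the two rows that the DBPinger log line shows
# concatenated as "Database: 'db1'Database: 'information_schema'".
SAMPLE_ROWS: List[str] = ["Database: 'db1'", "Database: 'information_schema'"]


def normalize_recv_row(recv_row: Optional[str]) -> int:
    """Map the configured recv-row value to a 1-based row index.

    'none' (the default) or an unset value is treated as row 1, which is
    the behaviour the issue reports for the DB monitor core.
    """
    if recv_row is None or str(recv_row).strip().lower() == "none":
        return 1
    row = int(recv_row)
    if row < 1:
        raise ValueError("recv-row must be 1 or greater")
    return row


def analyze_response(rows: List[str], recv: Optional[str],
                     recv_row: Optional[str] = None) -> bool:
    """Return True if the monitor would consider the response a match.

    Only the single row selected by recv-row is inspected, not the whole
    response. With no 'recv' string configured (workaround 3) there is
    nothing to check and the response is accepted.
    """
    if not recv:
        return True
    index = normalize_recv_row(recv_row) - 1
    if index >= len(rows):
        # Selected row does not exist: reported as 'Analyze Response failure'.
        return False
    return recv in rows[index]


def find_recv_row(rows: List[str], recv: str) -> Optional[int]:
    """Helper for workaround 2: the 1-based row that contains 'recv'."""
    for number, row in enumerate(rows, start=1):
        if recv in row:
            return number
    return None


if __name__ == "__main__":
    # Default recv-row ('none' -> row 1) fails for a string in row 2 ...
    print(analyze_response(SAMPLE_ROWS, "information_schema"))        # False
    # ... and passes once recv-row points at the row that holds it.
    print(analyze_response(SAMPLE_ROWS, "information_schema", "2"))   # True
    print(find_recv_row(SAMPLE_ROWS, "information_schema"))           # 2
```

Running the block with the constructed rows shows the failure from the log (match string in row 2, default recv-row selecting row 1) and the effect of workarounds 1 and 2; find_recv_row gives the value to configure for 'recv-row'.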
803237-2 : PVA does not validate interface MTU when setting MSS
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.
Impact:
TCP segments larger than the local interface MTU are sent towards the client. These TCP segments are transmitted as IP fragments.
Workaround:
Increase MTU size.
803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
803157-3 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
Component: TMOS
Symptoms:
In the reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before the shutdown messages are synced to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.
Conditions:
Reboot the BIG-IP system.
Impact:
Log messages appear out of order. It is difficult to tell whether a service stop happened as part of the reboot or due to an error during the subsequent boot process.
Workaround:
None.
803109-3 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
Component: Local Traffic Manager
Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.
Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
Workaround:
None.
802421-6 : The /var partition may become 100% full requiring manual intervention to clear space
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Processing traffic while the DoS Dashboard is open.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
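Because the note says the workaround may have to be repeated from a script, here is an added example (not F5's code) that wraps the three documented steps so that they only run when the partition is nearly full. It assumes the 'bigstart' command and the /var/config/rest path named above; the 90% threshold and the dry-run default are constructed choices, and the function names are assumptions.

```python
"""Added wrapper around the documented /var cleanup workaround.

Not part of the F5 release note. Steps mirror the issue text: stop
restjavad, remove /var/config/rest/storage*.zip and *.tmp, start
restjavad. Nothing is deleted unless dry_run is False.
"""
import fnmatch
import glob
import os
import shutil
import subprocess
from typing import List

REST_DIR = "/var/config/rest"            # path from the issue text
PATTERNS = ["storage*.zip", "*.tmp"]     # files the workaround removes
DEFAULT_THRESHOLD = 90                   # constructed: act at >= 90% used


def usage_percent(path: str) -> int:
    """Percent of the filesystem holding 'path' that is in use.

    Uses total/free from shutil, so it may differ by a point or two from
    the Use% column printed by df, which accounts for reserved blocks.
    """
    st = shutil.disk_usage(path)
    return round(100 * (st.total - st.free) / st.total) if st.total else 0


def needs_cleanup(percent_used: int, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """Decide whether the workaround should run for this usage level."""
    return percent_used >= threshold


def matches_pattern(name: str, patterns: List[str] = PATTERNS) -> bool:
    """True if a file name is one the workaround would remove."""
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def stale_files(rest_dir: str = REST_DIR,
                patterns: List[str] = PATTERNS) -> List[str]:
    """Expand the workaround's globs without deleting anything."""
    found: List[str] = []
    for pattern in patterns:
        found.extend(sorted(glob.glob(os.path.join(rest_dir, pattern))))
    return found


def run_workaround(rest_dir: str = REST_DIR, dry_run: bool = True) -> List[str]:
    """Run the issue's steps in sequence; return the files (to be) removed.

    restjavad is restarted in a finally block so the REST API comes back
    even if one of the removals fails.
    """
    targets = stale_files(rest_dir)
    if dry_run or not targets:
        return targets
    subprocess.run(["bigstart", "stop", "restjavad"], check=True)
    try:
        for path in targets:
            os.remove(path)
    finally:
        subprocess.run(["bigstart", "start", "restjavad"], check=True)
    return targets


if __name__ == "__main__":
    pct = usage_percent(REST_DIR) if os.path.isdir(REST_DIR) else 0
    if needs_cleanup(pct):
        # Switch dry_run to False only on a BIG-IP where this is intended.
        for removed in run_workaround(REST_DIR, dry_run=True):
            print("would remove", removed)
    else:
        print(f"/var usage {pct}% below threshold; nothing to do")
```

Scheduling this from cron with dry_run left at True first gives a log of what would be removed and when the threshold trips, before committing to the restjavad restart the note warns about.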
802281-3 : Gossip shows active even when devices are missing
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from the device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
802189 : iApps: Calling 'Package Require <PKG>' in a template with a manager role is not supported
Component: iApp Technology
Symptoms:
With the Manager role, when calling 'package require <PKG>' in an iApp template, the following exception occurs:
Error parsing template:can't eval proc: "script::run" invalid command name "file" while executing "file join $dir $f".
Conditions:
A user with the Manager role imports an iApp template that contains a 'package require' call.
Impact:
Cannot use Manager Role when importing iApps that contain a 'package require' call.
Workaround:
Use the Admin role to import new templates.
799001-1 : Sflow agent does not handle disconnect from SNMPD manager correctly
Component: TMOS
Symptoms:
If the sFlow agent loses its connection with the SNMPD Manager, it tries to reconnect multiple times but fails.
Conditions:
The sFlow agent loses its connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
The snmpd service restarts repeatedly.
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sFlow agent, which results in a successful reconnection with snmpd.
798893-1 : Changes to a webacceleration profile are not instantly applied to virtual servers using the profile
Component: Local Traffic Manager
Symptoms:
Changing parameters in a webacceleration profile does not change the behavior of virtual servers already using the profile.
Conditions:
This issue is encountered after changing the settings of a webacceleration profile already in use by one or more virtual servers.
Impact:
The changes are saved correctly and are visible in the WebUI, TMSH, etc. However, virtual servers already using the profile are not affected by the changes. This may cause confusion and leave the BIG-IP administrator unable to apply the desired changes.
Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.
796601-2 : Invalid parameter in errdefsd while processing hostname db_variable
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.
Conditions:
A Diameter answer arrives that does not match any pending request. The answer message is dropped, but the BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it underflows.
Impact:
The 'Current Sessions' statistic can be used to track the number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code
Component: Local Traffic Manager
Symptoms:
The pool state shows down when there is no route configured to the node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
787677-5 : AVRD stays at 100% CPU constantly on some systems
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
785741-3 : Unable to login using LDAP with 'user-template' configuration
Component: TMOS
Symptoms:
Unable to log in as a remote user.
Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.
Impact:
Unable to log in with a remote user.
Workaround:
Use bind-dn for authentication.
784733-6 : GUI LTM Stats page freezes for large number of pools
Component: TMOS
Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, navigating to the GUI page that shows stats for all pools or for one pool may cause the GUI page to freeze indefinitely.
Conditions:
Configurations with a large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.
Impact:
Cannot view pool or pool member stats in GUI.
Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.
783789 : APM cannot handle HTTP requests with very long URLs
Component: Access Policy Manager
Symptoms:
If a very long URL (longer than 8 KB) is used in an APM session, the request fails.
Conditions:
- APM session established.
- HTTP request with very long URL (longer than 8 KB).
Impact:
There is no response to such an HTTP request. The web application cannot work correctly.
Workaround:
None.
783757 : Portal Access: property 'background-image' should be processed
Component: Access Policy Manager
Symptoms:
Incorrect background image in the web application page.
Conditions:
The web application uses the 'background-image' property of a style.
Impact:
Incorrect client-side web-application rendering.
Workaround:
You can create an iRule using the following template.
# Note: Replace PAGE_URL (below) with the actual page URL.
#
# Use this custom iRule for pages where
# the issue exists; it adds an entry for
# background-image into the F5_Deflate table.
#
when REWRITE_REQUEST_DONE {
    if { [HTTP::path] ends_with "PAGE_URL" } {
        log local0. "URI=([HTTP::path])"
        # Found the file we wanted to modify
        REWRITE::post_process 1
    }
}
when REWRITE_RESPONSE_DONE {
    set rewrite_data [REWRITE::payload]
    # Locate the F5 helper script tag; the fix is inserted just before it
    set rewrite_start [string first {<script id='F5_helperVersionCheck} $rewrite_data]
    log local0. "Found F5_helperVersionCheck script at $rewrite_start"
    if { $rewrite_start > -1 } {
        REWRITE::payload replace $rewrite_start 0 {
            <script>
            (function () {
                Object.prototype.hasOwnProperty.call = function (o) {
                    o['background-image'] = o.backgroundImage;
                    return false;
                }
                F5_Deflate_index({}, 'a')
                delete Object.prototype.hasOwnProperty.call
            })()
            </script>
        }
    }
}
783145 : Pool gets disabled when one of its pool member with monitor session is disabled
Component: Local Traffic Manager
Symptoms:
When a pool has at least two pool members and the one member that has a monitor associated with it is disabled, the entire pool is marked disabled-by-parent.
Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.
Impact:
The pool status for the entire pool is marked disabled-by-parent.
Workaround:
None.
782453 : Portal Access: F5_Invoke_load() infinite recursion in special case
Component: Access Policy Manager
Symptoms:
Web-application page is frozen.
Conditions:
This can occur with certain JavaScript functions in the web application.
Impact:
Client-side web-application page is not usable.
Workaround:
None.
781397 : 'License expired' message not specific
Component: TMOS
Symptoms:
When booting into a 14.0.0 version on which restricted license mode is not enabled, the license-expired message shows the generic 'license expired' message, but does not list the specific modules.
Conditions:
Modules with license not enabled.
Note: This occurs in a specific scenario in which you upgrade to an unlicensed version, revert to the previous version, don't change the license, and upgrade back to the original version. This fails as it is designed to, but reports the general 'invalid license' failure rather than the more specific one.
Impact:
License expired message is generic, and does not list the specific modules which are not enabled on 14.0.0.
Workaround:
None. Specific modules not enabled for 14.0.0 may show 'generic' license expired. You can cross-check if there are any modules which are not enabled for 14.0.0.
780437-6 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
778513-1 : APM intermittently drops log messages for per-request policies
Component: TMOS
Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.
Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.
Impact:
Certain log events may be missing, hindering troubleshooting or auditing efforts.
Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) the system may drop some log messages.
777265 : SNMPD logs are not included in the default set of files in logrotate
Component: TMOS
Symptoms:
The SNMPD logs can grow large but are not rotated.
Conditions:
The SNMPD is generating a large number of log entries.
Impact:
The /var/log space can become full.
Workaround:
Use the TMSH sys log-rotate command to modify the logrotate settings to add snmpd.log. The syntax is:
tmsh modify sys log-rotate syslog-include "/var/log/snmpd.log {
    compress
    missingok
    notifempty
    postrotate
        killall -HUP snmpd 2>/dev/null || true
    endscript
}
"
In addition, restarting snmpd restarts the log.
776393-3 : Memory leak in restjavad causing restjavad to restart frequently with OOM
Component: TMOS
Symptoms:
restjavad restarts frequently (approximately every 5 minutes) due to 'OutOfMemory: Java heap space' when it has not been given extra memory.
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory. This is a two-step process.
1. Update the memory allocated to the control plane using TMUI: System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad are 192, 352, and 592, respectively. Set this to Large.
2. Run the following two commands, in sequence:
tmsh modify sys db restjavad.useextramb value true
bigstart restart restjavad
774457 : Unexpected 'Illegal entry point' and 'Illegal flow to URL' violations after upgrading to version without account_id
Component: Application Security Manager
Symptoms:
When upgrading from a version prior to v15.1.0 to v15.1.0 or later, the system might report 'Illegal entry point' and 'Illegal flow to URL' violations.
Conditions:
1. Upgrading from a version prior to v15.1.0 to v15.1.0 or later.
2. The policy contains flows, and illegal flow and illegal entry point are configured.
Impact:
False-positive violations.
Workaround:
You can use either of the following workarounds:
-- Turn off blocking from the illegal flows violations before upgrading. Then wait for some time until the violation alarms no longer appear.
-- Use an iRule that unblocks these violations and deletes the ASM cookies when that happens.
774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types
Component: Global Traffic Manager (DNS)
Symptoms:
The tmsh 'show gtm pool' and 'show gtm wideip' commands with field-fmt display the object type twice in the output. For example:
tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A
tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A
Conditions:
This occurs when running the following tmsh commands:
tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt
Impact:
The object type is printed twice in the output.
Workaround:
None.
767341-1 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Component: TMOS
Symptoms:
Repeated TMM crashes with SIGBUS, with a memory copy operation at the top of the stack trace.
Conditions:
TMM loads a filestore file whose size is smaller than the size reported by mcp, or the ifile store is not present at all.
This condition is possible due to:
- filesystem errors/corruption, or
- BIG-IP user intervention.
A filesystem error might be due to power loss, a full disk, or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manually copy the "good" ifile store and force a configuration load on the previously bad unit. This is usually trivial, but error prone.
Another workaround is a clean install, if possible/acceptable.
763809 : Malware JavaScript signatures are not case sensitive
Component: Fraud Protection Services
Symptoms:
When a malware DOM Attribute / Forbidden Words signature is configured, WebSafe searches for those signatures in the application in a case-insensitive way.
Conditions:
DOM Attribute / Forbidden Words detection is enabled with signatures configured.
Impact:
WebSafe searches for the signatures in the application in a case-insensitive way.
Workaround:
N/A
760932 : Some APM log messages also appear in other logs when strings are long
Component: TMOS
Symptoms:
APM log messages also appear in other logs, such as /var/log/user.log and /var/log/messages.
Conditions:
-- When APM log message strings are long.
-- APM in use.
Impact:
Log messages are duplicated. This does not indicate a problem with system functionality, and you can safely ignore them.
Workaround:
None.
760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation.
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
760406-1 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync
Component: Local Traffic Manager
Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.
Conditions:
This might occur in either of the following scenarios:
Scenario 1
-- Manual sync operations are performed while traffic is being passed.
-- SSL Connection mirroring is enabled.
Scenario 2
-- The configuration is saved on an HA Standby node while traffic is being passed.
-- SSL Connection mirroring is enabled.
Impact:
-- In Scenario 1, the sync operations cause the session cache to be out-of-sync between the active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.
In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The HA system performance becomes degraded due to SSL connection timeout.
Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.
-- Set device management sync type to Automatic with incremental sync.
760330 : Daily live update (ASU) may skip a day due to cron timing
Component: Fraud Protection Services
Symptoms:
Daily live updates, such as FPS Engine/Signatures or ASU from versions earlier than 14.1.0, might skip a day due to cron timing.
Conditions:
-- Live updates, such as FPS Engine/Signatures or ASU.
-- Versions earlier than 14.1.0.
-- For FPS live updates, this also occurs on v14.1.0.
-- Frequency set to daily update.
Impact:
A particular live update attempt may skip a day.
Workaround:
Perform the live update manually.
760117 : Duplicate error messages in log when updating a zone through ZoneRunner GUI
Component: Global Traffic Manager (DNS)
Symptoms:
Duplicate error messages in log when updating a zone through ZoneRunner GUI.
Conditions:
This occurs upon every update to a zone in the GUI.
Impact:
The BIG-IP system logs the multiple occurrences of the following error in the /var/log/daemon.log file:
err named[17053]: 18-Feb-2019 15:22:51.011 general: error: zone siterequest.com/IN/external: zone serial (2019021807) unchanged. zone may fail to transfer to slaves.
Workaround:
None.
760109 : Portal Access: URL with double dots at the end of the path is handled incorrectly
Component: Access Policy Manager
Symptoms:
Portal Access incorrectly handles an HTTP request with double dots (..) at the end of the URL path.
Conditions:
An HTTP request with double dots at the end of the path, for example:
GET /some/path/.. HTTP/1.1
Host: 192.168.0.1
Impact:
The HTTP response has the status code '404 Not Found'.
Workaround:
Use an iRule to add a slash to the end of the path:
GET /some/path/../ HTTP/1.1
759804 : Zones reload when Update button is clicked without any change
Component: Global Traffic Manager (DNS)
Symptoms:
When performing zone configuration, if you click the Update button before making changes, the zone still reloads.
Conditions:
-- No change is made.
-- Update button is clicked.
Impact:
Unnecessary zone reload.
Workaround:
None.
758781 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use the iControl REST API endpoint corresponding to sys/file/ssl-cert.
758651 : Portal Access: JavaScript object with reserved property names may be handled incorrectly
Component: Access Policy Manager
Symptoms:
A JavaScript object may contain properties whose names match reserved words such as 'default' or 'for'. If such a property is defined using getter / setter functions, Portal Access handles it incorrectly.
Conditions:
A JavaScript object with a property that has a reserved name and is defined via getter / setter functions, for example:
a = {get default () {}}
Impact:
The JavaScript code cannot be rewritten; the web application may not work correctly.
Workaround:
Use an iRule to rename such a property in the JavaScript object.
758599-3 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has a lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
757548 : Rewrite plugin can crash during initial configuration load
Component: Access Policy Manager
Symptoms:
Rewrite plugin can crash if the configuration is large enough to block mcpd from responding for more than 60 seconds.
Following messages appear in /var/log/ltm:
warning sod[6200]: 01140029:4: HA daemon_heartbeat rewrite0 fails action is restart.
Conditions:
-- Very large configuration that takes time to load (observed with ~100 virtual servers).
-- Low performance platform.
Impact:
The rewrite operation crashes, writes a core file, and restarts normally. This happens only during the initial config load and does not affect traffic.
Workaround:
None.
756313-6 : SSL monitor continues to mark pool member down after restoring services
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent; only the TCP three-way handshake (3WHS) followed by a four-way closure is observed. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
To restore the state of the member, remove it, and add it back to the pool.
756244 : Navigation parameters arriving with post payload causing problems
Component: Application Security Manager
Symptoms:
False-positive illegal URL violation reported.
Conditions:
-- Navigation parameters are defined, and are arriving in the payload.
-- A wildcard URL is not defined.
Impact:
False-positive violation.
Workaround:
To work around this, configure a navigation parameter in the following order:
1. Create the navigation parameter for a URL.
2. Create the URL.
The URL now has a checkbox where you can specify that navigation parameters should be checked.
756155 : Add SNMP trap support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, SNMP trap does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
SNMP trap does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
755282 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
Component: Global Traffic Manager (DNS)
Symptoms:
After running the bigip_add script without specifying a server address, the host address shown in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.
For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A
Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.
Impact:
There is no way to tell what the actual server is without converting the IPv4-mapped IPv6 address back to an IPv4 address to find which password to enter, for example: 0A3C:010A to 10.60.1.10.
Workaround:
To work around this, edit the bigip_add script.
IMPORTANT: Make sure to back up the bigip_add script before making modifications.
1. Make the /usr folder writable:
# mount -o rw,remount /usr
2. Back up bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding a different 'print' output for IPv4 servers.
Replace this:
< print "Enter $ruser password for $ip if prompted\n";
With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
NOTE: Do not modify the actual value for $ip.
Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
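Review bot: ipv6_to_ipv4 reads $ipv6[6] and $ipv6[7] without checking that split returned eight groups, so it only works for the fully expanded form shown in the prompt (0000:0000:0000:0000:0000:FFFF:0A3C:010A); a compressed input such as ::ffff:10.60.1.10 would hand undef to hex() and the prompt would silently show 0.0.0.0. Suggest guarding the sub with `return $in_addr unless @ipv6 == 8;` so the caller falls back to printing the original value, and adding a comment above the sub stating the expected input format.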
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
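Review bot: the match /0000:0000:0000:0000:0000:FFFF:/ is case-sensitive and unanchored, so an address with a lowercase ffff prefix is not converted and the raw IPv6 string is printed, which is exactly the symptom this edit is meant to remove. Suggest `if ($ip =~ /^0000:0000:0000:0000:0000:FFFF:/i) {` so the prefix is required at the start of the address and either case is recognised; $ip itself is still left unmodified, as the NOTE above requires.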
179d199
<
755197 : UCS creation might fail during frequent config save transactions
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are being added by one tmsh command while being deleted by the other. For example, a file that has not yet been saved to the configuration is deleted while the system is creating a UCS that contains that file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
754827 : Portal Access: Weak F5_isAttr and other predicates
Component: Access Policy Manager
Symptoms:
Various web-application malfunctions are possible.
Conditions:
User-defined properties with names that are subject to rewriting by Portal Access.
Impact:
Client-side web-application malfunction.
Workaround:
Use a custom iRule to remove unwanted rewriting.
754571 : Portal Access: Image HTML element with source URL like '//some.domain?a=b' cannot be loaded.
Component: Access Policy Manager
Symptoms:
An image HTML element with a source URL like '//some.domain?a=b' (i.e., no slash following the domain) cannot be loaded via Portal Access.
Conditions:
An HTML page with an IMG tag like this:
<img src=//some.domain?a=b />
Impact:
Image cannot be loaded.
Workaround:
Use an iRule to add a trailing slash to the domain name in the source URL:
<img src=//some.domain/?a=b />
753167 : Possible memory leak in nlad daemon
Component: Access Policy Manager
Symptoms:
nlad grows in size. The system posts the log message NT_STATUS_LOGON_FAILURE in the apm logfile.
Conditions:
-- NTLM auth is configured.
-- The BIG-IP system cannot connect to the configured backend KDC.
Impact:
nlad may be killed by OOM killer if it grows significantly.
Workaround:
Correct configuration issues, so that the BIG-IP system can connect to the configured domain controllers.
750588-3 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.
Component: TMOS
Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.
Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.
Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.
Workaround:
Set db key 'provision.extramb' to 1024 or greater.
746758-1 : Qkview produces core file if interrupted while exiting
Component: TMOS
Symptoms:
If the qkview operation is interrupted during its exit stage (with Ctrl-C, for example), it produces a core file.
Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.
Impact:
A core file is produced.
Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.
746464 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
744407-1 : While the client has been closed, iRule function should not try to check on a closed session
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.
743132 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST
Component: Application Security Manager
Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.
Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.
Workaround:
Use UTF-8.
739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Component: Application Security Manager
Symptoms:
When using an AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set a rule that controls ASM in an LTM policy.
Conditions:
-- AWAF or MSP license.
Impact:
The admin cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of the GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
738783 : Encrypted field lost reference when adding input element to parentElement
Component: Fraud Protection Services
Symptoms:
A config parameter is not encrypted in real time.
Conditions:
This can occur when using innerHTML to add input before the encrypted input.
Impact:
The parameter is not encrypted.
737952 : Applications that use getResponseHeader or getAllResponseHeaders do not work properly
Component: Access Policy Manager
Symptoms:
Various web-application malfunctions are possible.
Conditions:
The web application defines its own properties named getResponseHeader() or getAllResponseHeaders().
Impact:
Client-side web-application malfunction.
Workaround:
A custom iRule can be used.
737951 : Portal Access: fix F5_isXMLHttpObject predicate
Component: Access Policy Manager
Symptoms:
Various web-application malfunctions are possible.
Conditions:
A web-application-defined object with properties that are subject to rewriting by Portal Access.
Impact:
Client-side web-application malfunction.
Workaround:
A custom iRule can be used to remove unwanted rewriting.
737692 : Handle x520 PF DOWN/UP sequence automatically by VE
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
737536-7 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received from OSPF process 1, which peers with the Internet, into OSPF process 2. If that route is removed (e.g., an Internet link goes down), OSPF process 2 should remove the associated route as well. The 'default-information originate' command is the ideal choice here: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from its routing table. However, enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
!router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the default route advertised by BIG-IP OSPF process 1, if one exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
737322-3 : tmm may crash at startup if the configuration load fails
Component: TMOS
Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.
Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
730852-1 : The tmrouted repeatedly crashes and produces core when new peer device is added
Component: TMOS
Symptoms:
There is a tmrouted crash when new peer device is added.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.
Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Component: Local Traffic Manager
Symptoms:
TMM crashes when running: show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
-- The command is terminated by the client connection aborting with CTRL-C.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
725591 : Changing the management IP of an Active device in Device Service Cluster will cause Active/Active
Component: TMOS
Symptoms:
The Device Service Clustering software uses the management IP as the primary key to identify the nodes in the cluster.
When the Active device begins using a new management IP, the Next-Active device cannot reach the Active device, and becomes Active. Once the configuration change has propagated to all devices, a new Active device is chosen.
Conditions:
Changing the Management IP of an Active device in Device Service Cluster.
Impact:
Device Service Cluster has multiple Active devices for several seconds.
Workaround:
Do not change the management IP of the Active device. Force the device to Standby, and then change the IP.
722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
720440-6 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
719555-3 : Interface listed as 'disable' after SFP insertion and enable
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, an SFP is then inserted, and the interface is re-enabled, TMSH continues to display the interface as 'disabled' in the output of 'tmsh show net interface'.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- An SFP is inserted and the interface is re-enabled.
-- Running the command 'tmsh show net interface' and inspecting its output.
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
718796-5 : IControl REST token issue after upgrade★
Component: Device Management
Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.
Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.
Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.
Workaround:
You can repair the current user's permissions with the following process:
1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting the restjavad process:
# restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
# bigstart restart restjavad
2) Update the shared/authz/roles/iControl_REST_API_User userReferences list to add the affected user account using PUT:
# restcurl shared/authz/roles/iControl_REST_API_User > role.json
# Edit role.json (for example, with vim) and add a { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to the userReferences list
# curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User
Now, when you create a new user, the permissions should start in a healthy state.
718108 : It is not possible to core the icrd_child process if iControl REST requests were sent to the BIG-IP system using non-admin accounts
Component: TMOS
Symptoms:
When trying to create a diagnostic core file of the icrd_child process (for example, using the command: kill -6 <PID>), the process restarts but does not create a core file.
Conditions:
iControl REST requests are sent to the BIG-IP system using user accounts that do not have the Administrator or Resource Administrator role.
Impact:
This issue may hinder F5 Support efforts to diagnose memory leaks or other issues affecting the icrd_child process.
Workaround:
There are two workarounds for this issue.
Workaround #1:
The problem can be avoided by making calls to iControl REST using only User IDs that have the 'Admin' or 'Resource Admin' roles.
Note: If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', the 'restjavad' process must be restarted before core files can be created for icrd_child processes.
Workaround #2:
If iControl REST calls have already been made with User IDs that have a role other than 'Admin' or 'Resource Admin', and a core file is needed for a currently running icrd_child process, running the following two commands in the Advanced Shell (aka bash) creates the core file.
1: "echo 2 > /proc/sys/fs/suid_dumpable"
2: "pkill -6 icrd_child"
Note: The commands are shown inside quotation marks, but the quotation marks are not part of the commands.
714502-3 : bigd restarts after loading a UCS for the first time
Component: Local Traffic Manager
Symptoms:
bigd restarts when loading a UCS for the first time. The load succeeds, no related messages are reported in /var/log/ltm, and no bigd core file is produced.
Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check
Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.
Workaround:
System runs as expected after the bigd restart, and the user need not take any action.
714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Component: Local Traffic Manager
Symptoms:
The BIG-IP web-acceleration profile provides a number of caching and optimization options suitable for HTTP/1.1. It uses a 'Connection: Keep-Alive' header on the server side, which results in a 'Keep-Alive' header appearing in the response. This HTTP header was adopted by the industry but never standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses carrying such a header and reject them with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
HTTP::header remove keep-alive
}
Alternatively, use an LTM Policy that removes this header from the server's response.
714216-4 : Folder in a partition may result in load sys config error
Component: TMOS
Symptoms:
If you run the command 'tmsh load sys config current-partition' in a partition that includes a folder, the command may return an error.
Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition, save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current-partition'.
Impact:
The load configuration process fails with an error that the folder does not exist.
Workaround:
There is no workaround at this time.
713509 : Manually changing a device to standby will cause TMM crash
Component: Local Traffic Manager
Symptoms:
When you set the HA state of a device to Standby while it is already in Standby, tmm may crash.
Conditions:
This can occur when both devices are in Standby and you run 'tmsh run /sys failover standby'.
Impact:
tmm crashes and restarts. Since the device was already in standby, traffic is not disrupted.
713128 : Portal Access: F5_isStyle() should be more selective
Component: Access Policy Manager
Symptoms:
Various web-application malfunctions are possible.
Conditions:
The web application defines properties with the names of style attributes that are subject to rewriting by Portal Access.
Impact:
Client-side web-application malfunction.
Workaround:
Use a custom iRule to handle this.
710809-5 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad.
709381-4 : iRules LX plugin imported from a system with a different version does not properly run, and the associated iRule times out.
Component: Local Traffic Manager
Symptoms:
An iRules LX plugin does not properly run and messages similar to the following example are logged to the /var/log/ltm file:
err tmm[17616]: 01220001:3: TCL error: /Common/my-plugin/my-rule <HTTP_REQUEST> - ILX timeout. invoked from within "ILX::call $ilx_handle -timeout 3000 my-function"
Conditions:
An iRules LX workspace archive is imported to BIG-IP version 13.1.0 or later from a previous software version.
Note that this is what happens during a regular software upgrade. Therefore, you might encounter this issue when upgrading a system to BIG-IP version 13.1.0 or later.
Impact:
The affected iRules LX are not functional under the new software version, and the virtual servers utilizing them will experience various failures.
Workaround:
Change the plugin's Node.js version from 0.12.15 to 6.9.1 and then back.
706685-1 : The web UI becomes unresponsive after certain commands
Component: TMOS
Symptoms:
The web UI becomes unresponsive after certain commands
Conditions:
Running certain commands
Impact:
The web UI becomes unresponsive
Workaround:
Reload the page
705112-6 : DHCP server flows are not re-established after expiration
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server configured for a DHCP virtual server.
- Server flows time out after 60 seconds.
Impact:
DHCP server traffic is not load balanced.
Workaround:
None.
688231-3 : Unable to set VET, AZOT, and AZOST timezones
Component: TMOS
Symptoms:
Unable to set VET, AZOT, and AZOST timezones
Conditions:
This occurs under normal operation.
Impact:
Cannot set these timezones.
Workaround:
Use a timezone with the same UTC offset:
-- AZOT (UTC-1): use N (November Time Zone).
-- AZOST (UTC+0): use Z (Zulu Time Zone), GMT (Greenwich Mean Time), or WET (Western European Time).
-- VET (UTC-4): use AST (Atlantic Standard Time), CDT (Cuba Daylight Time), CLT (Chile Standard Time), EDT (Eastern Daylight Time), FKT (Falkland Islands Time), or Q (Quebec Time Zone).
These substitutes match only the numeric offset at the time you set them; a substitute that observes daylight saving time can drift from the intended zone across a DST transition, so verify the offset after one.
685593-5 : Access session iRules can fail with error 'Illegal argument'
Component: Access Policy Manager
Symptoms:
Certain Access iRules can cause an argument error to occur. Errors in iRule logs appear similar to the following: session ID lookup failed - Illegal argument (line 1).
Conditions:
ACCESS::session iRules are used, for example:
-- ACCESS::session sid.
-- ACCESS::session data get {session.server.landinguri}.
-- ACCESS::session data get {session.policy.result}.
Impact:
A Tcl error occurs and the connection is reset. The system posts the 'Illegal argument' message in the iRules logs.
Workaround:
There is no workaround at this time.
681478 : JS error "Failed to execute 'iterateNext' on 'XPathResult'...'"
Component: Access Policy Manager
Symptoms:
JS error "Failed to execute 'iterateNext' on 'XPathResult'...'"
Conditions:
JavaScript accesses Anchor.href inside an XPathResult.iterateNext() loop.
Impact:
Web-application malfunction.
Workaround:
A custom iRule can be used.
674745-1 : Ordering and OSPF configuration timing of IA routes on HA configuration can lead to differences in route table
Solution Article: K53106344
Component: TMOS
Symptoms:
In some specific circumstances, the configuration ordering and activation timing of OSPF inter-area (IA) routes in an HA configuration might lead to one unit learning a route from its peer instead of from its own configuration.
Conditions:
- Two or more units using very close or identical OSPF configurations.
- Announcement of IA summary routes that locally are blackholed.
- One unit is configured before the others, in a way that the peers learn the route before the configuration is introduced locally.
Impact:
A unit may prefer the route learned from its peer over its locally configured blackhole route.
Workaround:
Do any of the following:
-- Restart the ospf process.
-- Run the command: clear ip ospf process.
-- Remove the ospf config and paste it back in.
673573-1 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm when a tmsh command run in interactive mode reaches its idle timeout while a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
667241 : Virtual server fails to process RD Gateway connections if 'Source Port' is set to 'Change'
Solution Article: K29453454
Component: Access Policy Manager
Symptoms:
RDP client fails to connect via APM used as RD Gateway, if 'Source Port' is set to 'Change' on the virtual server. Native RDP resources on APM Webtop are also affected.
Conditions:
-- APM is used as RD Gateway.
-- 'Source Port' is set to 'Change' on the virtual server.
Impact:
RDP client cannot connect via APM.
Workaround:
Use either of the following workarounds:
-- Set the virtual server's 'Source Port' setting to 'Preserve' (the default).
-- Disable CMP on the virtual server. Note that this confines the virtual server to a single TMM instance and reduces its throughput. To do so, run the following commands:
tmsh modify ltm virtual <VS-name> cmp-enabled no
tmsh save sys config
659930 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool
Component: Global Traffic Manager (DNS)
Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool: big3d returns malformed XML, and messages similar to the following appear in /var/log/em:
Could not parse xml for device.
Conditions:
-- A pool whose monitor state is flapping has more than two HTTP-type monitors assigned.
-- The iControl data that big3d returns from the LTM is malformed XML.
Impact:
Malformed data causes EM to not be able to gather stats from big3d.
Workaround:
None.
652577 : Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating self IP address
Component: Local Traffic Manager
Symptoms:
Changes to the MAC Masquerading setting of a traffic group may leave the Standby unit unable to reach the floating self IP address.
Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby
Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet-facing traffic is affected.
Workaround:
Reboot or restart TMM.
651532 : XML sensitive data masks the whole parameter value when it is in a parameter context
Component: Application Security Manager
Symptoms:
When XML payload is in a parameter and a sensitive entity exists, the whole parameter value is masked.
Conditions:
-- Send XML request.
-- The XML payload is in a parameter
-- A sensitive entity exists.
Impact:
In the event logs, the entire parameter value is masked, so nothing in it other than the sensitive entity can be viewed either.
Workaround:
None.
642572 : Configuration Utility shows 127.0.0.1 in the IP address field of the logon page and main page when using FQDN in browser
Component: TMOS
Symptoms:
Configuration Utility shows 127.0.0.1 in the IP address field of the logon page and main page.
Conditions:
-- Accessing Configuration Utility via Self IP.
-- Using FQDN instead of Self IP in browser.
Impact:
127.0.0.1 appears on the main page instead of the self IP address that was used.
Workaround:
None.
640842-5 : ASM end user using mobile might be blocked when CSRF is enabled
Component: Application Security Manager
Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.
Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.
Impact:
Client is blocked.
Workaround:
None.
640696 : iCRD 400 Error even though request succeeds
Component: TMOS
Symptoms:
When the BIG-IP system is under heavy load or is processing large tmsh files, the internal API returns a timeout error (HTTP 400) for operations that take longer than 60 seconds, even though the operation itself completes.
Conditions:
Heavy traffic through the BIG-IP system while it processes large configuration files with the save or merge command.
Impact:
External workflow tools that call the API see a false failure even though the operation succeeded.
Workaround:
None.
639665 : Portal access page broken when accessed from Chrome and Firefox
Component: Access Policy Manager
Symptoms:
A Portal Access page that loads in Internet Explorer is broken when accessed from Chrome or Firefox. The affected web applications use blob: URLs, which refer to Blob objects. These objects can contain arbitrary content, including JavaScript and CSS, and in some cases the content of a Blob object must be rewritten before the web application uses it.
Conditions:
A Portal Access web application that relies on blob: URLs is accessed from Chrome or Firefox.
Impact:
PA page does not load. Users cannot see the content of the page.
Workaround:
An iRule workaround is available on request.
632458 : Conditional compilation can be improperly rewritten in some cases
Component: Access Policy Manager
Symptoms:
Rewriting produces logically and syntactically incorrect JavaScript when conditional compilation is present in certain places.
Conditions:
Conditional compilation is present in some places.
Impact:
Web application misbehavior.
Workaround:
Use a custom iRule. No general iRule exists.
631654 : Attaching VDI profile to virtual server changes the default behavior of ACCESS::restrict_irule_events
Component: Access Policy Manager
Symptoms:
ACCESS::restrict_irule_events is enabled by default. But if you add the VDI profile to the virtual server, it changes this default behavior and disables this flag. Due to this, you will start seeing that iRule events are raised for internal APM requests as well.
When this is happening, the system posts the following error signatures in /var/log/ltm:
err tmm[20661]: 01220001:3: TCL error: /Common/stream_vdi_debug <HTTP_RESPONSE> - Operation not supported (line 15) invoked from within STREAM::expression "@$matchstring@$replacestring@" ".
err tmm[19745]: 01220001:3: TCL error: /Common/stream_vdi <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "STREAM::disable".
Conditions:
A virtual server with a VDI profile attached, and an iRule written on the assumption that restrict_irule_events is enabled by default.
Impact:
iRule implementation may not work as expected. For example: attaching the OFBA iRule (_sys_APM_MS_Office_OFBA_Support) to the virtual server which has VDI profile breaks OFBA functionality.
Workaround:
Enable the ACCESS::restrict_irule_events flag manually using syntax similar to the following:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events enable
}
Note: This workaround affects the Citrix Wyse client RSA next-token change scenario.
626807 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
Component: Access Policy Manager
Symptoms:
The rewrite plugin may crash on large rewritable content when webtrace or debug logging for Portal Access is enabled.
Conditions:
Portal Access log level is set to "Debug", or
Web Application Trace feature of Portal Access is active.
Impact:
Portal Access is temporarily unavailable.
Core file for 'rewrite' process is generated.
Workaround:
Keep the Portal Access log level below Debug and leave the Web Application Trace feature disabled; the crash occurs only while one of these is enabled.
624933 : DoSL7: total site TPS is lower than a single entity TPS
Component: Application Security Manager
Symptoms:
The total site TPS is reported as lower than the TPS of a single entity.
Conditions:
An entity is reported for the first time in the attack.
Impact:
Confusion in the reporting.
Workaround:
None.
618889 : Clicking the policies list tab does not refresh the policies list on click.
Component: TMOS
Symptoms:
Clicking the policies list tab does not refresh the policies list on click.
Conditions:
This occurs on the policy list page
Impact:
If the policy list changed, the updates will not be displayed.
Workaround:
Refresh the browser, or click Local Traffic > Policy List in the menu to reload the page.
617296 : HTTPS Monitors Up Interval field cannot be disabled if enabled in parent monitor
Component: Local Traffic Manager
Symptoms:
When the Up Interval of an HTTPS monitor is enabled, all child monitors of the same type inherit the setting and cannot disable it.
Conditions:
The Up Interval is enabled on the parent HTTPS monitor.
Impact:
Child monitors inherit the setting and cannot disable it. They can, however, set a different value than the parent.
613415-8 : Memory leak in ospfd when distribute-list is used
Solution Article: K22750357
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
605675-6 : Sync requests can be generated faster than they can be handled
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
Solution Article: K64445052
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.
Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.
Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.
Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.
Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.
591305 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install; it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
588992 : BIG-IP VE does not support live migration on Hyper-V
Component: TMOS
Symptoms:
Performing live migration of a BIG-IP Virtual Edition (VE) from one Hyper-V host to another may result in non-functional virtual network devices, requiring a reboot of the guest to resolve. This behavior is unsupported.
Conditions:
BIG-IP VE running on Hyper-V performing a live migration operation.
Impact:
The BIG-IP VE guest may be unable to process network traffic requiring a reboot.
Workaround:
To work around this:
1. Fail over traffic to a VE instance running on another host.
2. Shut down the previously active BIG-IP guest.
3. Migrate it to the new host.
4. Bring it back up.
587821-10 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
585876 : Updates to data groups fails with very large numbers of objects
Component: TMOS
Symptoms:
When modifying very large data groups (approximately 33,000 objects) in the Configuration Utility, updates fail with the error message: "Unknown Button Pressed."
Conditions:
The BIG-IP system contains a data group that exceeds roughly 33,000 objects, and an update to a particular object is attempted.
Impact:
Updates to large data groups will fail in the Configuration Utility. Updates to smaller data groups are still possible.
Workaround:
Updates to large data groups must be made with tmsh.
583930 : VE supports only 2 NUMA domains
Component: TMOS
Symptoms:
VMware ESX version 5.5 and greater can expose NUMA topology to guests, sometimes exposing more NUMA nodes than the two that Virtual Edition (VE) supports. This causes a TMM core, with the following error message in /var/log/tmm:
sys_get_numa_info: <N> exceeds max nodes of 2
Conditions:
-- VE running on VMware ESX 5.5 or greater.
-- 16 vCPUs configured.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
In VMware ESX, modify the guest hardware configuration to present a maximum of two sockets to the VE guest.
For example, if you configure an 8 CPU VM, set Cores per Socket to 4.
583108-2 : ZebOS issue: 'no neighbor x.x.x.x activate' in address-family IPv6 is lost on reboot/restart.
Component: TMOS
Symptoms:
When a neighbor with an IPv4 address is disabled in the IPv6 address family, 'show running-config' displays the neighbor as disabled. However, after tmrouted or the BGP protocol is restarted, or the system is rebooted, the neighbor is enabled again; the configuration does not persist.
Conditions:
1. Disable a neighbor with an IPv4 address in the IPv6 address family.
2. Restart tmrouted or the BGP protocol, or reboot the system.
Impact:
The configuration does not persist. This affects BIG-IP upgrades, because the configuration loaded after the upgrade is not the same as before it; likewise, a restart or reboot loads a different configuration than the one originally in use. This might alter the intended behavior of the protocol.
Workaround:
Disable the neighbor again after the restart or reboot.
579219-5 : Access keys missing from SessionDB after multi-blade reboot.
Component: Access Policy Manager
Symptoms:
After a reboot of a 4-blade vCMP guest, only the master key for the catalog remains; all subkeys are missing.
Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.
Impact:
Some Access subkeys may be missing after the reboot.
Workaround:
Reboot the primary blade.
562370 : SSL traffic stall with misconfigured mirroring configuration
Component: Local Traffic Manager
Symptoms:
SSL traffic may be stalled if there is a mismatch in mirror setting on the SSL virtual server between the active and the standby unit.
Conditions:
SSL virtual server with mirroring enabled on the active unit and disabled on the standby unit.
Impact:
Connections on the active unit may stall for up to 'Handshake timeout' seconds.
Workaround:
Configure both units to have the same mirror setting on the virtual server.
557529 : Tcl monitors may not fire on their scheduled intervals
Component: Local Traffic Manager
Symptoms:
Tcl monitors (FTP, IMAP, POP3, SMTP) might not fire on their scheduled intervals. If they are delayed long enough, it could trigger a false down condition even though the monitored object is up.
Conditions:
Multiple Tcl monitors are in use and several of them take too long to complete. This can be caused by monitored objects that are down and timing out, or by monitored objects that take too long to respond.
The Tcl monitor workload backs up, preventing other monitors (whose objects might be up) from firing on time.
Impact:
An object might be marked down even though it is actually up.
Workaround:
If you are encountering this, and your environment requires you to use these types of monitors, and the condition is triggering only occasionally, you may be able to increase the monitor interval and timeout settings to avoid the false down situation.
554506-1 : PMTU discovery from management does not work
Solution Article: K47835034
Component: Local Traffic Manager
Symptoms:
You encounter connectivity issues to the management interface.
Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.
Impact:
Connectivity issues to the management interface.
Workaround:
None.
553776-3 : BGP may advertise default route with bad parameters
Solution Article: K03365920
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
Dynamic routing using BGP configured, BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command: clear ip bgp <affected neighbor address>.
544958 : Monitor packets are sent even when a pool member is 'Forced Offline'.
Component: Local Traffic Manager
Symptoms:
If the same member (address and port) belongs to more than one pool and the same monitor is assigned to those pools, monitor packets continue to be sent to the member after it is marked Forced Offline.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitor packets are sent even when the pool member is 'Forced Offline'.
Workaround:
None.
536757-1 : BIG-IP VE may restart tmm if descheduled by hypervisor for extended periods
Solution Article: K40093184
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) may restart the tmm process if the guest is descheduled by the hypervisor for 10 seconds or more. This generally happens only on oversubscribed hosts.
Conditions:
-- Resources on the hypervisor are overprovisioned, with no CPU reservation for the BIG-IP system.
-- Enough other work runs on the host that the BIG-IP system is not scheduled for 10 seconds.
Impact:
The tmm potentially restarts due to an ABORT signal. This does not always happen, depending upon what happens to run first (tmm or sod) when the BIG-IP system gets a chance to run. Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Reserve enough CPU to guarantee that tmm can touch its watchdog within 10 seconds.
-- Do not run so many workloads on the hypervisor host that the BIG-IP system is denied sufficient CPU cycles.
507566 : GUI cannot edit large external datagroup file
Solution Article: K16263
Component: TMOS
Symptoms:
GUI fails to successfully make edits to an external datagroup file.
Conditions:
An external data group approximately 1,488,900 bytes (depending on version) or larger is loaded, and edits are attempted via the GUI.
Impact:
The datagroup file is not updated correctly, and the system posts no error messages. iRules/datagroup dependent functions might fail to behave as expected.
Workaround:
Use tmsh to edit external data group files:
tmsh edit /sys file data-group <datagroup_file_name>
497349 : Blank popups in APM Portal Access
Component: Access Policy Manager
Symptoms:
Blank popups or empty frames in APM Portal Access.
Conditions:
-- APM Portal Access.
-- Portal Access patches a locally defined function named Open.
Impact:
Blank popups or empty frames in APM Portal Access.
Workaround:
Use an iRule workaround specific to missing element.
489572 : Sync fails if file objects are created and deleted in same transaction.
Solution Article: K60934489
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
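Issues 593536 and 489572 above both end in the same recovery step: a full ConfigSync, either by temporarily enabling full load on sync or by pushing a full load that overwrites the peers. The script below wraps that procedure; it is an added example, not F5's own tooling. It assumes the standard tmsh objects 'cm device-group' (with the full-load-on-sync property), 'cm config-sync to-group' and 'cm sync-status', and that the overwrite from K13887 is the 'force-full-load-push' option of 'cm config-sync'. The 'tmsh show cm sync-status' samples embedded in it are constructed, not captured.

```shell
#!/bin/sh
# Force a full ConfigSync for a device group and confirm the result.
# Added example for issues 593536 and 489572; not F5-supplied tooling.
# Set DRY_RUN=1 to print the tmsh commands instead of running them.

# Constructed samples of `tmsh show cm sync-status` output (not captured
# from a real system), used to exercise the parser offline.
SAMPLE_IN_SYNC='--------------------------------------------------------------------------
CM::Sync Status
--------------------------------------------------------------------------
Color           green
Status          In Sync
Mode            high-availability
Summary         All devices in the group are in sync
Details
        /Common/dg-failover (In Sync): All devices in the group are in sync'

SAMPLE_PENDING='--------------------------------------------------------------------------
CM::Sync Status
--------------------------------------------------------------------------
Color           yellow
Status          Changes Pending
Mode            high-availability
Summary         There is a possible change conflict between bigip2 and bigip1.
Details
        /Common/dg-failover (Changes Pending): Recommended action: ...'

# Runs tmsh with the given arguments, or prints the command under DRY_RUN.
tmsh_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'tmsh %s\n' "$*"; else tmsh "$@"; fi
}

# Returns 0 when the Status line of the sync-status text in $1 is "In Sync".
sync_status_in_sync() {
    printf '%s\n' "$1" | grep -q '^Status[[:space:]][[:space:]]*In Sync$'
}

# Polls the live sync status until it reads In Sync or the attempt limit
# ($1, default 12 attempts at 5-second intervals) is reached.
# Returns 0 on In Sync, 1 on timeout. Never reached under DRY_RUN.
wait_in_sync() {
    attempts=${1:-12}
    while [ "$attempts" -gt 0 ]; do
        if sync_status_in_sync "$(tmsh show cm sync-status)"; then return 0; fi
        attempts=$((attempts - 1))
        sleep 5
    done
    return 1
}

# 593536 workaround: enable full load for one sync of device group $1,
# then re-enable incremental sync only once the group reports In Sync.
# Run this on the device whose configuration you want to push.
full_sync() {
    dg=$1
    tmsh_cmd modify cm device-group "$dg" full-load-on-sync true
    tmsh_cmd run cm config-sync to-group "$dg"
    if [ -z "${DRY_RUN:-}" ] && ! wait_in_sync; then
        echo "group $dg is not In Sync; leaving full-load-on-sync enabled" >&2
        return 1
    fi
    tmsh_cmd modify cm device-group "$dg" full-load-on-sync false
}

# 489572 recovery: a full sync that overwrites the peers' configuration
# with this device's configuration (assumed to be the K13887 procedure).
force_full_push() {
    tmsh_cmd run cm config-sync force-full-load-push to-group "$1"
}
```

Both functions push the local configuration to the group, so run them only on the device that holds the configuration you want to keep; run on the wrong unit, a full sync overwrites the good copy. Under DRY_RUN the poll is skipped and the three commands of full_sync are printed in order.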
488314 : SSL connections reset after failover.
Component: Local Traffic Manager
Symptoms:
Connection stalls and/or connection is reset due to handshake timeout.
Conditions:
-- Mirroring enabled on SSL virtual server.
-- Failover occurs during SSL handshake (i.e., negotiation/renegotiation).
Impact:
SSL connections might stall or be reset on failover.
Workaround:
None.
486997-4 : The vCMP guest lost watchdog heartbeat, and the host restarted it.
Component: TMOS
Symptoms:
The guest on one slot stops servicing its watchdog for 30 seconds, and vcmpd on the host restarts the guest. The host logs messages such as:
-- 01510014:1: vCMP guest 'guestname' heartbeat timeout at the halfway mark.
-- 01510013:1: vCMP guest mn2-jga1-smp-lb lost heartbeat.
In a multi-slot guest, /var/log/ltm on the other, unaffected slots can report 'clusterd FAILED' and show evidence of the faulty slot going down.
Conditions:
The conditions under which this occurs are unknown. This is a rarely encountered issue.
Impact:
Guest restart on one slot.
Workaround:
This issue has no workaround at this time.
To assist in capturing potential missed messages from the guest serial console, beginning in version 12.0.0, you can enable the db variables vcmp.guest.console and vcmp.guest.console.logging to log the output to a host-side file. To activate the logging, the guest must be re-deployed.
484060 : Failed to add/delete session entry (ERR_NOT_FOUND)
Component: Access Policy Manager
Symptoms:
You see the following log entries in /var/log/ltm:
err tmm[10575]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)
Clients may report a 'session already in progress' warning when they try to go to one protected resource and then another without logging in first.
Conditions:
-- APM configured, access policy in use
-- Client reaches the logon page but does not log in
Impact:
Log message is logged to /var/log/ltm. It can be safely ignored.
470203 : Setting a remote syslog destination to a localhost address results in recursive log messages.
Solution Article: K16133
Component: TMOS
Symptoms:
Setting a remote syslog destination to a localhost address results in recursive log messages.
Conditions:
Using 127.0.0.1 or a hostname resolving to it as a host for syslog's remote-server.
Impact:
Using a localhost address as a remote syslog destination results in continual log entries until the BIG-IP system runs out of disk space.
Workaround:
Use a non-local remote host for syslog's remote-server.
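The loop above starts with one misconfigured remote-server entry, so the useful control is a check before the entry is created and an audit of what is already configured. The script below is an added example, not F5-supplied tooling; it assumes the tmsh syntax 'modify sys syslog remote-servers add { <name> { host <host> remote-port <port> } }' and the block layout of 'tmsh list sys syslog remote-servers' shown in the constructed sample it embeds. The check matches literal loopback addresses and names only; a hostname that resolves to 127.0.0.1 through DNS or /etc/hosts is not caught by it.

```shell
#!/bin/sh
# Keep loopback addresses out of the remote syslog configuration
# (issue 470203). Added example, not F5-supplied tooling.
# Set DRY_RUN=1 to print the tmsh command instead of executing it.

# Constructed sample of `tmsh list sys syslog remote-servers` output
# (not captured from a real system).
SAMPLE_SYSLOG_CONFIG='sys syslog {
    remote-servers {
        siem {
            host 10.0.0.5
            remote-port 514
        }
        bad-loop {
            host 127.0.0.1
            remote-port 514
        }
    }
}'

# Runs tmsh with the given arguments, or prints the command under DRY_RUN.
tmsh_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'tmsh %s\n' "$*"; else tmsh "$@"; fi
}

# Returns 0 when $1 is a literal loopback/localhost destination, 1 otherwise.
# Hostnames are not resolved, so a name that maps to 127.0.0.1 passes.
is_loopback_host() {
    case "$1" in
        127.*|::1|localhost|localhost.localdomain) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads tmsh syslog configuration text on stdin and prints the name of
# every remote-server whose host is a loopback address, one per line.
find_loopback_remote_servers() {
    awk '
        function is_loop(h) {
            return h ~ /^127\./ || h == "::1" || h == "localhost" || h == "localhost.localdomain"
        }
        /^[ \t]*remote-servers[ \t]*\{/ { in_rs = 1; depth = 1; next }
        !in_rs { next }
        /\{[ \t]*$/ { depth++; name = $1; next }          # start of a server block
        /^[ \t]*\}/ { depth--; if (depth == 0) in_rs = 0; next }
        /^[ \t]*host[ \t]+/ { if (is_loop($2)) print name }
    '
}

# Adds a remote syslog server (name, host, optional port, default 514)
# but refuses a loopback destination: returns 1 and changes nothing.
add_remote_syslog() {
    name=$1; host=$2; port=${3:-514}
    if is_loopback_host "$host"; then
        echo "refusing to add $name: $host is a loopback address (issue 470203)" >&2
        return 1
    fi
    tmsh_cmd modify sys syslog remote-servers add '{' "$name" '{' host "$host" remote-port "$port" '}' '}'
}

# On a BIG-IP, audit the live configuration with:
#   tmsh list sys syslog remote-servers | find_loopback_remote_servers
```

The audit is the part worth running on existing systems: a loopback entry that already exists keeps writing to disk until it is removed, so check before the partition fills rather than after.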
467043 : Modifying the sshd configuration generates error messages while sshd is not running
Solution Article: K03042515
Component: TMOS
Symptoms:
Modifying banner and banner-text while the sshd service is disabled results in an error.
Conditions:
This occurs when modifying banner and banner-text while sshd service is disabled.
Impact:
The system posts an error.
Workaround:
Either put 'login enabled' before the banner change in a single command, or perform the operations as separate commands:
-- tmsh modify sys sshd login enabled banner disabled banner-text none
-- tmsh modify sys sshd login enabled
-- tmsh modify sys sshd banner disabled banner-text none
442489 : Licensed SSL and compression limits totals are not shown
Component: TMOS
Symptoms:
Licensed SSL and compression limits totals are not shown.
Conditions:
Any multi-core system with SSL and/or compression licensed.
Impact:
Might result in confusion or assumption of different limits than actually exist. This is a cosmetic issue and does not affect system functionality.
Workaround:
None.
440210 : NetHSM vendor config does not sync between high availability (HA) peers
Component: Local Traffic Manager
Symptoms:
When configuring devices with NetHSM as a high availability (HA) pair, the NetHSM vendor config does not sync between the peers.
Conditions:
BIG-IP high availability (HA) is used with NetHSM.
Impact:
You will need to manually configure the standby BIG-IP for netHSM vendor configuration.
Workaround:
Add the NetHSM vendor configuration to each peer manually during installation.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/