Original Publication Date: 12/17/2024
Updated Date: 03/27/2026
BIG-IP Release Information
Version: 15.1.10.6
Build: 6.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see
Bug Tracker
.
| The blue background highlights fixes |
Cumulative fixes from BIG-IP v15.1.10.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.10.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.10.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.10.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.10.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.10 that are included in this release
Cumulative fixes from BIG-IP v15.1.9.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.9 that are included in this release
Cumulative fixes from BIG-IP v15.1.8.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.8.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.8 that are included in this release
Cumulative fixes from BIG-IP v15.1.7 that are included in this release
Cumulative fixes from BIG-IP v15.1.6.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.6 that are included in this release
Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1702565-1 | 2-Critical | tmsh configuration save improvements | 15.1.10.6 | |
| 1689953-1 | 2-Critical | tmsh configuration save improvements | 15.1.10.6 | |
| 1689781-3 | 3-Major | TMUI hardening | 17.1.2, 15.1.10.6 |
Cumulative fixes from BIG-IP v15.1.10.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1593681-3 | CVE-2024-45844 | K000140061 , BT1593681 | Monitor validation improvements | 17.1.1.4, 16.1.5, 15.1.10.5 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1378329-3 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 17.1.1.4, 16.1.5, 15.1.10.5 |
| 1615861-3 | 3-Major | TMUI hardening | 17.1.1.4, 16.1.5.1, 15.1.10.5 |
Cumulative fixes from BIG-IP v15.1.10.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1495217-1 | CVE-2024-31156 | K000138636 , BT1495217 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
| 1492361-3 | CVE-2024-33604 | K000138894 , BT1492361 | TMUI Security Hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
| 1449709-4 | CVE-2024-28889 | K000138912 , BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
| 1366025-3 | CVE-2023-44487 | K000137106 , BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
| 1360917-3 | CVE-2024-27202 | K000138520 , BT1360917 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1494833-4 | 2-Critical | K000138898 , BT1494833 | A single signature does not match when exceeding 65535 states | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v15.1.10.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1117229-2 | CVE-2022-26377 | K26314875 , BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
| 1391357-2 | CVE-2023-43125 | K000136909 , BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
| 1381357-3 | CVE-2023-46748 | K000137365 , BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
| 1304957-5 | CVE-2023-5450 | K000135040 , BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
| 1240121-2 | CVE-2022-36760 | K000132643 , BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1354253-3 | 3-Major | K000137322 , BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1316277 | 3-Major | K000137796 , BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1355117-1 | 2-Critical | K000137374 , BT1355117 | TMM core due to extensive memory usage ★ | 17.1.1, 16.1.5, 15.1.10.3 |
Cumulative fixes from BIG-IP v15.1.10.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1324745-3 | CVE-2023-41373 | K000135689 , BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v15.1.10.1 that are included in this release
Functional Change Fixes
None
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1194077-1 | 1-Blocking | BT1194077 | The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000 | 17.1.1 |
Cumulative fixes from BIG-IP v15.1.10 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 981917-2 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
| 1314301-3 | CVE-2024-23805 | K000137334 , BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
| 1289189-2 | CVE-2024-24775 | K000137333 , BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
| 1238629-3 | CVE-2024-21763 | K000137521 , BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
| 1223369-4 | CVE-2024-23982 | K000135946 , BT1223369 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
| 1075657-2 | CVE-2020-12825 | K01074825 , BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
| 1061977-2 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390 , BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
| 1295017-1 | CVE-2024-41164 | K000138477 , BT1295017 | TMM crash when using MPTCP | 17.1.1, 16.1.5, 15.1.10 |
| 1238321-3 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
| 1235813-10 | CVE-2023-0215 | K000132946 , BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
| 1235801-3 | CVE-2023-0286 | K000132941 , BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
| 1214069-1 | CVE-2024-32761 | K000139217 , BT1214069 | Potential data leak inside Ethernet padding field on rseries/VELOS architecture products | 17.1.0, 15.1.10 |
| 1296489-4 | CVE-2024-23603 | K000138047 , BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 883597-1 | 3-Major | BT883597 | Add a way to look up URLs in one specified custom category | 16.0.0, 15.1.10 |
| 1211513-1 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.1.1, 16.1.4, 15.1.10 |
| 1069441-1 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.1.1, 16.1.5, 15.1.10 |
| 792813-1 | 4-Minor | BT792813 | The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet information is not received | 16.0.0, 15.1.10 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 993481-3 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
| 808277-6 | 2-Critical | BT808277 | Root's crontab file may become empty | 16.0.0, 15.1.10 |
| 776117-2 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.1.1, 16.1.5, 15.1.10 |
| 723109-1 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
| 1256841-2 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
| 1232997 | 2-Critical | BT1232997 | IPSEC: The tmm process may exit with 'Invalid policy remote index' | 16.1.4, 15.1.10 |
| 1155297-2 | 2-Critical | XAL debug register additions | 15.1.10 | |
| 1105901-3 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
| 1075677-3 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
| 997561-3 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.1.1, 16.1.5, 15.1.10 |
| 995097-3 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | 17.0.0, 16.1.4, 15.1.10 |
| 992813-2 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | 17.0.0, 16.1.4, 15.1.10 |
| 989501-1 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
| 969737-1 | 3-Major | BT969737 | Snmp requests not answered if V2 traps are configured | 16.1.0, 15.1.10 |
| 964125-2 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
| 958833-1 | 3-Major | BT958833 | After mgmt ip change via GUI, brower is not redirected to new address | 16.1.0, 15.1.10, 14.1.5.1 |
| 955953-2 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' | 17.0.0, 16.1.5, 15.1.10 |
| 950153-2 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.1.1, 16.1.5, 15.1.10 |
| 933329-2 | 3-Major | BT933329 | The process plane statistics do not accurately label some processes | 16.1.0, 15.1.10 |
| 930393-3 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0, 16.1.4, 15.1.10 |
| 906273-2 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
| 878433-1 | 3-Major | BT878433 | Updated daemon may crash at shutdown | 16.1.0, 15.1.10 |
| 873013-5 | 3-Major | BT873013 | Alertd could leak memory if nokia alarm is enabled and nokiasnmpd is not running | 16.0.0, 15.1.10 |
| 807957-5 | 3-Major | BT807957 | Link Up status should clear Link Down in Nokia Alarm database | 16.1.0, 15.1.10 |
| 804529 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
| 760739-2 | 3-Major | BT760739 | The Nokia alert configuration is not correct for all clearing events | 16.1.0, 15.1.10 |
| 715748-6 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.1.1, 16.1.5, 15.1.10 |
| 1304497 | 3-Major | BT1304497 | SIGSEGV core during HUDEVT_EXPIRED | 15.1.10 |
| 1293193-1 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.1.1, 16.1.5, 15.1.10 |
| 1288729-1 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module | 17.1.1, 15.1.10 |
| 1287981-1 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit | 17.1.1, 15.1.10 |
| 1287821-1 | 3-Major | BT1287821 | Missing Neuron/TCAM rules | 17.1.1, 15.1.10 |
| 1253649 | 3-Major | BT1253649 | RPM error log in liveinstall.log and TMM error with failed to load/open library during upgrade ★ | 15.1.10 |
| 1215613-1 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address | 17.1.1, 15.1.10 |
| 1183901-4 | 3-Major | BT1183901 | VLAN name greater than 31 characters results in invalid F5OS tenant configuration | 17.1.1, 15.1.10 |
| 1154381-3 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.1.1, 16.1.5, 15.1.10 |
| 1136921-3 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
| 1134509-3 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.1.1, 16.1.5, 15.1.10 |
| 1121517-3 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 | 16.1.4, 15.1.10 |
| 1112537-3 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
| 1111993-1 | 3-Major | BT1111993 | HSB tool utility does not display PHY settings for HiGig interfaces | 17.1.0, 16.1.5, 15.1.10 |
| 1106489-3 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 16.1.4, 15.1.10 |
| 1102425-2 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary | 17.1.1, 15.1.10 |
| 1100321-1 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0, 16.1.4, 15.1.10 |
| 1100125-1 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0, 16.1.4, 15.1.10 |
| 1081641 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0, 16.1.4, 15.1.10 |
| 1077533 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot ★ | 17.1.1, 16.1.4, 15.1.10 |
| 1044089-1 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
| 1042589-2 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. | 17.0.0, 16.1.5, 15.1.10 |
| 1040573-2 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 17.1.1, 16.1.5, 15.1.10 |
| 1040117-1 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.1.1, 16.1.5, 15.1.10 |
| 1020129-1 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error ★ | 17.1.1, 16.1.5, 15.1.10 |
| 964533-3 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
| 939757-4 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
| 889813-2 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
| 838405-3 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
| 819429-5 | 4-Minor | BT819429 | Unable to scp to device after upgrade: path not allowed | 16.0.0, 15.1.10 |
| 818297-3 | 4-Minor | BT818297 | OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure | 16.0.0, 15.1.10 |
| 817989-1 | 4-Minor | BT817989 | Cannot change managemnet IP from GUI | 16.1.0, 15.1.10 |
| 1280281-2 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.1.1, 16.1.5, 15.1.10 |
| 1185257-3 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
| 1136837-3 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.1.1, 16.1.5, 15.1.10 |
| 1064753-3 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. | 16.1.5, 15.1.10 |
| 1058229-2 | 4-Minor | CVE-2019-17546 - heap-based buffer overflow via a crafted RGBA image | 15.1.10 | |
| 1050413-3 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml | 17.0.0, 15.1.10 |
| 1044893-3 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.1.1, 16.1.5, 15.1.10 |
| 1041765-1 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 17.0.0, 16.1.2.1, 15.1.10 |
| 1003081-2 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.1.1, 16.1.5, 15.1.10 |
| 965457-4 | 5-Cosmetic | BT965457 | OSPF duplicate router detection might report false positives | 16.1.0, 15.1.10 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1305865 | 1-Blocking | BT1305865 | Drop in performance with high throughput on BIG-IP 15.1.9 Virtual Edition or tenants on r2000 or r4000 hosts. | 15.1.10 |
| 935193-1 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout ( SLO ) fails | 17.0.0, 16.1.4, 15.1.10 |
| 858453-2 | 2-Critical | BT858453 | TMM may crash with forward proxy enabled when SessionDB looks for a null profile | 16.0.0, 15.1.10 |
| 474797-8 | 2-Critical | BT474797 | Nitrox crypto hardware may attempt soft reset while currently resetting | 16.0.0, 15.1.10, 12.1.5, 11.6.2, 11.5.7 |
| 1291993-1 | 2-Critical | BT1291993 | When using http2-to-http-gateway, tmm can crash in very rare circumstances | 15.1.10 |
| 1282357 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
| 1100721-3 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND | 17.1.1, 15.1.10 |
| 1072377-1 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes | 17.1.0, 16.1.5, 15.1.10 |
| 996649-4 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.1.1, 16.1.5, 15.1.10 |
| 994269-2 | 3-Major | BT994269 | Message 'double flow removal' is logged in LTM log file | 16.1.0, 15.1.10 |
| 985925-1 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
| 980617-3 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 17.0.0, 16.1.1, 15.1.10 |
| 976433-2 | 3-Major | BT976433 | Use of OCSP responder may leak X509 store instances | 16.1.0, 15.1.10 |
| 921541-3 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
| 876569-3 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
| 851121-2 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
| 842425-1 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
| 774817-1 | 3-Major | BT774817 | ICMP packets are intermittently forwarded out of both VLAN group members | 16.0.0, 15.1.10 |
| 709952-4 | 3-Major | BT709952 | Disallow DHCP relay traffic to traverse between route domains | 16.0.0, 15.1.10, 13.1.1.5 |
| 582666-1 | 3-Major | BT582666 | TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0" | 16.0.0, 15.1.10 |
| 1292793-1 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
| 1291565-1 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
| 1284261-2 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.1.1, 16.1.5, 15.1.10 |
| 1269733-4 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
| 1238413-2 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
| 1229369-1 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
| 1126841-2 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
| 1117609-3 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
| 1112385-2 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.1.1, 16.1.5, 15.1.10 |
| 1088597-3 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.1.1, 16.1.5, 15.1.10 |
| 1059573-3 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. | 17.0.0, 16.1.5, 15.1.10 |
| 1037257 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check | 17.1.1, 15.1.10 |
| 1017841 | 3-Major | BT1017841 | High tmm memory use when transferring large documents to slow clients | 15.1.10 |
| 929429-2 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.1.1, 16.1.5, 15.1.10 |
| 1289549-2 | 4-Minor | BT1289549 | TCP RST internal error in tcpproxy bad transition during SSL connection closure. | 15.1.10 |
| 1281709-2 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
| 1269773-4 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.1.1, 16.1.5, 15.1.10 |
| 1253481-2 | 4-Minor | BT1253481 | Traffic loss observed after reconfiguring Virtual Networks | 17.1.1, 15.1.10 |
| 1252405 | 4-Minor | BT1252405 | HTTP Invalid action:0x10a090 serverside | 15.1.10 |
| 1251033-2 | 4-Minor | BT1251033 | HA is not established between Active and Standby devices when the vwire configuration is added | 17.1.1, 15.1.10 |
| 1240937-2 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
| 1137717-3 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
| 1133557-3 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
| 979213-2 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.1.1, 16.1.5, 15.1.10 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1211341-3 | 1-Blocking | BT1211341 | Failed to delete custom monitor after dissociating from virtual server | 17.1.0, 16.1.4, 15.1.10 |
| 958325-1 | 3-Major | BT958325 | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB | 16.1.0, 15.1.10 |
| 935945-1 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0, 16.1.4, 15.1.10 |
| 894081-2 | 3-Major | BT894081 | The Wide IP members view in the WebUI may report the incorrect status for a virtual server. | 16.0.0, 15.1.10 |
| 1250077-3 | 3-Major | BT1250077 | TMM memory leak | 17.1.1, 15.1.10 |
| 1230709 | 3-Major | BT1230709 | Remove unnecessary logging with nsec3_add_nonexist_proof | 16.1.4, 15.1.10 |
| 1200929-1 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0, 16.1.4, 15.1.10 |
| 1162221-4 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough | 15.1.10 |
| 1137569-2 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 17.1.2, 16.1.5, 15.1.10 |
| 1103477-1 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests | 17.1.1, 15.1.10 |
| 1073677-4 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0, 16.1.4, 15.1.10 |
| 1225941-1 | 5-Cosmetic | BT1225941 | OLH Default Values on Notification and Early Retransmit Settings | 15.1.10 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 880917-1 | 2-Critical | BT880917 | A BD memory leak | 16.0.0, 15.1.10 |
| 1282281-2 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.1.1, 16.1.5, 15.1.10 |
| 895013-2 | 3-Major | BT895013 | Learning of login pages does not work | 16.1.0, 16.0.0, 15.1.10 |
| 890169-2 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
| 875909-1 | 3-Major | BT875909 | Added internal parameter to address Chrome samesite default change | 16.0.0, 15.1.10 |
| 835029-1 | 3-Major | BT835029 | The liveupdate.log file is not gzipped | 16.0.0, 15.1.10 |
| 1302925 | 3-Major | BT1302925 | Failed to load detected bots list , when you clicked on Bot Category | 15.1.10 |
| 1302689-1 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.1.1, 16.1.5, 15.1.10 |
| 1301197-4 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.1.1, 16.1.5, 15.1.10 |
| 1295009-4 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.1.1, 16.1.5, 15.1.10 |
| 1292685-1 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.1.1, 16.1.5, 15.1.10 |
| 1286101-4 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
| 1229813-3 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.1.1, 16.1.5, 15.1.10 |
| 1207793-4 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.1.1, 16.1.5, 15.1.10 |
| 1190365-4 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
| 1184841-3 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
| 1173493-1 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
| 1117245-3 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
| 1095041-3 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0, 16.1.4, 15.1.10 |
| 1085661-3 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
| 1059513-4 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
| 1029989-2 | 3-Major | BT1029989 | CORS : default port of origin header is set 80, even when the protocol in the header is https | 16.1.4, 15.1.10 |
| 1023889-2 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
| 942617-3 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
| 1113753-3 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
| 1099765-4 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
| 1084857-3 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
| 1083513-2 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
| 1011045-1 | 5-Cosmetic | BT1011045 | GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode. | 16.1.0, 15.1.10 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1146341-3 | 1-Blocking | BT1146341 | TMM crashes while processing traffic on virtual server | 17.1.0, 16.1.5, 15.1.10 |
| 756540-1 | 2-Critical | BT756540 | End-user may not be able to connect to VPN. | 16.0.0, 15.1.10 |
| 1272537 | 2-Critical | BT1272537 | TMM high memory due to ping_access_agent | 15.1.10 |
| 1104517 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.1.1, 16.1.5, 15.1.10 |
| 1078829-2 | 2-Critical | BT1078829 | Login as current user fails in VMware | 17.0.0, 16.1.4, 15.1.10 |
| 1063261-1 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. | 17.0.0, 16.1.5, 15.1.10 |
| 949105-2 | 3-Major | BT949105 | Error log seen on Category Lookup SNI requests for same connection | 16.1.0, 15.1.10 |
| 848673-1 | 3-Major | BT848673 | Messages that originate from split tunneled frame have incorrect Portal Access message event origin. | 16.0.0, 15.1.10 |
| 1268521-2 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned. | 17.1.1, 16.1.4, 15.1.10 |
| 1251157 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.1.1, 16.1.5, 15.1.10 |
| 1208949-3 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
| 1207821-4 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.1.1, 16.1.5, 15.1.10 |
| 1180365-1 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
| 1124109-1 | 3-Major | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0, 16.1.4, 15.1.10 | |
| 1071485-1 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. | 17.0.0, 16.1.3.1, 15.1.10 |
| 1070029 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
| 1046401-1 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
| 1044457-2 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.1.1, 16.1.5, 15.1.10 |
| 1039941-2 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
| 1022493-2 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) | 17.0.0, 16.1.3.1, 15.1.10 |
| 1013729-3 | 3-Major | BT1013729 | Changing User login password using VMware View Horizon client results in “HTTP error 500” | 17.0.0, 16.1.4, 15.1.10 |
| 1252005-2 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
| 1224409-2 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
| 1142389-1 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.1.1, 16.1.5, 15.1.10 |
| 1040829-3 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
| 427094-2 | 5-Cosmetic | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.1.1, 16.1.5, 15.1.10 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 839389-3 | 2-Critical | BT839389 | TMM can crash when connecting to IVS under extreme overload | 16.0.0, 15.1.10 |
| 1269889-2 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
| 1291149-2 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
| 1287313-1 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
| 1251013-3 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.1.1, 16.1.5, 15.1.10 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 965897-2 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.1.1, 16.1.5, 15.1.10 |
| 1080957 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW | 17.1.1, 15.1.10 |
| 1060833-1 | 2-Critical | BT1060833 | After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash. | 17.0.0, 15.1.10 |
| 1040685-3 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) | 17.0.0, 16.1.4, 15.1.10 |
| 998701-2 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. | 17.1.1, 15.1.10 |
| 955773-1 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 | 17.1.2, 15.1.10 |
| 918905-2 | 3-Major | BT918905 | PCCD restart loop when using more than 256 FQDN entries in Firewall Rules | 16.1.0, 15.1.10 |
| 863285-1 | 3-Major | BT863285 | Incorrect value (icmpv6) is used when Rule List/Rule/Protocol is set to ICMPv6 via GUI. ★ | 16.0.0, 15.1.10 |
| 844597-4 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.1.1, 16.1.5, 15.1.10 |
| 594600-1 | 3-Major | BT594600 | No validation when delete iRule that is assigned to ACL policy | 16.0.0, 15.1.10 |
| 1307697 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud | 17.1.1, 15.1.10 |
| 1199025-1 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI | 17.1.1, 15.1.10 |
| 1196053-2 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.1.1, 16.1.5, 15.1.10 |
| 1101653-1 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types | 17.1.1, 15.1.10 |
| 1057061-1 | 3-Major | BT1057061 | BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields. | 17.0.0, 15.1.10 |
| 1042153-1 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.1.1, 17.0.0, 16.1.5, 15.1.10 |
| 1251105-3 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function | 15.1.10 |
| 1211021-3 | 4-Minor | BT1211021 | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0, 16.1.4, 15.1.10 |
| 1069265-1 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1302677-1 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.1.1, 16.1.5, 15.1.10 |
| 1259489-1 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
| 1238249-4 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
| 1190353-2 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
| 1093357-1 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
| 1020041-2 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 751719-2 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly | 17.1.0, 15.1.10 |
| 1096317-3 | 3-Major | BT1096317 | SIP msg alg zombie flows | 17.1.1, 15.1.10 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 954001-5 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
| 1049237 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1004697-2 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 17.1.2, 16.1.4, 15.1.10 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1122205 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1211985-3 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 922737-4 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0, 16.1.4, 15.1.10 |
| 1104037-3 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0, 16.1.4, 15.1.10 |
| 873545-2 | 3-Major | BT873545 | SSL Orchestrator Configuration GUI freezes after management IP change. | 15.1.10, 14.1.4.5 |
| 1303185-2 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.1.1, 16.1.5, 15.1.10 |
| 1289365-3 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode ★ | 17.1.1, 16.1.4, 15.1.10 |
F5OS Messaging Agent Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1295113 | 3-Major | BT1295113 | LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00 | 15.1.10 |
| 1289997-1 | 3-Major | BT1289997 | Tenant clustering fails when adding a lower number slot to Tenant | 17.1.1, 15.1.10 |
Cumulative fixes from BIG-IP v15.1.9.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1285173-4 | CVE-2023-38138 | K000133474 , BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
| 1265425-3 | CVE-2023-38423 | K000134535 , BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
| 1185421-3 | CVE-2023-38419 | K000133472 , BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v15.1.9 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1167897-5 | CVE-2022-40674 | K44454157 , BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
| 1122441-3 | CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 | K19473898 , BT1122441 | Upgrading the libexpat library | 17.1.0, 16.1.4, 15.1.9 |
| 949857-5 | CVE-2024-22389 | K32544615 , BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
| 884541-7 | CVE-2023-40537 | K29141800 , BT884541 | Improper handling of cookies on VIPRION platforms | 17.1.0, 16.1.4, 15.1.9 |
| 1271349-2 | CVE-2023-25690 | K000133098 , BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
| 1220629-4 | CVE-2024-23314 | K000137675 , BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
| 1208529-3 | CVE-2023-41085 | K000132420 , BT1208529 | TMM crash when handling IPSEC traffic | 17.1.0, 16.1.4, 15.1.9 |
| 1195489-3 | CVE-2024-22093 | K000137522 , BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
| 1189465-4 | CVE-2023-24461 | K000132539 , BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
| 1183453-2 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0, 16.1.4, 15.1.9 |
| 1167929-3 | CVE-2022-40674 | K44454157 , BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
| 1161733-3 | CVE-2023-40542 | K000134652 , BT1161733 | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0, 16.1.4, 15.1.9 |
| 1153969-3 | CVE-2024-23979 | K000134516 , BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
| 1133013-2 | CVE-2023-43746 | K41072952 , BT1133013 | Appliance mode hardening | 17.1.0, 16.1.4, 15.1.9 |
| 1111097-4 | CVE-2022-1271 | K000130546 , BT1111097 | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0, 16.1.4, 15.1.9 |
| 1102881-3 | CVE-2021-25217 | K08832573 , BT1102881 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0, 16.1.4, 15.1.9 |
| 1098829-5 | CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 | K19473898 , BT1098829 | Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 | 17.1.0, 16.1.4, 15.1.9 |
| 1093253-5 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0, 16.1.4, 15.1.9 |
| 1091601-6 | CVE-2022-23218, CVE-2022-23219 | K52308021 , BT1091601 | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0, 16.1.4, 15.1.9 |
| 1075733-2 | CVE-2018-14348 | K26890535 , BT1075733 | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0, 16.1.4, 15.1.9 |
| 1070753-3 |
CVE-2020-27216
CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065 , BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
| 1043821-2 | CVE-2023-42768 | K26910459 , BT1043821 | Inconsistent user role handling across configuration UIs | 17.1.0, 16.1.4, 15.1.9 |
| 989373-3 | CVE-2020-14314 | K67830124 , BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 17.1.2, 16.1.5, 15.1.9 |
| 972545-2 | CVE-2024-23976 | K91054692 , BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
| 966541-3 | CVE-2023-43485 | K06110200 , BT966541 | Improper data logged in plaintext | 17.1.0, 16.1.4, 15.1.9 |
| 950605-4 | CVE-2020-14145 | K48050136 , BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 17.1.0, 16.1.4, 15.1.9 |
| 905937-4 | CVE-2023-41253 | K98334513 , BT905937 | TSIG key value logged in plaintext in log | 17.1.0, 16.1.4, 15.1.9 |
| 785197-3 | CVE-2019-9075 | K42059040 , BT785197 | binutils vulnerability CVE-2019-9075 | 17.1.0, 16.1.4, 15.1.9 |
| 651029-9 | CVE-2023-45219 | K20307245 , BT651029 | Sensitive information exposed during incremental sync | 17.1.0, 16.1.4, 15.1.9 |
| 601271-10 | CVE-2016-0723 | K43650115 | CVE-2016-0723: TTY use-after-free race | 15.1.9 |
| 1189457-4 | CVE-2023-22372 | K000132522 , BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
| 1123537-5 | CVE-2022-28615 | K40582331 , BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
| 1121965-4 | CVE-2022-28614 | K58003591 , BT1121965 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0, 16.1.4, 15.1.9 |
| 1099341-3 | CVE-2018-25032 | K21548854 , BT1099341 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
| 1089921-5 | CVE-2022-0359 | K08827426 , BT1089921 | Vim vulnerability CVE-2022-0359 | 17.1.0, 16.1.4, 15.1.9 |
| 1089233-3 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.9 |
| 1088445-5 | CVE-2022-22720 | K67090077 , BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
| 1070905-3 | CVE-2017-7656 | K21054458 , BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
| 1041577-3 | CVE-2024-21782 | K98606833 , BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
| 1026873-5 | CVE-2020-27618 | K08641512 , BT1026873 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 17.1.2, 16.1.5, 15.1.9 |
| 1021245-2 | CVE-2019-20907 | K78284681 , BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0, 16.1.4, 15.1.9 |
| 1018997-3 | CVE-2023-41964 | K20850144 , BT1018997 | Improper logging of sensitive DB variables | 17.1.0, 16.1.4, 15.1.9 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1144373-3 | 3-Major | BT1144373 | BIG-IP SFTP hardening | 17.1.0, 16.1.4, 15.1.9 |
| 1040609-3 | 3-Major | K21800102 , BT1040609 | RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. | 17.1.0, 16.1.4, 15.1.9 |
| 1025497-2 | 4-Minor | BT1025497 | BIG-IP may accept and forward invalid DNS responses | 17.1.0, 16.1.4, 15.1.9 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1209561-2 | 1-Blocking | BT1209561 | License is not operational after reboot and an error is logged in /var/log/ltm | 17.1.0, 15.1.9 |
| 1173441-2 | 1-Blocking | BT1173441 | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0, 16.1.4, 15.1.9 |
| 1116845-1 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0, 16.1.4, 15.1.9 |
| 995849-2 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c | 17.0.0, 16.1.4, 15.1.9 |
| 994033-2 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
| 950201-4 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
| 856713-3 | 2-Critical | BT856713 | IPsec crash during rekey | 16.1.0, 16.0.1.2, 15.1.9, 14.1.2.8 |
| 756830-5 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | 17.1.2, 15.1.9 |
| 1290889-3 | 2-Critical | K000134792 , BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
| 1286433-1 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances | 17.1.1, 15.1.9 |
| 1282513 | 2-Critical | BT1282513 | Redirections on the lowest numbered blade in mirroring configuration. | 17.1.1, 15.1.9 |
| 1225789-3 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
| 1209709 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
| 1191137-2 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.1.1, 16.1.5, 15.1.9 |
| 1189881 | 2-Critical | BT1189881 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading does not work on hardware | 15.1.9 |
| 1178221-2 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0, 16.1.4, 15.1.9 |
| 1136429-3 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0, 16.1.4, 15.1.9 |
| 1134301-2 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0, 16.1.4, 15.1.9 |
| 1128629-2 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0, 16.1.4, 15.1.9 |
| 1122313 | 2-Critical | BT1122313 | VXLAN tunnels fail to pass traffic after TMM restarts | 17.1.0, 15.1.9 |
| 1110893-3 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0, 16.1.4, 15.1.9 |
| 1097193-1 | 2-Critical | K000134769 , BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1, 15.1.9 |
| 1095217-3 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0, 16.1.4, 15.1.9 |
| 1082941-3 | 2-Critical | System account hardening | 17.1.0, 16.1.4, 15.1.9 | |
| 1076909-3 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0, 16.1.4, 15.1.9 |
| 1035121-3 | 2-Critical | K94850939 , BT1035121 | Configsync syncs the node's monitor status | 17.0.0, 16.1.4, 15.1.9 |
| 1023829 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | 17.0.0, 16.1.4, 15.1.9 |
| 998225-4 | 3-Major | BT998225 | TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. | 17.0.0, 16.1.4, 15.1.9 |
| 987301-1 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' | 17.0.0, 16.1.4, 15.1.9 |
| 966949-2 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0, 16.1.4, 15.1.9 |
| 936093-2 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
| 925797-2 | 3-Major | BT925797 | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pool members | 16.1.0, 15.1.9 |
| 925469-1 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0, 16.1.4, 15.1.9 |
| 921149-1 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0, 16.1.4, 15.1.9 |
| 883593-1 | 3-Major | BT883593 | Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low | 16.0.0, 15.1.9 |
| 879001-1 | 3-Major | BT879001 | LDAP data is not updated consistently which might affect authentication. | 16.0.0, 15.1.9 |
| 853161-4 | 3-Major | BT853161 | Restjavad has different behavior for error responses if the body is over 2k | 16.0.0, 15.1.9 |
| 850997-1 | 3-Major | BT850997 | 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page | 16.0.0, 15.1.9 |
| 662301-2 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0, 16.1.4, 15.1.9 |
| 398683-4 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail | 16.1.0, 16.0.1.1, 15.1.9 |
| 1232521-1 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
| 1195177 | 3-Major | BT1195177 | TMM may crash during hardware offload on virtual-wire setup | 17.1.0, 15.1.9 |
| 1160805 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 17.1.2, 16.1.4, 15.1.9 |
| 1155861-1 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration | 17.1.1, 15.1.9 |
| 1154933-3 | 3-Major | Improper permissions handling in REST SNMP endpoint | 17.1.0, 16.1.4, 15.1.9 | |
| 1153865-3 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade ★ | 17.1.0, 16.1.4, 15.1.9 |
| 1146373 | 3-Major | BT1146373 | Basic authentication for REST admin account fails | 15.1.9 |
| 1136013-4 | 3-Major | BT1136013 | The tmrouted generates core with double free or corruption | 15.1.9 |
| 1135961-4 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.1.1, 16.1.5, 15.1.9 |
| 1134057-3 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.1.1, 16.1.5, 15.1.9 |
| 1126805-2 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0, 16.1.4, 15.1.9 |
| 1125773-2 | 3-Major | BT1125773 | TCP options are disabled while hardware SYN cookie is active | 17.1.0, 15.1.9 |
| 1125733-1 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode | 17.1.0, 16.1.5, 15.1.9 |
| 1124209-2 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
| 1123885-3 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0, 16.1.4, 15.1.9 |
| 1121085-2 | 3-Major | BT1121085 | Some valid connections may get rejected in hardware SYN cookie mode | 17.1.0, 15.1.9 |
| 1117673-1 | 3-Major | BT1117673 | Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}' ★ | 17.1.0, 15.1.9 |
| 1116813 | 3-Major | BT1116813 | Some of the valid connections may get rejected in HW SYN cookie mode | 17.1.0, 15.1.9 |
| 1113961-4 | 3-Major | K43391532 , BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0, 16.1.4, 15.1.9 |
| 1112109-3 | 3-Major | K000134769 , BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0, 16.1.4, 15.1.9 |
| 1111629-3 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0, 16.1.4, 15.1.9 |
| 1102849-2 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
| 1101453-3 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0, 16.1.4, 15.1.9 |
| 1100409-3 | 3-Major | BT1100409 | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0, 16.1.4, 15.1.9 |
| 1091725-3 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0, 16.1.4, 15.1.9 |
| 1088429-3 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0, 16.1.4, 15.1.9 |
| 1086389-3 | 3-Major | BT1086389 | BIG-IP r4k and r2k series based systems shows has_pva flag true though they cannot support | 17.1.0, 15.1.9 |
| 1084781-5 | 3-Major | Resource Admin permission modification | 17.1.0, 16.1.4, 15.1.9 | |
| 1081649-1 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0, 16.1.4, 15.1.9 |
| 1080297-2 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0, 16.1.4, 15.1.9 |
| 1077405-3 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0, 16.1.4, 15.1.9 |
| 1076377-2 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 17.0.0, 16.1.2.2, 15.1.9 |
| 1069337-3 | 3-Major | CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument | 17.1.0, 16.1.4, 15.1.9 | |
| 1063237-3 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 | 16.1.4, 15.1.9 |
| 1053557-3 | 3-Major | BT1053557 | Support for Mellanox CX-6 | 17.1.0, 16.1.4, 15.1.9 |
| 1048137-3 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures | 17.0.0, 16.1.3.1, 15.1.9 |
| 1032821-5 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl | 17.0.0, 16.1.4, 15.1.9 |
| 1022757-3 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 17.0.0, 16.1.2, 15.1.9 |
| 1001069-3 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0, 16.1.4, 15.1.9 |
| 955057-2 | 4-Minor | BT955057 | UCS archives containing a large number of DNS zone files may fail to restore. ★ | 16.1.0, 15.1.9 |
| 936501-6 | 4-Minor | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1, 15.1.9 |
| 921001-4 | 4-Minor | BT921001 | After provisioning change, pfmand might keep interfaces down on particular platforms | 16.1.0, 15.1.9 |
| 760496-1 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0, 16.1.4, 15.1.9 |
| 674026-4 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete. ★ | 17.0.0, 16.1.4, 15.1.9 |
| 1155733-2 | 4-Minor | BT1155733 | NULL bytes are clipped from the end of buffer | 17.1.0, 16.1.4, 15.1.9 |
| 1154673 | 4-Minor | BT1154673 | Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants | 17.1.0, 15.1.9 |
| 1144817-1 | 4-Minor | BT1144817 | Traffic processing interrupted by PF reset | 17.1.0, 15.1.9 |
| 1117305-1 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
| 1113889 | 4-Minor | BT1113889 | Classic BIG-IP tenant running on F5OS will not correctly pin in-tenant control plane threads correctly on first deployment | 17.1.0, 15.1.9 |
| 1106353-3 | 4-Minor | BT1106353 | [Zebos] Expand zebos/bgp commands in a qkview | 17.1.0, 16.1.4, 15.1.9 |
| 1076897-3 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0, 16.1.4, 15.1.9 |
| 1076253-3 | 4-Minor | BT1076253 | IKE library memory leak | 17.0.0, 16.1.4, 15.1.9 |
| 1062385-3 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0, 16.1.4, 15.1.9 |
| 1022417-2 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 17.0.0, 16.1.2, 15.1.9 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1112349-3 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0, 16.1.4, 15.1.9 |
| 966421-3 | 2-Critical | BT966421 | Connection stall happened when the shutdown received before all egress data | 16.1.0, 15.1.9 |
| 937649-3 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0, 16.1.4, 15.1.9 |
| 1286357-1 | 2-Critical | BT1286357 | Reducing packet loss for BIG-IP instance running on r2k / r4k appliances | 17.1.1, 15.1.9 |
| 1214073-1 | 2-Critical | BT1214073 | LACP Trunks are not created in TMM on R2800/R4800 platforms. | 17.1.0, 15.1.9 |
| 1210433-1 | 2-Critical | BT1210433 | Conversion between virtual-wire VLAN and normal VLAN | 17.1.0, 15.1.9 |
| 1209945 | 2-Critical | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs | 17.1.1, 15.1.9 |
| 1205501 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
| 1156697-2 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0, 16.1.4, 15.1.9 |
| 1154681 | 2-Critical | BT1154681 | Reconfiguration of virtual-wire VLAN in tenant | 17.1.0, 15.1.9 |
| 1146377-3 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
| 1132405-1 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr | 17.1.0, 16.1.4, 15.1.9 |
| 1124865-1 | 2-Critical | BT1124865 | Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart | 15.1.9 |
| 1110813-2 | 2-Critical | BT1110813 | Improve MPTCP retransmission handling while aborting | 17.1.0, 16.1.4, 15.1.9 |
| 1110205-1 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1, 15.1.9 |
| 1099545-3 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0, 16.1.4, 15.1.9 |
| 1075073-1 | 2-Critical | BT1075073 | TMM Crash observed with Websocket and MQTT profile enabled | 17.0.0, 16.1.4, 15.1.9 |
| 1067669-2 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. | 17.0.0, 16.1.4, 15.1.9 |
| 1030185-3 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands | 17.0.0, 16.1.4, 15.1.9 |
| 1024241-2 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
| 948065-3 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. | 17.0.0, 16.1.4, 15.1.9 |
| 947125-2 | 3-Major | BT947125 | Unable to delete monitors after certain operations | 17.1.0, 15.1.9 |
| 945601-4 | 3-Major | BT945601 | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. | 16.1.0, 16.0.1.2, 15.1.9 |
| 920205-4 | 3-Major | BT920205 | Rate shaping might suppress TCP RST | 16.1.0, 15.1.9 |
| 918277-2 | 3-Major | BT918277 | Slow Ramp does not take into account pool members' ratio weights | 16.1.0, 15.1.9 |
| 909997-3 | 3-Major | BT909997 | Virtual server status displays as unavailable when it is accepting connections | 16.1.0, 15.1.9 |
| 883133-2 | 3-Major | BT883133 | TLS_FALLBACK_SCSV with TLS1.3 | 16.1.0, 15.1.9 |
| 878641-2 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
| 863165-3 | 3-Major | BT863165 | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | 16.0.0, 15.1.9 |
| 785361-3 | 3-Major | BT785361 | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped | 16.1.0, 15.1.9 |
| 756313-6 | 3-Major | BT756313 | SSL monitor continues to mark pool member down after restoring services | 16.1.0, 15.1.9 |
| 693473-6 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
| 574762-2 | 3-Major | BT574762 | Forwarding flows leak when a routing update changes the egress vlan | 17.0.0, 16.1.4, 15.1.9 |
| 1281637 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
| 1229417-3 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
| 1210469-5 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
| 1185133-3 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0, 16.1.4, 15.1.9 |
| 1184153-3 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0, 16.1.4, 15.1.9 |
| 1159569-1 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0, 16.1.4, 15.1.9 |
| 1155393-1 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0, 16.1.4, 15.1.9 |
| 1146241-3 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0, 16.1.4, 15.1.9 |
| 1144117-2 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
| 1141845-3 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0, 16.1.4, 15.1.9 |
| 1135313-3 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0, 16.1.4, 15.1.9 |
| 1133881-3 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0, 16.1.4, 15.1.9 |
| 1133625-3 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0, 16.1.4, 15.1.9 |
| 1126329-3 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT ★ | 17.1.0, 16.1.4, 15.1.9 |
| 1123169-3 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0, 16.1.4, 15.1.9 |
| 1115041-3 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0, 16.1.4, 15.1.9 |
| 1113181-3 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 16.1.4, 15.1.9 |
| 1112205-2 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire | 17.1.0, 15.1.9 |
| 1111473-3 | 3-Major | BT1111473 | The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes | 17.1.0, 16.1.4, 15.1.9 |
| 1109953-3 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0, 16.1.4, 15.1.9 |
| 1102429-3 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0, 16.1.4, 15.1.9 |
| 1101181-1 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
| 1099229-3 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
| 1096893-2 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
| 1091969-2 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 17.1.2, 16.1.4, 15.1.9 |
| 1083621-4 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.1.1, 16.1.5, 15.1.9 |
| 1081085 | 3-Major | BT1081085 | MQTT with slow reading server cores on larger payload | 15.1.9 |
| 1080569-1 | 3-Major | BT1080569 | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
| 1079769-4 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers | 17.0.0, 16.1.4, 15.1.9 |
| 1077553-2 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0, 16.1.4, 15.1.9 |
| 1076573-1 | 3-Major | BT1076573 | MQTT profile addition is different in GUI and TMSH | 17.0.0, 16.1.4, 15.1.9 |
| 1070389-3 | 3-Major | K000132430 , BT1070389 | Tightening HTTP RFC enforcement | 17.1.0, 16.1.4, 15.1.9 |
| 1068673-2 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0, 16.1.4, 15.1.9 |
| 1062605 | 3-Major | BT1062605 | Support for MQTT functionality over websockets | 15.1.9 |
| 1060021-2 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0, 16.1.4, 15.1.9 |
| 1059337 | 3-Major | BT1059337 | Potential data leak inside Ethernet padding field on VELOS architecture products | 17.1.0, 15.1.9 |
| 1046717 | 3-Major | BT1046717 | Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes. | 15.1.9 |
| 1043009-3 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0, 16.1.4, 15.1.9 |
| 1037645-1 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command | 17.0.0, 15.1.9 |
| 1000561-3 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
| 1000069-1 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0, 16.1.4, 15.1.9 |
| 982993-4 | 4-Minor | BT982993 | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail | 16.1.0, 15.1.9 |
| 960677-2 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
| 932045-3 | 4-Minor | BT932045 | Memory leak when creating/deleting LTM node object | 16.1.0, 15.1.9 |
| 834217-7 | 4-Minor | BT834217 | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | 16.0.0, 15.1.9 |
| 1230753 | 4-Minor | BT1230753 | HTTP/2 sends RST_STREAM for completed streams | 15.1.9 |
| 1181345-1 | 4-Minor | BT1181345 | Fix for VLAN Group reconfiguration issue when an additional virutal-wire configuration is added on top of deployed tenant | 17.1.0, 15.1.9 |
| 1168309-1 | 4-Minor | BT1168309 | Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms | 17.1.0, 15.1.9 |
| 1156105-3 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0, 16.1.4, 15.1.9 |
| 1132765-3 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0, 16.1.4, 15.1.9 |
| 1122377-3 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0, 16.1.4, 15.1.9 |
| 1111981-2 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0, 16.1.4, 15.1.9 |
| 1103617-3 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0, 16.1.4, 15.1.9 |
| 1101369-2 | 4-Minor | BT1101369 | MQTT connection stats are not updated properly | 17.1.0, 16.1.4, 15.1.9 |
| 1037265-1 | 4-Minor | K11453402 , BT1037265 | Improper handling of multiple cookies with the same name. | 17.1.0, 16.1.4, 15.1.9 |
| 1034217-1 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. | 17.0.0, 16.1.4, 15.1.9 |
| 1030533-2 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. | 17.0.0, 16.1.4, 15.1.9 |
| 1027805-3 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. | 17.0.0, 16.1.4, 15.1.9 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1127445-2 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0, 16.1.4, 15.1.9 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1137485-3 | 2-Critical | K10865360 , BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly ★ | 17.1.0, 16.1.4, 15.1.9 |
| 966461-6 | 3-Major | BT966461 | Tmm memory leak | 17.1.0, 16.1.4, 15.1.9 |
| 1182353-4 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
| 1162081-4 | 3-Major | Upgrade the bind package to fix security vulnerabilities | 17.1.0, 16.1.4, 15.1.9 | |
| 1137677 | 3-Major | BT1137677 | GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources | 17.1.1, 15.1.9 |
| 1122497-1 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0, 16.1.4, 15.1.9 |
| 1060145-2 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0, 16.1.4, 15.1.9 |
| 808913-2 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data | 17.0.0, 16.1.4, 15.1.9 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1105341-3 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0, 16.1.4, 15.1.9 |
| 923821-3 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
| 884945-2 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. | 17.0.0, 16.1.4, 15.1.9 |
| 850141-1 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
| 845953-1 | 2-Critical | BT845953 | BD crash on specific scenario | 16.0.0, 15.1.9 |
| 1132697-1 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
| 1113161-4 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets ★ | 17.1.0, 16.1.4, 15.1.9 |
| 1095185-3 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0, 16.1.4, 15.1.9 |
| 974985-2 | 3-Major | BT974985 | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable | 17.0.0, 16.1.4, 15.1.9 |
| 928997-2 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
| 841285-1 | 3-Major | BT841285 | Sometimes apply policy is stuck in Applying state | 16.0.0, 15.1.9 |
| 1196537-2 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
| 1194173-3 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
| 1186401-3 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
| 1156889-2 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
| 1148009-4 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
| 1144497-3 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
| 1141665-3 | 3-Major | BT1141665 | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0, 16.1.4, 15.1.9 |
| 1137993-3 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
| 1132981-1 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
| 1132741-4 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
| 1128689-3 | 3-Major | BT1128689 | High BD CPU utilization | 16.1.4, 15.1.9 |
| 1127809-4 | 3-Major | BT1127809 | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0, 16.1.4, 15.1.9 |
| 1126409-4 | 3-Major | BT1126409 | BD process crash | 17.1.0, 16.1.4, 15.1.9 |
| 1113881-3 | 3-Major | BT1113881 | Headers without a space after the colon, trigger an HTTP RFC violation | 17.1.0, 16.1.4, 15.1.9 |
| 1112805-1 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0, 16.1.4, 15.1.9 |
| 1110281-4 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
| 1106937-1 | 3-Major | BT1106937 | ASM may skip signature matching | 17.1.0, 16.1.4, 15.1.9 |
| 1100669-1 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0, 16.1.4, 15.1.9 |
| 1099193-3 | 3-Major | BT1099193 | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0, 16.1.4, 15.1.9 |
| 1098609-5 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
| 1091185-3 | 3-Major | K000135944 , BT1091185 | Issue with input normalization | 17.1.0, 15.1.9 |
| 1088849-3 | 3-Major | BT1088849 | Inconsistent behavior while sending malformed request to /TSbd URLs | 15.1.9 |
| 1080613-2 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files ★ | 17.1.0, 16.1.4, 15.1.9 |
| 1078065-3 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
| 1072165-1 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0, 16.1.4, 15.1.9 |
| 1069729-2 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
| 1067589-2 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0, 16.1.4, 15.1.9 |
| 1067557-3 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
| 1058597-3 | 3-Major | BT1058597 | Bd crash on first request after system recovery. | 17.0.0, 16.1.4, 15.1.9 |
| 1048949-3 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
| 1017557-3 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0, 16.1.4, 15.1.9 |
| 937541-2 | 4-Minor | BT937541 | Wrong display of signature references in violation details | 17.0.0, 15.1.9 |
| 932893-2 | 4-Minor | BT932893 | Content profile cannot be updated after redirect from violation details in Request Log | 16.1.0, 15.1.9 |
| 1189865-3 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
| 1132925-4 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0, 16.1.4, 15.1.9 |
| 1123153-1 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
| 1092965-3 | 4-Minor | BT1092965 | Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value | 17.1.0, 16.1.4, 15.1.9 |
| 1113333-2 | 5-Cosmetic | BT1113333 | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0, 16.1.4, 15.1.9 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 990073 | 2-Critical | BT990073 | BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1 ★ | 15.1.9 |
| 965837-2 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection | 17.0.0, 16.1.4, 15.1.9 |
| 956913-2 | 2-Critical | BT956913 | HTTPS traffic may fail for Inbound topology gateway mode | 16.1.0, 15.1.9 |
| 856909-3 | 2-Critical | BT856909 | Apmd core occurs when it fails to retrieve agentInfo | 16.0.0, 15.1.9 |
| 1283645-2 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
| 1122473-3 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3, 15.1.9 |
| 1111149-1 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
| 1110489-1 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
| 1106757-2 | 2-Critical | BT1106757 | Horizon VDI clients are intermittently disconnected | 17.1.0, 16.1.4, 15.1.9 |
| 1082581-1 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
| 1065501-3 | 2-Critical | BT1065501 | [API Protection]Per request policy is getting timed out | 17.0.0, 16.1.4, 15.1.9 |
| 1046633-2 | 2-Critical | BT1046633 | Rare tmm crash when sending packets to apmd fails | 17.0.0, 16.1.4, 15.1.9 |
| 963869-2 | 3-Major | BT963869 | Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server. | 16.1.0, 15.1.9 |
| 957453-2 | 3-Major | BT957453 | Javascript parser incompatible with ECMAScript 6/7+ javascript versions | 17.1.0, 16.1.4, 15.1.9 |
| 956645-2 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
| 904725-1 | 3-Major | BT904725 | Add new macro dialogue not working for AD auth and resources and password change | 16.0.0, 15.1.9 |
| 892861-3 | 3-Major | BT892861 | Cannot configure aaa OAuth provider - invalid x509 file | 16.1.0, 15.1.9 |
| 819645-2 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0, 16.1.4, 15.1.9 |
| 752077-1 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors | 17.0.0, 16.1.4, 15.1.9 |
| 592353-3 | 3-Major | BT592353 | Javascript parser incompatible with ECMA6/7+ | 16.1.0, 15.1.9 |
| 490138-2 | 3-Major | BT490138 | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0, 16.1.4, 15.1.9 |
| 1196401-3 | 3-Major | BT1196401 | Restarting TMM does not restart APM Daemon | 17.1.0, 16.1.4, 15.1.9 |
| 1173669-3 | 3-Major | BT1173669 | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0, 16.1.4, 15.1.9 |
| 1166449-3 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list | 17.1.0, 16.1.4, 15.1.9 |
| 1147621 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 17.1.1, 16.1.5, 15.1.9 |
| 1146017-2 | 3-Major | BT1146017 | WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile | 17.1.0, 16.1.4, 15.1.9 |
| 1111397 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
| 1108109-1 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images ★ | 17.1.0, 16.1.4, 15.1.9 |
| 1104409-2 | 3-Major | BT1104409 | Added Rewrite Control Lists builder to Admin UI | 17.1.0, 16.1.4, 15.1.9 |
| 1101321 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0, 16.1.4, 15.1.9 |
| 1100549-1 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0, 16.1.4, 15.1.9 |
| 1099305-1 | 3-Major | BT1099305 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.0, 16.1.4, 15.1.9 |
| 1089101-1 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0, 16.1.4, 15.1.9 |
| 1067609-3 | 3-Major | Static keys were used while generating UUIDs under OAuth module | 17.1.0, 16.1.4, 15.1.9 | |
| 1064001-2 | 3-Major | BT1064001 | POST request to a virtual server with stream profile and a access policy is aborted. | 17.0.0, 16.1.4, 15.1.9 |
| 1063345-3 | 3-Major | BT1063345 | Urldbmgrd may crash while downloading the database. | 17.0.0, 16.1.3.1, 15.1.9 |
| 1060477 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
| 1050165-1 | 3-Major | BT1050165 | APM SSO is disabled in the session of users and requires support of administrator for resolving | 17.1.0, 16.1.4, 15.1.9 |
| 1042505-2 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients | 17.0.0, 16.1.4, 15.1.9 |
| 1039725-2 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. | 17.0.0, 16.1.3.1, 15.1.9 |
| 1038753-3 | 3-Major | K75431121 , BT1038753 | OAuth Bearer with SSO does not process headers as expected | 17.1.0, 16.1.4, 15.1.9 |
| 1037877-2 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0, 16.1.4, 15.1.9 |
| 1024437-3 | 3-Major | BT1024437 | Urldb index building fails to open index temp file | 17.0.0, 16.1.3.1, 15.1.9 |
| 1018877-1 | 3-Major | BT1018877 | Subsession variable values mixing between sessions | 17.0.0, 16.1.4, 15.1.9 |
| 1010809-2 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0, 16.1.4, 15.1.9 |
| 1000669-2 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE | 17.0.0, 16.1.4, 15.1.9 |
| 1218813-3 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.1.1, 16.1.5, 15.1.9 |
| 1088389 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0, 16.1.4, 15.1.9 |
| 1079441-1 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0, 16.1.4, 15.1.9 |
| 1050009-1 | 4-Minor | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0, 16.1.4, 15.1.9 |
| 1041985-3 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade ★ | 17.1.1, 16.1.4, 15.1.9 |
| 1028081 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
| 824073 | 5-Cosmetic | BT824073 | Incorrect error message when uploading OpenAPI 3.0 file | 15.1.9 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1239901-1 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
| 1141853-1 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0, 16.1.4, 15.1.9 |
| 755033-1 | 3-Major | BT755033 | Dynamic Routes stats row does not appear in the UI | 16.0.0, 15.1.9 |
| 1189513-3 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
| 1167941-2 | 3-Major | BT1167941 | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0, 16.1.4, 15.1.9 |
| 1038057-1 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
| 862337-2 | 4-Minor | BT862337 | Message Routing Diameter profile fails to forward messages with zero length AVPs | 16.0.0, 15.1.9 |
| 1184629-3 | 4-Minor | BT1184629 | Validate content length with respective to SIP header offset instead of parser offset | 17.1.0, 16.1.5, 15.1.9 |
| 1116941-3 | 4-Minor | BT1116941 | Need larger Content-Length value supported for SIP | 17.1.0, 16.1.4, 15.1.9 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 897137 | 2-Critical | BT897137 | NAT traffic across BIG-IP was dropped and TMM can crash if attached FW policy with subscriber ID enabled to the virtual server | 15.1.9 |
| 1106273-1 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
| 1069809-1 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. | 16.1.4, 15.1.9 |
| 1067405-1 | 2-Critical | BT1067405 | TMM crash while offloading / programming bad actor connections to hardware. | 17.0.0, 15.1.9 |
| 997429 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0, 16.1.4, 15.1.9 |
| 993269-1 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | 17.0.0, 16.1.4, 15.1.9 |
| 952521-2 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses ★ | 17.0.0, 16.1.4, 15.1.9 |
| 950253-1 | 3-Major | BT950253 | Source address translation occurs with self IP after NAT policy removal from Virtual Server | 16.1.0, 15.1.9 |
| 929913-2 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events | 17.0.0, 16.1.4, 15.1.9 |
| 818705-1 | 3-Major | BT818705 | The daemon afm_cmi.py can cause high BIG-IP CPU utilization (>90%) | 16.1.0, 15.1.9 |
| 1167949 | 3-Major | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware | 17.1.1, 15.1.9 |
| 1141597-1 | 3-Major | BT1141597 | DOS stats are not updating for IPv4-all and IPv6-all vectors | 17.1.0, 15.1.9 |
| 1137133-4 | 3-Major | BT1137133 | Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors | 17.1.0, 15.1.9 |
| 1127117 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0, 16.1.4, 15.1.9 |
| 1126401 | 3-Major | BT1126401 | Variables are not displayed in Debug log messages for MGMT network firewall rules | 17.1.1, 15.1.9 |
| 1124149 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0, 16.1.4, 15.1.9 |
| 1112781-1 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
| 1104741-1 | 3-Major | BT1104741 | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone | 17.1.0, 15.1.9 |
| 1082453 | 3-Major | BT1082453 | Dwbld stops working after adding an IP address to IPI category manually | 17.1.1, 15.1.9 |
| 1069321-1 | 3-Major | BT1069321 | High iowait and pgstat wait every hour on the hour, due to excessive logging in autodosd.out | 15.1.9 |
| 1039993-2 | 3-Major | BT1039993 | AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE" | 15.1.9 |
| 1020061-1 | 3-Major | BT1020061 | Nested address lists can increase configuration load time | 17.0.0, 16.1.4, 15.1.9 |
| 760355-3 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default' ★ | 17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
| 1215401 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 16.1.4, 15.1.9 |
| 1211885-1 | 4-Minor | BT1211885 | Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1 | 17.1.0, 15.1.9 |
| 1086309 | 4-Minor | BT1086309 | Legitimate traffic gets blocked on detecting Bad Destination IP of virtual server subnet | 15.1.9 |
| 1003377-1 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1159397-2 | 1-Blocking | BT1159397 | The high utilization of memory when blade turns offline results in core | 17.1.0, 16.1.4, 15.1.9 |
| 904509-1 | 2-Critical | BT904509 | TMM crash SIGSEGV - spmdb_subscriber_info_deserialize() in spm/spmdb_deser.c | 16.0.0, 15.1.9 |
| 1186925-3 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
| 1091565 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1, 15.1.9 |
| 1226121-3 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
| 1207381-5 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
| 1174085 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
| 1174033-3 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core | 17.1.0, 16.1.4, 15.1.9 |
| 1108681-1 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0, 16.1.4, 15.1.9 |
| 1089829 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0, 16.1.4, 15.1.9 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1023461 | 3-Major | BT1023461 | Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created | 17.0.0, 15.1.9 |
| 1016045-3 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 16.1.4, 15.1.9 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1211297 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
| 1060057-1 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0, 16.1.4, 15.1.9 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1161965-4 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0, 16.1.4, 15.1.9 |
| 1013629-3 | 3-Major | BT1013629 | URLCAT: Scan finds many Group/User Read/Write (666/664/662) files | 17.0.0, 16.1.2, 15.1.9 |
| 776285-1 | 4-Minor | BT776285 | No stats returned for 'ltm classification stats urlcat-cloud' component at system startup | 16.1.0, 15.1.9 |
| 1168137-2 | 4-Minor | BT1168137 | PEM Classification Auto-Update for month is working as hourly | 17.1.0, 16.1.4, 15.1.9 |
| 1167889-3 | 4-Minor | BT1167889 | PEM classification signature scheduled updates do not complete | 17.1.0, 16.1.4, 15.1.9 |
| 1117297 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts ★ | 17.1.0, 16.1.4, 15.1.9 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1196477-2 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 889605-3 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0, 16.1.4, 15.1.9 |
| 1093933-2 | 4-Minor | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1098837 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0, 16.1.4, 15.1.9 |
| 1135073-2 | 5-Cosmetic | BT1135073 | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0, 16.1.4, 15.1.9 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1110241-3 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0, 16.1.4, 15.1.9 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 890721-2 | 3-Major | BT890721 | SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment | 16.1.0, 15.1.9 |
| 1017053-1 | 3-Major | BT1017053 | [SSL Orchestrator] Policy fails to complete when URL branching is configured | 17.0.0, 15.1.9 |
F5OS Messaging Agent Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1182613 | 2-Critical | BT1182613 | BIG-IP Version 15.1.8 installed as a tenant on CX410 or rSeries systems see continuous 'Unable to Notify Tenant stats' log in /var/log/ltm | 15.1.9 |
| 1133869 | 3-Major | BT1133869 | Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms | 17.1.0, 15.1.9 |
Cumulative fixes from BIG-IP v15.1.8.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1213305-2 | CVE-2023-27378 | K000132726 , BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1208989-5 | CVE-2023-27378 | K000132726 , BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1208001-6 | CVE-2023-22374 | K000130415 , BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1204961-3 | CVE-2023-27378 | K000132726 , BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1204793-3 | CVE-2023-27378 | K000132726 , BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1196033-3 | CVE-2023-27378 | K000132726 , BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1106989-2 | CVE-2023-29163 | K20145107 , BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1086293-5 | CVE-2023-22358 | K76964818 , BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1086289-5 | CVE-2023-22358 | K76964818 , BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1207661-2 | CVE-2023-28406 | K000132768 , BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
| 1096373-3 | CVE-2023-28742 | K000132972 , BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1075849-6 | 3-Major | APM client hardening | 17.1.0, 16.1.4, 15.1.8.2 |
Cumulative fixes from BIG-IP v15.1.8.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 890917-2 | CVE-2023-22323 | K56412001 , BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1143073-3 | CVE-2022-41622 | K94221585 , BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1107437-5 | CVE-2023-22839 | K37708118 , BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1106161-3 | CVE-2022-41800 | K13325942 , BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1083225-1 | CVE-2023-22842 | K08182564 , BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1073005-1 | CVE-2023-22326 | K83284425 , BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1113385-3 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
| 1103369-3 | 3-Major | K000133368 , BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1134085-1 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
| 1215165 | 3-Major | BT1215165 | Support added for Microsoft Azure Managed HSM | 15.1.8.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1174873-1 | 3-Major | BT1174873 | Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
F5OS Messaging Agent Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1183553 | 3-Major | BT1183553 | The platform_mgr core dumps on token renewal intermittently | 17.1.0, 15.1.8.1 |
Cumulative fixes from BIG-IP v15.1.8 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 982785-3 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
| 982777-10 | CVE-2022-27230 | K21317311 , BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 982769-11 | CVE-2022-27806 | K68647001 , BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 982753-5 | CVE-2022-27806 | K68647001 , BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 982745-4 | CVE-2022-27806 | K68647001 , BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 968729-4 | CVE-2017-18344 | K07020416 , BT968729 | Kernel CVE-2017-18344 out-of-bounds access in the show_timer function | 16.1.0, 15.1.8 |
| 963625-6 | CVE-2022-27806 | K68647001 , BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 959153-4 | CVE-2022-27806 | K68647001 , BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
| 1107481 | CVE-2023-23555 | K24572686 , BT1107481 | TMM restarting repeatedly after upgrade 15.1.5.1 | 15.1.8, 14.1.5.3 |
| 1107293-5 | CVE-2021-22555 | K06524534 , BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.8 |
| 1105389-5 | CVE-2023-23552 | K17542533 , BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
| 1091453-5 | CVE-2022-23308 | K32760744 , BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 16.1.4, 15.1.8 |
| 1089225-3 | CVE-2021-4034 | K46015513 , BT1089225 | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 16.1.4, 15.1.8 |
| 1085077-3 | CVE-2023-22340 | K34525368 , BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
| 1077301-3 | CVE-2021-23133 | K67416037 , BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 16.1.4, 15.1.8 |
| 1075689-4 | CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 | K56241216 , BT1075689 | Multiple CVE fixes for OpenLDAP library | 17.1.0, 16.1.4, 15.1.8 |
| 1057393-2 | CVE-2019-18197 | K10812540 , BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 17.0.0, 16.1.4, 15.1.8 |
| 1032553-3 | CVE-2023-22281 | K46048342 , BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
| 1004881-3 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858 , BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 17.0.0, 16.1.3.2, 15.1.8 |
| 960845-5 | CVE-2021-23046 | K70652532 , BT960845 | Secure properties were logged in restnoded logs | 16.1.0, 15.1.8, 14.1.5.3 |
| 1009157-3 | CVE-2023-39447 | K47756555 , BT1009157 | AGC hardening | 16.1.4, 15.1.8 |
| 1057445-2 | CVE-2019-13118 | K96300145 , BT1057445 | CVE-2019-13118 libxslt vulnerability: uninitialized stack data | 17.0.0, 16.1.4, 15.1.8 |
| 1057437-2 | CVE-2019-13117 | K96300145 , BT1057437 | CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers | 17.0.0, 16.1.4, 15.1.8 |
| 1057149-2 | CVE-2019-11068 | K30444545 , BT1057149 | CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite | 17.0.0, 16.1.4, 15.1.8 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1088037 | 3-Major | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 16.1.4, 15.1.8 |
| 1053589 | 3-Major | BT1053589 | DDoS functionality cannot be configured at a Zone level | 16.1.4, 15.1.8 |
| 1049213-1 | 3-Major | BT1049213 | A new disaggregation (DAG) mode based on TEID field in GTP-U header is introduced | 17.0.0, 15.1.8 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1098009 | 2-Critical | BT1098009 | DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms | 17.1.0, 15.1.8 |
| 1117637-2 | 3-Major | BT1117637 | FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants | 17.1.0, 15.1.8 |
| 1048709-1 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 16.1.4, 15.1.8 |
| 1057457-2 | 4-Minor | CVE-2015-9019: libxslt vulnerability: math.random() | 17.0.0, 16.1.4, 15.1.8 | |
| 1057449-2 | 4-Minor | CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS | 17.0.0, 16.1.4, 15.1.8 | |
| 1057441-2 | 4-Minor | An out-of-bounds access flawb in the libxslt component | 17.0.0, 16.1.4, 15.1.8 | |
| 1057433-2 | 4-Minor | Integer overflow in libxslt component | 17.0.0, 16.1.4, 15.1.8 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1135041 | 1-Blocking | BT1135041 | Performance issue related to crypto and compression | 17.1.0, 15.1.8 |
| 1154465-1 | 2-Critical | BT1154465 | Error attaching QAT devices to TMM on F5OS | 17.1.0, 15.1.8 |
| 1076805 | 2-Critical | BT1076805 | Tmm crash SIGSEGV | 17.1.0, 15.1.8 |
| 1053741-3 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 16.1.4, 15.1.8 |
| 1128721 | 4-Minor | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 16.1.4, 15.1.8 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1128977 | 3-Major | BT1128977 | When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged | 17.1.0, 15.1.8 |
| 1121521-1 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 16.1.4, 15.1.8 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1107549-3 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 16.1.4, 15.1.8 |
| 1046917-3 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 16.1.4, 15.1.8 |
Cumulative fixes from BIG-IP v15.1.7 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1106289-3 | CVE-2022-41624 | K43024307 , BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
| 1085729-3 | CVE-2022-41836 | K47204506 , BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1051305-3 | CVE-2021-34798 | K72382141 , BT1051305 | CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests | 17.0.0, 16.1.4, 15.1.7 |
| 919357-1 | CVE-2022-41770 | K22505850 , BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 881809-2 | CVE-2022-41983 | K31523465 , BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1084013-3 | CVE-2022-36795 | K52494562 , BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1065917-3 | CVE-2023-22418 | K95503300 , BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1025261-2 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 957637-2 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 759928-4 | 2-Critical | BT759928 | Engineering Hotfixes might not contain all required packages | 17.0.0, 16.1.3.1, 15.1.7 |
| 1102837-3 | 2-Critical | BT1102837 | Use native driver for e810 instead of sock | 17.1.0, 16.1.5, 15.1.7 |
| 1048853-2 | 2-Critical | BT1048853 | TMM memory leak of "IKE VBUF" | 17.0.0, 16.1.3.1, 15.1.7 |
| 1041865-3 | 2-Critical | K16392416 , BT1041865 | Correctable machine check errors [mce] should be suppressed | 17.0.0, 16.1.3.1, 15.1.7 |
| 1064357-2 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed | 17.0.0, 16.1.3, 15.1.7 |
| 1042737-3 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1021773-3 | 3-Major | BT1021773 | Mcpd core. | 17.0.0, 16.1.2, 15.1.7 |
| 756918-3 | 4-Minor | BT756918 | Engineering Hotfix ISOs may be nearly as large as full Release ISOs | 17.0.0, 16.1.3.1, 15.1.7 |
| 1080317-2 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1067105-1 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 967249-2 | 2-Critical | BT967249 | TMM may leak memory early during its startup process, and may continue to do so indefinitely. | 16.1.0, 15.1.7 |
| 864897-2 | 2-Critical | BT864897 | TMM may crash when using "SSL::extensions insert" | 16.0.0, 15.1.7 |
| 1086677-3 | 2-Critical | BT1086677 | TMM Crashes in xvprintf() because of NULL Flow Key | 17.0.0, 16.1.3.1, 15.1.7 |
| 1074517-2 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 999881-4 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. | 17.0.0, 16.1.3.1, 15.1.7 |
| 995201-4 | 3-Major | BT995201 | IP fragments for the same flow are dropped if they are received on different VLANs and route domains. | 16.1.0, 15.1.7 |
| 977153-1 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 922413-2 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1112745 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 16.1.4, 15.1.7 |
| 1104553 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up | 17.1.1, 15.1.7 |
| 1101697-1 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 16.1.4, 15.1.7 |
| 1091761-2 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1088173 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 16.1.4, 15.1.7 |
| 1082225-3 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1076577-2 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 16.1.4, 15.1.7 |
| 1043805-2 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1040017-3 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie | 17.0.0, 16.1.4, 15.1.7 |
| 1022453-2 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1006157-1 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1104073-3 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 984749-2 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." | 17.0.0, 16.1.3.1, 15.1.7 |
| 961229-1 | 3-Major | BT961229 | The responses for EDNS/Non-EDNS UDP queries against DNS Express zone were truncated | 16.1.0, 15.1.7 |
| 933577-1 | 3-Major | BT933577 | Changes to support DNS Flag Day | 16.1.0, 15.1.7 |
| 887749-2 | 3-Major | BT887749 | Observed crash when resetting stats for GTM server devices in a GTM sync group. | 16.0.0, 15.1.7 |
| 1078669-4 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | 17.0.0, 16.1.3.1, 15.1.7 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1048685-2 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge | 17.0.0, 16.1.3.1, 15.1.7 |
| 1015881-3 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
| 1084257-4 | 3-Major | K11342432 , BT1084257 | New HTTP RFC Compliance check in headers | 17.1.0, 17.0.0.1, 16.1.4, 15.1.7 |
| 1078765-2 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1062493-2 | 3-Major | BT1062493 | BD crash close to it's startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1030133-3 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1014973-3 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1111793-3 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 16.1.4, 15.1.7 |
| 1058297-3 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade ★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 1014573-2 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1029689-3 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1121657 | 1-Blocking | BT1121657 | EAM is down after APM is provisioned | 17.1.0, 15.1.7 |
| 1034041-1 | 3-Major | BT1034041 | Microsoft Intune Azure AD Graph cannot cannot migrate to Microsoft Graph. | 17.0.0, 15.1.7 |
| 1006509 | 3-Major | BT1006509 | TMM memory leak ★ | 16.1.5, 15.1.7 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 921441-2 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg | 17.0.0, 16.1.3.1, 15.1.7 |
| 1103233-4 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1106341 | 3-Major | BT1106341 | /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition | 17.1.1, 15.1.7 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1090649 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
| 1084993-4 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 911585-3 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
| 815901-1 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed | 17.0.0, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 832133-1 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Cumulative fixes from BIG-IP v15.1.6.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 996233-2 | CVE-2022-33947 | K38893457 , BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 972517-2 | CVE-2023-43746 | K41072952 , BT972517 | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
| 937777-2 | CVE-2022-34655 | K93504311 , BT937777 | HTTP::payload may cause the TMM to crash | 16.1.0, 16.0.1.1, 15.1.6.1, 14.1.5 |
| 1093621-1 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
| 1079505-2 | CVE-2022-33203 | K52534925 , BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 1076397-2 | CVE-2022-35735 | K13213418 , BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1073841-2 | CVE-2022-34862 | K66510514 , BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
| 1073357-1 | CVE-2022-34862 | K66510514 , BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
| 1071593-1 | CVE-2022-32455 | K16852653 , BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1067505-3 | CVE-2022-34651 | K59197053 , BT1067505 | TMM may crash while processing TLS traffic with HTTP::respond | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1066673-2 | CVE-2022-35728 | K55580033 , BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1055737-2 | CVE-2022-35236 | K79933541 , BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1032513-2 | CVE-2022-35240 | K28405643 , BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1024029-3 | CVE-2022-35245 | K58235223 , BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 947057-2 | CVE-2022-34865 | K25046752 , BT947057 | Traffic intelligence feeds to do not follow best practices | 16.1.0, 15.1.6.1, 14.1.5, 12.1.6 |
| 740321-2 | CVE-2022-34851 | K50310001 , BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1081201-2 | CVE-2022-41694 | K64829234 , BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 1081153 | CVE-2022-41813 | K93723284 , BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
| 1073549-2 | CVE-2022-35735 | K13213418 , BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1055925-2 | CVE-2022-34844 | K34511555 , BT1055925 | TMM may crash while processing traffic on AWS | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1043281-1 | CVE-2021-3712 | K19559038 , BT1043281 | OpenSSL vulnerability CVE-2021-3712 | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1006921-3 | CVE-2022-33962 | K80970653 , BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1063641-3 | CVE-2022-33968 | K23465404 , BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1063637-3 | CVE-2022-33968 | K23465404 , BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1078821-2 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 971217-2 | 3-Major | BT971217 | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. | 16.1.0, 15.1.6.1, 14.1.5 |
| 882709-4 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors ★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 874941-2 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
| 669046-5 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1036057-2 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1071621-3 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 992097-2 | 2-Critical | BT992097 | Incorrect hostname is seen in logging files | 16.1.0, 15.1.6.1, 14.1.5 |
| 989517-2 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
| 943109-2 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 940225-2 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
| 1108181-1 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
| 1107689 | 2-Critical | BT1107689 | IPI is not dropping traffic from IPREP database malicious IPs | 15.1.6.1 |
| 1084213 | 2-Critical | BT1084213 | [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant | 17.1.0, 15.1.6.1 |
| 1079817-2 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed ★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
| 1076921-2 | 2-Critical | BT1076921 | The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1034329-2 | 2-Critical | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 992121-1 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 977657-2 | 3-Major | BT977657 | SELinux errors when deploying a vCMP guest. | 16.1.0, 15.1.6.1, 14.1.5 |
| 959985-1 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 943653-2 | 3-Major | BT943653 | Allow 32-bit processes to use larger area of virtual address space | 16.1.0, 15.1.6.1, 14.1.5 |
| 935177-2 | 3-Major | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 930825-4 | 3-Major | BT930825 | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors | 16.1.0, 15.1.6.1 |
| 886649-2 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
| 862693-6 | 3-Major | BT862693 | PAM_RHOST not set when authenticating BIG-IP using iControl REST | 16.0.0, 15.1.6.1, 14.1.5.1 |
| 724653-3 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 720610-3 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
| 1091345-3 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1087621-2 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
| 1086517-1 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
| 1085837-1 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
| 1084873 | 3-Major | BT1084873 | Packets are dropped when a masquerade MAC is on a shared VLAN | 17.1.0, 15.1.6.1 |
| 1071609-1 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1064461-3 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1060009 | 3-Major | BT1060009 | Platform Agent may run out of file descriptors | 17.1.0, 15.1.6.1, 14.1.5 |
| 1024661-2 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1020789-3 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
| 1019357-1 | 3-Major | BT1019357 | Active fails to resend ipsec ikev2_message_id_sync if no response received | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 758105-6 | 4-Minor | BT758105 | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml | 15.1.6.1 |
| 742753-5 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1090569 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
| 1072237-2 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1067617-3 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1062333-2 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
| 1011217-3 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade ★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 944381-1 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1088049 | 2-Critical | BT1088049 | The fix for ID841469 became broken in the 15.1.x branch for some platforms. | 17.1.0, 15.1.6.1 |
| 1087469-1 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
| 1073609-1 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1071449-3 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1047581-2 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 993517-3 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 976525-3 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
| 953601-3 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 948985-2 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 934697-3 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 883049-2 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 873677-7 | 3-Major | BT873677 | LTM policy matching does not work as expected | 16.0.0, 15.1.6.1 |
| 780857-2 | 3-Major | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 748886-3 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1083989-2 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1074505-2 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
| 1072953-3 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1071701 | 3-Major | BT1071701 | VE rate limit should not count packet that does not have a matched vlan or matched MAC address | 15.1.6.1 |
| 1068445-2 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1064157-2 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1063453-2 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1053149-2 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1043017-3 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
| 1042913 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1036169-3 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1024225 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1017721-3 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
| 1017533-2 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
| 1004897-4 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
| 1004689-3 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 987885-4 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1080341-3 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 993921-4 | 2-Critical | BT993921 | TMM SIGSEGV | 16.1.0, 15.1.6.1, 14.1.5.1 |
| 1077701-2 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1011433-3 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 950069-2 | 3-Major | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 876677-1 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1091249-3 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1084173-2 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). | 17.0.0, 16.1.3, 15.1.6.1 |
| 1076401-3 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1071301-2 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1071233-2 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1084673-3 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1079909-2 | 2-Critical | K82724554 , BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
| 1069501-2 | 2-Critical | K22251611 , BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1068237-2 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1000789-2 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 923221-4 | 3-Major | BT923221 | BD does not use all the CPU cores | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 886533-3 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1083913-1 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1082461-3 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
| 1077281-4 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
| 1070833-1 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
| 1070273-2 | 3-Major | BT1070273 | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1070073 | 3-Major | BT1070073 | ASM Signature Set accuracy filter is wrong on GUI. | 15.1.6.1, 14.1.5 |
| 1069133-3 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1061617-3 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1056365-3 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1036305-4 | 3-Major | BT1036305 | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1033017-4 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 1028473-2 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 948241-2 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1073625-3 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1048445-3 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
| 1046317-1 | 4-Minor | BT1046317 | Violation details are not populated with staged URLs for some violation types | 17.0.0, 16.1.3.1, 15.1.6.1 |
| 1040513-1 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1021637-2 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 987341-2 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
| 965777-2 | 2-Critical | BT965777 | Per-request policy authentication becomes unresponsive | 16.1.0, 15.1.6.1 |
| 831737-1 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.1.1, 16.1.5, 15.1.6.1 |
| 1020349-2 | 2-Critical | BT1020349 | APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL | 16.1.0, 15.1.6.1, 14.1.4.4 |
| 858005-2 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 849029-5 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
| 470916-3 | 3-Major | BT470916 | Launching resources that are published on an apm webtop from multiple VMWare servers will fail when the Native View client is selected. | 16.0.0, 15.1.6.1, 14.1.5 |
| 1097821-3 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
| 1053309-2 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
| 1043217-2 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
| 1010597-2 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain ★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 990461-3 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade ★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
| 964625-3 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
| 959609 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1075321 | 3-Major | BT1075321 | AFM never exits attack_detected state after attack has stopped for global/per-virtual HW syncookies | 17.1.0, 16.1.5, 15.1.6.1 |
| 1012581-3 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1064217-2 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1071181-1 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1094177-3 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1072733-3 | 2-Critical | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
| 1070677 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 854129-2 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1076729-4 | 2-Critical | BT1076729 | TMM restarts when SSL Orchestrator processes traffic | 15.1.6.1 |
| 1029869-3 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 17.0.0, 16.1.2.2, 15.1.6.1 |
| 1029585-3 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 17.0.0, 16.1.2.2, 15.1.6.1 |
Cumulative fixes from BIG-IP v15.1.6 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1021005 | 3-Major | BT1021005 | IPI IPV6 traffic Reputation. | 17.0.0, 15.1.6 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1058509 | 1-Blocking | BT1058509 | Platform_agent crash on tenant token renewal | 17.1.0, 15.1.6 |
| 1075229 | 3-Major | BT1075229 | Jumbo frames not supported | 17.1.0, 15.1.6 |
| 1073165 | 3-Major | BT1073165 | Add IPv6 prefix length | 17.1.0, 15.1.6 |
| 1048977 | 3-Major | BT1048977 | IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled | 17.1.0, 15.1.6 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1084953 | 2-Critical | BT1084953 | CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition | 17.1.0, 15.1.6 |
| 1084929 | 2-Critical | BT1084929 | Performance drop observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition | 15.1.6 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1063173-1 | 2-Critical | BT1063173 | Blob size consistency after changes to pktclass. | 15.1.6 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1082885-2 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 965853-2 | CVE-2022-28695 | K08510472 , BT965853 | IM package file hardening ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 964489-2 | CVE-2022-28695 | K08510472 , BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1051561-2 | CVE-2022-1388 | K23605346 , BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 993981-1 | CVE-2022-28705 | K52340447 , BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 982697-5 | CVE-2022-26071 | K41440465 , BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 972489-2 | CVE-2022-35243 | K11010341 , BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
| 951257-3 | CVE-2022-26130 | K82034427 , BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 946325-2 | CVE-2022-28716 | K25451853 , BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 830361-2 | CVE-2012-6711 | K05122252 , BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1087201-5 | CVE-2022-0778 | K31323265 , BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1078721-2 | CVE-2022-27189 | K16187341 , BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1069629-3 | CVE-2022-32455 | K16852653 , BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1067993-5 | CVE-2022-28714 | K54460845 , BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1059185-2 | CVE-2022-26415 | K81952114 , BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1057801-5 | CVE-2022-28707 | K70300233 , BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1051797-2 | CVE-2018-18281 | K36462841 , BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1029629-2 | CVE-2022-28706 | K03755971 , BT1029629 | TMM may crash while processing DNS lookups | 17.0.0, 16.1.2, 15.1.5.1 |
| 1021713-3 | CVE-2022-41806 | K00721320 , BT1021713 | TMM may crash when processing AFM NAT64 policy | 17.0.0, 16.1.2, 15.1.5.1 |
| 1019161-4 | CVE-2022-29263 | K33552735 , BT1019161 | Windows installer(VPN through browser components installer) as administrator user uses temporary folder to create files ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1002565-3 | CVE-2021-23840 | K24624116 , BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 992073-4 | CVE-2022-27181 | K93543114 , BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 982757-5 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 982341-5 | CVE-2022-26835 | K53197140 , BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 975593-3 | CVE-2022-29473 | K06323049 , BT975593 | TMM may crash while processing IPSec traffic | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
| 968725-3 | CVE-2017-10661 | K04337834 , BT968725 | Linux Kernel Vulnerability CVE-2017-10661 | 16.1.0, 15.1.5.1, 14.1.5 |
| 931677-5 | CVE-2022-29479 | K64124988 , BT931677 | IPv6 hardening | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 919249-2 | CVE-2022-28859 | K47662005 , BT919249 | NETHSM installation script hardening | 16.1.0, 15.1.5.1, 14.1.4.6 |
| 915981-3 | CVE-2022-26340 | K38271531 , BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 823877-5 |
CVE-2019-10098
CVE-2020-1927 |
K25126370 , BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
| 1071365-4 | CVE-2022-29474 | K59904248 , BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1066729-3 | CVE-2022-28708 | K85054496 , BT1066729 | TMM may crash while processing DNS traffic | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1057809-5 | CVE-2022-27659 | K41877405 , BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1016657-3 | CVE-2022-26517 | K54082580 , BT1016657 | TMM may crash while processing LSN traffic | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1009049-5 | CVE-2022-27636 | K57110035 , BT1009049 | browser based vpn did not follow best practices while logging. ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1001937-3 | CVE-2022-27634 | K57555833 , BT1001937 | APM configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 713754-2 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1050537-2 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 930633-3 | 3-Major | BT930633 | Delay in using new route updates by existing connections on BIG-IP. | 16.1.0, 15.1.5.1, 14.1.4.5 |
| 1046669-2 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1033837-2 | 4-Minor | K23605346 , BT1033837 | REST authentication tokens persist on reboot ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1060149-1 | 1-Blocking | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 976669-2 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
| 957897-1 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 894133-1 | 2-Critical | BT894133 | After ISO upgrade the SSL Orchestrator guided configuration user interface is not available. ★ | 16.0.0, 15.1.5.1, 14.1.5 |
| 865329-1 | 2-Critical | BT865329 | WCCP crashes on "ServiceGroup size exceeded" exception | 16.0.0, 15.1.5.1 |
| 718573-3 | 2-Critical | BT718573 | Internal SessionDB invalid state | 16.1.0, 15.1.5.1, 14.1.4.4 |
| 1075905-1 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active | 17.1.0, 15.1.5.1, 14.1.5 |
| 1048141-2 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 999125-2 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 994305-1 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 17.0.0, 16.1.2.1, 15.1.5.1 |
| 988165-2 | 3-Major | BT988165 | VMware CPU reservation is now enforced. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 984585-1 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 968657-2 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 17.0.0, 16.1.2.1, 15.1.5.1 |
| 963541-2 | 3-Major | BT963541 | Net-snmp5.8 crash | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 943793-2 | 3-Major | BT943793 | Neurond continuously restarting. | 16.1.0, 15.1.5.1, 14.1.4 |
| 943577-2 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 919317-5 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 918409-2 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 912253-1 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 901669-4 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 755976-4 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 741702-2 | 3-Major | BT741702 | TMM crash | 16.1.0, 15.1.5.1, 14.1.4.4 |
| 730852-1 | 3-Major | BT730852 | The tmrouted repeatedly crashes and produces core when new peer device is added | 16.1.0, 15.1.5.1, 14.1.4.4 |
| 1076785 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 16.1.4, 15.1.5.1 |
| 1075729-1 | 3-Major | BT1075729 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 15.1.5.1, 14.1.5.1 |
| 1066285-3 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1063473-2 | 3-Major | BT1063473 | While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly | 17.1.0, 15.1.5.1, 14.1.5 |
| 1061797-2 | 3-Major | BT1061797 | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1060181 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. | 17.0.0, 15.1.5.1 |
| 1056993-1 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1056741 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based by SNI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1048541-2 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1047169-2 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1036613-1 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state | 17.1.0, 15.1.5.1 |
| 1032257-2 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM | 17.1.0, 15.1.5.1 |
| 1019085-1 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. ★ | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1008269-3 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 976337-1 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2, 15.1.5.1 |
| 1058677-1 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1046693-3 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1045549-3 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1040821-3 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1034589-2 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1031425-2 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1030645-3 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1024621-3 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1023817-1 | 4-Minor | BT1023817 | Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning | 17.0.0, 15.1.5.1 |
| 1002809-1 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 946481-1 | 2-Critical | BT946481 | Virtual Edition FIPS not compatible with TLS 1.3 | 16.1.0, 15.1.5.1, 14.1.4.6 |
| 910213-2 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 881401-1 | 2-Critical | BT881401 | TMM crash at Tcl_AfterCancelByUF() while deleting connections. | 16.0.0, 15.1.5.1 |
| 1080581-3 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles. ★ | 17.0.0, 16.1.3.1, 15.1.5.1 |
| 1067397 | 2-Critical | BT1067397 | TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN. | 15.1.5.1 |
| 1064617-2 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1059053-1 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1009161-1 | 2-Critical | BT1009161 | SSL mirroring protect for null sessions | 15.1.5.1, 14.1.4.5 |
| 999901-3 | 3-Major | K68816502 , BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 987077-1 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
| 967101-2 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 955617-2 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 939085-2 | 3-Major | BT939085 | /config/ssl/ssl.csr directory disappears after creating certificate archive | 16.1.0, 15.1.5.1, 14.1.4.6 |
| 937769-2 | 3-Major | BT937769 | SSL connection mirroring failure on standby with sslv2 records | 16.1.0, 15.1.5.1 |
| 936441-2 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 927713-1 | 3-Major | BT927713 | Clsh reboot hangs when executed from the primary blade. | 16.1.0, 15.1.5.1, 14.1.5 |
| 912517-2 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 910905-1 | 3-Major | BT910905 | TMM crash when processing virtual server traffic with TLS/SSL session cache enabled | 15.1.5.1, 14.1.4.4 |
| 910673-4 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 17.0.0, 16.1.2.1, 15.1.5.1 |
| 902377-2 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 892485-2 | 3-Major | BT892485 | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | 16.1.0, 15.1.5.1, 14.1.4.6 |
| 892073-3 | 3-Major | BT892073 | TLS1.3 LTM policy rule based on SSL SNI is not triggered | 16.0.0, 15.1.5.1, 14.1.4.6 |
| 872721-3 | 3-Major | BT872721 | SSL connection mirroring intermittent failure with TLS1.3 | 16.0.0, 15.1.5.1, 14.1.4.5 |
| 838353-1 | 3-Major | BT838353 | MQTT monitor is not working in route domain. | 16.0.0, 15.1.5.1, 14.1.4.6 |
| 825245-4 | 3-Major | BT825245 | SSL::enable does not work for server side ssl | 16.0.0, 15.1.5.1, 14.1.4.6 |
| 803109-3 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 794385-3 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 793669-5 | 3-Major | BT793669 | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 760406-1 | 3-Major | BT760406 | HA connection might stall on Active device when the SSL session cache becomes out-of-sync. | 16.0.0, 15.1.5.1, 14.1.4.1 |
| 672963-2 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1068561 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1058469-2 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1056401-3 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1052929-3 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1043357-3 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1031609 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package. ★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
| 1029897-2 | 3-Major | K63312282 , BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1024841-1 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1023341-2 | 3-Major | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 | |
| 1019609 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM. ★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
| 1017513-3 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
| 1016449-2 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1016049-4 | 3-Major | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1015161-2 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
| 1008501-3 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1008009-2 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
| 838305-7 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 801705-6 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 16.0.0, 15.1.5.1, 14.1.3.1, 13.1.3.6 |
| 717806-1 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1064669-2 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1048433 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation. ★ | 16.1.2.1, 15.1.5.1 |
| 1045913-3 | 4-Minor | BT1045913 | COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression | 15.1.5.1, 14.1.4.5 |
| 1026605-4 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1026005-2 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1016441-3 | 4-Minor | K11342432 , BT1016441 | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 968581-2 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 873249-1 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1062513-3 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1027657-3 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1010617-3 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 874221-1 | 3-Major | BT874221 | DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd | 16.1.0, 15.1.5.1 |
| 872037-2 | 3-Major | BT872037 | DNS::header rd does not set the Recursion desired | 16.1.0, 15.1.5.1 |
| 1046785-3 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
| 1044425-3 | 3-Major | K85021277 , BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1039205 | 3-Major | BT1039205 | DNSSEC key stored on netHSM fails to generate if the key name length is > 24 | 15.1.5.1, 14.1.4.6 |
| 1020337-1 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1018613-3 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 885869-2 | 4-Minor | BT885869 | Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime | 16.0.0, 15.1.5.1, 14.1.4 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1069449-2 | 2-Critical | K39002226 , BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 965785-2 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 961509-2 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 926845-5 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 921697-3 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error. ★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
| 818889-2 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1072197-2 | 3-Major | K94142349 , BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1067285-2 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1066829-2 | 3-Major | BT1066829 | Memory leak for xml/json auto-detected parameter with signature patterns. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1060933-2 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1051213-2 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1051209-2 | 3-Major | K53593534 , BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1047389-2 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1043533-1 | 3-Major | BT1043533 | Unable to pick up the properties of the parameters from audit reports. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1043385-3 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1042605-3 | 3-Major | BT1042605 | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above ★ | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1041149-2 | 3-Major | BT1041149 | Staging of URL does not affect apply value signatures | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1038733-3 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1037457-2 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1030853-2 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1023993-3 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1012221-2 | 3-Major | BT1012221 | The childInheritanceStatus is not compatible with parentInheritanceStatus ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1011069-3 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1008849-3 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 844045-3 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 842029-2 | 4-Minor | BT842029 | Unable to create policy: Inherited values may not be changed. | 16.0.0, 15.1.5.1, 14.1.5 |
| 1050697-5 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1038741-3 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1036521-3 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1035361-2 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1034941-2 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1020717-3 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1038913-3 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 883841-1 | 3-Major | BT883841 | APM now displays icons of all sizes what Horizon VCS supports. | 16.0.0, 15.1.5.1 |
| 827393-2 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
| 423519-3 | 3-Major | K74302282 , BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
| 1045229-2 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
| 1044121-2 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1007109-1 | 2-Critical | BT1007109 | Flowmap entry is deleted before updating its timeout to INDEFINITE | 16.1.0, 15.1.5.1, 14.1.4.6 |
| 957905-2 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1061929 | 2-Critical | BT1061929 | Unable to perform IPI update (through proxy) after upgrade to 15.1.4. ★ | 17.0.0, 15.1.5.1 |
| 1058645-1 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. | 17.0.0, 15.1.5.1, 14.1.4.6 |
| 980593 | 3-Major | BT980593 | LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table | 16.1.0, 15.1.5.1 |
| 929909-2 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1079637 | 3-Major | BT1079637 | Incorrect Neuron rule order | 17.0.0, 16.1.3, 15.1.5.1 |
| 1067393-1 | 3-Major | BT1067393 | MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool. ★ | 17.0.0, 16.1.5, 15.1.5.1 |
| 1063681-1 | 3-Major | BT1063681 | PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn. | 17.0.0, 15.1.5.1 |
| 1008265-3 | 3-Major | K92306170 , BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond ★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
| 1072057-2 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1028269-1 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 17.0.0, 16.1.2.2, 15.1.5.1 |
| 1019613-3 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 873617-2 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1060409-3 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1033829-1 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
| 1052153 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940261-3 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 944121-1 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1050969-2 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
| 1055361-2 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 17.0.0, 16.1.2.1, 15.1.5.1 |
Cumulative fixes from BIG-IP v15.1.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 1056933-5 | CVE-2022-26370 | K51539421 , BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| 1047053-2 | CVE-2022-28691 | K37155600 , BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
| 1045101-3 | CVE-2022-26890 | K03442392 , BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
| 997193-1 | CVE-2022-23028 | K16101409 , BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 16.1.0, 15.1.5, 14.1.4.5, 13.1.5 |
| 940185-2 | CVE-2022-23023 | K11742742 , BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
| 1065789-2 | CVE-2023-24594 | K000133132 , BT1065789 | TMM may send duplicated alerts while processing SSL connections | 17.0.0, 16.1.2.1, 15.1.5 |
| 1047089 | CVE-2022-29491 | K14229426 , BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| 1000021-5 | CVE-2022-27182 | K31856317 , BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1015133-3 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 749332-2 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
| 1040929 | 2-Critical | BT1040929 | Change F5OS BIG-IP tenant name from VELOS to F5OS. | 15.1.5 |
| 1004929-2 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5 |
| 996001-1 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 940177-1 | 3-Major | BT940177 | Certificate instances tab shows incorrect number of instances in certain conditions | 16.1.0, 15.1.5 |
| 888869-2 | 3-Major | BT888869 | GUI reports General Database Error when accessing Instances Tab of SSL Certificates | 16.1.0, 15.1.5 |
| 1055785 | 3-Major | BT1055785 | SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard. | 15.1.5 |
| 1048917 | 3-Major | BT1048917 | Image2disk does not work on F5OS BIG-IP tenant. ★ | 15.1.5 |
| 1032949 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 17.0.0, 16.1.2.1, 15.1.5 |
| 1022637-2 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
| 1019793 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant. ★ | 17.1.0, 15.1.5 |
| 528894-6 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1053809 | 1-Blocking | BT1053809 | TMM crashes while running L4 Max concurrent connections | 17.1.0, 15.1.5 |
| 1064649-1 | 2-Critical | BT1064649 | Tmm crash after upgrade. ★ | 17.0.0, 15.1.5 |
| 1060093 | 2-Critical | BT1060093 | Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues. ★ | 17.1.0, 15.1.5 |
| 1056213 | 2-Critical | BT1056213 | TMM core due to freeing of connflow, assuming it as http data. | 15.1.5 |
| 1040361-2 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
| 1013181-2 | 2-Critical | BT1013181 | TMM may produce core when dynamic CRL check is enabled on the client SSL profile | 16.1.0, 15.1.5 |
| 999097-3 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 967093-1 | 3-Major | BT967093 | In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail | 17.0.0, 15.1.5 |
| 686395-3 | 3-Major | BT686395 | With DTLS version1, when client hello uses version1.2, handshake shall proceed | 15.1.5, 12.1.3.4 |
| 608952-1 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 16.0.0, 15.1.5, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
| 1038629 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
| 1034365-2 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 15.1.5, 14.1.4.5, 13.1.5 |
| 1015201 | 3-Major | BT1015201 | HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. | 15.1.5, 14.1.4.4 |
| 1007749-1 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 17.0.0, 16.1.2.1, 15.1.5 |
| 1024761-3 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 17.0.0, 16.1.2.1, 15.1.5 |
| 1005109-2 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 898929-4 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1035853-3 | 2-Critical | K41415626 , BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
| 935249-2 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 17.0.0, 16.1.2.1, 15.1.5 |
| 1039553-2 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 17.0.0, 16.1.2.1, 15.1.5 |
| 1024553-2 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 15.1.5, 14.1.4.5, 13.1.5 |
| 1021061-3 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
| 1011285-2 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 16.1.0, 15.1.5, 13.1.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 993613-5 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
| 984593-2 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
| 907025-3 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 885765-3 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 580715-2 | 3-Major | BT580715 | ASM is not sending 64 KB remote logs over UDP | 17.0.0, 15.1.5 |
| 1004069-1 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
| 886865-1 | 4-Minor | BT886865 | P3P header is added for all browsers, but required only for Internet Explorer | 16.1.0, 15.1.5, 14.1.4.5 |
| 1016033-2 | 4-Minor | BT1016033 | Remote logging of WS/WSS shows date_time equal to Unix epoch start time | 17.0.0, 16.1.5, 15.1.5 |
| 1002385-3 | 4-Minor | K67397230 , BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1009093-1 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 17.0.0, 16.1.2.1, 15.1.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 883889-3 | 2-Critical | BT883889 | Tmm might crash when under memory pressure | 16.0.0, 15.1.5, 14.1.4.5 |
| 997761-2 | 3-Major | BT997761 | Subsessionlist entries leak if there is no RADIUS accounting agent in policy | 16.1.0, 15.1.5 |
| 973673-1 | 3-Major | BT973673 | CPU spikes when the LDAP operational timeout is set to 180 seconds | 16.1.0, 15.1.5 |
| 926973-1 | 3-Major | BT926973 | APM / OAuth issue with larger JWT validation | 16.1.0, 15.1.5 |
| 828761-1 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 738593-2 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
| 1020561-1 | 3-Major | BT1020561 | Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case | 17.0.0, 15.1.5 |
| 942965-2 | 4-Minor | BT942965 | Local users database can sometimes take more than 5 minutes to sync to the standby device | 16.1.0, 15.1.5, 14.1.4.5 |
| 886841-1 | 4-Minor | BT886841 | Allow LDAP Query and HTTP Connector for API Protection policies | 16.0.0, 15.1.5 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1029397-1 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
| 1039329-1 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 919465-2 | 2-Critical | BT919465 | A dwbld core on configuration changes on IP Intelligence policy | 16.0.0, 15.1.5 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 956013-1 | 3-Major | BT956013 | System reports{{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 922665-2 | 3-Major | BT922665 | The admd process is terminated by watchdog on some heavy load configuration process | 16.1.0, 15.1.5, 14.1.4.5 |
| 1023437-3 | 3-Major | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1050273-2 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. | 17.0.0, 16.1.3.1, 15.1.5 |
| 1038669-2 | 3-Major | BT1038669 | Antserver keeps restarting. | 17.0.0, 16.1.2, 15.1.5 |
| 1032797-2 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 17.0.0, 16.1.2, 15.1.5 |
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 999933-3 | CVE-2022-23017 | K28042514 , BT999933 | TMM may crash while processing DNS traffic on certain platforms | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 991421-3 | CVE-2022-23016 | K91013510 , BT991421 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2, 15.1.4.1 |
| 989701-5 | CVE-2020-25212 | K42355373 , BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 989637-3 | CVE-2022-23015 | K08476614 , BT989637 | TMM may crash while processing SSL traffic | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 988549-5 | CVE-2020-29573 | K27238230 , BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 968893-2 | CVE-2022-23014 | K93526903 , BT968893 | TMM crash when processing APM traffic | 17.0.0, 16.1.2, 15.1.4.1 |
| 966901-2 | CVE-2020-14364 | K09081535 , BT966901 | CVE-2020-14364: Qemu Vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 940317-4 | CVE-2020-13692 | K23157312 , BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 910517-1 | CVE-2022-23012 | K26310765 , BT910517 | TMM may crash while processing HTTP traffic | 15.1.4.1, 14.1.4.5 |
| 550928-5 | CVE-2022-23010 | K34360320 , BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1032405-3 | CVE-2021-23037 | K21435974 , BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1030689-2 | CVE-2022-23019 | K82793463 , BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1028669-5 | CVE-2019-9948 | K28622040 , BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1028573-5 | CVE-2020-10878 | K40508224 , BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1028497-5 | CVE-2019-15903 | K05295469 , BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1012365-2 | CVE-2021-20305 | K33101555 , BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1007489-5 | CVE-2022-23018 | K24358905 , BT1007489 | TMM may crash while handling specific HTTP requests ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 988589-5 | CVE-2019-25013 | K68251873 | CVE-2019-25013 glibc vulnerability: buffer over-read in iconv | 15.1.4.1 |
| 981693-1 | CVE-2022-23024 | K54892865 , BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 16.1.0, 15.1.4.1, 14.1.4.2, 13.1.5 |
| 975589-4 | CVE-2020-8277 | K07944249 , BT975589 | CVE-2020-8277 Node.js vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 974341-2 | CVE-2022-23026 | K08402414 , BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 973409-5 | CVE-2020-1971 | K42910051 , BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
| 941649-2 | CVE-2021-23043 | K63163637 , BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1009725-3 | CVE-2022-23030 | K53442005 , BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1008077-5 | CVE-2022-23029 | K50343028 , BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1001369-2 | CVE-2020-12049 | K16729408 | D-Bus vulnerability CVE-2020-12049 | 15.1.4.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 754335-3 | 3-Major | BT754335 | Install ISO does not boot on BIG-IP VE ★ | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 985953-3 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1042993-2 | 1-Blocking | K19272127 , BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1039049 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 997313-3 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder ★ | 17.0.0, 16.1.2, 15.1.4.1 |
| 942549-2 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 897509-1 | 2-Critical | BT897509 | IPsec SAs are missing on HA standby, leading to packet drops after failover | 16.1.0, 15.1.4.1 |
| 831821-1 | 2-Critical | BT831821 | Corrupted DAG packets causes bcm56xxd core on VCMP host | 16.0.0, 15.1.4.1, 14.1.4.5 |
| 1043277-3 | 2-Critical | BT1043277 | 'No access' error page displays for APM policy export and apply options. | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 992053-1 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows | 17.1.0, 15.1.4.1 |
| 965205-2 | 3-Major | BT965205 | BIG-IP dashboard downloads unused widgets | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 958093-3 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 947529-2 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 940885-2 | 3-Major | BT940885 | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 922185-1 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth' ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 909197-3 | 3-Major | BT909197 | The mcpd process may become unresponsive | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
| 900933-1 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5 |
| 887117-2 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 17.0.0, 16.1.1, 15.1.4.1 |
| 881085-3 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 873641-1 | 3-Major | BT873641 | Re-offloading of TCP flows to hardware does not work | 16.0.0, 15.1.4.1 |
| 856953-4 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 16.0.0, 15.1.4.1, 14.1.2.8, 13.1.5 |
| 809657-7 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1045421-2 | 3-Major | K16107301 , BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1032737-1 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 17.0.0, 16.1.2, 15.1.4.1 |
| 1032077-2 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1027713 | 3-Major | BT1027713 | SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment. | 15.1.4.1 |
| 1026549-3 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1024877-2 | 3-Major | BT1024877 | Systemd[]: systemd-ask-password-serial.service failed. | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 1019429-3 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | 17.0.0, 16.1.5, 15.1.4.1 |
| 1018309-3 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 17.0.0, 16.1.1, 15.1.4.1 |
| 1015093-3 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table | 15.1.4.1, 14.1.4.5 |
| 1010245-1 | 3-Major | BT1010245 | Duplicate ipsec-sa SPI values shown by tmsh command | 16.1.0, 15.1.4.1 |
| 1009949-2 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
| 1003257-4 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 988533-1 | 4-Minor | BT988533 | GRE-encapsulated MPLS packet support | 17.0.0, 15.1.4.1, 14.1.4.5 |
| 966073-1 | 4-Minor | BT966073 | GENEVE protocol support | 16.1.0, 15.1.4.1 |
| 884165-3 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1030845-2 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 862885-2 | 2-Critical | BT862885 | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 1020645-1 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
| 985433-2 | 3-Major | BT985433 | Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. | 16.1.0, 15.1.4.1 |
| 978833-2 | 3-Major | BT978833 | Use of CRL-based Certificate Monitoring Causes Memory Leak | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 965037-1 | 3-Major | BT965037 | SSL Orchestrator does not send HTTP CONNECT tunnel payload to services | 16.1.0, 15.1.4.1 |
| 963705-3 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 915773-1 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
| 904041-2 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 803629-7 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 758041-1 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 16.0.0, 15.1.4.1, 14.1.2.7, 13.1.3.5 |
| 723112-8 | 3-Major | BT723112 | LTM policies does not work if a condition has more than 127 matches | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 1023365-1 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 17.0.0, 16.1.2, 15.1.4.1 |
| 1018577-3 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1012009-1 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash | 15.1.4.1 |
| 1008017-5 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1006781-1 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 17.0.0, 16.1.2.2, 15.1.4.1 |
| 949721-2 | 4-Minor | BT949721 | QUIC does not send control frames in PTO packets | 16.1.0, 16.0.1.2, 15.1.4.1 |
| 936773-2 | 4-Minor | BT936773 | Improve logging for "double flow removal" TMM Oops | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 936557-2 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 890881-4 | 4-Minor | BT890881 | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 1031901-1 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 17.0.0, 16.1.2, 15.1.4.1 |
| 1002945-2 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 933405-2 | 1-Blocking | K34257075 , BT933405 | Zonerunner GUI hangs when attempting to list Resource Records | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
| 1009037-3 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 847105-2 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired ★ | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1021417-3 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 997137-3 | 2-Critical | K80945213 , BT997137 | CSRF token modification may allow WAF bypass on GET requests | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 912149-5 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 879841-4 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1019853-2 | 2-Critical | K30911244 , BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1011065-2 | 2-Critical | K39002226 , BT1011065 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1 |
| 1011061-2 | 2-Critical | K39002226 , BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 948805-1 | 3-Major | BT948805 | False positive "Null in Request" | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 945789-1 | 3-Major | BT945789 | Live update cannot resolve hostname if IPv6 is configured. | 16.1.0, 15.1.4.1 |
| 932133-2 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 920149-1 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
| 914277-2 | 3-Major | BT914277 | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.4 |
| 904133-1 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | 16.0.0, 15.1.4.1, 14.1.4.4 |
| 882377-3 | 3-Major | BT882377 | ASM Application Security Editor Role User can update/install ASU | 16.0.0, 15.1.4.1, 14.1.2.5 |
| 857633-7 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 842013-3 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 753715-2 | 3-Major | BT753715 | False positive JSON max array length violation | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1042069-2 | 3-Major | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 | |
| 1017153-2 | 3-Major | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1039805 | 4-Minor | BT1039805 | Save button in Response and Blocking Pages section is enabled when there are no changes to save. | 15.1.4.1 |
| 1003765-1 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 16.1.4, 15.1.4.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932137-5 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 922105-3 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 832805-2 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 787677-5 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1035133-3 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 948113-3 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1027217 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 17.0.0, 16.1.2, 15.1.4.1 |
| 860617-3 | 2-Critical | BT860617 | Radius sever pool without attaching the load balancing algorithm will result into core | 16.0.0, 15.1.4.1, 14.1.4.5 |
| 817137-1 | 2-Critical | BT817137 | SSO setting for Portal Access resources in webtop sections cannot be updated. | 16.0.0, 15.1.4.1 |
| 1006893-2 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 998473-2 | 3-Major | BT998473 | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) | 16.1.0, 15.1.4.1 |
| 993457-2 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 969317-3 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
| 964037 | 3-Major | BT964037 | Error: Exception response while loading properties from server | 15.1.4.1 |
| 949477-1 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet | 16.1.0, 15.1.4.1, 14.1.4.4 |
| 933129-2 | 3-Major | BT933129 | Portal Access resources are visible when they should not be | 16.0.0, 15.1.4.1 |
| 932213-2 | 3-Major | BT932213 | Local user db not synced to standby device when it is comes online after forced offline state | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 918717-2 | 3-Major | BT918717 | Exception at rewritten Element.innerHTML='<a href></a>' | 16.1.0, 15.1.4.1 |
| 915509-1 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 891613-1 | 3-Major | BT891613 | RDP resource with user-defined address cannot be launched from webtop with modern customization | 16.1.0, 15.1.4.1 |
| 1021485-2 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1017233-1 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 17.0.0, 16.1.2, 15.1.4.1 |
| 1007677-1 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 17.0.0, 16.1.2.1, 15.1.4.1 |
| 1007629-1 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1002557-2 | 3-Major | BT1002557 | Tcl free object list growth | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1001337-1 | 3-Major | BT1001337 | Cannot read single sign-on configuration from GUI when logged in as guest | 15.1.4.1, 14.1.4.5 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1012721-1 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
| 1012533-1 | 2-Critical | BT1012533 | `HTTP2::disable serverside` can cause cores | 15.1.4.1 |
| 1007113-1 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
| 1025529-1 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
| 1018285-1 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 17.0.0, 16.1.2, 15.1.4.1 |
| 1003633-3 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 968533 | 2-Critical | BT968533 | Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. | 15.1.4.1 |
| 1049229-2 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 997169 | 3-Major | BT997169 | AFM rule not triggered | 17.1.2, 15.1.4.1 |
| 995433 | 3-Major | BT995433 | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | 16.1.0, 15.1.4.1, 14.1.4.5 |
| 1032329 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. | 16.1.5, 15.1.4.1 |
| 1031909-1 | 3-Major | BT1031909 | NAT policies page unusable due to the page load time | 15.1.4.1 |
| 987345-1 | 5-Cosmetic | BT987345 | Disabling periodic-refresh-log has no effect | 16.1.0, 15.1.4.1 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 981689-2 | 2-Critical | BT981689 | TMM memory leak with IPsec ALG | 16.1.0, 15.1.4.1, 14.1.4.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 984657-3 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 16.1.5, 16.0.1.2, 15.1.4.1 |
| 686783-2 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
| 1032689-3 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 929213-1 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 946185-1 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.' ★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 949933-1 | CVE-2021-22980 | K29282483 , BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4, 13.1.3.6 |
| 937333-2 | CVE-2022-23013 | K29500533 , BT937333 | Incomplete validation of input in unspecified forms | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 889045-3 | CVE-2022-23011 | K68755210 , BT889045 | Virtual server may stop responding while processing TCP traffic | 16.0.0, 15.1.4 |
| 1017973-2 | CVE-2021-25215 | K96223611 , BT1017973 | BIND Vulnerability CVE-2021-25215 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 1017965-2 | CVE-2021-25214 | K11426315 , BT1017965 | BIND Vulnerability CVE-2021-25214 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 981273-2 | CVE-2021-23054 | K41997459 , BT981273 | APM webtop hardening | 16.1.0, 15.1.4, 14.1.5, 13.1.5 |
| 979877-10 | CVE-2020-1971 | K42910051 , BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
| 965485-3 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 954425-2 | CVE-2022-23031 | K61112120 , BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
| 949889-3 | CVE-2019-3900 | K04107324 , BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 887965-1 | CVE-2022-23027 | K30573026 , BT887965 | Virtual server may stop responding while processing TCP traffic | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 819053 | CVE-2019-13232 | K80311892 , BT819053 | CVE-2019-13232 unzip: overlapping of files in ZIP container | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
| 803965-7 | CVE-2018-20843 | K51011533 , BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
| 797797-4 | CVE-2019-11811 | K01512680 , BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 797769-9 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 | 16.1.0, 16.0.1.2, 15.1.4, 13.1.4.1 |
| 1013569 | CVE-2022-31473 | K34893234 , BT1013569 | Hardening of iApps processing | 17.0.0, 16.1.1, 15.1.4 |
| 1008561-1 | CVE-2022-23025 | K44110411 , BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 968733-6 | CVE-2018-1120 | K42202505 , BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
| 939421-2 | CVE-2020-10029 | K38481791 , BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 913729-5 | 2-Critical | BT913729 | Support for DNSSEC Lookaside Validation (DLV) has been removed. | 16.1.0, 16.0.1.2, 15.1.4 |
| 907765-1 | 2-Critical | BT907765 | BIG-IP system does not respond to ARP requests if it has a route to the source IP address | 16.1.0, 15.1.4 |
| 1014433 | 2-Critical | BT1014433 | Time stamp format is not the same for all LTM logs | 15.1.4 |
| 948073-2 | 3-Major | BT948073 | Dual stack download support for IP Intelligence Database | 17.0.0, 15.1.4 |
| 923301-2 | 3-Major | BT923301 | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 911141-3 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 876937-3 | 3-Major | BT876937 | DNS Cache not functioning | 16.0.0, 15.1.4, 14.1.4.3 |
| 866073-2 | 3-Major | BT866073 | Add option to exclude stats collection in qkview to avoid very large data files | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 1001865-2 | 3-Major | No platform trunk information passed to tenant | 17.1.0, 15.1.4 | |
| 751032-5 | 4-Minor | BT751032 | TCP receive window may open too slowly after zero-window | 16.0.0, 15.1.4, 14.1.4.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1032761 | 1-Blocking | BT1032761 | HA mirroring may not function correctly. | 17.1.0, 15.1.4 |
| 1004833-2 | 1-Blocking | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
| 1002109-3 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 988645 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted | 17.1.0, 15.1.4 |
| 987113-1 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic | 17.1.0, 15.1.4, 14.1.5 |
| 980325-5 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 974241-1 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 17.0.0, 16.1.1, 15.1.4 |
| 967905-2 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
| 950673-3 | 2-Critical | BT950673 | Hardware Syncookie mode not cleared when deleting/changing virtual server config. | 16.1.0, 15.1.4 |
| 944513-2 | 2-Critical | BT944513 | Apache configuration file hardening | 16.1.0, 15.1.4, 14.1.4.6 |
| 941893-3 | 2-Critical | BT941893 | VE performance tests in Azure causes loss of connectivity to objects in configuration | 16.1.0, 15.1.4 |
| 928029-2 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 17.1.0, 15.1.4, 14.1.3 |
| 1027637 | 2-Critical | BT1027637 | System controller failover may cause dropped requests | 17.1.0, 15.1.4 |
| 1016633 | 2-Critical | BT1016633 | iprep.protocol with auto-detect fails when DNS takes time to resolve | 15.1.4 |
| 1004517-2 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 17.1.0, 15.1.4, 14.1.4.3 |
| 1000973-3 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
| 998221-3 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 996593-2 | 3-Major | BT996593 | Password change through REST or GUI not allowed if the password is expired | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 992865 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
| 988793 | 3-Major | BT988793 | SecureVault on BIG-IP tenant does not store unit key securely | 17.1.0, 15.1.4 |
| 985537-1 | 3-Major | BT985537 | Upgrade Microsoft Hyper-V driver ★ | 16.1.0, 15.1.4 |
| 976505-2 | 3-Major | BT976505 | Rotated restnoded logs will fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 975809-1 | 3-Major | BT975809 | Rotated restjavad logs fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 973201-2 | 3-Major | BT973201 | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions ★ | 16.1.0, 15.1.4, 14.1.4 |
| 969713-1 | 3-Major | BT969713 | IPsec interface mode tunnel may fail to pass packets after first IPsec rekey | 16.1.0, 15.1.4 |
| 969105-2 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 964941-1 | 3-Major | BT964941 | IPsec interface-mode tunnel does not initiate or respond after config change | 16.1.0, 15.1.4 |
| 959629-2 | 3-Major | BT959629 | Logintegrity script for restjavad/restnoded fails | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 958353-2 | 3-Major | BT958353 | Restarting the mcpd messaging service renders the PAYG VE license invalid. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 956293-2 | 3-Major | BT956293 | High CPU from analytics-related REST calls - Dashboard TMUI | 16.1.0, 15.1.4, 14.1.4.4 |
| 946089-2 | 3-Major | BT946089 | BIG-IP might send excessive multicast/broadcast traffic. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 932497-3 | 3-Major | BT932497 | Autoscale groups require multiple syncs of datasync-global-dg | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 928697-2 | 3-Major | BT928697 | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | 16.1.0, 16.0.1.2, 15.1.4 |
| 919305-2 | 3-Major | BT919305 | Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS. | 17.1.0, 15.1.4 |
| 913849-1 | 3-Major | BT913849 | Syslog-ng periodically logs nothing for 20 seconds | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 908601-2 | 3-Major | BT908601 | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 895781-2 | 3-Major | BT895781 | Round Robin disaggregation does not disaggregate globally | 16.0.0, 15.1.4 |
| 880289 | 3-Major | BT880289 | FPGA firmware changes during configuration loads ★ | 16.1.0, 15.1.4 |
| 850193-4 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | 16.0.0, 15.1.4, 14.1.4.4 |
| 849157-2 | 3-Major | BT849157 | An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck | 16.0.0, 15.1.4 |
| 841277-7 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap | 16.0.0, 15.1.4, 14.1.4.3 |
| 827033-1 | 3-Major | BT827033 | Boot marker is being logged before shutdown logs | 16.0.0, 15.1.4, 14.1.4.4 |
| 746861-3 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated ★ | 16.0.0, 15.1.4, 14.1.2.5 |
| 1029105 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 16.1.4, 15.1.4 |
| 1024853 | 3-Major | BT1024853 | Platform Agent logs to ERROR severity on success | 15.1.4 |
| 1013649-4 | 3-Major | BT1013649 | Leftover files in /var/run/key_mgmt after key export | 16.1.0, 15.1.4 |
| 1010393-4 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 1008837-2 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
| 1002761-1 | 3-Major | BT1002761 | SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure | 17.0.0, 16.0.1.2, 15.1.4 |
| 962249-2 | 4-Minor | BT962249 | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm | 17.1.0, 15.1.4 |
| 921365-1 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 17.0.0, 16.1.2, 15.1.4 |
| 921065 | 4-Minor | BT921065 | BIG-IP systems not responding to DPD requests from initiator after failover | 16.1.0, 15.1.4 |
| 898441-1 | 4-Minor | BT898441 | Enable logging of IKE keys | 16.1.0, 15.1.4, 14.1.4.4 |
| 1004417-3 | 4-Minor | BT1004417 | Provisioning error message during boot up ★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1029357 | 1-Blocking | BT1029357 | Performance drop during traffic test on VIPRION (B2250, C2400) platforms | 15.1.4 |
| 945997-2 | 2-Critical | BT945997 | LTM policy applied to HTTP/2 traffic may crash TMM | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 943101-2 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 17.1.0, 15.1.4, 14.1.3 |
| 942185-2 | 2-Critical | BT942185 | Non-mirrored persistence records may accumulate over time | 16.1.0, 16.0.1.2, 15.1.4 |
| 934461-2 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 17.1.0, 15.1.4, 14.1.3 |
| 1039145-3 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. | 17.0.0, 15.1.4 |
| 1005489-2 | 2-Critical | BT1005489 | iRules with persist command might result in tmm crash. | 16.1.0, 16.0.1.2, 15.1.4 |
| 997929-3 | 3-Major | BT997929 | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 969637-2 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade ★ | 16.1.0, 15.1.4, 14.1.4.4 |
| 963713-1 | 3-Major | BT963713 | HTTP/2 virtual server with translate-disable can core tmm | 16.1.0, 15.1.4 |
| 956133-3 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading. ★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
| 944641-1 | 3-Major | BT944641 | HTTP2 send RST_STREAM when exceeding max streams | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4 |
| 941481-2 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory | 16.1.0, 15.1.4, 14.1.4.4 |
| 941257-1 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 940665-1 | 3-Major | BT940665 | DTLS 1.0 support for PFS ciphers | 16.1.0, 16.0.1.2, 15.1.4 |
| 930385-3 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 17.1.0, 15.1.4, 14.1.3 |
| 912425-3 | 3-Major | BT912425 | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 891373-2 | 3-Major | BT891373 | BIG-IP does not shut a connection for a HEAD request | 16.1.0, 16.0.1.2, 15.1.4 |
| 882549-2 | 3-Major | BT882549 | Sock driver does not use multiple queues in unsupported environments | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 819329-4 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 16.1.0, 16.0.1.2, 15.1.4, 14.1.3.1, 13.1.5 |
| 818833-1 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency | 16.0.0, 15.1.4, 14.1.4.4 |
| 760050-8 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 16.0.0, 15.1.4, 14.1.2.7, 13.1.4.1 |
| 1020941-2 | 3-Major | BT1020941 | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | 16.1.0, 15.1.4, 14.1.4.5 |
| 1016113-3 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 17.0.0, 16.1.2, 15.1.4 |
| 962433-4 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 15.1.4, 14.1.4.3, 13.1.4.1 |
| 962177-2 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
| 912945-2 | 4-Minor | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
| 895557-2 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 751586-3 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 16.0.0, 15.1.4, 14.1.2.1, 13.1.3.4, 12.1.4.1 |
| 1018493-2 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 910633-1 | 2-Critical | BT910633 | Continuous 'neurond restart' message on console | 16.0.0, 15.1.4 |
| 1004633-3 | 2-Critical | BT1004633 | Performance degradation on KVM and VMware platforms. | 16.1.0, 15.1.4 |
| 948417-2 | 3-Major | BT948417 | Network Management Agent (Azure NMAgent) updates causes Kernel Panic | 16.1.0, 15.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1039069-2 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. ★ | 17.0.0, 16.1.1, 15.1.4 |
| 995853-2 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 918597-5 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 993489-3 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 973261-2 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 912001-3 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 864797-2 | 3-Major | BT864797 | Cached results for a record are sent following region modification | 16.1.0, 15.1.4, 14.1.4.4 |
| 857953-2 | 4-Minor | BT857953 | Non-functional disable/enable buttons present in GTM wide IP members page | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 996381-3 | 2-Critical | K41503304 , BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
| 970329-3 | 2-Critical | K70134152 , BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 965229-2 | 2-Critical | BT965229 | ASM Load hangs after upgrade ★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 957965-1 | 2-Critical | BT957965 | Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' | 16.1.0, 15.1.4 |
| 898365-1 | 2-Critical | BT898365 | XML Policy cannot be imported | 16.0.0, 15.1.4 |
| 854001-2 | 2-Critical | BT854001 | TMM might crash in case of trusted bot signature and API protected url | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 791669-2 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
| 1017645-2 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
| 986937-1 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4 |
| 981785-3 | 3-Major | BT981785 | Incorrect incident severity in Event Correlation statistics | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 981069-1 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 17.0.0, 16.1.1, 15.1.4 |
| 964245-2 | 3-Major | BT964245 | ASM reports and enforces username always | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 963485-1 | 3-Major | BT963485 | Performance issue with data guard | 16.1.0, 15.1.4 |
| 963461-1 | 3-Major | BT963461 | ASM performance drop on the response side | 16.1.0, 16.0.1.2, 15.1.4 |
| 962589-2 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
| 962497 | 3-Major | BT962497 | BD crash after ICAP response | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 955017-2 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
| 951133-2 | 3-Major | BT951133 | Live Update does not work properly after upgrade ★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 950917-1 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 946081-1 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 928717-3 | 3-Major | BT928717 | [ASM - AWS] - ASU fails to sync | 16.1.0, 15.1.4, 14.1.4.4 |
| 922261-2 | 3-Major | BT922261 | WebSocket server messages are logged even it is not configured | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 920197-3 | 3-Major | BT920197 | Brute force mitigation can stop mitigating without a notification | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 912089-2 | 3-Major | BT912089 | Some roles are missing necessary permission to perform Live Update | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 907337-2 | 3-Major | BT907337 | BD crash on specific scenario | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 888289-1 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 883853-2 | 3-Major | BT883853 | Bot Defense Profile with staged signatures prevents signature update ★ | 16.0.0, 15.1.4, 14.1.4.2 |
| 867825-4 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
| 862793-1 | 3-Major | BT862793 | ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation | 16.0.0, 15.1.4 |
| 846181-3 | 3-Major | BT846181 | Request samples for some of the learning suggestions are not visible | 16.0.0, 15.1.4, 14.1.4.2 |
| 837333-1 | 3-Major | BT837333 | User cannot update blocking response pages after upgrade ★ | 16.0.0, 15.1.4 |
| 830341-2 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 802873-2 | 3-Major | BT802873 | Manual changes to policy imported as XML may introduce corruption for Login Pages | 16.0.0, 15.1.4, 14.1.2.7 |
| 673272-2 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4 |
| 1022269-2 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 1005105-1 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
| 1000741-3 | 3-Major | K67397230 , BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
| 952509-2 | 4-Minor | BT952509 | Cross origin AJAX requests are blocked in case there is no Origin header | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 944441-2 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 941929-2 | 4-Minor | BT941929 | Google Analytics shows incorrect stats, when Google link is redirected. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 941625-1 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 17.0.0, 16.1.1, 15.1.4 |
| 941249-2 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
| 911729-2 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 1004537-1 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 17.0.0, 16.1.2, 15.1.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 965581-2 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 17.1.0, 15.1.4, 14.1.4 |
| 932485-3 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 926341-2 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade ★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 913085-1 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 909161-3 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 833113-6 | 3-Major | BT833113 | Avrd core when sending large messages via https | 16.0.0, 15.1.4, 15.0.1.3, 14.1.4.3, 13.1.3.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 934393-2 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 17.1.0, 15.1.4, 14.1.3 |
| 995029-3 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery | 16.1.0, 15.1.4, 14.1.4.2 |
| 891505-3 | 2-Critical | BT891505 | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | 16.0.0, 15.1.4, 14.1.2.8 |
| 874949-1 | 2-Critical | BT874949 | TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. | 16.0.0, 15.1.4 |
| 997641 | 3-Major | BT997641 | APM policy ending with redirection results in policy execution failure | 15.1.4 |
| 984765-1 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) ★ | 16.1.0, 15.1.4, 14.1.4.4 |
| 946125-2 | 3-Major | BT946125 | Tmm restart adds 'Revoked' tokens to 'Active' token count | 16.1.0, 15.1.4, 14.1.4.4 |
| 924521-2 | 3-Major | BT924521 | OneConnect does not work when WEBSSO is enabled/configured. | 16.1.0, 15.1.4, 14.1.4.3 |
| 903573 | 3-Major | BT903573 | AD group cache query performance | 16.1.0, 15.1.4 |
| 896125-2 | 3-Major | BT896125 | Reuse Windows Logon Credentials feature does not work with modern access policies | 16.1.0, 15.1.4 |
| 894885-3 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request | 16.1.0, 15.1.4, 14.1.4.2 |
| 881641 | 3-Major | BT881641 | Errors on VPN client status window in non-English environment | 16.0.0, 15.1.4 |
| 869653-1 | 3-Major | BT869653 | VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction | 16.0.0, 15.1.4 |
| 866109-2 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 16.0.0, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 827325-1 | 3-Major | BT827325 | JWT token verification failure | 16.0.0, 15.1.4 |
| 825493-1 | 3-Major | BT825493 | JWT token verification failure | 16.0.0, 15.1.4 |
| 738865-6 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation | 16.0.0, 15.1.4, 14.1.4.2 |
| 470346-3 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 16.0.0, 15.1.4, 14.1.4.3, 13.1.5 |
| 1001041-3 | 3-Major | BT1001041 | Reset cause 'Illegal argument' | 16.1.0, 15.1.4, 14.1.4.4 |
| 939877-1 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
| 747234-7 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 993913-2 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
| 974881-2 | 2-Critical | BT974881 | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 1007821-1 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 17.0.0, 16.1.1, 15.1.4 |
| 996113-1 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 989753-2 | 3-Major | BT989753 | In HA setup, standby fails to establish connection to server | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 957029-1 | 3-Major | BT957029 | MRF Diameter loop-detection is enabled by default | 16.1.0, 16.0.1.2, 15.1.4 |
| 805821-3 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 788625-1 | 3-Major | BT788625 | A pool member is not marked up by the inband monitor even after successful connection to the pool member | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
| 919301-3 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 916781-1 | 4-Minor | BT916781 | Validation error while attaching DoS profile to GTP virtual | 16.1.0, 16.0.1, 15.1.4 |
| 913413-3 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 913409-3 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
| 913393-3 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 987637-2 | 1-Blocking | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | 17.1.0, 17.0.0, 15.1.4 |
| 992213-2 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
| 988761-1 | 3-Major | BT988761 | Cannot create Protected Object in GUI | 16.1.0, 15.1.4 |
| 988005-1 | 3-Major | BT988005 | Zero active rules counters in GUI | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 987605-2 | 3-Major | BT987605 | DDoS: ICMP attacks are not hardware-mitigated | 15.1.4 |
| 759799-3 | 3-Major | BT759799 | New rules cannot be compiled | 16.1.0, 15.1.4 |
| 685904-1 | 3-Major | BT685904 | Firewall Rule hit counts are not auto-updated after a Reset is done | 16.0.0, 15.1.4, 14.1.4.2 |
| 1016309-1 | 3-Major | BT1016309 | When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. | 17.0.0, 15.1.4 |
| 1012521-2 | 3-Major | BT1012521 | BIG-IP UI file permissions | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
| 1012413-3 | 3-Major | BT1012413 | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled | 17.0.0, 15.1.4 |
| 1000405-2 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 17.0.0, 16.1.1, 15.1.4 |
| 977005-1 | 4-Minor | BT977005 | Network Firewall Policy rules-list showing incorrect 'Any' for source column | 16.1.0, 15.1.4, 14.1.4.2 |
| 1038117 | 4-Minor | BT1038117 | TMM SIGSEGV with BDoS attack signature | 17.1.0, 15.1.4 |
| 1014609 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list | 17.1.2, 15.1.4 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1019481 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform | 17.1.0, 15.1.4 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 994985-2 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile | 17.0.0, 15.1.4, 14.1.4.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 968741-1 | 2-Critical | BT968741 | Traffic Intelligence pages not visible | 16.1.0, 15.1.4 |
| 913453-5 | 2-Critical | BT913453 | URL Categorization: wr_urldbd cores while processing urlcat-query | 16.1.0, 15.1.4, 14.1.4.4 |
| 901041-3 | 2-Critical | BT901041 | CEC update using incorrect method of determining number of blades in VIPRION chassis ★ | 16.1.0, 16.0.1.2, 15.1.4 |
| 893721-2 | 2-Critical | BT893721 | PEM-provisioned systems may suffer random tmm crashes after upgrading ★ | 16.1.0, 15.1.4, 14.1.4.2 |
| 958085-3 | 3-Major | BT958085 | IM installation fails with error: Spec file not found ★ | 16.1.0, 15.1.4, 14.1.4.4 |
| 948573-4 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
| 846601-4 | 3-Major | BT846601 | Traffic classification does not update when an inactive slot becomes active after upgrade ★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
| 974205-3 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 970829-5 | 2-Critical | K03310534 , BT970829 | iSeries LCD incorrectly displays secure mode | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1018145-1 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 16.1.1, 15.1.4 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 822245-2 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down or delay in marking node down | 16.1.0, 15.1.4, 14.1.4.4 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 947925-1 | 3-Major | BT947925 | TMM may crash when executing L7 Protocol Lookup per-request policy agent | 16.1.0, 15.1.4, 14.1.4.3 |
| 918317-2 | 3-Major | BT918317 | SSL Orchestrator resets subsequent requests when HTTP services are being used. | 16.1.0, 15.1.4, 14.1.4.4 |
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 989317-12 | CVE-2021-23023 | K33757590 , BT989317 | Windows Edge Client does not follow best practice | 16.1.0, 15.1.3.1 |
| 989009-3 | CVE-2021-23033 | K05314769 , BT989009 | BD daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| 981461-4 | CVE-2021-23032 | K45407662 , BT981461 | Unspecified DNS responses cause TMM crash | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
| 980125-3 | CVE-2021-23030 | K42051445 , BT980125 | BD Daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| 962341 | CVE-2021-23028 | K00602225 , BT962341 | BD crash while processing JSON content | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4 |
| 946377-2 | CVE-2021-23027 | K24301698 , BT946377 | HSM WebUI Hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
| 1007049-3 | CVE-2021-23034 | K30523121 , BT1007049 | TMM may crash while processing DNS traffic | 16.1.0, 15.1.3.1 |
| 996753-2 | CVE-2021-23050 | K44553214 , BT996753 | ASM BD process may crash while processing HTML traffic | 16.1.0, 16.0.1.2, 15.1.3.1 |
| 994801-3 | CVE-2024-21782 | K98606833 , BT994801 | SCP file transfer system | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| 984613-11 | CVE-2021-23022 | K08503505 , BT984613 | CVE-2020-5896 - Edge Client Installer Vulnerability | 16.1.0, 15.1.3.1 |
| 968349 | CVE-2021-23048 | K19012930 , BT968349 | TMM crashes with unspecified message | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| 962069-3 | CVE-2021-23047 | K79428827 , BT962069 | Excessive resource consumption while processing OSCP requests via APM | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
| 950017-2 | CVE-2021-23045 | K94941221 , BT950017 | TMM may crash while processing SCTP traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
| 942701-2 | CVE-2021-23044 | K35408374 , BT942701 | TMM may consume excessive resources while processing HTTP traffic | 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
| 906377-2 | CVE-2021-23038 | K61643620 , BT906377 | iRulesLX hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
| 1015381-5 | CVE-2021-23022 | K08503505 , BT1015381 | Windows Edge Client does not follow best practices while installing | 16.1.0, 15.1.3.1 |
| 1009773 | CVE-2021-23051 | K01153535 , BT1009773 | AWS deployments of TMM may crash while processing traffic | 15.1.3.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737692-4 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.1.1, 16.1.5, 15.1.3.1 |
| 1024421-1 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log | 17.1.0, 15.1.3.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 958465-2 | 3-Major | BT958465 | in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.4 |
| 950849-4 | 3-Major | BT950849 | B4450N blades report page allocation failure. ★ | 16.1.0, 15.1.3.1, 14.1.4.4 |
| 948717-3 | 3-Major | BT948717 | F5-pf_daemon_cond_restart uses excessive CPU ★ | 16.1.0, 15.1.3.1 |
| 1032001-1 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting | 15.1.3.1 |
| 1006345-1 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades | 15.1.3.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1019081-3 | 2-Critical | K97045220 , BT1019081 | HTTP/2 hardening | 16.1.0, 15.1.3.1, 14.1.4.5, 13.1.5 |
| 1008525-2 | 2-Critical | BT1008525 | The partition text field becomes unusable when the user enters an invalid entry such as, "<, >, &, ", ', ', etc. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
| 994125-2 | 3-Major | BT994125 | NetHSM Sanity results are not reflecting in GUI test output box | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
| 980821-2 | 3-Major | BT980821 | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 943913-3 | 2-Critical | K30150004 , BT943913 | ASM attack signature does not match | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1020705-1 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 999317-8 | 2-Critical | K03544414 , BT999317 | Running Diagnostics report for Edge Client on Windows does not follow best practice | 17.0.0, 15.1.3.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1019453-3 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated | 17.0.0, 15.1.3.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 976365 | 3-Major | BT976365 | Traffic Classification hardening ★ | 16.1.0, 15.1.3.1, 14.1.4.3 |
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 980809-2 | CVE-2021-23031 | K41351250 , BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
| 959121-4 | CVE-2021-23015 | K74151369 , BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 943081-3 | CVE-2021-23009 | K90603426 , BT943081 | Unspecified HTTP/2 traffic may cause TMM to crash | 16.1.0, 16.0.1.1, 15.1.3 |
| 935433-2 | CVE-2021-23026 | K53854428 , BT935433 | iControl SOAP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| 882633-2 | CVE-2021-23008 | K51213246 , BT882633 | Active Directory authentication does not follow current best practices | 16.1.0, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
| 990333-5 | CVE-2021-23016 | K75540265 , BT990333 | APM may return unexpected content when processing HTTP requests | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
| 975465-2 | CVE-2021-23049 | K65397301 , BT975465 | TMM may consume excessive resources while processing DNS iRules | 16.1.0, 16.0.1.2, 15.1.3 |
| 954429-2 | CVE-2021-23014 | K23203045 , BT954429 | User authorization changes for live update | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 948769-5 | CVE-2021-23013 | K05300051 , BT948769 | TMM panic with SCTP traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3 |
| 945109-2 | CVE-2015-9382 | K46641512 , BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
| 938233-2 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
| 937637-3 | CVE-2021-23002 | K71891773 , BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 937365-2 | CVE-2021-23041 | K42526507 , BT937365 | LTM UI does not follow best practices | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| 907245-1 | CVE-2021-23040 | K94255403 , BT907245 | AFM UI Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| 907201-2 | CVE-2021-23039 | K66782293 , BT907201 | TMM may crash when processing IPSec traffic | 16.1.0, 16.0.1.2, 15.1.3, 14.1.2.8, 13.1.5 |
| 877109-1 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
| 842829-1 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 CVE-2018-14880 | K04367730 , BT842829 | Multiple tcpdump vulnerabilities | 16.0.0, 15.1.3, 14.1.3.1, 13.1.4.1 |
| 832757 | CVE-2017-18551 | K48073202 , BT832757 | Linux kernel vulnerability CVE-2017-18551 | 15.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 803933-7 | CVE-2018-20843 | K51011533 , BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| 718189-9 | CVE-2021-23011 | K10751325 , BT718189 | Unspecified IP traffic can cause low-memory conditions | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6, 11.6.5.3 |
| 1003557-3 | CVE-2021-23015 | K74151369 , BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
| 1003105-3 | CVE-2021-23015 | K74151369 , BT1003105 | iControl Hardening | 16.1.0, 16.0.1.2, 15.1.3 |
| 1002561-5 | CVE-2021-23007 | K37451543 , BT1002561 | TMM vulnerability CVE-2021-23007 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6 |
| 825413-4 | CVE-2021-23053 | K36942191 , BT825413 | ASM can use additional resources while matching the signatures | 16.0.0, 15.1.3, 14.1.3.1, 13.1.3.6 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 776393-3 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 945265-4 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 933777-1 | 3-Major | BT933777 | Context use and syntax changes clarification | 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
| 930005-2 | 3-Major | BT930005 | Recover previous QUIC cwnd value on spurious loss | 16.1.0, 16.0.1.1, 15.1.3 |
| 913829-4 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 794417-4 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not ★ | 16.1.3, 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 918097-3 | 4-Minor | BT918097 | Cookies set in the URI on Safari | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 995629-3 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1 |
| 990849-2 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1 |
| 908517-3 | 2-Critical | BT908517 | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 888341-7 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 886693-3 | 2-Critical | BT886693 | System might become unresponsive after upgrading. ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 860349-3 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | 16.0.0, 15.1.3, 14.1.2.8 |
| 785017-3 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 16.1.0, 15.1.3, 14.1.4, 13.1.4 |
| 969213-1 | 3-Major | BT969213 | VMware: management IP cannot be customized via net.mgmt.addr property | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 963049-1 | 3-Major | BT963049 | Unexpected config loss when modifying protected object | 16.1.0, 15.1.3 |
| 963017-2 | 3-Major | BT963017 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | 16.1.0, 15.1.3, 14.1.4 |
| 946745-2 | 3-Major | BT946745 | 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
| 939541-2 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 936125-2 | 3-Major | BT936125 | SNMP request times out after configuring IPv6 trap destination | 16.1.0, 16.0.1.1, 15.1.3 |
| 934941-2 | 3-Major | BT934941 | Platform FIPS power-up self test failures not logged to console | 16.1.0, 15.1.3, 14.1.3.1 |
| 934065-1 | 3-Major | BT934065 | The turboflex-low-latency and turboflex-dns are missing in early 15.1.x and 16.0.x releases | 16.1.0, 16.0.1.2, 15.1.3 |
| 927941-5 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 922297-2 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
| 914245-2 | 3-Major | BT914245 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 914081-1 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 16.0.0, 15.1.3, 14.1.4 |
| 913433-3 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 908021-1 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 16.1.0, 15.1.3, 14.1.3.1, 13.1.3.5 |
| 896553-3 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 16.0.0, 15.1.3, 14.1.4, 13.1.3.6 |
| 896473-2 | 3-Major | BT896473 | Duplicate internal connections can tear down the wrong connection | 16.0.0, 15.1.3 |
| 893885-3 | 3-Major | BT893885 | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
| 891337-1 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs | 16.0.0, 15.1.3, 14.1.4 |
| 889029-2 | 3-Major | BT889029 | Unable to login if LDAP user does not have search permissions | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 879829-2 | 3-Major | BT879829 | HA daemon sod cannot bind to ports numbered lower than 1024 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 876805-3 | 3-Major | BT876805 | Modifying address-list resets the route advertisement on virtual servers. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 862937-3 | 3-Major | BT862937 | Running cpcfg after first boot can result in daemons stuck in restart loop ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 839121-3 | 3-Major | K74221031 , BT839121 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 829821-1 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
| 820845-3 | 3-Major | BT820845 | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 809205-6 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | 16.0.1.2, 15.1.3, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1 | |
| 803237-2 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS | 16.0.0, 15.1.3, 14.1.4 |
| 799001-1 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly | 16.1.0, 15.1.3, 14.1.4 |
| 787885-2 | 3-Major | BT787885 | The device status is falsely showing as forced offline on the network map while actual device status is not. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 749007-1 | 3-Major | BT749007 | South Sudan is missing in the GTM region list | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 692218-1 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 675911-12 | 3-Major | K13272442 , BT675911 | Different sections of the GUI can report incorrect CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 615934-6 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 16.1.0, 15.1.3, 14.1.4, 13.1.3.5 |
| 569859-7 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available | 16.0.0, 15.1.3, 14.1.4.1 |
| 966277-1 | 4-Minor | BT966277 | BFD down on multi-blade system | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 959889-2 | 4-Minor | BT959889 | Cannot update firewall rule with ip-protocol property as 'any' | 16.1.0, 15.1.3, 14.1.4 |
| 947865-2 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | 16.1.0, 15.1.3, 14.1.4 |
| 887505-1 | 4-Minor | BT887505 | Coreexpiration script improvement | 16.1.0, 15.1.3 |
| 879189-1 | 4-Minor | BT879189 | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 910653-5 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 882157-1 | 2-Critical | BT882157 | One thread of pkcs11d consumes 100% without any traffic. | 16.0.0, 15.1.3, 14.1.4 |
| 738964-4 | 2-Critical | Instruction logger debugging enhancement | 16.1.0, 15.1.3, 14.1.4.1 | |
| 1001509 | 2-Critical | K11162395 , BT1001509 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates | 15.1.3, 14.1.4.3 |
| 968641-2 | 3-Major | BT968641 | Fix for zero LACP priority | 16.0.1.2, 15.1.3, 14.1.4 |
| 953845-1 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
| 946953-1 | 3-Major | BT946953 | HTTP::close used in iRule might not close connection. | 16.1.0, 16.0.1.1, 15.1.3 |
| 928857-2 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances | 16.1.0, 15.1.3, 14.1.4 |
| 928805-2 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage | 16.1.0, 15.1.3, 14.1.4 |
| 928789-2 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances | 16.1.0, 15.1.3, 14.1.4 |
| 921881-2 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 921721-1 | 3-Major | BT921721 | FIPS 140-2 SP800-56Arev3 compliance | 16.1.0, 15.1.3, 14.1.3 |
| 889601-3 | 3-Major | K14903688 , BT889601 | OCSP revocation not properly checked | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 889165-3 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset | 16.1.0, 15.1.3, 14.1.4 |
| 888517-2 | 3-Major | BT888517 | Busy polling leads to high CPU ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
| 858701-1 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 845333-6 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 842517-2 | 3-Major | BT842517 | CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails | 16.1.0, 15.1.3 |
| 785877-5 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 767341-1 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 756812-3 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error | 16.1.0, 15.1.3, 14.1.4.1 |
| 696755-5 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 16.1.0, 16.0.1.2, 15.1.3, 14.1.0.6, 13.1.0.8 |
| 804157-3 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 748333-5 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 743253-2 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 960749-2 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
| 960437-2 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
| 971297-2 | 3-Major | BT971297 | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade ★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 921625-2 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
| 863917-2 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.5, 13.1.4.1 |
| 858973-1 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 835209-3 | 3-Major | BT835209 | External monitors mark objects down | 16.0.0, 15.1.3, 14.1.4.2 |
| 896861-2 | 4-Minor | BT896861 | PTR query enhancement for RESOLVER::name_lookup | 16.1.0, 16.0.1.1, 15.1.3 |
| 885201-2 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log | 16.1.0, 15.1.3, 14.1.4.1 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 846057-3 | 2-Critical | BT846057 | UCS backup archive may include unnecessary files | 16.0.0, 15.1.3, 14.1.4, 13.1.4 |
| 960369-2 | 3-Major | BT960369 | Negative value suggested in Traffic Learning as max value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 956373-2 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 947341-1 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 941621-2 | 3-Major | K91414704 , BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
| 929077-2 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
| 929001-3 | 3-Major | K48321015 , BT929001 | ASM form handling improvements | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
| 928685-2 | 3-Major | K49549213 , BT928685 | ASM Brute Force mitigation not triggered as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
| 921677-2 | 3-Major | BT921677 | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 910253-2 | 3-Major | BT910253 | BD error on HTTP response after upgrade ★ | 16.1.0, 16.0.1.1, 15.1.3 |
| 884425-2 | 3-Major | BT884425 | Creation of new allowed HTTP URL is not possible | 16.0.0, 15.1.3, 14.1.3.1 |
| 868053-3 | 3-Major | BT868053 | Live Update service indicates update available when the latest update was already installed | 16.0.0, 15.1.3, 14.1.3.1 |
| 867373-4 | 3-Major | BT867373 | Methods Missing From ASM Policy | 16.0.0, 15.1.3, 14.1.4 |
| 864677-1 | 3-Major | BT864677 | ASM causes high mcpd CPU usage | 16.0.0, 15.1.3, 14.1.4 |
| 856725-1 | 3-Major | BT856725 | Missing learning suggestion for "Illegal repeated parameter name" violation | 16.0.0, 15.1.3 |
| 964897-2 | 4-Minor | BT964897 | Live Update - Indication of "Update Available" when there is no available update | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 962817-2 | 4-Minor | BT962817 | Description field of a JSON policy overwrites policy templates description | 17.0.0, 16.0.1.1, 15.1.3 |
| 956105-2 | 4-Minor | BT956105 | Websocket URLs content profiles are not created as expected during JSON Policy import | 16.1.0, 16.0.1.2, 15.1.3 |
| 935293-2 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5 |
| 922785-2 | 4-Minor | BT922785 | Live Update scheduled installation is not installing on set schedule | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 824093-5 | 4-Minor | BT824093 | Parameters payload parser issue | 16.0.0, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 981385-3 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
| 949593-3 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition ★ | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
| 924945-3 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 17.0.0, 16.1.1, 16.0.1.2, 15.1.3 |
| 869049-4 | 3-Major | BT869049 | Charts discrepancy in AVR reports | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 894565-1 | 2-Critical | BT894565 | Autodosd.default crash with SIGFPE | 16.0.0, 15.1.3, 14.1.4 |
| 879401-1 | 2-Critical | K90423190 , BT879401 | Memory corruption during APM SAML SSO | 16.0.0, 15.1.3, 14.1.2.5 |
| 976501-2 | 3-Major | BT976501 | Failed to establish VPN connection | 16.1.0, 15.1.3, 14.1.4, 13.1.3.6 |
| 952557-2 | 3-Major | BT952557 | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | 16.1.0, 15.1.3, 14.1.4 |
| 925573-6 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | 15.1.3, 14.1.4 |
| 916969-3 | 3-Major | BT916969 | Support of Microsoft Identity 2.0 platform | 16.1.0, 15.1.3, 14.1.4 |
| 888145-2 | 3-Major | BT888145 | When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property | 16.1.0, 15.1.3 |
| 883577-4 | 3-Major | BT883577 | ACCESS::session irule command does not work in HTTP_RESPONSE event | 16.1.0, 15.1.3, 14.1.4.1 |
| 831517-2 | 3-Major | BT831517 | TMM may crash when Network Access tunnel is used | 16.0.0, 15.1.3, 14.1.2.7 |
WebAccelerator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 833213-1 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 15.1.3, 15.0.1.3, 14.1.2.3, 13.1.3.4 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 982869-1 | 3-Major | BT982869 | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 977053-2 | 3-Major | BT977053 | TMM crash on standby due to invalid MR router instance | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 966701-2 | 3-Major | BT966701 | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
| 952545-2 | 3-Major | BT952545 | 'Current Sessions' statistics of HTTP2 pool may be incorrect | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 913373-2 | 3-Major | BT913373 | No connection error after failover with MRF, and no connection mirroring | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 945853-2 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 16.1.3, 15.1.3 |
| 969509-4 | 3-Major | BT969509 | Possible memory corruption due to DOS vector reset | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 965617-3 | 3-Major | BT965617 | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 963237-3 | 3-Major | BT963237 | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 937749-3 | 3-Major | BT937749 | The 'total port blocks' value for NAT stats is limited to 64 bits of range | 16.1.0, 15.1.3 |
| 903561-3 | 3-Major | BT903561 | Autodosd returns small bad destination detection value when the actual traffic is high | 16.0.0, 15.1.3, 14.1.4 |
| 887017-3 | 3-Major | BT887017 | The dwbld daemon consumes a large amount of memory | 16.0.0, 15.1.3, 14.1.4 |
| 837233-3 | 3-Major | BT837233 | Application Security Administrator user role cannot use GUI to manage DoS profile | 16.0.0, 15.1.3, 14.1.4 |
| 716746-3 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.0.7 |
| 967889-1 | 4-Minor | BT967889 | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | 16.1.0, 15.1.3, 14.1.4 |
| 748561-2 | 4-Minor | BT748561 | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context | 16.0.0, 15.1.3, 14.1.4 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 928553-3 | 2-Critical | BT928553 | LSN64 with hairpinning can lead to a tmm core in rare circumstances | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 966681-1 | 3-Major | BT966681 | NAT translation failures while using SP-DAG in a multi-blade chassis | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 998085-1 | 3-Major | BT998085 | BIG-IP DataSafe GUI does not save changes | 16.1.0, 15.1.3 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932737-2 | 2-Critical | BT932737 | DNS & BADOS high-speed logger messages are mixed | 16.0.1.2, 15.1.3, 14.1.4 |
| 922597-2 | 3-Major | BT922597 | BADOS default sensitivity of 50 creates false positive attack on some sites | 16.1.0, 15.1.3, 14.1.4 |
| 914293-3 | 3-Major | BT914293 | TMM SIGSEGV and crash | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 874677-1 | 2-Critical | BT874677 | Traffic Classification auto signature update fails from GUI ★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4.3 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 768085-4 | 4-Minor | BT768085 | Error in python script /usr/libexec/iAppsLX_save_pre line 79 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 964585-3 | 3-Major | BT964585 | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
| 825501-3 | 3-Major | BT825501 | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. ★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
| 964577-3 | 4-Minor | BT964577 | IPS automatic IM download not working as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
BIG-IP Risk Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 969385-2 | 3-Major | BT969385 | Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. | 16.0.1.2, 15.1.3 |
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 975233-2 | CVE-2021-22992 | K52510511 , BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 973333-5 | CVE-2021-22991 | K56715231 , BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
| 955145-2 | CVE-2021-22986 | K03009991 , BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
| 954381-2 | CVE-2021-22986 | K03009991 , BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
| 953677-2 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 , BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
| 951705-2 | CVE-2021-22986 | K03009991 , BT951705 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 950077-2 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 , BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 981169-2 | CVE-2021-22994 | K66851119 , BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 953729-2 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101 , BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 931837-1 | CVE-2020-13817 | K55376430 , BT931837 | NTP has predictable timestamps | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 976925-2 | CVE-2021-23002 | K71891773 , BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
| 935401-2 | CVE-2021-23001 | K06440657 , BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 743105-2 | CVE-2021-22998 | K31934524 , BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 867793-1 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state | 16.0.0, 15.1.2.1, 14.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 942497-1 | 2-Critical | BT942497 | Declarative onboarding unable to download and install RPM | 16.1.0, 16.0.1.1, 15.1.2.1 |
| 940021-3 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
| 932437-2 | 2-Critical | BT932437 | Loading SCF file does not restore files from tar file ★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 915305-5 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
| 838713 | 2-Critical | BT838713 | LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' | 15.1.2.1 |
| 829277-2 | 2-Critical | BT829277 | A Large /config folder can cause memory exhaustion during live-install ★ | 16.0.0, 15.1.2.1, 14.1.3.1 |
| 739505-3 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active ★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.1.2 |
| 967745 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
| 956589-1 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 16.1.0, 15.1.2.1, 14.1.4.6, 13.1.5 |
| 930905-4 | 3-Major | BT930905 | Management route lost after reboot. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 904785-1 | 3-Major | BT904785 | Remotely authenticated users might not be able to log in over the serial console | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 896817-2 | 3-Major | BT896817 | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 895837-3 | 3-Major | BT895837 | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 865177-4 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
| 842189-4 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 16.0.0, 15.1.2.1, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
| 830413-3 | 3-Major | BT830413 | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure ★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 806073-1 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
| 767737-4 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 16.0.0, 15.1.2.1, 14.1.3.1, 13.1.3.5 |
| 853101-2 | 4-Minor | BT853101 | ERROR: syntax error at or near 'FROM' at character 17 | 16.0.0, 15.1.2.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 926929-3 | 1-Blocking | BT926929 | RFC Compliance Enforcement lacks configuration availability | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4, 13.1.4 |
| 911041-3 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.3.1 |
| 846217-3 | 2-Critical | BT846217 | Translucent vlan-groups set local bit in destination MAC address | 16.0.0, 15.1.2.1, 14.1.4.4 |
| 841469-6 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 16.0.0, 15.1.2.1, 14.1.5, 13.1.3.4 |
| 812525-1 | 2-Critical | K27551003 , BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
| 974501-1 | 3-Major | BT974501 | Excessive memory usage by mirroring subsystem when remirroring | 16.1.0, 15.1.2.1 |
| 903581-1 | 3-Major | BT903581 | The pkcs11d process cannot recover under certain error condition | 16.1.0, 15.1.2.1 |
| 868209-3 | 3-Major | BT868209 | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | 16.1.0, 15.1.2.1, 14.1.4 |
| 863401-1 | 3-Major | BT863401 | QUIC congestion window sometimes increases inappropriately | 16.0.0, 15.1.2.1 |
| 858301-1 | 3-Major | K27551003 , BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
| 858297-1 | 3-Major | K27551003 , BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
| 858289-1 | 3-Major | K27551003 , BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
| 858285-1 | 3-Major | K27551003 , BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
| 818109-1 | 3-Major | BT818109 | Certain plaintext traffic may cause SSL Orchestrator to hang | 16.0.0, 15.1.2.1, 14.1.4 |
| 773253-5 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 16.0.0, 15.1.2.1, 14.1.4.2, 13.1.4 |
| 738032-3 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 953393-2 | 1-Blocking | BT953393 | TMM crashes when performing iterative DNS resolutions. | 16.1.0, 16.0.1.1, 15.1.2.1 |
| 891093-1 | 3-Major | BT891093 | iqsyncer does not handle stale pidfile | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
| 853585-1 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.6 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 968421-2 | 2-Critical | K30291321 , BT968421 | ASM attack signature doesn't matched | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3 |
| 865289-1 | 2-Critical | BT865289 | TMM crash following DNS resolve with Bot Defense profile | 16.0.0, 15.1.2.1 |
| 913757-1 | 3-Major | BT913757 | Error viewing security policy settings for virtual server with FTP Protocol Security | 16.1.0, 16.0.1.1, 15.1.2.1 |
| 758336-5 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 16.1.0, 15.1.2.1, 14.1.4, 13.1.1.5, 12.1.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 934721-2 | 2-Critical | BT934721 | TMM core due to wrong assert | 16.1.0, 16.0.1.1, 15.1.2.1 |
| 743826-2 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 17.0.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
| 648242-6 | 3-Major | K73521040 , BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 14.0.0.5, 13.1.0.8, 12.1.3.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 896709-3 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
| 924929-2 | 3-Major | BT924929 | Logging improvements for VDI plugin | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
| 899009 | 3-Major | BT899009 | Azure Active Directory deployment fails on BIG-IP 15.1 | 15.1.2.1 |
| 760629-5 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 939529-2 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 870381-1 | 2-Critical | BT870381 | Network Firewall Active Rule page does not load | 16.0.0, 15.1.2.1 |
| 919381-1 | 3-Major | Extend AFM subscriber aware policy rule feature to support multiple subscriber groups | 16.1.0, 15.1.2.1 | |
| 870385-5 | 3-Major | BT870385 | TMM may restart under very heavy traffic load | 16.0.0, 15.1.2.1, 14.1.2.8 |
| 906885-1 | 5-Cosmetic | BT906885 | Spelling mistake on AFM GUI Flow Inspector screen | 16.1.0, 15.1.2.1, 14.1.2.8 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 845313-3 | 2-Critical | BT845313 | Tmm crash under heavy load | 16.0.0, 15.1.2.1, 14.1.4 |
| 941169-4 | 3-Major | BT941169 | Subscriber Management is not working properly with IPv6 prefix flows. | 16.1.0, 15.1.2.1, 14.1.4 |
| 875401-2 | 3-Major | BT875401 | PEM subcriber lookup can fail for internet side new connections | 16.0.0, 15.1.2.1, 14.1.4 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 915489-2 | 4-Minor | BT915489 | LTM Virtual Server Health is not affected by iRule Requests dropped | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
BIG-IP Risk Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 921181 | 3-Major | BT921181 | Wrong error message upon bad credential stuffing configuration | 15.1.2.1 |
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 943125-2 | CVE-2021-23010 | K18570111 , BT943125 | ASM bd may crash while processing WebSocket traffic | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 941449-2 | CVE-2021-22993 | K55237223 , BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 921337-2 | CVE-2021-22976 | K88230177 , BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 916821-2 | CVE-2021-22974 | K68652018 , BT916821 | iControl REST vulnerability CVE-2021-22974 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 882189-6 | CVE-2020-5897 | K20346072 , BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 882185-6 | CVE-2020-5897 | K20346072 , BT882185 | BIG-IP Edge Client Windows ActiveX | 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
| 881317-6 | CVE-2020-5896 | K15478554 , BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 881293-6 | CVE-2020-5896 | K15478554 , BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 939845-2 | CVE-2021-23004 | K31025212 , BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 939841-2 | CVE-2021-23003 | K43470422 , BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 924961-2 | CVE-2019-20892 | K45212738 , BT924961 | CVE-2019-20892: SNMP Vulnerability | 16.1.0, 16.0.1.1, 15.1.2 |
| 919989-2 | CVE-2020-5947 | K64571774 , BT919989 | TMM does not follow TCP best practices | 16.1.0, 16.0.1, 15.1.2 |
| 881445-7 | CVE-2020-5898 | K69154630 , BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
| 880361-1 | CVE-2021-22973 | K13323323 , BT880361 | iRules LX vulnerability CVE-2021-22973 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 842717-6 | CVE-2020-5855 | K55102004 , BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 693360-2 | CVE-2020-27721 | K52035247 , BT693360 | A virtual server status changes to yellow while still available | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 773693-7 | CVE-2020-5892 | K15838353 , BT773693 | CVE-2020-5892: APM Client Vulnerability | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 11.6.5.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 920961-2 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 756139-3 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods | 16.0.1.1, 15.1.2, 14.1.3.1 |
| 754924-1 | 3-Major | BT754924 | New VLAN statistics added. | 16.0.0, 15.1.2 |
| 921421-3 | 4-Minor | BT921421 | iRule support to get/set UDP's Maximum Buffer Packets | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 957337-1 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 933409-2 | 2-Critical | BT933409 | Tomcat upgrade via Engineering Hotfix causes live-update files removal ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 927033-2 | 2-Critical | BT927033 | Installer fails to calculate disk size of destination volume ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 910201-3 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 829677-2 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.5 |
| 796601-2 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 943669-1 | 3-Major | BT943669 | B4450 blade reboot | 16.1.2.2, 15.1.2 |
| 935801-4 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures | 16.1.0, 15.1.2, 14.1.4.5 |
| 932233-2 | 3-Major | BT932233 | '@' no longer valid in SNMP community strings | 16.1.0, 16.0.1.1, 15.1.2 |
| 930741-2 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 16.1.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 920301-1 | 3-Major | BT920301 | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | 15.1.2, 14.1.3.1 |
| 911809-2 | 3-Major | BT911809 | TMM might crash when sending out oversize packets. | 16.0.0, 15.1.2, 14.1.3.1 |
| 902401-5 | 3-Major | BT902401 | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 898705-5 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 889041-3 | 3-Major | BT889041 | Failover scripts fail to access resolv.conf due to permission issues | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 879405-1 | 3-Major | BT879405 | Incorrect value in Transparent Nexthop property | 16.1.0, 16.0.1.1, 15.1.2 |
| 867181-1 | 3-Major | BT867181 | ixlv: double tagging is not working | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 865241-1 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 860317-3 | 3-Major | BT860317 | JavaScript Obfuscator can hang indefinitely | 16.0.0, 15.1.2, 14.1.3.1 |
| 858197-2 | 3-Major | BT858197 | Merged crash when memory exhausted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.5 |
| 846441-2 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 846137-4 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 843597-1 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 841649-4 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
| 838901-4 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
| 826905-3 | 3-Major | BT826905 | Host traffic via IPv6 route pool uses incorrect source address | 16.0.0, 15.1.2, 14.1.3.1 |
| 816229-3 | 3-Major | BT816229 | Kernel Log Messages Logged Twice | 16.0.0, 15.1.2, 14.1.2.4 |
| 811053-6 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot | 16.0.0, 15.1.2, 14.1.2.7 |
| 811041-7 | 3-Major | BT811041 | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | 16.1.0, 15.1.2 |
| 810821-3 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
| 789181-5 | 3-Major | BT789181 | Link Status traps are not issued on BIG-IP VE systems | 16.0.0, 15.1.2 |
| 755197-5 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 754932-1 | 3-Major | BT754932 | New SNMP MIB, sysVlanIfcStat, for VLAN statistics. | 16.0.0, 15.1.2 |
| 737098-1 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 933461-4 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 924429-2 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 892677-1 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 882713-3 | 4-Minor | BT882713 | BGP SNMP trap has the wrong sysUpTime value | 16.0.0, 15.1.2, 14.1.3.1 |
| 583084-6 | 4-Minor | K15101680 , BT583084 | iControl produces 404 error while creating records successfully | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 941089-3 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 915957-1 | 2-Critical | BT915957 | The wocplugin may get into a restart loop when AAM is provisioned | 15.1.2, 14.1.3 |
| 908873-1 | 2-Critical | BT908873 | Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core | 16.0.0, 15.1.2 |
| 908621-2 | 2-Critical | BT908621 | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
| 876801-5 | 2-Critical | BT876801 | Tmm crash: invalid route type | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
| 866481-2 | 2-Critical | BT866481 | TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode | 16.0.0, 15.1.2 |
| 851345-1 | 2-Critical | BT851345 | The TMM may crash in certain rare scenarios involving HTTP/2 | 16.0.0, 15.1.2, 14.1.3.1 |
| 850873-3 | 2-Critical | BT850873 | LTM global SNAT sets TTL to 255 on egress. | 16.0.0, 15.1.2, 14.1.3.1 |
| 726518-1 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 16.0.0, 15.1.2, 14.1.2.8, 13.1.3.6 |
| 705768-2 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
| 949145-5 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 948757-2 | 3-Major | BT948757 | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1 |
| 940209 | 3-Major | BT940209 | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | 15.1.2, 14.1.4 |
| 939961-2 | 3-Major | BT939961 | TCP connection is closed when necessary after HTTP::respond iRule. | 16.1.0, 16.0.1.2, 15.1.2 |
| 934993-2 | 3-Major | BT934993 | BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams | 16.1.0, 16.0.1.1, 15.1.2 |
| 932033 | 3-Major | BT932033 | Chunked response may have DATA frame with END_STREAM prematurely | 15.1.2, 14.1.4 |
| 915605-6 | 3-Major | K56251674 , BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
| 913249-2 | 3-Major | BT913249 | Restore missing UDP statistics | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 901929-2 | 3-Major | BT901929 | GARPs not sent on virtual server creation | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 892941-2 | 3-Major | K20105555 , BT892941 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4 |
| 888113-3 | 3-Major | BT888113 | TMM may core when the HTTP peer aborts the connection | 16.0.0, 15.1.2 |
| 879413-1 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 878925-2 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake | 16.0.0, 15.1.2, 14.1.4.1 |
| 860005-1 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
| 857845-1 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 850145-1 | 3-Major | BT850145 | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | 16.0.0, 15.1.2, 14.1.3.1 |
| 820333-1 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline | 16.0.0, 15.1.2, 14.1.3.1 |
| 809701-7 | 3-Major | BT809701 | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | 16.0.0, 15.1.2, 15.0.1.3, 14.1.3.1 |
| 803233-1 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
| 790845-4 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
| 724824-1 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 714642-2 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
| 935593-4 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5 |
| 895153 | 4-Minor | BT895153 | HTTP::has_responded returns incorrect values when using HTTP/2 | 15.1.2, 14.1.3.1 |
| 883105-1 | 4-Minor | BT883105 | HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect | 16.1.0, 15.1.2 |
| 808409-4 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 859717-2 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 918169-1 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.6 |
| 916753-2 | 2-Critical | BT916753 | RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core | 16.1.0, 16.0.1.1, 15.1.2 |
| 905557-1 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 16.0.0, 15.1.2, 14.1.4, 13.1.5 |
| 850509-1 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 16.0.0, 15.1.2, 14.1.4.4, 13.1.5 |
| 837637-1 | 2-Critical | K02038650 , BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 926593-2 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 852101-1 | 3-Major | BT852101 | Monitor fails. | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 844689-1 | 3-Major | BT844689 | Possible temporary CPU usage increase with unusually large named.conf file | 16.0.0, 15.1.2, 14.1.3.1 |
| 746348-4 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
| 644192-2 | 3-Major | K23022557 , BT644192 | Query of "MX" or "any" RR type to a CNAME wide IP results in a NXDOMAIN reply | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940249-2 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6, 11.6.5.3 |
| 927617-2 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 941853-1 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 940897-3 | 3-Major | BT940897 | Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6 |
| 918933-2 | 3-Major | K88162221 , BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
| 913137-1 | 3-Major | BT913137 | No learning suggestion on ASM policies enabled via LTM policy | 16.1.0, 16.0.1.1, 15.1.2 |
| 904053-2 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
| 893061-2 | 3-Major | BT893061 | Out of memory for restjavad | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 882769-1 | 3-Major | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
| 919001-2 | 4-Minor | BT919001 | Live Update: Update Available notification is shown twice in rare conditions | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8 |
| 896285-2 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 924301-1 | 3-Major | BT924301 | Incorrect values in REST response for DNS/SIP | 16.1.0, 16.0.1.1, 15.1.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 910097-2 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 924857-1 | 3-Major | BT924857 | Logout URL with parameters resets TCP connection | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5 |
| 914649-3 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
| 739570-4 | 3-Major | BT739570 | Unable to install EPSEC package ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 833049-4 | 4-Minor | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
| 766017-6 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies ★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4.2, 13.1.3.5, 12.1.5.3 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 942581-1 | 1-Blocking | BT942581 | Timestamp cookies do not work with hardware accelerated flows | 16.1.0, 15.1.2 |
| 938165-1 | 2-Critical | BT938165 | TMM Core after attempted update of IP geolocation database file | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
| 938149-1 | 3-Major | BT938149 | Port Block Update log message is missing the "Start time" field | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.1 |
| 910417-2 | 3-Major | BT910417 | TMM core may be seen when reattaching a vector to a DoS profile | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4 |
| 872049-1 | 3-Major | BT872049 | Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command | 16.0.0, 15.1.2 |
| 871985-1 | 3-Major | BT871985 | No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection | 16.0.0, 15.1.2 |
| 851745-3 | 3-Major | BT851745 | High cpu consumption due when enabling large number of virtual servers | 16.0.0, 15.1.2, 14.1.4.1 |
| 840809-2 | 3-Major | BT840809 | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | 16.0.0, 15.1.2, 14.1.4 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 842989-6 | 3-Major | BT842989 | PEM: tmm could core when running iRules on overloaded systems | 16.1.0, 15.1.2, 14.1.4 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 944785-2 | 3-Major | BT944785 | Admd restarting constantly. Out of memory due to loading malformed state file | 16.1.0, 16.0.1.2, 15.1.2, 14.1.3.1 |
| 923125-2 | 3-Major | BT923125 | Huge amount of admd processes caused oom | 16.1.0, 15.1.2, 14.1.3.1 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 927993-1 | 1-Blocking | K97501254 , BT927993 | Built-in SSL Orchestrator RPM installation failure | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 14.1.3, 13.1.3.6, 12.1.5.3 |
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 935721-5 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 , BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 16.1.0, 16.0.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 935029-3 | CVE-2020-27720 | K04048104 , BT935029 | TMM may crash while processing IPv6 NAT traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 933741-2 | CVE-2021-22979 | K63497634 , BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 932065-2 | CVE-2021-22978 | K87502622 , BT932065 | iControl REST vulnerability CVE-2021-22978 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 931513-3 | CVE-2021-22977 | K14693346 , BT931513 | TMM vulnerability CVE-2021-22977 | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1, 13.1.3.6 |
| 928321-1 | CVE-2020-27719 | K19166530 , BT928321 | K19166530: XSS vulnerability CVE-2020-27719 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 917509-3 | CVE-2020-27718 | K58102101 , BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 911761-2 | CVE-2020-5948 | K42696541 , BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 908673-5 | CVE-2020-27717 | K43850230 , BT908673 | TMM may crash while processing DNS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 904165-1 | CVE-2020-27716 | K51574311 , BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 16.0.0, 15.1.1, 14.1.3.1, 13.1.5 |
| 879745-4 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 876353-1 | CVE-2020-5941 | K03125360 , BT876353 | iRule command RESOLV::lookup may cause TMM to crash | 16.1.0, 16.0.1, 15.1.1 |
| 839453-6 | CVE-2019-10744 | K47105354 , BT839453 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
| 834257-1 | CVE-2020-5931 | K25400442 , BT834257 | TMM may crash when processing HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.6 |
| 814953 | CVE-2020-5940 | K43310520 , BT814953 | TMUI dashboard hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.2.5 |
| 754855-7 | CVE-2020-27714 | K60344652 , BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 16.0.0, 15.1.1, 14.1.3.1, 13.1.4 |
| 928037-2 | CVE-2020-27729 | K15310332 , BT928037 | APM Hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 919841-3 | CVE-2020-27728 | K45143221 , BT919841 | AVRD may crash while processing Bot Defense traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 917469-2 | CVE-2020-5946 | K53821711 , BT917469 | TMM may crash while processing FPS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 912969-2 | CVE-2020-27727 | K50343630 , BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 910017-2 | CVE-2020-5945 | K21540525 , BT910017 | Security hardening for the TMUI Interface page | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 905125-2 | CVE-2020-27726 | K30343902 , BT905125 | Security hardening for APM Webtop | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 904937-2 | CVE-2020-27725 | K25595031 , BT904937 | Excessive resource consumption in zxfrd | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 889557-1 | CVE-2019-11358 | K20455158 , BT889557 | jQuery Vulnerability CVE-2019-11358 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.6, 11.6.5.3 |
| 880001-1 | CVE-2020-5937 | K58290051 , BT880001 | TMM may crash while processing L4 behavioral DoS traffic | 16.0.0, 15.1.1 |
| 870273-5 | CVE-2020-5936 | K44020030 , BT870273 | TMM may consume excessive resources when processing SSL traffic | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5, 12.1.5.2 |
| 868349-1 | CVE-2020-5935 | K62830532 , BT868349 | TMM may crash while processing iRules with MQTT commands | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
| 858349-3 | CVE-2020-5934 | K44808538 , BT858349 | TMM may crash while processing SAML SLO traffic | 16.0.0, 15.1.1, 14.1.2.5 |
| 848405-2 | CVE-2020-5933 | K26244025 , BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
| 839761-1 | CVE-2020-5932 | K12002065 , BT839761 | Response Body preview hardening | 16.0.0, 15.1.1 |
| 825689-1 | CVE-2023-3470 | K000135449 , BT825689 | Enhance FIPS crypto-user storage | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
| 778049-2 | CVE-2018-13405 | K00854051 , BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
| 639773-6 | CVE-2021-22983 | K76518456 | BIG-IP AFM vulnerability CVE-2021-22983 | 16.0.1, 15.1.1, 14.1.3.1 |
| 887637-2 | CVE-2019-3815 | K22040951 , BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
| 852929-6 | CVE-2020-5920 | K25160703 , BT852929 | AFM WebUI Hardening | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
| 818213-4 | CVE-2019-10639 | K32804955 , BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 818177-6 | CVE-2019-12295 | K06725231 , BT818177 | CVE-2019-12295 Wireshark Vulnerability | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 858537-2 | CVE-2019-1010204 | K05032915 , BT858537 | CVE-2019-1010204: Binutilis Vulnerability | 16.0.0, 15.1.1, 14.1.2.8 |
| 834533-7 | CVE-2019-15916 | K57418558 , BT834533 | Linux kernel vulnerability CVE-2019-15916 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 822377-6 | CVE-2019-10092 | K30442259 , BT822377 | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | 16.1.0, 15.1.1, 14.1.2.8 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 912289-1 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms ★ | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
| 890229-1 | 3-Major | BT890229 | Source port preserve setting is not honored | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 858189-3 | 3-Major | BT858189 | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.2 |
| 719338-1 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 16.1.0, 15.1.1, 14.1.4, 13.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 864513-1 | 1-Blocking | K48234609 , BT864513 | ASM policies may not load after upgrading to 14.x or later from a previous major version ★ | 16.0.0, 15.1.1, 14.1.2.7 |
| 896217-2 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 876957-1 | 2-Critical | BT876957 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.0.0, 15.1.1, 14.1.4.1 |
| 871561-5 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' ★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 860517-1 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 818253-3 | 2-Critical | BT818253 | Generate signature files for logs | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
| 805417-3 | 2-Critical | BT805417 | Unable to enable LDAP system auth profile debug logging | 16.0.0, 15.1.1, 14.1.2.7 |
| 706521-2 | 2-Critical | K21404407 , BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
| 593536-9 | 2-Critical | K64445052 , BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations | 16.0.0, 15.1.1, 14.1.2.8 |
| 924493-2 | 3-Major | BT924493 | VMware EULA has been updated | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 921361-2 | 3-Major | BT921361 | SSL client and SSL server profile names truncated in GUI | 16.1.0, 16.0.1.1, 15.1.1 |
| 915825-2 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 16.1.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 904845-2 | 3-Major | BT904845 | VMware guest OS customization works only partially in a dual stack environment. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 904705-2 | 3-Major | BT904705 | Cannot clone Azure marketplace instances. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 898461-2 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1 |
| 886689-6 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1 |
| 880625-3 | 3-Major | BT880625 | Check-host-attr enabled in LDAP system-auth creates unusable config | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 880165-2 | 3-Major | BT880165 | Auto classification signature update fails | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 867013-2 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5 |
| 850777-3 | 3-Major | BT850777 | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | 16.0.0, 15.1.1, 14.1.3.1 |
| 838297-2 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | 16.0.0, 15.1.1, 14.1.2.8 |
| 828789-1 | 3-Major | BT828789 | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | 16.1.0, 15.1.1, 14.1.2.8 |
| 807337-5 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
| 788577-7 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
| 759564-2 | 3-Major | BT759564 | GUI not available after upgrade | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 740589-4 | 3-Major | BT740589 | MCPD crashes with core after 'tmsh edit /sys syslog all-properties' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 719555-3 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 16.0.0, 15.1.1, 14.1.4, 13.1.5 |
| 489572-5 | 3-Major | K60934489 , BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 431503-8 | 3-Major | K14838 , BT431503 | TMSH crashes in rare initial tunnel configurations | 15.1.1, 14.1.2.8, 13.1.3.5, 11.5.0 |
| 921369 | 4-Minor | BT921369 | Signature verification for logs fails if the log files are modified during log rotation | 16.1.0, 15.1.1 |
| 914761-3 | 4-Minor | BT914761 | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
| 906889-4 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 902417-2 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition ★ | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 890277-3 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 864757-3 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 779857-2 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition ★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 751103-2 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 849085-1 | 5-Cosmetic | BT849085 | Lines with only asterisks filling message and user.log file | 16.0.0, 15.1.1, 14.1.3.1 |
| 714176-1 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 889209-2 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | 16.0.0, 15.1.1, 14.1.4 |
| 879409-3 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length | 16.0.0, 15.1.1, 14.1.3.1 |
| 858429-3 | 2-Critical | BT858429 | BIG-IP system sends ICMP packets on both virtual wire interfaces. | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.8 |
| 851857-1 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 851581-3 | 2-Critical | BT851581 | Server-side detach may crash TMM | 16.0.0, 15.1.1, 14.1.2.8 |
| 842937-6 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.3 |
| 932825-2 | 3-Major | BT932825 | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device | 16.1.0, 15.1.1 |
| 915713-2 | 3-Major | BT915713 | Support QUIC and HTTP3 draft-29 | 16.1.0, 16.0.1.1, 15.1.1 |
| 915689-1 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 915281-2 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 892385 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
| 883529-1 | 3-Major | BT883529 | HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path | 16.0.0, 15.1.1 |
| 851789-2 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS | 16.0.0, 15.1.1, 14.1.2.5, 12.1.5.3 |
| 851477-1 | 3-Major | BT851477 | Memory allocation failures during proxy initialization are ignored leading to TMM cores | 16.0.0, 15.1.1, 14.1.3.1 |
| 851045-1 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
| 830797-3 | 3-Major | BT830797 | Standby high availability (HA) device passes traffic through virtual wire | 16.0.0, 15.1.1, 15.0.1.1, 14.1.2.3 |
| 816881-2 | 3-Major | BT816881 | Serverside conection may use wrong VLAN when virtual wire is configured | 16.0.0, 15.1.1, 14.1.2.8 |
| 801497-3 | 3-Major | BT801497 | Virtual wire with LACP pinning to one link in trunk. | 16.0.0, 15.1.1, 14.1.2.1 |
| 932937-2 | 4-Minor | BT932937 | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 926997-1 | 4-Minor | BT926997 | QUIC HANDSHAKE_DONE profile statistics are not reset | 16.1.0, 16.0.1, 15.1.1 |
| 852373-3 | 4-Minor | BT852373 | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
| 814037-6 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 919553-2 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
| 788465-5 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 783125-1 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 898093-2 | 3-Major | BT898093 | Removing one member from a WideIP removes it from all WideIPs. | 16.0.0, 15.1.1 |
| 869361-1 | 3-Major | BT869361 | Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated | 16.0.0, 15.1.1 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 868641-3 | 2-Critical | BT868641 | Possible TMM crash when disabling bot profile for the entire connection | 16.0.0, 15.1.1, 14.1.2.7 |
| 843801-2 | 2-Critical | BT843801 | Like-named previous Signature Update installations block Live Update usage after upgrade ★ | 16.0.0, 15.1.1, 14.1.2.7 |
| 918081-1 | 3-Major | BT918081 | Application Security Administrator role cannot create parent policy in the GUI | 16.1.0, 16.0.1.1, 15.1.1 |
| 913761-2 | 3-Major | BT913761 | Security - Options section in navigation menu is visible for only Administrator users | 16.1.0, 16.0.1.2, 15.1.1 |
| 903357-2 | 3-Major | BT903357 | Bot defense Profile list is loads too slow when there are 750 or more Virtual servers | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.7 |
| 901061-2 | 3-Major | BT901061 | Safari browser might be blocked when using Bot Defense profile and related domains. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 898741-2 | 3-Major | BT898741 | Missing critical files causes FIPS-140 system to halt upon boot | 16.1.0, 15.1.1, 14.1.2.7 |
| 892637-1 | 3-Major | BT892637 | Microservices cannot be added or modified | 16.0.0, 15.1.1 |
| 888285-1 | 3-Major | K18304067 , BT888285 | Sensitive positional parameter not masked in 'Referer' header value | 16.0.0, 15.1.1, 14.1.2.8 |
| 888261-1 | 3-Major | BT888261 | Policy created with declarative WAF does not use updated template. | 16.0.0, 15.1.1 |
| 881757-1 | 3-Major | BT881757 | Unnecessary HTML response parsing and response payload is not compressed | 16.1.0, 16.0.1.2, 15.1.1, 14.1.4.2 |
| 880753-3 | 3-Major | K38157961 , BT880753 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.7 |
| 879777-3 | 4-Minor | BT879777 | Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge | 16.0.0, 15.1.1, 14.1.2.8 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 908065-2 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 819301-2 | 3-Major | BT819301 | Incorrect values in REST response for dos-l3 table | 16.1.0, 16.0.1, 15.1.1 |
| 866613-4 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 886729-2 | 2-Critical | BT886729 | Intermittent TMM crash in per-request-policy allow-ending agent | 16.0.0, 15.1.1 |
| 838861-3 | 2-Critical | BT838861 | TMM might crash once after upgrading SSL Orchestrator ★ | 16.0.0, 15.1.1, 14.1.2.7 |
| 579219-5 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5 |
| 892937-2 | 3-Major | K20105555 , BT892937 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1, 15.1.1, 14.1.4 |
| 857589-1 | 3-Major | BT857589 | On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' | 16.0.0, 15.1.1 |
| 771961-3 | 3-Major | BT771961 | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | 16.0.0, 15.1.1, 14.1.3.1 |
| 747020-2 | 3-Major | BT747020 | Requests that evaluate to same subsession can be processed concurrently | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 679751-2 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 16.1.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 868781-1 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 16.0.0, 15.1.1, 14.1.4.2, 13.1.4.1 |
| 898997-2 | 3-Major | BT898997 | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | 16.1.0, 16.0.1, 15.1.1, 14.1.2.7 |
| 891385-2 | 3-Major | BT891385 | Add support for URI protocol type "urn" in MRF SIP load balancing | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
| 697331-2 | 3-Major | BT697331 | Some TMOS tools for querying various DBs fail when only a single TMM is running | 16.0.0, 15.1.1, 14.1.3.1, 14.1.3 |
| 924349-2 | 4-Minor | DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 872645-2 | 3-Major | BT872645 | Protected Object Aggregate stats are causing elevated CPU usage | 16.0.0, 15.1.1, 14.1.3.1 |
| 852289-4 | 3-Major | K23278332 , BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
| 789857 | 3-Major | BT789857 | "TCP half open' reports drops made by LTM syn-cookies mitigation. | 15.1.1, 14.1.4 |
| 920361-2 | 4-Minor | BT920361 | Standby device name sent in Traffic Statistics syslog/Splunk messages | 16.1.0, 15.1.1, 14.1.3.1 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 876581-2 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
| 891729-2 | 4-Minor | BT891729 | Errors in datasyncd.log ★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
| 759988-2 | 4-Minor | BT759988 | Geolocation information inconsistently formatted | 16.1.0, 16.0.1, 15.1.1 |
| 940401-2 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 937281-3 | 3-Major | BT937281 | SSL Orchestrator pool members are limited to 20 with Standalone license | 16.1.0, 16.0.0.1, 15.1.1 |
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 912221-1 |
CVE-2020-12662
CVE-2020-12663 |
K37661551 , BT912221 | CVE-2020-12662 & CVE-2020-12663 | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
| 900905-3 | CVE-2020-5926 | K42830212 , BT900905 | TMM may crash while processing SIP data | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 888417-5 | CVE-2020-8840 | K15320518 , BT888417 | Apache Vulnerability: CVE-2020-8840 | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 883717-1 | CVE-2020-5914 | K37466356 , BT883717 | BD crash on specific server cookie scenario | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 841577-2 | CVE-2020-5922 | K20606443 , BT841577 | iControl REST hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
| 838677-1 | CVE-2019-10744 | K47105354 , BT838677 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
| 837773-7 | CVE-2020-5912 | K12936322 , BT837773 | Restjavad Storage and Configuration Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
| 788057-3 | CVE-2020-5921 | K00103216 , BT788057 | MCPD may crash while processing syncookies | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
| 917005-5 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
| 909837-1 | CVE-2020-5950 | K05204103 , BT909837 | TMM may consume excessive resources when AFM is provisioned | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
| 902141-1 | CVE-2020-5919 | K94563369 , BT902141 | TMM may crash while processing APM data | 16.0.0, 15.1.0.5 |
| 898949-1 | CVE-2020-27724 | K04518313 , BT898949 | APM may consume excessive resources while processing VPN traffic | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 888489-2 | CVE-2020-5927 | K55873574 , BT888489 | ASM UI hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 886085-5 | CVE-2020-5925 | K45421311 , BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 872673-1 | CVE-2020-5918 | K26464312 , BT872673 | TMM can crash when processing SCTP traffic | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 856961-7 | CVE-2018-12207 | K17269881 , BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8, 13.1.3.5 |
| 837837-2 | CVE-2020-5917 | K43404629 , BT837837 | F5 SSH server key size vulnerability CVE-2020-5917 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 12.1.5.2 |
| 832885-1 | CVE-2020-5923 | K05975972 , BT832885 | Self-IP hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 830481-1 | CVE-2020-5916 | K29923912 , BT830481 | SSL TMUI hardening | 16.0.0, 15.1.0.5, 15.0.1.4 |
| 816413-5 | CVE-2019-1125 | K31085564 , BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 811789-7 | CVE-2020-5915 | K57214921 , BT811789 | Device trust UI hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
| 888493-2 | CVE-2020-5928 | K40843345 , BT888493 | ASM GUI Hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
| 748122-8 | CVE-2018-15333 | K53620021 , BT748122 | BIG-IP Vulnerability CVE-2018-15333 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
| 746091-8 | CVE-2019-19151 | K21711352 , BT746091 | TMSH Vulnerability: CVE-2019-19151 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
| 717276-9 | CVE-2020-5930 | K20622530 , BT717276 | TMM Route Metrics Hardening | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4, 12.1.5.3, 11.6.5.3 |
| 839145-3 | CVE-2019-10744 | K47105354 , BT839145 | CVE-2019-10744: lodash vulnerability | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
| 767269-5 | CVE-2018-16884 | K21430012 | Linux kernel vulnerability: CVE-2018-16884 | 16.0.0, 15.1.0.5, 14.1.2.8 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 816233-1 | 2-Critical | BT816233 | Session and authentication cookies should use larger character set | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 890421-2 | 3-Major | BT890421 | New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers ★ | 16.0.0, 15.1.0.5, 15.0.1.3 |
| 691499-5 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
| 745465-4 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 934241-2 | 1-Blocking | BT934241 | TMM may core when using FastL4's hardware offloading feature | 16.1.0, 15.1.0.5 |
| 891477-3 | 2-Critical | BT891477 | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 890513-2 | 2-Critical | BT890513 | MCPD fails to load configuration from binary database | 16.0.0, 15.1.0.5, 14.1.4 |
| 849405-2 | 2-Critical | BT849405 | LTM v14.1.2.1 does not log after upgrade ★ | 16.0.0, 15.1.0.5, 14.1.2.5 |
| 842865-2 | 2-Critical | BT842865 | Add support for Auto MAC configuration (ixlv) | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8 |
| 739507-3 | 2-Critical | BT739507 | Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 16.1.0, 15.1.0.5, 14.1.4, 13.1.1.2 |
| 927901-4 | 3-Major | BT927901 | After BIG-IP reboot, vxnet interfaces come up as uninitialized | 15.1.0.5 |
| 915497-2 | 3-Major | BT915497 | New Traffic Class Page shows multiple question marks. | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.3.1 |
| 907549-1 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
| 891721-3 | 3-Major | BT891721 | Anti-Fraud Profile URLs with query strings do not load successfully | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
| 888497-2 | 3-Major | BT888497 | Cacheable HTTP Response | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 887089-1 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 16.1.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 877145-4 | 3-Major | BT877145 | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException | 16.0.0, 15.1.0.5, 15.0.1.3 |
| 871657-1 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
| 844085-1 | 3-Major | BT844085 | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
| 842125-6 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
| 821309-1 | 3-Major | BT821309 | After an initial boot, mcpd has a defunct child "systemctl" process | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 814585-1 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
| 807005-5 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
| 802685-2 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 797829-6 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5 |
| 785741-3 | 3-Major | K19131357 , BT785741 | Unable to login using LDAP with 'user-template' configuration | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.3 |
| 760622-5 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 16.0.0, 15.1.0.5 |
| 405329-3 | 3-Major | The imish utility cores while checking help strings for OSPF6 vertex-threshold | 16.0.0, 15.1.0.5, 14.1.4.6 | |
| 919745-2 | 4-Minor | BT919745 | CSV files downloaded from the Dashboard have the first row with all 'NaN | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
| 918209-3 | 4-Minor | BT918209 | GUI Network Map icons color scheme is not section 508 compliant | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
| 851393-1 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up | 16.0.0, 15.1.0.5, 14.1.4.4 |
| 804309-1 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
| 713614-7 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 16.0.0, 15.1.0.5, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 925989 | 2-Critical | BT925989 | Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4 ★ | 15.1.0.5 |
| 839749-3 | 2-Critical | BT839749 | Virtual server with specific address list might fail to create via GUI | 16.0.0, 15.1.0.5, 15.0.1.1, 14.1.2.8 |
| 715032-1 | 2-Critical | K73302459 , BT715032 | iRulesLX Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
| 916589-2 | 3-Major | BT916589 | QUIC drops 0RTT packets if CID length changes | 16.1.0, 16.0.1.1, 15.1.0.5 |
| 910521-2 | 3-Major | BT910521 | Support QUIC and HTTP draft-28 | 16.1.0, 16.0.1, 15.1.0.5 |
| 893281-3 | 3-Major | BT893281 | Possible ssl stall on closed client handshake | 16.1.0, 15.1.0.5, 14.1.2.7 |
| 813701-6 | 3-Major | BT813701 | Proxy ARP failure | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 788753-2 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4 |
| 786517-5 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5 |
| 720440-6 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
| 914681-2 | 4-Minor | BT914681 | Value of tmm.quic.log.level can differ between TMSH and GUI | 16.1.0, 16.0.1.1, 15.1.0.5 |
| 714502-3 | 4-Minor | BT714502 | bigd restarts after loading a UCS for the first time | 16.0.0, 15.1.0.5, 14.1.2.7 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 789421-4 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
| 774257-4 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types | 16.0.0, 15.1.0.5, 14.1.2.7 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 904593-1 | 2-Critical | BT904593 | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | 16.1.0, 15.1.0.5, 14.1.2.7 |
| 865461-1 | 2-Critical | BT865461 | BD crash on specific scenario | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 850641-2 | 2-Critical | BT850641 | Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies | 16.0.0, 15.1.0.5 |
| 900797-2 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 900793-1 | 3-Major | K32055534 , BT900793 | APM Brute Force Protection resources do not scale automatically | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 900789-2 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash are fully utilized | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 892653-1 | 3-Major | BT892653 | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
| 880789-3 | 3-Major | BT880789 | ASMConfig Handler undergoes frequent restarts | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 874753-3 | 3-Major | BT874753 | Filtering by Bot Categories on Bot Requests Log shows 0 events | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 871905-2 | 3-Major | K02705117 , BT871905 | Incorrect masking of parameters in event log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.5 |
| 868721-1 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 863609-4 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 854177-5 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
| 850677-4 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 848445-1 | 3-Major | K86285055 , BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer ★ | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
| 833685-5 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
| 809125-5 | 3-Major | BT809125 | CSRF false positive | 16.0.0, 15.1.0.5, 14.1.2.7, 12.1.5.1 |
| 799749-2 | 3-Major | BT799749 | Asm logrotate fails to rotate | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 783165-1 | 3-Major | BT783165 | Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 742549-3 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.6 |
| 722337-2 | 3-Major | BT722337 | Always show violations in request log when post request is large | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
| 640842-5 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled | 16.0.0, 15.1.0.5, 14.1.2.7 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 828937-1 | 2-Critical | K45725467 , BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
| 902485-3 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 841305-2 | 3-Major | BT841305 | HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log | 16.1.0, 16.0.1, 15.1.0.5 |
| 838685-4 | 3-Major | BT838685 | DoS report exist in per-widget but not under individual virtual | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 884797-4 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection | 16.0.0, 15.1.0.5, 14.1.2.5 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 921773-2 | 3-Major | BT921773 | Diameter initial negotiation is not rejected when no common application is set | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4 |
| 904373-3 | 3-Major | BT904373 | MRF GenericMessage: Implement limit to message queues size | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1 |
| 876953-2 | 3-Major | BT876953 | Tmm crash while passing diameter traffic | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4 |
| 876077-1 | 3-Major | BT876077 | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | 16.1.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
| 868381-1 | 3-Major | BT868381 | MRF DIAMETER: Retransmission queue unable to delete stale entries | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
| 866021-1 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
| 824149-5 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
| 815877-2 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
| 696348-5 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
| 788513-6 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
| 793005-1 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 802421-6 | 2-Critical | BT802421 | The /var partition may become 100% full requiring manual intervention to clear space | 16.0.0, 15.1.0.5, 14.1.2.7 |
| 757279-3 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 15.1.0.5, 14.1.2.8, 13.1.1.5 |
| 896917 | 4-Minor | BT896917 | The fw_zone_stat 'Hits' field may not increment in some scenarios | 15.1.0.5 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 839597-6 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 886717-1 | 3-Major | BT886717 | TMM crashes while using SSL Orchestrator. | 16.0.0, 15.1.0.5 |
| 886713-1 | 4-Minor | BT886713 | Error log seen in case of SSL Orchestrator configured with http service during connection close. | 16.0.0, 15.1.0.5, 14.1.2.5 |
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 900757-2 | CVE-2020-5902 | K52145254 , BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4 |
| 895525-2 | CVE-2020-5902 | K52145254 , BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 909237-6 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 909233-6 | CVE-2020-8616 | K97810133 , BT909233 | DNS Hardening | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 905905-1 | CVE-2020-5904 | K31301245 , BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
| 895993-2 | CVE-2020-5902 | K52145254 , BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 895981-2 | CVE-2020-5902 | K52145254 , BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
| 895881-1 | CVE-2020-5903 | K43638305 , BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
| 891457-2 | CVE-2020-5939 | K75111593 , BT891457 | NIC driver may fail while transmitting data | 16.1.0, 16.0.1, 15.1.0.4, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
| 859089-7 | CVE-2020-5907 | K00091341 , BT859089 | TMSH allows SFTP utility access | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 909673 | 2-Critical | BT909673 | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms | 17.1.0, 15.1.0.4 |
| 882557-2 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
| 878893-3 | 3-Major | BT878893 | During system shutdown it is possible the for sflow_agent to core | 16.0.0, 15.1.0.4 |
| 858769-6 | 3-Major | K82498430 , BT858769 | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 | 16.0.0, 15.1.0.4 |
| 829193-4 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 16.0.0, 15.1.0.4, 14.1.3.1, 13.1.3.6 |
| 826265-5 | 3-Major | BT826265 | The SNMPv3 engineBoots value restarts at 1 after an upgrade | 16.0.0, 15.1.0.4 |
| 812493-4 | 3-Major | BT812493 | When engineID is reconfigured, snmp and alert daemons must be restarted ★ | 16.0.0, 15.1.0.4 |
| 810381-2 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 16.0.0, 15.1.0.4, 14.1.2.8, 13.1.3.5 |
| 743234-6 | 3-Major | BT743234 | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | 16.0.0, 15.1.0.4 |
| 774617-3 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits | 16.0.0, 15.1.0.4, 14.1.4 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 910177 | 2-Critical | BT910177 | Poor HTTP/3 throughput | 15.1.0.4 |
| 848777-3 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | 16.0.0, 15.1.0.4, 14.1.2.7 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 892621-1 | 3-Major | BT892621 | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software | 16.0.0, 15.1.0.4, 14.1.3 |
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 889505 | 3-Major | BT889505 | Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available | 16.0.0, 15.1.0.3 |
| 888569 | 3-Major | BT888569 | Added PBA stats for total number of free PBAs, and percent free PBAs | 16.0.0, 15.1.0.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 795649-5 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 16.0.0, 15.1.0.3, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 883513-1 | 3-Major | BT883513 | Support for QUIC and HTTP/3 draft-27 | 16.0.0, 15.1.0.3 |
| 828601-1 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 14.1.2.7, 13.1.3.5 |
| 758599-3 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 846713-1 | 2-Critical | BT846713 | Gtm_add does not restart named | 16.0.0, 15.1.0.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 903905-2 | 2-Critical | BT903905 | BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances | 16.0.0, 15.1.0.3 |
| 889477-1 | 2-Critical | BT889477 | Modern customization does not enforce validation at password changing | 16.0.0, 15.1.0.3 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 888625 | 3-Major | BT888625 | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks | 16.0.0, 15.1.0.3, 14.1.2.7 |
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 879025-2 | CVE-2020-5913 | K72752002 , BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5, 12.1.5.2 |
| 871633-1 | CVE-2020-5859 | K61367237 , BT871633 | TMM may crash while processing HTTP/3 traffic | 16.0.0, 15.1.0.2 |
| 846917-1 | CVE-2019-10744 | K47105354 , BT846917 | lodash Vulnerability: CVE-2019-10744 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
| 846365-1 | CVE-2020-5878 | K35750231 , BT846365 | TMM may crash while processing IP traffic | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
| 830401-1 | CVE-2020-5877 | K54200228 , BT830401 | TMM may crash while processing TCP traffic with iRules | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 819197-2 | CVE-2019-13135 | K20336394 , BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 819189-1 | CVE-2019-13136 | K03512441 , BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 818169-1 | CVE-2022-26372 | K23454411 , BT818169 | TMM may consume excessive resources when processing DNS profiles with DNS queing enabled | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5 |
| 636400 | CVE-2019-6665 | K26462555 , BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 15.1.0.2, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
| 873469-2 | CVE-2020-5889 | K24415506 , BT873469 | APM Portal Access: Base URL may be set to incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 864109-1 | CVE-2020-5889 | K24415506 , BT864109 | APM Portal Access: Base URL may be set to incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 858025-1 | CVE-2021-22984 | K33440533 , BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
| 838881-1 | CVE-2020-5853 | K73183618 , BT838881 | APM Portal Access Vulnerability: CVE-2020-5853 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 12.1.5.2, 11.6.5.2 |
| 832021-3 | CVE-2020-5888 | K73274382 , BT832021 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 832017-3 | CVE-2020-5887 | K10251014 , BT832017 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 829121-1 | CVE-2020-5886 | K65720640 , BT829121 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
| 829117-1 | CVE-2020-5885 | K17663061 , BT829117 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
| 789921-5 | CVE-2020-5881 | K03386032 , BT789921 | TMM may restart while processing VLAN traffic | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
| 868097-3 | CVE-2020-5891 | K58494243 , BT868097 | TMM may crash while processing HTTP/2 traffic | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 846157-1 | CVE-2020-5862 | K01054113 , BT846157 | TMM may crash while processing traffic on AWS | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
| 838909-3 | CVE-2020-5893 | K97733133 , BT838909 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 | 15.1.0.2, 13.1.4, 12.1.5.2, 11.6.5.2 |
| 823893-7 | CVE-2020-5890 | K03318649 , BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 870389-3 | 3-Major | BT870389 | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 858229-5 | 3-Major | K22493037 , BT858229 | XML with sensitive data gets to the ICAP server | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 854493-5 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log | 16.0.0, 15.1.0.2, 14.1.2.8 |
| 841953-7 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
| 841581 | 2-Critical | BT841581 | License activation takes a long time to complete on Google GCE platform | 15.1.0.2 |
| 841333-7 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
| 817709-3 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 16.1.0, 15.1.0.2, 14.1.2.8, 13.1.5 |
| 811701-3 | 2-Critical | BT811701 | AWS instance using xnet driver not receiving packets on an interface. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7 |
| 811149-2 | 2-Critical | BT811149 | Remotely-authenticated users are unable to authenticate through the serial console | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.8 |
| 866925-5 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 865225-1 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 16.1.0, 15.1.0.2, 14.1.5.1, 13.1.3.4 |
| 852001-1 | 3-Major | BT852001 | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 830717 | 3-Major | BT830717 | Appdata logical volume cannot be resized for some cloud images ★ | 16.0.0, 15.1.0.2 |
| 829317-5 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 16.0.0, 15.1.0.2, 14.1.3.1, 14.1.3, 13.1.4 |
| 828873-3 | 3-Major | BT828873 | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor | 16.0.0, 15.1.0.2 |
| 812981-6 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
| 802281-3 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5 |
| 793121-5 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.2 |
| 742628-1 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.3 |
| 605675-6 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3, 11.6.5.2 |
| 831293-5 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
| 755317-3 | 4-Minor | BT755317 | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 722230-1 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.4, 12.1.5.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 860881-3 | 2-Critical | BT860881 | TMM can crash when handling a compressed response from HTTP server | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 839401-1 | 2-Critical | BT839401 | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5 |
| 837617-1 | 2-Critical | BT837617 | Tmm may crash while processing a compression context | 16.0.0, 15.1.0.2, 14.1.4.4 |
| 872965-1 | 3-Major | BT872965 | HTTP/3 does not support draft-25 | 16.0.0, 15.1.0.2 |
| 862597-7 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
| 853613-4 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 852873-2 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped | 16.0.0, 15.1.0.2, 14.1.2.7 |
| 852861-1 | 3-Major | BT852861 | TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario | 16.0.0, 15.1.0.2 |
| 851445-1 | 3-Major | BT851445 | QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams | 16.0.0, 15.1.0.2 |
| 850973-1 | 3-Major | BT850973 | Improve QUIC goodput for lossy links | 16.0.0, 15.1.0.2 |
| 850933-1 | 3-Major | BT850933 | Improve QUIC rate pacing functionality | 16.0.0, 15.1.0.2 |
| 847325-3 | 3-Major | BT847325 | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 818853-1 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
| 809597-5 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 16.0.0, 15.1.0.2, 14.1.3, 13.1.4 |
| 714372-5 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.4.4 |
| 705112-6 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3, 12.1.4.1, 11.5.9 |
| 859113-1 | 4-Minor | BT859113 | Using "reject" iRules command inside "after" may causes core | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 839245-3 | 4-Minor | BT839245 | IPother profile with SNAT sets egress TTL to 255 | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 824365-5 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.3, 13.1.3.6 |
| 822025 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760471-1 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.3, 13.1.3.5, 12.1.5.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 852437-3 | 2-Critical | K25037027 , BT852437 | Overly aggressive file cleanup causes failed ASU installation | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 846073-1 | 2-Critical | BT846073 | Installation of browser challenges fails through Live Update | 16.0.0, 15.1.0.2 |
| 850673-1 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
| 842161-1 | 3-Major | BT842161 | Installation of Browser Challenges fails in 15.1.0 | 16.0.0, 15.1.0.2 |
| 793017-3 | 3-Major | BT793017 | Files left behind by failed Attack Signature updates are not cleaned | 16.0.0, 15.1.0.2, 14.1.2.3 |
| 778261-2 | 3-Major | BT778261 | CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate | 16.0.0, 15.1.0.2, 15.0.1.1 |
| 739618-3 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 15.1.0.2, 14.1.2.3, 14.1.0, 13.1.3.2 |
| 681010-4 | 3-Major | K33572148 , BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 838709-4 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 870957-4 | 3-Major | BT870957 | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 863161-1 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 835381-3 | 3-Major | BT835381 | HTTP custom analytics profile 'not found' when default profile is modified | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 830073-2 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 865053-3 | 4-Minor | BT865053 | AVRD core due to a try to load vip lookup when AVRD is down | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 863069-1 | 4-Minor | BT863069 | Avrmail timeout is too small | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 876393-1 | 2-Critical | BT876393 | General database error while creating Access Profile via the GUI | 16.0.0, 15.1.0.2 |
| 871761-1 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
| 871653-1 | 2-Critical | BT871653 | Access Policy cannot be created with 'modern' customization | 16.0.0, 15.1.0.2 |
| 866685-1 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 866161-1 | 3-Major | BT866161 | Client port reuse causes RST when the security service attempts server connection reuse. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 853325-1 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.5 |
| 852313-4 | 3-Major | BT852313 | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 850277-1 | 3-Major | BT850277 | Memory leak when using OAuth | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4, 13.1.3.4 |
| 844781-3 | 3-Major | BT844781 | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
| 844685-1 | 3-Major | BT844685 | Per-request policy is not exported if it contains HTTP Connector Agent | 16.0.0, 15.1.0.2 |
| 844573-1 | 3-Major | BT844573 | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | 15.1.0.2 |
| 844281-3 | 3-Major | BT844281 | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
| 835309-1 | 3-Major | Some strings on BIG-IP APM Server pages are not localized | 16.0.0, 15.1.0.2 | |
| 832881-1 | 3-Major | BT832881 | F5 Endpoint Inspection helper app is not updated | 16.0.0, 15.1.0.2 |
| 832569-3 | 3-Major | BT832569 | APM end-user connection reset | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 831781-4 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 803825-5 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
| 761303-5 | 3-Major | BT761303 | Upgrade of standby BIG-IP system results in empty Local Database | 16.0.0, 15.1.0.2, 15.0.1.3 |
| 744407-1 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
| 706782-5 | 3-Major | BT706782 | Inefficient APM processing in large configurations. | 17.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.8 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 853545-1 | 3-Major | BT853545 | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 842625-5 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.4 |
| 840821-1 | 3-Major | BT840821 | SCTP Multihoming not working within MRF Transport-config connections | 16.0.0, 15.1.0.2 |
| 825013-1 | 3-Major | BT825013 | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.7 |
| 803809-4 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.4 |
| 859721-1 | 4-Minor | BT859721 | Using GENERICMESSAGE create together with reject inside periodic after may cause core | 16.0.0, 15.1.0.2, 14.1.2.5 |
| 836357-5 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 852557-3 | 2-Critical | BT852557 | Tmm core while using service chaining for SSL Orchestrator | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 864329-3 | 3-Major | BT864329 | Client port reuse causes RST when the backend server-side connection is open | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 852481-3 | 3-Major | BT852481 | Failure to check virtual-server context when closing server-side connection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
| 852477-3 | 3-Major | BT852477 | Tmm core when SSL Orchestrator is enabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 834853 | 3-Major | BT834853 | Azure walinuxagent has been updated to v2.2.42 | 15.1.0.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 862557-1 | 3-Major | BT862557 | Client-ssl profiles derived from clientssl-quic fail validation | 16.0.0, 15.1.0.1 |
Cumulative fix details for BIG-IP v15.1.10.6 that are included in this release
999901-3 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502 , BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999881-4 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice
Links to More Info: K03544414 , BT999317
Component: Access Policy Manager
Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice
Conditions:
Running Diagnostics report for Edge client on Windows system
Impact:
Edge client does not follow best practice
Workaround:
No workaround.
Fix:
Edge Client on Windows now follows best practice
Fixed Versions:
17.0.0, 15.1.3.1
999125-2 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-3 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998701-2 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Links to More Info: BT998473
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication for Active Directory users which are subscribed to more than hundred groups will fail.
Workaround:
None
Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.
Fixed Versions:
16.1.0, 15.1.4.1
998225-4 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.
Links to More Info: BT998225
Component: TMOS
Symptoms:
TMM crashes during the primary blade transition.
Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes on primary blade transition.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
998221-3 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
998085-1 : BIG-IP DataSafe GUI does not save changes
Links to More Info: BT998085
Component: Fraud Protection Services
Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.
Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.
Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.
Workaround:
Use tmsh to configure the BIG-IP system.
Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.
Fixed Versions:
16.1.0, 15.1.3
997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Links to More Info: BT997929
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
997761-2 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy
Links to More Info: BT997761
Component: Access Policy Manager
Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions, use cases such as API protection, the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.
Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.
Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.5
997641 : APM policy ending with redirection results in policy execution failure
Links to More Info: BT997641
Component: Access Policy Manager
Symptoms:
After successful authentication, the APM end user client connection gets reset.
/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766
Conditions:
Access policy has a path ending with a redirect.
Impact:
APM end user clients cannot access the backend resources protected by the policy.
Workaround:
None
Fix:
Fixed an issue with APM policies not working when they ended with redirect.
Fixed Versions:
15.1.4
997561-3 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
997429 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing
Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
997313-3 : Unable to create APM policies in a sync-only folder ★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
997169 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
Fix:
Firewall rules are now triggered when gateway pools are used.
Fixed Versions:
17.1.2, 15.1.4.1
997137-3 : CSRF token modification may allow WAF bypass on GET requests
Links to More Info: K80945213 , BT997137
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
996649-4 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
996593-2 : Password change through REST or GUI not allowed if the password is expired
Links to More Info: BT996593
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
996381-3 : ASM attack signature may not match as expected
Links to More Info: K41503304 , BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-1 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
995849-2 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of ipsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Memory allocation failures are handled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
995629-3 : Loading UCS files may hang if ASM is provisioned ★
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1
995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Links to More Info: BT995433
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPV6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
995201-4 : IP fragments for the same flow are dropped if they are received on different VLANs and route domains.
Links to More Info: BT995201
Component: Local Traffic Manager
Symptoms:
When duplicate IP fragments for the same flow (same connection tuple and flow ID) are simultaneously received on different VLANs or route domains, IP datagram reassembly fails.
Conditions:
-- Multicast traffic where identical fragments arrive on two different VLANs.
-- IP fragments for the same flow are received on different VLANs.
-- Alternatively, IP fragments for the same flow are received on different route domains.
Impact:
IP fragments that fail reassembly are dropped.
Workaround:
None
Fix:
The tm.ipfragreassemblestrict db var is disabled by default. When enabled IPv6 or IPv4 fragments arriving on different interfaces are queued separately.
Note: In order to resolve this issue, a version with this fix is necessary and the tm.ipfragreassemblestrict must be set to enable.
Fixed Versions:
16.1.0, 15.1.7
995097-3 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.
For instance, you can enter the following command:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }
And the system inserts the following instruction in the /etc/dhclient.conf file:
supersede domain-search "one.example.com", "two.example.com" ;
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
995029-3 : Configuration is not updated during auto-discovery
Links to More Info: BT995029
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.
Fix:
Fixed an issue with auto-discovery and JWKs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
994985-2 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI shows virtual server config page with all config values
Fixed Versions:
17.0.0, 15.1.4, 14.1.4.2
994305-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
994269-2 : Message 'double flow removal' is logged in LTM log file
Links to More Info: BT994269
Component: Local Traffic Manager
Symptoms:
The LTM log contains messages similar to the following:
Oops @ 0x290cfa0:1129: double flow removal.
Conditions:
FastL4 virtual server with iRule containing the FLOW_INIT command.
Impact:
The memory_usage_stat and tmm/umem_usage_stat might reflect incorrect values under increased traffic load when the underlying double flow removal messages persist continuously on the blades.
Excessive message logging by TMM may impact traffic.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.10
994125-2 : NetHSM Sanity results are not reflecting in GUI test output box
Links to More Info: BT994125
Component: Local Traffic Manager
Symptoms:
Cannot see the netHSM sanity test results in GUI when selected hsm test.
Conditions:
NA
Impact:
Cannot see netHSM test results from GUI.
Workaround:
Use TMSH to see netHSM test results.
Fix:
Can test the selected HSM and partition and view the test results.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
994033-2 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993921-4 : TMM SIGSEGV
Links to More Info: BT993921
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'pool XXXX member XXXX' iRule command.
Fix:
This rarely occurring issue is now fixed.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5.1
993913-2 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-5 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-3 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-3 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993481-3 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
993457-2 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993269-1 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992813-2 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
Fix:
The list of dhcp-options known to mcpd has been updated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-1 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.
Conditions:
When accessing /mgmt/tm/services through REST API
Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.
Workaround:
None
Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
992097-2 : Incorrect hostname is seen in logging files
Links to More Info: BT992097
Component: TMOS
Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".
Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.
Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
992053-1 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
Fix:
Updated pva_stats to reflect server side flow.
Fixed Versions:
17.1.0, 15.1.4.1
990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command ★
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1
990461-3 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade ★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
990073 : BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1 ★
Links to More Info: BT990073
Component: Access Policy Manager
Symptoms:
APM end user clients fail to establish VPN access using the browser to BIG-IP APM systems running 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1 with APM Client versions 7.1.8.4, 7.1.9.7, 7.2.1 or earlier in their respective software branches.
You may observe the following error message in a pop up dialog of the browser when the network access fails to launch:
=============
"F5 VPN - Your session could not be established"
"Your session could not be established.
The session reference number: nnnnnnnn
Application will be closed"
=============
Conditions:
-- This can occur after upgrading to the following BIG-IP versions:
- 13.1.3.6
- 14.1.4
- 15.1.2.1
- 16.0.1.1
-- APM end user clients are running 7.1.8.4 or earlier, 7.1.9, 7.1.9.7, or 7.2.1.
Impact:
APM end user clients, using the browser, cannot establish VPN access to the BIG-IP system.
Workaround:
Edge Clients (apmclients) versions 7.1.8.4, v7.1.9, and v7.1.9.7 (and earlier), do not work with BIG-IP versions beginning with v16.0.1.1, v15.1.2.1, v14.1.4, or v13.1.3.6. You must use later Edge Client versions.
-- If you are running 7.1.8.4 and earlier, upgrade to 7.1.8.5.
-- If you are running 7.1.9 or 7.1.9.7, upgrade to 7.1.9.8.
-- If you are running 7.2.1, upgrade to 7.2.1.1.
You can find versions 7.1.8.5, 7.1.8.9 and 7.2.1.1 on the F5 Downloads site :: https://downloads.f5.com/esd/index.jsp
For more information, see K13757: BIG-IP Edge Client version matrix :: https://support.f5.com/csp/article/K13757 and K01733249: What version of BIG-IP Edge Client should I use on my APM? :: https://support.f5.com/csp/article/K01733249
Fix:
BIG-IP APM releases now include the appropriately corresponding APM Clients.
Fixed Versions:
15.1.9
989753-2 : In HA setup, standby fails to establish connection to server
Links to More Info: BT989753
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
989517-2 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
989501-1 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
988793 : SecureVault on BIG-IP tenant does not store unit key securely
Links to More Info: BT988793
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for unit key.
Workaround:
None
Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.
Fixed Versions:
17.1.0, 15.1.4
988761-1 : Cannot create Protected Object in GUI
Links to More Info: BT988761
Component: Advanced Firewall Manager
Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step
Conditions:
This occurs in normal operation
Impact:
Cannot create Protected Objects using the GUI
Workaround:
Use tmsh to create Protected Objects
Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.
Fixed Versions:
16.1.0, 15.1.4
988645 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
Fix:
Fixed system behavior when tmm is aborted and restarted.
Fixed Versions:
17.1.0, 15.1.4
988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv
Links to More Info: K68251873
988533-1 : GRE-encapsulated MPLS packet support
Links to More Info: BT988533
Component: TMOS
Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.
Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5
988165-2 : VMware CPU reservation is now enforced.
Links to More Info: BT988165
Component: TMOS
Symptoms:
CPU reservation is not enabled which can result in insufficient CPU resource for virtual edition guest.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
Performance may be lower than expected particularly if ESXi is over subscribed and traffic volume is high.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
988005-1 : Zero active rules counters in GUI
Links to More Info: BT988005
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
987885-4 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0, 15.1.4
987605-2 : DDoS: ICMP attacks are not hardware-mitigated
Links to More Info: BT987605
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.
Fixed Versions:
15.1.4
987345-1 : Disabling periodic-refresh-log has no effect
Links to More Info: BT987345
Component: Advanced Firewall Manager
Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:
info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".
Conditions:
PBA periodic-refresh-log set to '0'.
Impact:
System provides unnecessary, excessive logging.
Workaround:
None
Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is now honored."Port Block Periodic Log" messages are no longer logged with this configuration setting.
Fixed Versions:
16.1.0, 15.1.4.1
987341-2 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987301-1 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
987113-1 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
Fixed Versions:
17.1.0, 15.1.4, 14.1.5
987077-1 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
986937-1 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4
985953-3 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
985925-1 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
985537-1 : Upgrade Microsoft Hyper-V driver ★
Links to More Info: BT985537
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.
When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.
Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.
Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.
Workaround:
None.
Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.
Fixed Versions:
16.1.0, 15.1.4
985433-2 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.
Links to More Info: BT985433
Component: Local Traffic Manager
Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.
Conditions:
--- Standard virtual server with the TCP and HTTP profiles.
--- The HTTP profile is configured to insert the X-Forwarded-For header.
--- The client supplies an empty X-Forwarded-For header in the HTTP request.
Impact:
Affected client connections are reset, leading to application failures.
Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:
when HTTP_REQUEST {
HTTP::header replace X-Forwarded-For [IP::remote_addr]
}
Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.
Fixed Versions:
16.1.0, 15.1.4.1
984765-1 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) ★
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
984749-2 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."
Links to More Info: BT984749
Component: Global Traffic Manager (DNS)
Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".
Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."
Impact:
Client Cache Hit/Miss Statistics ratio affected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
984657-3 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
Fix:
After the fix able to verify sysdb variables from tmsh
Fixed Versions:
16.1.5, 16.0.1.2, 15.1.4.1
984593-2 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984585-1 : IP Reputation option not shown in GUI.
Links to More Info: BT984585
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
Fix:
The IP Reputation option is now shown in the GUI.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
982993-4 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
Links to More Info: BT982993
Component: Local Traffic Manager
Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.
Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.
Impact:
Monitor status remains DOWN.
Workaround:
Consider monitoring the actual target.
Fixed Versions:
16.1.0, 15.1.9
982869-1 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Links to More Info: BT982869
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
982785-3 : Guided Configuration hardening
Links to More Info: K52322100
982757-5 : APM Access Guided Configuration hardening
Links to More Info: K53197140
981917-2 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981785-3 : Incorrect incident severity in Event Correlation statistics
Links to More Info: BT981785
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
981689-2 : TMM memory leak with IPsec ALG
Links to More Info: BT981689
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.2
981385-3 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4
981069-1 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
980821-2 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Links to More Info: BT980821
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
destination 10.1.1.1:80
ip-protocol any
...
}
ltm virtual vs-portAny-protoTCP {
destination 10.1.1.1:0
ip-protocol TCP
...
}
Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
destination 10.1.1.1:80
ip-protocol TCP
...
}
ltm virtual vs-port80-protoUDP {
destination 10.1.1.1:80
ip-protcol UDP
...
}
Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2
980617-3 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Links to More Info: BT980617
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
Fixed Versions:
17.0.0, 16.1.1, 15.1.10
980593 : LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table
Links to More Info: BT980593
Component: Advanced Firewall Manager
Symptoms:
LSN logging stats are always 0 (zero) for log_attempts and log_failures in tmctl table fw_lsn_log_stat if lsn_legacy_mode is set as disabled.
Conditions:
The lsn_legacy_mode value is disabled.
Impact:
The log_attempts and log_failures are always 0 in tmctl table fw_lsn_log_stat.
Workaround:
None
Fix:
Fixed an issue with log_attempts and log_failures.
Fixed Versions:
16.1.0, 15.1.5.1
980325-5 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of virtual address memory. The program is terminated with signal SIGSEGV, Segmentation fault when the limit of virtual address allocation is hit. On affected versions this will be about 2.5 GiB.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
979877-10 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information
979213-2 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
978833-2 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Links to More Info: BT978833
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
977657-2 : SELinux errors when deploying a vCMP guest.
Links to More Info: BT977657
Component: TMOS
Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".
Conditions:
The error occurs when the system is started back up after provisioning VCMP.
Impact:
SELinux avc is denied write permission for rpm_var_lib_t.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
977153-1 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Local Traffic Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
977053-2 : TMM crash on standby due to invalid MR router instance
Links to More Info: BT977053
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
977005-1 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Links to More Info: BT977005
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
GUI shows 'Any' extra text under the source column
Workaround:
None
Fix:
The GUI no longer shows extra text
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
976669-2 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
976525-3 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5
976505-2 : Rotated restnoded logs will fail logintegrity verification.
Links to More Info: BT976505
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
976501-2 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4, 13.1.3.6
976433-2 : Use of OCSP responder may leak X509 store instances
Links to More Info: BT976433
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
Memory usage grows over time which eventually can lead to traffic disruption
Workaround:
None
Fixed Versions:
16.1.0, 15.1.10
976365 : Traffic Classification hardening ★
Links to More Info: BT976365
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
Fixed Versions:
16.1.0, 15.1.3.1, 14.1.4.3
976337-1 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
16.1.2.2, 15.1.5.1
975809-1 : Rotated restjavad logs fail logintegrity verification.
Links to More Info: BT975809
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
974985-2 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
Links to More Info: BT974985
Component: Application Security Manager
Symptoms:
Non http traffic isn't forwarded to the backend server
Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-http traffic
Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>
Fix:
Fix DOSL7::disable command handler in the tmm code
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
974881-2 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
Links to More Info: BT974881
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
974501-1 : Excessive memory usage by mirroring subsystem when remirroring
Links to More Info: BT974501
Component: Local Traffic Manager
Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)
In severe cases, tmm might restart and generate a core file due to an out of memory condition.
Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.
Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.
Fixed Versions:
16.1.0, 15.1.2.1
974241-1 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
974205-3 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
973673-1 : CPU spikes when the LDAP operational timeout is set to 180 seconds
Links to More Info: BT973673
Component: Access Policy Manager
Symptoms:
By default, the LDAP operation timeout is 180 seconds, and this can cause CPU spikes.
Conditions:
-- BIG-IP configured with a per-request access policy.
-- A high traffic load containing a lot of LDAP Auth and LDAP Query operations occurs.
Impact:
High LDAP traffic load can cause cpu spikes and traffic disruption.
Fix:
Reduced LDAP operational timeout to 50 sec for per-request based LDAP Auth and LDAP Query requests as accessV2 mpi request timeout is 60 sec only.
Fixed Versions:
16.1.0, 15.1.5
973261-2 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Links to More Info: BT973261
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPs monitor.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
973201-2 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions ★
Links to More Info: BT973201
Component: TMOS
Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.
Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begins a live upgrade.
Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.
Workaround:
None
Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4
971297-2 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade ★
Links to More Info: BT971297
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.
Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded
Impact:
The keys are stored locally following the upgrade.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
971217-2 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
Links to More Info: BT971217
Component: Local Traffic Manager
Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.
Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.
-- Client sends HTTP POST request with Content-Length:0
Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".
Workaround:
None.
Fix:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations and will not incorrectly be reported.
Behavior Change:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations within the AFM HTTP protocol security profile.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
970829-5 : iSeries LCD incorrectly displays secure mode
Links to More Info: K03310534 , BT970829
Component: Device Management
Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.
Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.
Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:
-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.
The restjavad-audit.*.log may contain similar messages
[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}
Workaround:
None
Fix:
The LCD now functions normally, and no authentication errors appear in the logs.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
970329-3 : ASM hardening
Links to More Info: K70134152 , BT970329
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
969737-1 : Snmp requests not answered if V2 traps are configured
Links to More Info: BT969737
Component: TMOS
Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.
Conditions:
V2 traps are configured, for example:
tmsh modify sys snmp v2-traps add { ...
Impact:
SNMP external requests fail
Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration
Fixed Versions:
16.1.0, 15.1.10
969713-1 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey
Links to More Info: BT969713
Component: TMOS
Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.
Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured
Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel
Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.
Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.
Fixed Versions:
16.1.0, 15.1.4
969637-2 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade ★
Links to More Info: BT969637
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"
Conditions:
-- A small subset of the following BIG-IP platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Configuration load fails and the device does not come online.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
969509-4 : Possible memory corruption due to DOS vector reset
Links to More Info: BT969509
Component: Advanced Firewall Manager
Symptoms:
Unpredictable result due to possible memory corruption
Conditions:
DOS vector configuration change
Impact:
Memory corruption
Fix:
Added correct logic to reset DOS vector.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
969385-2 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.
Links to More Info: BT969385
Component: BIG-IP Risk Engine
Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile
Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)
Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.
Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).
Fix:
None
Fixed Versions:
16.0.1.2, 15.1.3
969317-3 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
969213-1 : VMware: management IP cannot be customized via net.mgmt.addr property
Links to More Info: BT969213
Component: TMOS
Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.
Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.
Impact:
Management IP cannot be customized in VMware during the VM setup.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
969105-2 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Links to More Info: BT969105
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
968741-1 : Traffic Intelligence pages not visible
Links to More Info: BT968741
Component: Traffic Classification Engine
Symptoms:
When trying to access TCE Signature Update Page from the GUI:
Traffic Intelligence -> Applications -> Signature Update
The page will not load.
Conditions:
Clicking on Traffic Intelligence -> Applications -> Signature Update will show a blank page.
Impact:
You will not be able access the Traffic Intelligence -> Applications -> Signature page in the GUI.
Workaround:
None
Fix:
TMUI pages for Traffic classification will be accessible from TMUI : Traffic Intelligence -> Applications -> Signature
Fixed Versions:
16.1.0, 15.1.4
968733-6 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
968657-2 : Added support for IMDSv2 on AWS
Links to More Info: BT968657
Component: TMOS
Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:
get_dossier call on the command line fails with:
01170003:3: halGetDossier returned error (1): Dossier generation failed.
This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.
Conditions:
AWS instances started with IMDSv2.
Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.
Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
968641-2 : Fix for zero LACP priority
Links to More Info: BT968641
Component: Local Traffic Manager
Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.
Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.
Impact:
BIG-IP may be unable to connect to Cisco trunks.
Workaround:
None.
Fix:
Eliminate LACP priority equal 0
Fixed Versions:
16.0.1.2, 15.1.3, 14.1.4
968581-2 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.
Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
968533 : Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.
Links to More Info: BT968533
Component: Advanced Firewall Manager
Symptoms:
When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.
Conditions:
-- Push flood vector is triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.
Impact:
The packets with PUSH flag for the good connections also get dropped even though "Only Count Suspicious Events" is enabled.
Workaround:
None
Fix:
Fixed an issue with rate limiting on PUSH packets.
Fixed Versions:
15.1.4.1
968421-2 : ASM attack signature doesn't matched
Links to More Info: K30291321 , BT968421
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3
967905-2 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
967889-1 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
Links to More Info: BT967889
Component: Advanced Firewall Manager
Symptoms:
Custom signature of virtual server shows incorrect attack information.
Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)
Impact:
GUI shows incorrect information for custom signature
Fix:
GUI shows correct information for custom signature
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
967745 : Last resort pool error for the modify command for Wide IP
Links to More Info: BT967745
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4
967249-2 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.
Links to More Info: BT967249
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.
Conditions:
- A BIG-IP system running more than 1 TMM instance.
- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).
- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.
- TMM hasn't fully completed its startup process yet.
Impact:
TMM leaks memory.
If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.
In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.
Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.
In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.
Fixed Versions:
16.1.0, 15.1.7
967101-2 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.
Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
967093-1 : In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail
Links to More Info: BT967093
Component: Local Traffic Manager
Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.
Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:
root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)
The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA.
In this case, the signer cert has different signature from that of the end-entity cert.
Impact:
SSL forward proxy handshake fails.
Fix:
Fixed an issue with SSL forward handshakes.
Fixed Versions:
17.0.0, 15.1.5
966949-2 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
966701-2 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
Links to More Info: BT966701
Component: Service Provider
Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.
Conditions:
-- SCTP transport profile
-- MRF generic msg router profile
Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing
Fix:
Enable the return type in generic msg filter when data received over SCTP transport
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
966681-1 : NAT translation failures while using SP-DAG in a multi-blade chassis
Links to More Info: BT966681
Component: Carrier-Grade NAT
Symptoms:
NAT translation fails
Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans
Impact:
Traffic failure, performance degraded
Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096
Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
966461-6 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.
tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
966421-3 : Connection stall happened when the shutdown received before all egress data
Links to More Info: BT966421
Component: Local Traffic Manager
Symptoms:
If the SSL receives shutdown before receiving all egress data, it will not close the connection until the idle timeout.
Conditions:
Shutdown event received by the SSL before all egress is received.
Impact:
Connections are not closing until the idle timeout.
Workaround:
None
Fix:
If shutdown arrives before the remaining egress data, the connection might not immediately close.
Fixed Versions:
16.1.0, 15.1.9
966277-1 : BFD down on multi-blade system
Links to More Info: BT966277
Component: TMOS
Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.
Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots
Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
966073-1 : GENEVE protocol support
Links to More Info: BT966073
Component: TMOS
Symptoms:
BIG-IP software does not support the GENEVE protocol.
Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol
Impact:
GENEVE protocol is unsupported.
Workaround:
None.
Fix:
BIG-IP software now supports the GENEVE protocol.
Fixed Versions:
16.1.0, 15.1.4.1
965897-2 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: Advanced Firewall Manager
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
965837-2 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
Fixed a TMM crash related to ping access.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
965785-2 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
965777-2 : Per-request policy authentication becomes unresponsive
Links to More Info: BT965777
Component: Access Policy Manager
Symptoms:
Per-request policy execution can appear to be slow during subroutine evaluation, and apmd appears to take a large amount of CPU.
Conditions:
The per-request policy is using subroutine to execute an authentication related agent that is dispatched to apmd for completion. These typically involve authentication agents that interact with an external authentication server, such as LDAP, RADIUS, or AD.
Impact:
Connectivity may be impaired or lost.
Workaround:
Failover the high availability (HA) pair, or restart apmd.
Fixed Versions:
16.1.0, 15.1.6.1
965617-3 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
Links to More Info: BT965617
Component: Advanced Firewall Manager
Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB
Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support
Impact:
More resources loading during DDoS attack
Fix:
Correct free spot search with offloading to HSB
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
965581-2 : Statistics are not reported to BIG-IQ
Links to More Info: BT965581
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.
Conditions:
A BIG-IP system is attached to BIG-IQ.
Impact:
No statistics collected.
Fix:
The avrd process no longer fails, and statistics are collected as expected.
Fixed Versions:
17.1.0, 15.1.4, 14.1.4
965485-3 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Links to More Info: K41523201
965457-4 : OSPF duplicate router detection might report false positives
Links to More Info: BT965457
Component: TMOS
Symptoms:
OSPF duplicate router detection might report false positives
Conditions:
Router sends LSA that is looped in network and sent back to its origin.
Impact:
Cosmetic
Fixed Versions:
16.1.0, 15.1.10
965229-2 : ASM Load hangs after upgrade ★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
965205-2 : BIG-IP dashboard downloads unused widgets
Links to More Info: BT965205
Component: TMOS
Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.
Conditions:
This occurs when viewing the BIG-IP dashboard.
Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
965037-1 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services
Links to More Info: BT965037
Component: Local Traffic Manager
Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in per-request policy) is inserted after Category lookup for CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to services.
Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname
Impact:
HTTP CONNECT tunnel payload is not sent to services
Workaround:
None
Fix:
HTTP CONNECT tunnel payload is now sent to services.
Fixed Versions:
16.1.0, 15.1.4.1
964941-1 : IPsec interface-mode tunnel does not initiate or respond after config change
Links to More Info: BT964941
Component: TMOS
Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.
Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration
Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.
Workaround:
Reboot or restart tmm.
For ikev1 peers it will also be necessary to restart tmipsecd after restarting tmm.
Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.
Fixed Versions:
16.1.0, 15.1.4
964897-2 : Live Update - Indication of "Update Available" when there is no available update
Links to More Info: BT964897
Component: Application Security Manager
Symptoms:
Live Update notifies you that an update is available even though there is no available update.
Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status
Impact:
Live Update erroneously indicates that an update is available.
Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat
Fix:
Fixed an issue with Live Update notification.
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.3, 14.1.4
964625-3 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
964585-3 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
Links to More Info: BT964585
Component: Protocol Inspection
Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.
Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.
Impact:
- The error message does not accurately explain the cause of the problem.
Workaround:
None.
Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
964577-3 : IPS automatic IM download not working as expected
Links to More Info: BT964577
Component: Protocol Inspection
Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.
IPS automatic IM download considers the BIG-IP software major and minor version numbers.
However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.
Conditions:
Auto download of IM package for IPS.
Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.
Workaround:
Manually download the IM package and upload it onto the BIG-IP system.
Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
964533-3 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964245-2 : ASM reports and enforces username always
Links to More Info: BT964245
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
964125-2 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964037 : Error: Exception response while loading properties from server
Links to More Info: BT964037
Component: Access Policy Manager
Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for Access Profile with modern customization due to interface error.
Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security
Impact:
You are unable to modify Endpoint Security interface strings
Fixed Versions:
15.1.4.1
963869-2 : Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server.
Links to More Info: BT963869
Component: Access Policy Manager
Symptoms:
Users are unable to launch the Remote Desktop app from the webtop.
Conditions:
-- APM is licensed and provisioned.
-- Remote Desktop is configured and attached to the per-session policy.
-- A per-request policy is attached to the virtual server.
Impact:
Users cannot access the remote desktop application.
Workaround:
Don't attach the per-request policy to the virtual server if it's not required.
Fix:
Remote Desktop app no longer fails to launch from the webtop when per-request policy is added to virtual server.
Fixed Versions:
16.1.0, 15.1.9
963713-1 : HTTP/2 virtual server with translate-disable can core tmm
Links to More Info: BT963713
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing HTTP/2 traffic
Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure an HTTP/2 virtual server with translate-disable
Fix:
Tmm does not crash anymore.
Fixed Versions:
16.1.0, 15.1.4
963705-3 : Proxy ssl server response not forwarded
Links to More Info: BT963705
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be not forwarded
Fix:
Proxy ssl will now forward server response after renegotiation
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
963541-2 : Net-snmp5.8 crash
Links to More Info: BT963541
Component: TMOS
Symptoms:
Snmpd crashes.
Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.
Impact:
Snmpd crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
963485-1 : Performance issue with data guard
Links to More Info: BT963485
Component: Application Security Manager
Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.
Conditions:
-- The server response is compressed.
-- Data guard is enabled.
Impact:
Slow response time.
Workaround:
-- Disable data guard or block the data instead of masking it.
-- Force server sending uncompressed response using an iRule:
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
Fixed Versions:
16.1.0, 15.1.4
963461-1 : ASM performance drop on the response side
Links to More Info: BT963461
Component: Application Security Manager
Symptoms:
Clients encounter a longer time to respond from the BIG-IP
Conditions:
-- One of the following features is enabled:
- convictions
- csrf
- ajax.
-- The response is HTML
-- The response has many tags
Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
963237-3 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
Links to More Info: BT963237
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.
Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server
Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
963049-1 : Unexpected config loss when modifying protected object
Links to More Info: BT963049
Component: TMOS
Symptoms:
A virtual server configuration is changed unexpectedly.
Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.
Impact:
Virtual servers client SSL profiles are removed if you have more than one profile.
Workaround:
None
Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.
Fixed Versions:
16.1.0, 15.1.3
963017-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
Links to More Info: BT963017
Component: TMOS
Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):
err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid
In addition, a message similar to the following may appear on the serial console while the system is booting:
[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:
# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since <...>
Main PID: #### (code=exited, status=1/FAILURE)
<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.
However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.
Conditions:
This may occur under the following conditions:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
- VIPRION B4450 blades
Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.
Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check
Fix:
This incorrect status reporting has been corrected.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
962817-2 : Description field of a JSON policy overwrites policy templates description
Links to More Info: BT962817
Component: Application Security Manager
Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.
If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.
Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.
Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.
Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:
rm -f /ts/install/policy_templates/fundamental.bin
Fix:
The binary file now contains the correct description.
Fixed Versions:
17.0.0, 16.0.1.1, 15.1.3
962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
962497 : BD crash after ICAP response
Links to More Info: BT962497
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
962433-4 : HTTP::retry for a HEAD request fails to create new connection
Links to More Info: BT962433
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.
Fixed Versions:
15.1.4, 14.1.4.3, 13.1.4.1
962249-2 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Links to More Info: BT962249
Component: TMOS
Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Conditions:
This message shows always on all platforms.
Impact:
No functional impact.
Fix:
Does not show this message on non-epva platforms.
Fixed Versions:
17.1.0, 15.1.4
962177-2 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
961509-2 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
961229-1 : The responses for EDNS/Non-EDNS UDP queries against DNS Express zone were truncated
Links to More Info: BT961229
Component: Global Traffic Manager (DNS)
Symptoms:
-- EDNS UDP query against DNS Express zone for larger responses get truncated.
--Non-EDNS query against DNS Express zone was truncated completely including the ANSWER section.
Conditions:
--Configure UDP and TCP listeners with DNS profile that has DNSX enabled and BIND disabled.
--Perform EDNS/Non-EDNS queries against the listener.
Impact:
No proper DNS responses.
Workaround:
Perform either of the following workarounds:
1. Enable DNS Express minimal-responses using DB key dnsexpress.minimalresponse. For detailed information, please refer to K41004650: Enable DNS Express minimal-responses for the Authority and Additional Records sections
2. Disable truncating UDP DNS response using DB key dns.udptruncate. For detailed information, please refer to K91537308: Overview of the truncating rule when DNS response size is over 512 Bytes
Fixed Versions:
16.1.0, 15.1.7
960749-2 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Links to More Info: BT960749
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3
960677-2 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
960437-2 : The BIG-IP system may initially fail to resolve some DNS queries
Links to More Info: BT960437
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3
960369-2 : Negative value suggested in Traffic Learning as max value
Links to More Info: BT960369
Component: Application Security Manager
Symptoms:
Negative value suggested in Traffic Learning as max value
Conditions:
A huge parameter value is seen in traffic
Impact:
Wrong learning suggestion issued
Workaround:
Manually change maximum allowed value on the parameter to ANY
Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
959985-1 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.
Links to More Info: BT959985
Component: TMOS
Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.
Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.
Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.
Workaround:
None
Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
959889-2 : Cannot update firewall rule with ip-protocol property as 'any'
Links to More Info: BT959889
Component: TMOS
Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.
Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update
Impact:
Cannot update the firewall rule from GUI.
Fix:
The GUI now allows updating firewall rules with 'any' as an ip-protocal.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
959629-2 : Logintegrity script for restjavad/restnoded fails
Links to More Info: BT959629
Component: TMOS
Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory.
Conditions:
When the logintegrity script runs.
Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.
Workaround:
Modify the script file /usr/bin/rest_logintegrity:
1. mount -o remount,rw /usr
2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original
3. vi /usr/bin/rest_logintegrity
4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
6. mount -o remount,ro /usr
Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
959609 : Autodiscd daemon keeps crashing
Links to More Info: BT959609
Component: Advanced Firewall Manager
Symptoms:
Autodiscd daemon keeps crashing.
Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.
Impact:
Auto discovery feature is not working as expected
Workaround:
None.
Fix:
Auto discovery feature now works as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
958833-1 : After mgmt ip change via GUI, brower is not redirected to new address
Links to More Info: BT958833
Component: TMOS
Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.
Conditions:
Change the Management IP address from the GUI and submit the change.
Impact:
Browser does not get redirected to the new address
Workaround:
Access the GUI by manually going to the new Management IP.
Fix:
GUI page is redirected to new Management IP address.
Fixed Versions:
16.1.0, 15.1.10, 14.1.5.1
958465-2 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
Links to More Info: BT958465
Component: TMOS
Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.
The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.4
958353-2 : Restarting the mcpd messaging service renders the PAYG VE license invalid.
Links to More Info: BT958353
Component: TMOS
Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.
Conditions:
Restarting the mcpd messaging service.
Impact:
The license becomes expired. A message is displayed in the console:
mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).
Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
958325-1 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
Links to More Info: BT958325
Component: Global Traffic Manager (DNS)
Symptoms:
Dangling monitor rule after pool deletion.
# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use
Conditions:
Using transaction to delete pool and create pool of same name with different monitor.
Impact:
Unable to delete the remaining monitor.
Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.
Fixed Versions:
16.1.0, 15.1.10
958093-3 : IPv6 routes missing after BGP graceful restart
Links to More Info: BT958093
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
958085-3 : IM installation fails with error: Spec file not found ★
Links to More Info: BT958085
Component: Traffic Classification Engine
Symptoms:
IM installation fails with an error message:
ERROR Error during switching: Spec file not found
Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.
Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.
Workaround:
None.
Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
957965-1 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'
Links to More Info: BT957965
Component: Application Security Manager
Symptoms:
Request is blocked by 'CSRF attack detected' violation.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy
Impact:
False positive request blocking occurs.
Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.
Fix:
'CSRF attack detected' now works as expected.
Fixed Versions:
16.1.0, 15.1.4
957905-2 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
957897-1 : Unable to modify gateway-ICMP monitor fields in the GUI
Links to More Info: BT957897
Component: TMOS
Symptoms:
While modifying a gateway-ICMP monitor you see the following error:
01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.
Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.
Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.
Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]
For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description
Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
957637-2 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
957453-2 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions
Links to More Info: BT957453
Component: Access Policy Manager
Symptoms:
A web application failed to function on the client side.
Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.
Impact:
The web application failed to function.
Workaround:
None
Fix:
The fix is implemented in two steps:
STEP 1:
Initial implementation with bug ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.
No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
957337-1 : Tab complete in 'mgmt' tree is broken
Links to More Info: BT957337
Component: TMOS
Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:
(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"
Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete
Impact:
You are unable to configure objects in mgmt.
This issue also prevents users with the admin role from accessing the following REST endpoints:
shared/authz/users
shared/echo-js
The error returned was HTTP/1.1 401 F5 Authorization Required
Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
957029-1 : MRF Diameter loop-detection is enabled by default
Links to More Info: BT957029
Component: Service Provider
Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.
Conditions:
Default diameter session profile loop detection configuration.
Impact:
System performance is impacted even if MRF Diameter loop detection is not used.
Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.
Fix:
MRF Diameter loop detection is now disabled by default.
Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
956913-2 : HTTPS traffic may fail for Inbound topology gateway mode
Links to More Info: BT956913
Component: Access Policy Manager
Symptoms:
HTTPS traffic may fail for Inbound topology gateway mode.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Inbound topology with gateway mode is selected and gateway iRule is attached to wildcard virtual.
-- HTTPS Traffic is intercepted.
-- SNI is not sent in clientHello.
Impact:
HTTPS traffic may fail.
Workaround:
Pass SNI from the client if not already sent in clientHello.
Fix:
HTTPS traffic does not fail anymore for inbound topology.
Fixed Versions:
16.1.0, 15.1.9
956645-2 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5
956589-1 : The tmrouted daemon restarts and produces a core file
Links to More Info: BT956589
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
Tmrouted daemon should not restart during blade reset
Fixed Versions:
16.1.0, 15.1.2.1, 14.1.4.6, 13.1.5
956373-2 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI
Links to More Info: BT956293
Component: TMOS
Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.
Conditions:
Leaving UI dashboard page left open.
Impact:
System performance is impacted if the dashboard page is kept open.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
956133-3 : MAC address might be displayed as 'none' after upgrading. ★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4
956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import
Links to More Info: BT956105
Component: Application Security Manager
Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import
Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.
Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.
Workaround:
The content profiles can be manually associated after the import process using REST or GUI.
Fix:
Setting the correct profile reference during import.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3
956013-1 : System reports{{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5
955953-2 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
Links to More Info: BT955953
Component: TMOS
Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.
Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
955773-1 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4
Links to More Info: BT955773
Component: Advanced Firewall Manager
Symptoms:
TMM specific stats shows unrealistic values.
Conditions:
The respective TMMs have shortage of NAT PBAs.
Impact:
No functional impact. Only on stats reporting side impact.
Fixed Versions:
17.1.2, 15.1.10
955617-2 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
If the monitor is associated with a node or pool, then modifying monitor properties other than the destination address is displaying incorrect error. For example, modifying the receive string results in following error:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties cannot be modified if they are in use by a pool.
Workaround:
Remove the monitor, modify it, and then add it again.
Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, updated values reflect in the node or pool.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
955057-2 : UCS archives containing a large number of DNS zone files may fail to restore. ★
Links to More Info: BT955057
Component: TMOS
Symptoms:
This issue can manifest in the following ways:
- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).
- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).
- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).
In all cases, error messages similar to the following example are returned to the user:
/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.
Impact:
The UCS archive fails to restore. Additionally:
- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.
- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).
Workaround:
Depending on the failure mode, perform one of the following workarounds:
- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:
find /var/named/config/namedb -mindepth 1 -delete
- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).
Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.
The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).
In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:
Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.
- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:
find /var/named/config/namedb -mindepth 1 -delete
Fix:
The UCS restore operation succeeds, even when a large number of DNS Bind zone files are present.
Fixed Versions:
16.1.0, 15.1.9
955017-2 : Excessive CPU consumption by asm_config_event_handler
Links to More Info: BT955017
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
954001-5 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
953845-1 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Links to More Info: BT953845
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6
953729-2 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953601-3 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
953393-2 : TMM crashes when performing iterative DNS resolutions.
Links to More Info: BT953393
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes and produces a core file.
Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.
To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.
The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).
Fix:
TMM no longer crashes.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1
952557-2 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com
Links to More Info: BT952557
Component: Access Policy Manager
Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.
Conditions:
Azure AD B2C Provider may be non functional if URLs are using logic.microsoftonline.com.
Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.
Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.
For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.
Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect
Links to More Info: BT952545
Component: Service Provider
Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552
Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.
Workaround:
None.
Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
952521-2 : Memory allocation error while creating an address list with a large range of IPv6 addresses ★
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
952509-2 : Cross origin AJAX requests are blocked in case there is no Origin header
Links to More Info: BT952509
Component: Application Security Manager
Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.
Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Impact:
Request is blocked.
Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.
Fix:
Check referrer header also when modifying CORS headers.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
951133-2 : Live Update does not work properly after upgrade ★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
950849-4 : B4450N blades report page allocation failure. ★
Links to More Info: BT950849
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This occurs on B4450N blades regardless of configuration.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You must perform the workaround on each blade installed in the system.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands:
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.
Fixed Versions:
16.1.0, 15.1.3.1, 14.1.4.4
950673-3 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.
Links to More Info: BT950673
Component: TMOS
Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.
Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
Fixed Versions:
16.1.0, 15.1.4
950253-1 : Source address translation occurs with self IP after NAT policy removal from Virtual Server
Links to More Info: BT950253
Component: Advanced Firewall Manager
Symptoms:
Address translation occurs after removal of the NAT Policy from Virtual Server
Conditions:
Attach the policy with virtual server and remove it and check the traffic flow
Impact:
Source translation happens with self IP
Workaround:
Restart tmm:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts network traffic.
Fix:
The No Translation flag is reset after policy removal if source address translation is set to None
Fixed Versions:
16.1.0, 15.1.9
950201-4 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950153-2 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
950077-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950069-2 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
Links to More Info: BT950069
Component: Global Traffic Manager (DNS)
Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.
Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols
Impact:
Unable to edit the record.
Workaround:
Two workarounds available:
1. Use zonerunner to delete the record and then recreate it with the desired RDATA value
2. Manually edit the bind zone file (see K7032)
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
949889-3 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
949857-5 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
949721-2 : QUIC does not send control frames in PTO packets
Links to More Info: BT949721
Component: Local Traffic Manager
Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.
Conditions:
A control frame is in-flight when the PTO timer fires.
Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.
Workaround:
None.
Fix:
Retransmittable control frames are now sent when the PTO timer fires.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4.1
949593-3 : Unable to load config if AVR widgets were created under '[All]' partition ★
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
949477-1 : NTLM RPC exception: Failed to verify checksum of the packet
Links to More Info: BT949477
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
949145-5 : Improve TCP's response to partial ACKs during loss recovery
Links to More Info: BT949145
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
949105-2 : Error log seen on Category Lookup SNI requests for same connection
Links to More Info: BT949105
Component: Access Policy Manager
Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"
Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.
Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection
Fix:
Fixed an issue with Category Lookup SNI requests for same connection
Fixed Versions:
16.1.0, 15.1.10
948985-2 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
948805-1 : False positive "Null in Request"
Links to More Info: BT948805
Component: Application Security Manager
Symptoms:
A false positive violation "Null in Request" is thrown erroneously.
Conditions:
-- BIG-IP receives a query string in the "Referrer" header
Impact:
False positive violation "Null in Request" is thrown
Workaround:
None
Fix:
Fixed a false positive violation.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
Links to More Info: BT948757
Component: Local Traffic Manager
Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.
Conditions:
A snat-translation address is configured with ARP enabled.
Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.
Workaround:
None.
Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.
Fixed Versions:
16.1.0, 16.0.1, 15.1.2, 14.1.3.1
948717-3 : F5-pf_daemon_cond_restart uses excessive CPU ★
Links to More Info: BT948717
Component: TMOS
Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.
This is contributing to higher CPU usage after upgrading from an earlier version
Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.
Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.3.1
948573-4 : Wr_urldbd list of valid TLDs needs to be updated
Links to More Info: BT948573
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
948417-2 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic
Links to More Info: BT948417
Component: Performance
Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)
Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking
Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)
Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)
Individual VMs & VMs in an availability set
First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
Azure CLI
az vm deallocate \
--resource-group myResourceGroup \
--name myVM
Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.
Once stopped, disable Accelerated Networking on the NIC of your VM:
Azure CLI
az network nic update \
--name myNic \
--resource-group myResourceGroup \
--accelerated-networking false
Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
Azure CLI
az vm start --resource-group myResourceGroup \
--name myVM
Fixed Versions:
16.1.0, 15.1.4
948241-2 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
948113-3 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948073-2 : Dual stack download support for IP Intelligence Database
Links to More Info: BT948073
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is strict IPv6.
Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.
Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.
Workaround:
None
Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
Fixed Versions:
17.0.0, 15.1.4
948065-3 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
947925-1 : TMM may crash when executing L7 Protocol Lookup per-request policy agent
Links to More Info: BT947925
Component: SSL Orchestrator
Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.
Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.3
947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Links to More Info: BT947865
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
947529-2 : Security tab in virtual server menu renders slowly
Links to More Info: BT947529
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
Security tab of a virtual server loads fast
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
947341-1 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
947125-2 : Unable to delete monitors after certain operations
Links to More Info: BT947125
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- Monitors are attached directly to pool members, or node-level monitors exist.
-- Issuing the "reloadlic" command, which causes the configuration to get rebuilt implicitly.
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system enters this state, save and reload the configuration using the following command:
tmsh save sys config && tmsh load sys config
Fix:
None
Fixed Versions:
17.1.0, 15.1.9
946953-1 : HTTP::close used in iRule might not close connection.
Links to More Info: BT946953
Component: Local Traffic Manager
Symptoms:
HTTP::close used in an iRule might not close the connection. For example:
when HTTP_REQUEST {
HTTP::close
HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
}
Conditions:
Using HTTP::close along with HTTP::respond
Impact:
HTTP connection can be re-used.
Workaround:
Explicitly add close header in the HTTP::respond. For example:
HTTP::respond 200 content "OK" Connection close
Fix:
Fixed an issue where HTTP::close might not close a connection.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3
946745-2 : 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT946745
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
946481-1 : Virtual Edition FIPS not compatible with TLS 1.3
Links to More Info: BT946481
Component: Local Traffic Manager
Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.
Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM
Impact:
Handshake failure for TLS 1.3
Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.
Fix:
TLS 1.3 AES-GCM in FIPS mode now works correctly.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6
946185-1 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.' ★
Links to More Info: BT946185
Component: iApp Technology
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count
Links to More Info: BT946125
Component: Access Policy Manager
Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)
Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm
Impact:
User is denied access even though token limit per user is not reached
Fix:
Fixed an issue where users were unable to log in after a tmm restart.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
946089-2 : BIG-IP might send excessive multicast/broadcast traffic.
Links to More Info: BT946089
Component: TMOS
Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.
Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.
Impact:
Excessive multicast/broadcast traffic.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
946081-1 : Getcrc tool help displays directory structure instead of version
Links to More Info: BT946081
Component: Application Security Manager
Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM
Links to More Info: BT945997
Component: Local Traffic Manager
Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.
Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
945853-2 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Links to More Info: BT945853
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
Fixed Versions:
16.1.3, 15.1.3
945789-1 : Live update cannot resolve hostname if IPv6 is configured.
Links to More Info: BT945789
Component: Application Security Manager
Symptoms:
Live update does not work when BIG-IP DNS is configured to use IPv6.
Conditions:
BIG-IP DNS uses IPv6.
Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.
Workaround:
If possible, use IPv4 for DNS.
An alternative workaround could be to configure a working IPv4 address in the "/etc/hosts" file, by issuing the following command from the advanced shell (bash):
echo "165.160.15.20 callhome.f5.net" >> /etc/hosts
Fix:
Replaced deprecated gethostbyname which does not work well with IPv6 with getaddrinfo.
Fixed Versions:
16.1.0, 15.1.4.1
945601-4 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
Links to More Info: BT945601
Component: Local Traffic Manager
Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omitted.
Conditions:
Policy contains multiple rules which employ TCP address matching condition.
Impact:
Incorrect LTM policy is applied.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.9
945265-4 : BGP may advertise default route with incorrect parameters
Links to More Info: BT945265
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
Fix:
BGP suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.
Behavior Change:
BGP now suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.
Previously, the route was not acceptable to peers until the BGP session was cleared, resulting in potentially incorrect parameters.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file
Links to More Info: BT944785
Component: Anomaly Detection Services
Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.
Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.
Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption
Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD
If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD
Fix:
No more memory corruption, no OOM nor ADMD restarts.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2, 14.1.3.1
944641-1 : HTTP2 send RST_STREAM when exceeding max streams
Links to More Info: BT944641
Component: Local Traffic Manager
Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.
Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.
Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.
Workaround:
None.
Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.4, 14.1.4
944513-2 : Apache configuration file hardening
Links to More Info: BT944513
Component: TMOS
Symptoms:
Apache configuration file did not follow security best practice.
Conditions:
Normal system operation with httpd enabled.
Impact:
Apache configuration file did not follow security best practice.
Workaround:
None
Fix:
Apache configuration file has been hardened to follow security best practice.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.6
944441-2 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT944441
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
944381-1 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but complete successfully
Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.
After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
944121-1 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
943913-3 : ASM attack signature does not match
Links to More Info: K30150004 , BT943913
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1
943793-2 : Neurond continuously restarting.
Links to More Info: BT943793
Component: TMOS
Symptoms:
Neurond continuously restarts.
Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"
Impact:
Neuron communications will be impacted.
Workaround:
N/A
Fix:
Fix for handling neurond.init script treating unknown arg as "start": Added code for default case to handle all unknown args.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4
943669-1 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
16.1.2.2, 15.1.2
943653-2 : Allow 32-bit processes to use larger area of virtual address space
Links to More Info: BT943653
Component: TMOS
Symptoms:
-- The mcpd daemon terminates due to lack of memory
-- The merged daemon logs 'Cannot allocate memory' error
Conditions:
-- May be caused by large configurations
-- May be caused by heap fragmentation over time
Impact:
32-bit processes may fragment/exhaust their heaps and may not have sufficient contiguous memory to function correctly.
Note that the only two 32-bit processes where this has been seen on are mcpd and merged.
Workaround:
None
Fix:
Using a different memory layout for 32-bit processes allows them to use more of the virtual address space.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
943577-2 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
943109-2 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
943101-2 : Tmm crash in cipher group delete.
Links to More Info: BT943101
Component: Local Traffic Manager
Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.
Conditions:
Deleting a cipher group associated with multiple profiles.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue with cipher group delete.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
942965-2 : Local users database can sometimes take more than 5 minutes to sync to the standby device
Links to More Info: BT942965
Component: Access Policy Manager
Symptoms:
Local db sync to standby devices take more than 5 minutes to sync
Conditions:
High availability (HA) setup
- add a local db user in the active device
- Wait for it to get synced to the standby device
- Sometimes the sync may not happen in 5 minutes.
Impact:
Sync of the changes to the local user db may take several minutes to sync to the standby devices.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.5, 14.1.4.5
942617-3 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
942581-1 : Timestamp cookies do not work with hardware accelerated flows
Links to More Info: BT942581
Component: Advanced Firewall Manager
Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.
Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.
Impact:
Reduced traffic throughput and increased CPU usage
Fix:
FPGA and software enhancement to allow hardware accelerate of TCP flows that have time stamp cookie enabled.
Fixed Versions:
16.1.0, 15.1.2
942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Links to More Info: BT942549
Component: TMOS
Symptoms:
During boot of a i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
In order to workaround this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.
If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.
Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.
Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
942497-1 : Declarative onboarding unable to download and install RPM
Links to More Info: BT942497
Component: TMOS
Symptoms:
Installation of declarative onboarding RPM fails.
Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.
Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.
Workaround:
RPMs must be installed manually.
Fix:
The installation directory was updated to fix the RPM installation issue.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1
942185-2 : Non-mirrored persistence records may accumulate over time
Links to More Info: BT942185
Component: Local Traffic Manager
Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.
Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.
Links to More Info: BT941929
Component: Application Security Manager
Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
-- Google link is responded to (by the server) with a redirect.
-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
None
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
941893-3 : VE performance tests in Azure causes loss of connectivity to objects in configuration
Links to More Info: BT941893
Component: TMOS
Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.
Conditions:
Running performance tests of VE in Azure.
Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.
Workaround:
Reboot from the Azure console to restore functionality.
Fixed Versions:
16.1.0, 15.1.4
941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Links to More Info: BT941853
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
941625-1 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
941621-2 : Brute Force breaks server's Post-Redirect-Get flow
Links to More Info: K91414704 , BT941621
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4
941481-2 : iRules LX - nodejs processes consuming excessive memory
Links to More Info: BT941481
Component: Local Traffic Manager
Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.
You can check the iRule LX plugins memory usage using the command:
tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):
Memory (bytes)
Total Virtual Size 946.8M
Resident Set Size 14.5K
Conditions:
-- iRulesLX in use.
Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.
Workaround:
Restart the iRule LX plugin that is leaking memory:
tmsh restart ilx plugin <PLUGIN_NAME>
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
941257-1 : Occasional Nitrox3 ZIP engine hang
Links to More Info: BT941257
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Links to More Info: BT941249
Component: Application Security Manager
Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server
Conditions:
This is applicable when domain and path cookie attributes are present in response from server
Impact:
ASM cookie name which is displayed is incorrect
Workaround:
None
Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.
Links to More Info: BT941169
Component: Policy Enforcement Manager
Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.
Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).
Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.2.1, 14.1.4
941089-3 : TMM core when using Multipath TCP
Links to More Info: BT941089
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
940897-3 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Links to More Info: BT940897
Component: Application Security Manager
Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6
940885-2 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter
Links to More Info: BT940885
Component: TMOS
Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.
Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.
Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.
Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
940665-1 : DTLS 1.0 support for PFS ciphers
Links to More Info: BT940665
Component: Local Traffic Manager
Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
Conditions:
DTLS 1.0 is configured in an SSL profile.
Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Links to More Info: BT940401
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
940261-3 : Support IPS package downloads via HTTP proxy.
Links to More Info: BT940261
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Links to More Info: BT940249
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6, 11.6.5.3
940225-2 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
Links to More Info: BT940209
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.
Fixed Versions:
15.1.2, 14.1.4
940177-1 : Certificate instances tab shows incorrect number of instances in certain conditions
Links to More Info: BT940177
Component: TMOS
Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.
Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI
Impact:
All the custom profiles will be listed when only select instances for ca-bundle cert are expected
Fix:
The correct number of instances of certificates is now displayed.
Fixed Versions:
16.1.0, 15.1.5
940021-3 : Syslog-ng hang may lead to unexpected reboot
Links to More Info: BT940021
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.
ID 1040277 ( https://cdn.f5.com/product/bugtracker/ID1040277.html ) tracks the remaining issue.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.
Links to More Info: BT939961
Component: Local Traffic Manager
Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
N/A
Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2
939877-1 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4
939757-4 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
Links to More Info: BT939541
Component: TMOS
Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
TMM no longer shuts down prematurely during initialization.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values
Links to More Info: BT939529
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
939421-2 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
939085-2 : /config/ssl/ssl.csr directory disappears after creating certificate archive
Links to More Info: BT939085
Component: Local Traffic Manager
Symptoms:
Creating a certificate archive removes the /config/ssl/ssl.csr directory.
Conditions:
This occurs while creating a certificate archive.
Impact:
Missing /config/ssl/ssl.csr directory is causing Integrity Check to fail on an intermittent basis.
Workaround:
Recreate /config/ssl/ssl.csr directory and set correct file permissions:
mkdir /config/ssl/ssl.csr
chmod 755 /config/ssl/ssl.csr/
chcon -R --reference=/config/ssl/ssl.crt/ /config/ssl/ssl.csr
Fix:
The ssl.csr directory is no longer deleted on archive creation.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6
938233-2 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Links to More Info: K93231374
938165-1 : TMM Core after attempted update of IP geolocation database file
Links to More Info: BT938165
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
938149-1 : Port Block Update log message is missing the "Start time" field
Links to More Info: BT938149
Component: Advanced Firewall Manager
Symptoms:
Port Block Update log message is missing the "Start time" field.
Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.
Impact:
NAT Log information is not usable for accounting purpose.
Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.1
937769-2 : SSL connection mirroring failure on standby with sslv2 records
Links to More Info: BT937769
Component: Local Traffic Manager
Symptoms:
Standby device in TLS/SSL connection-mirroring config does not handle SSLv2 records correctly.
Conditions:
SSLv2 records processed by standby high availability (HA) device.
Impact:
Standby device fails handshake, active will finish handshake resulting in non mirrored connection.
Fix:
Standby ssl connection mirroring now handles sslv2 records correctly
Fixed Versions:
16.1.0, 15.1.5.1
937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range
Links to More Info: BT937749
Component: Advanced Firewall Manager
Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.
Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.
Impact:
Incorrect statistics.
Workaround:
None.
Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.
Fixed Versions:
16.1.0, 15.1.3
937649-3 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
937541-2 : Wrong display of signature references in violation details
Links to More Info: BT937541
Component: Application Security Manager
Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.
Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature
Impact:
The number 1 is shown before the link
Fix:
Signature References are shown correctly in violation details of Request Log
Fixed Versions:
17.0.0, 15.1.9
937281-3 : SSL Orchestrator pool members are limited to 20 with Standalone license
Links to More Info: BT937281
Component: SSL Orchestrator
Symptoms:
BIG-IP limits the SSL Orchestrator Standalone license to only allow six pool members.
Conditions:
-- SSL Orchestrator add-on license is installed
Impact:
You are only able to configure six pool members in SSLO.
Workaround:
None.
Fix:
BIG-IP supports up to 20 pool members (up from 6) with the SSL Orchestrator standalone license.
Fixed Versions:
16.1.0, 16.0.0.1, 15.1.1
936773-2 : Improve logging for "double flow removal" TMM Oops
Links to More Info: BT936773
Component: Local Traffic Manager
Symptoms:
/var/log/tmm contains this entry
notice Oops @ 0x286feeb:1127: double flow removal
Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.
Impact:
None
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Links to More Info: BT936557
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
936501-6 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
936441-2 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
936125-2 : SNMP request times out after configuring IPv6 trap destination
Links to More Info: BT936125
Component: TMOS
Symptoms:
SNMP request is times out.
Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.
Impact:
No response is returned for SNMP request.
Workaround:
Restart SNMP daemon by running the following TMSH command:
restart sys service snmpd
Fix:
N/A
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3
936093-2 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
935945-1 : GTM HTTP/HTTPS monitors cannot be modified via GUI
Links to More Info: BT935945
Component: Global Traffic Manager (DNS)
Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:
01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.
Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.
Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.
Workaround:
If 'recv-status-code' has never been set, use tmsh instead.
Note: You can set 'recv-status-code' using tmsh, for example:
tmsh modify gtm monitor http http-default recv-status-code 200
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
935801-4 : HSB diagnostics are not provided under certain types of failures
Links to More Info: BT935801
Component: TMOS
Symptoms:
In rare cases where the HSB detects an error and triggers a high-availability (HA) failover, HSB-specific diagnostic data is not provided.
An example are XLMAC errors, which can be seen in the TMM logs:
<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.
Conditions:
The HSB detects an internal error.
Impact:
There is less HSB data for analysis when an internal HSB occurs.
Workaround:
None.
Fix:
Dump HSB registers on all HSB-initiated high-availability (HA) failovers.
Fixed Versions:
16.1.0, 15.1.2, 14.1.4.5
935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Links to More Info: BT935593
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5
935293-2 : 'Detected Violation' Field for event logs not showing
Links to More Info: BT935293
Component: Application Security Manager
Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The eventlog is reserving space for violations.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5
935249-2 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
935193-1 : With APM and AFM provisioned, single logout ( SLO ) fails
Links to More Info: BT935193
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
935177-2 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Links to More Info: BT935177
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
Links to More Info: BT934993
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.
Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.
Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.
Workaround:
None.
Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
934941-2 : Platform FIPS power-up self test failures not logged to console
Links to More Info: BT934941
Component: TMOS
Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.
Conditions:
A FIPS failure occurs during the power-up self test.
Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.3, 14.1.3.1
934721-2 : TMM core due to wrong assert
Links to More Info: BT934721
Component: Application Visibility and Reporting
Symptoms:
TMM crashes with a core
Conditions:
AFM and AVR provisioned and collecting ACL statistics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.
Fix:
Fixed a tmm crash related to ACL statistics
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1
934697-3 : Route domain is not reachable (strict mode)
Links to More Info: BT934697
Component: Local Traffic Manager
Symptoms:
Network flows are reset and following errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
or
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Other
=====
Tunnel scenario's such as IPSec where client and encrypted traffic are in different route domains.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route Domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
0 {
forward
select
node 10.2.35.20
}
}
To this (assuming route domain 1):
actions {
0 {
forward
select
node 10.2.35.20%1
}
}
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
934461-2 : Connection error with server with TLS1.3 single-dh-use.
Links to More Info: BT934461
Component: Local Traffic Manager
Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.
Conditions:
14.1 with TLS1.3 single-dh-use.
Impact:
Connection failure in 14.1 versions.
Workaround:
Disable single-dh-use, or disable tls1.3.
Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
934393-2 : APM authentication fails due to delay in sessionDB readiness
Links to More Info: BT934393
Component: Access Policy Manager
Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.
Conditions:
-- APM configured.
-- SAML SP configured.
Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.
Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all
Note: Restarting all services causes temporary traffic disruption.
Fix:
The sessionDB readiness has been corrected so that authentication succeeds.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
934241-2 : TMM may core when using FastL4's hardware offloading feature
Links to More Info: BT934241
Component: TMOS
Symptoms:
TMM cores.
Conditions:
FastL4's hardware offloading is used.
Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.
Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.
Workaround:
Disable PVA/EPVA on all FastL4 profiles
Fix:
Fix the internal logic error.
Fixed Versions:
16.1.0, 15.1.0.5
934065-1 : The turboflex-low-latency and turboflex-dns are missing in early 15.1.x and 16.0.x releases
Links to More Info: BT934065
Component: TMOS
Symptoms:
The turboflex-low-latency and turboflex-dns profiles are missing from early 15.1.x and 16.0.x software releases.
Conditions:
The turboflex-low-latency or turboflex-dns in use.
Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.
Workaround:
None.
Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3
933777-1 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Fixed Versions:
16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
933577-1 : Changes to support DNS Flag Day
Links to More Info: BT933577
Component: Global Traffic Manager (DNS)
Symptoms:
It is important for DNS software vendors to comply with DNS standards, and to use a default EDNS buffer size (1232 bytes) that will not cause fragmentation on typical network links.
Conditions:
IP fragmentation can cause transmission failures when large DNS messages are sent via UDP.
Impact:
Even when fragmentation does work, it may not be secure; it is theoretically possible to spoof parts of a fragmented DNS message, without easy detection at the receiving end.
Fix:
Create a db variable "dns.maxudp" to set a maximum UDP buffer size
Fixed Versions:
16.1.0, 15.1.7
933461-4 : BGP multi-path candidate selection does not work properly in all cases.
Links to More Info: BT933461
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal ★
Links to More Info: BT933409
Component: TMOS
Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.
Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.
Impact:
Live-update functionality does not work properly.
Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.
Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
933405-2 : Zonerunner GUI hangs when attempting to list Resource Records
Links to More Info: K34257075 , BT933405
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4
933329-2 : The process plane statistics do not accurately label some processes
Links to More Info: BT933329
Component: TMOS
Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.
Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.
Impact:
The percentage of usage of each plane can be confusing or incorrect.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.10
933129-2 : Portal Access resources are visible when they should not be
Links to More Info: BT933129
Component: Access Policy Manager
Symptoms:
For Access Policy created with Customization type: modern, Portal Access resource is still present on user's webtop after the checkbox "Publish on Webtop" is disabled in config
Conditions:
-- Access Policy created with Customization type: modern
-- Disable the checkbox "Publish on Webtop" for any Portal Access resource
Impact:
Disabled Portal Access resource visible on the webtop when it should be hidden.
Workaround:
Re-create Access Policy with Customization type: standard
Fix:
Disabled Portal Access resource is hidden on user's webtop
Fixed Versions:
16.0.0, 15.1.4.1
932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
Links to More Info: BT932937
Component: Local Traffic Manager
Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.
Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.
Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.
Workaround:
Use an iRule to prevent connections from hanging:
when HTTP_REJECT {
after 1
}
Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
932893-2 : Content profile cannot be updated after redirect from violation details in Request Log
Links to More Info: BT932893
Component: Application Security Manager
Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.
Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile
Impact:
You are unable to update the content profile.
Workaround:
Go to the list content profile page, and update the content profile from there.
Fix:
Update of content profiles works in all cases, including redirect from violation details in Request Log
Fixed Versions:
16.1.0, 15.1.9
932825-2 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
Links to More Info: BT932825
Component: Local Traffic Manager
Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.
Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages
Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.
Workaround:
None
Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.
Fixed Versions:
16.1.0, 15.1.1
932737-2 : DNS & BADOS high-speed logger messages are mixed
Links to More Info: BT932737
Component: Anomaly Detection Services
Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.
Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.
Impact:
Reporting will be confusing.
Fixed Versions:
16.0.1.2, 15.1.3, 14.1.4
932497-3 : Autoscale groups require multiple syncs of datasync-global-dg
Links to More Info: BT932497
Component: TMOS
Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.
Conditions:
Browser Challenges update image is automatically downloaded.
Impact:
Peers are not synced.
Workaround:
Manually sync datasync-global-db group.
Fix:
Perform full sync for each change when having multiple live update changes in a row.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
932485-3 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
932437-2 : Loading SCF file does not restore files from tar file ★
Links to More Info: BT932437
Component: TMOS
Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.
Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:
01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles
Impact:
Restoring SCF does not restore contents of file objects.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
932233-2 : '@' no longer valid in SNMP community strings
Links to More Info: BT932233
Component: TMOS
Symptoms:
The '@' character is no longer valid in SNMP community strings.
Conditions:
Attempting to use the '@' character in SNMP community strings.
Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.
Workaround:
Use a community string that does not contain the '@' character.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
932213-2 : Local user db not synced to standby device when it is comes online after forced offline state
Links to More Info: BT932213
Component: Access Policy Manager
Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.
Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.
Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.
Workaround:
None
Fix:
Fixed the issue by handling the forced offline scenario.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
932137-5 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
932133-2 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
932045-3 : Memory leak when creating/deleting LTM node object
Links to More Info: BT932045
Component: Local Traffic Manager
Symptoms:
A memory leak occurs in the tmm process when creating/deleting an LTM node object.
Conditions:
-- Create a node object.
-- Delete the node object.
Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive mode sweeper and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Refrain continuous creation/deletion of LTM nodes.
Fix:
Memory gets freed accordingly while deleting LTM node objects.
Fixed Versions:
16.1.0, 15.1.9
932033 : Chunked response may have DATA frame with END_STREAM prematurely
Links to More Info: BT932033
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.
Fixed Versions:
15.1.2, 14.1.4
930905-4 : Management route lost after reboot.
Links to More Info: BT930905
Component: TMOS
Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.
Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).
-- The instance is rebooted.
Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.
Workaround:
Use either of the following workarounds:
-- Delete the route completely and reinstall the route.
-- Restart mcpd:
bigstart restart mcpd
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
930825-4 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
Links to More Info: BT930825
Component: TMOS
Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the system fails over to the peer unit, goes offline, and closes down links.
The TMM logs contain messages similar to the following:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice high availability (HA) action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice high availability (HA) failover action is cleared.
Followed by a failover event message.
Conditions:
It is unknown under what conditions the XLMAC errors occur.
Impact:
The BIG-IP system fails over.
Workaround:
None.
Fix:
The system now reboots (rather than restarts services) when these XLMAC errors occur.
Fixed Versions:
16.1.0, 15.1.6.1
930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Links to More Info: BT930741
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
Fixed Versions:
16.1.0, 15.1.2, 14.1.3.1, 13.1.3.6
930633-3 : Delay in using new route updates by existing connections on BIG-IP.
Links to More Info: BT930633
Component: TMOS
Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.
Conditions:
Routes for existing connections on the BIG-IP are updated.
Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.
Fix:
Added DB varible "tmm.inline_route_update". When enabled, packets are checked for new routes before sending out. Its disabled by default.
Behavior Change:
A new db variable has been added, called tmm.inline_route_update. It is disabled by default. When enabled, packets are checked for new routes before sending out.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.5
930393-3 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
930385-3 : SSL filter does not re-initialize when an OCSP object is modified
Links to More Info: BT930385
Component: Local Traffic Manager
Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.
Then, modify the OCSP object to DNS resolver ns2.
After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.
Conditions:
An OCSP object is configured and modified.
Impact:
The wrong nameserver is used after modification to the OCSP object.
Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
930005-2 : Recover previous QUIC cwnd value on spurious loss
Links to More Info: BT930005
Component: Local Traffic Manager
Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.
Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.
Impact:
Inefficient use of bandwidth in the presence of packet reordering.
Workaround:
None.
Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3
929913-2 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events
Links to More Info: BT929913
Component: Advanced Firewall Manager
Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.
Conditions:
-- DNS logging is enabled
-- A DNS flood is detected
Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.
Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
929909-2 : TCP Packets are not dropped in IP Intelligence
Links to More Info: BT929909
Component: Advanced Firewall Manager
Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets
Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned
Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.
Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
929429-2 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
929213-1 : iAppLX packages not rolled forward after BIG-IP upgrade ★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.
Note: The maximum db key value of 600 may be needed in some cases.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
929077-2 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
929001-3 : ASM form handling improvements
Links to More Info: K48321015 , BT929001
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
928997-2 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
928857-2 : Use of OCSP responder may leak X509 store instances
Links to More Info: BT928857
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
928805-2 : Use of OCSP responder may cause memory leakage
Links to More Info: BT928805
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
928789-2 : Use of OCSP responder may leak SSL handshake instances
Links to More Info: BT928789
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.
Workaround:
No workaround.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
928717-3 : [ASM - AWS] - ASU fails to sync
Links to More Info: BT928717
Component: Application Security Manager
Symptoms:
Live Update configuration is not updated.
Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.
Impact:
Automatic signature updates (ASU) fail to sync.
Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:
1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Links to More Info: BT928697
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
928685-2 : ASM Brute Force mitigation not triggered as expected
Links to More Info: K49549213 , BT928685
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when ASM_REQUEST_DONE
{
if { [catch { HTTP::username } ] } {
log local0. "ERROR: bad username";
ASM::raise bad_auth_header_custom_violation
}
}
Fix:
Brute Force mitigation is now triggered as expected.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances
Links to More Info: BT928553
Component: Carrier-Grade NAT
Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.
Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.
Impact:
Tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable full proxy config of hairpinning.
Fix:
Tmm does not crash anymore.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
928029-2 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
Links to More Info: BT928029
Component: TMOS
Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".
Conditions:
Run "switchboot" command
Impact:
A confusing popup message is displayed.
Workaround:
NA
Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"
Fixed Versions:
17.1.0, 15.1.4, 14.1.3
927993-1 : Built-in SSL Orchestrator RPM installation failure
Links to More Info: K97501254 , BT927993
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id\"}}" shared/iapp/blocks/$id
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
Fix:
Built-in SSL Orchestrator RPM installation failure.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 14.1.3, 13.1.3.6, 12.1.5.3
927941-5 : IPv6 static route BFD does not come up after OAMD restart
Links to More Info: BT927941
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized
Links to More Info: BT927901
Component: TMOS
Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl
Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.
Impact:
Vxnet driver requires manual intervention after reboot.
Workaround:
Tmsh enable/disable interface brings it back up until next reboot.
Fixed Versions:
15.1.0.5
927713-1 : Clsh reboot hangs when executed from the primary blade.
Links to More Info: BT927713
Component: Local Traffic Manager
Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.
Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.
Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.
Workaround:
Perform a reboot from the GUI.
Fix:
Running 'clsh reboot' on the primary blade or 'ssh reboot' on a secondary blade no longer hangs, so operations complete as expected.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.5
927617-2 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Links to More Info: BT927617
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contain the valid cookie value is encoded to base64.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
927033-2 : Installer fails to calculate disk size of destination volume ★
Links to More Info: BT927033
Component: TMOS
Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:
error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.
Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:
[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map
Impact:
Unable to successfully upgrade.
Workaround:
Create the expected symlink manually:
cd /dev/md
ln -s ../md127 _none_\:0
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset
Links to More Info: BT926997
Component: Local Traffic Manager
Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.
Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.
Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.
Workaround:
Restart tmm to reset all statistics:
Impact of Workaround: Traffic disrupted while tmm restarts.
bigstart restart tmm
Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1
926973-1 : APM / OAuth issue with larger JWT validation
Links to More Info: BT926973
Component: Access Policy Manager
Symptoms:
When the access profile type is OAuth-RS or ALL, and sends a request with a Bearer token longer than 4080 bytes in the Authorization header to the virtual server, OAuth fails with ERR_NOT_SUPPORTED.
Conditions:
Bearer token longer than 4080 bytes
Impact:
APM oauth fails with ERR_NOT_SUPPORTED.
Workaround:
None.
Fix:
OAuth can now handle bearer tokens longer than 4080 bytes.
Fixed Versions:
16.1.0, 15.1.5
926929-3 : RFC Compliance Enforcement lacks configuration availability
Links to More Info: BT926929
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None
Fix:
A configuration item has been introduced to manage RFC-compliance options.
In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:
sys db tmm.http.rfc.allowwsheadername
The possible values are "enabled" and "disabled"; the default is "enabled".
In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:
-- Enforce RFC Compliance
-- Allow Space Header Name
The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:
(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
app-service none
defaults-from http
enforcement {
allow-ws-header-name enabled
rfc-compliance enabled
}
proxy-type reverse
}
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4, 13.1.4
926845-5 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Links to More Info: BT926593
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
926341-2 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade ★
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5
925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4 ★
Links to More Info: BT925989
Component: Local Traffic Manager
Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:
-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.
Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.
Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.
Workaround:
None.
Fixed Versions:
15.1.0.5
925797-2 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pool members
Links to More Info: BT925797
Component: TMOS
Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.
The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.
One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.
Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.
Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.
Workaround:
None.
Fix:
The mcpd process no longer runs out of memory with the stated configuration.
Fixed Versions:
16.1.0, 15.1.9
925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted
Links to More Info: BT925573
Component: Access Policy Manager
Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.
Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.
Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
15.1.3, 14.1.4
925469-1 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
924945-3 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3
924929-2 : Logging improvements for VDI plugin
Links to More Info: BT924929
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names along with the exceptions are also seen in the APM log file.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6
924857-1 : Logout URL with parameters resets TCP connection
Links to More Info: BT924857
Component: Access Policy Manager
Symptoms:
TCP connection reset when 'Logout URI Include' configured.
Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
/logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
/logoff.html?a=b
Impact:
TCP connection resets, reporting BIG-IP APM error messages.
'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.
Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.
Workaround:
None
Fix:
The system now ignores unsupported query parameters.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5
924521-2 : OneConnect does not work when WEBSSO is enabled/configured.
Links to More Info: BT924521
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.
Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.3
924493-2 : VMware EULA has been updated
Links to More Info: BT924493
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Links to More Info: BT924429
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
924349-2 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP
Component: Service Provider
Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.
Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses
Impact:
Unable to see multiple HostIPAddress in CER/CEA
Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
924301-1 : Incorrect values in REST response for DNS/SIP
Links to More Info: BT924301
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached
Impact:
An incorrect value is calculated in the REST response.
Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
923821-3 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
923301-2 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
Links to More Info: BT923301
Component: Application Security Manager
Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.
Conditions:
Automatic installation of ASU on manual sync setup.
Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.
Workaround:
Manually sync the device group.
Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
923221-4 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
923125-2 : Huge amount of admd processes caused oom
Links to More Info: BT923125
Component: Anomaly Detection Services
Symptoms:
The top command shows that a large number of admd processes are running.
Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.
Impact:
Memory is exhausted.
Workaround:
Restart admd:
bigstart restart admd
Fix:
This issue no longer occurs.
Fixed Versions:
16.1.0, 15.1.2, 14.1.3.1
922785-2 : Live Update scheduled installation is not installing on set schedule
Links to More Info: BT922785
Component: Application Security Manager
Symptoms:
A scheduled live update does not occur at the scheduled time.
Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.
Impact:
Automated installation does not initiate
Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.3, 14.1.4
922737-4 : TMM crashes with a sigsegv while passing traffic
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
922665-2 : The admd process is terminated by watchdog on some heavy load configuration process
Links to More Info: BT922665
Component: Anomaly Detection Services
Symptoms:
The watchdog process in the BIG-IP ASM monitors terminates the admd process.
Conditions:
On some heavy load configuration process, such as version upgrade.
Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.
Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:
bigstart stop admd
bigstart start admd
Fixed Versions:
16.1.0, 15.1.5, 14.1.4.5
922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites
Links to More Info: BT922597
Component: Anomaly Detection Services
Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.
Conditions:
This can occur for some requests that have high latency and low TPS.
Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.
Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500
For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.
The results is that the attack is declared later than for the default value, but it is declared and the site is protected.
Fix:
Default sensitivity value 500 now illuminates false positive DoS attacks declaration.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
922413-2 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Links to More Info: BT922297
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
922261-2 : WebSocket server messages are logged even it is not configured
Links to More Info: BT922261
Component: Application Security Manager
Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.
Impact:
Remote logging server overloaded with unexpected WebSocket messages.
Workaround:
Set response-logging=illegal in all remote logging profiles.
Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
922185-1 : LDAP referrals not supported for 'cert-ldap system-auth' ★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
922105-3 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
921881-2 : Use of IPFIX log destination can result in increased CPU utilization
Links to More Info: BT921881
Component: Local Traffic Manager
Symptoms:
-- Increased baseline CPU.
- The memory_usage_stats table shows a continuous increase in mds_* rows.
Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.
Impact:
Increased baseline CPU may result in exhaustion of CPU resources.
Workaround:
Limiting changes to associated configuration can slow the effects of this issue.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
921773-2 : Diameter initial negotiation is not rejected when no common application is set
Links to More Info: BT921773
Component: Service Provider
Symptoms:
If CER received with supported-application that was not set, then capability negotiation should be rejected. In such case CEA should be returned with DIAMETER_NO_COMMON_APPLICATION (5010).
Conditions:
There is no common application during capability negotiation.
Impact:
Even if there is no common application during CER/CEA exchange, connection is established which is unexpected.
Workaround:
None
Fix:
During capability negotiation, if there is no common application, then CEA would be returned with DIAMETER_NO_COMMON_APPLICATION (5010) and no connection exists.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4
921721-1 : FIPS 140-2 SP800-56Arev3 compliance
Links to More Info: BT921721
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.
Fixed Versions:
16.1.0, 15.1.3, 14.1.3
921697-3 : Attack signature updates fail to install with Installation Error. ★
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
Links to More Info: BT921677
Component: Application Security Manager
Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:
Bot defense profile <profile full name> error: match-order should be unique.
Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.
2. Delete item with the value: match-order 2 (in tmsh), and save.
3. Switch to the GUI, add new allow list item, and save.
Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.
Workaround:
Drag between two items, and then drag back.
Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
921625-2 : The certs extend function does not work for GTM/DNS sync group
Links to More Info: BT921625
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
921541-3 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
921441-2 : MR_INGRESS iRules that change diameter messages corrupt diam_msg
Links to More Info: BT921441
Component: Service Provider
Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.
There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found
Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:
ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
}
-- Traffic arrives containing CER and ULR messages.
Impact:
Using the iRule to change the host origin corrupts the diameter message.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
921421-3 : iRule support to get/set UDP's Maximum Buffer Packets
Links to More Info: BT921421
Component: Local Traffic Manager
Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.
Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.
Impact:
Unable to dynamically change the max buffer packets setting in an iRule.
Workaround:
None
Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts
Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
921369 : Signature verification for logs fails if the log files are modified during log rotation
Links to More Info: BT921369
Component: TMOS
Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.
Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs
Impact:
Signature verification may fail on rotated log files.
Fix:
Fixed an issue with signature verification failing on valid log files.
Fixed Versions:
16.1.0, 15.1.1
921365-1 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
921361-2 : SSL client and SSL server profile names truncated in GUI
Links to More Info: BT921361
Component: TMOS
Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.
Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.
Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.
Note: The fields remain at the limited width even when the browser window is maximized.
Workaround:
Use tmsh to see the full SSL client and SSL server name.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1
921181 : Wrong error message upon bad credential stuffing configuration
Links to More Info: BT921181
Component: BIG-IP Risk Engine
Symptoms:
When you try to configure credential stuffing and provide invalid parameters, you see a misleading error:
HTML Tag-like Content in the Request URL/Body
Conditions:
Configuration of bad ApplicationID, Access Token or wrong service type, generates a validation error, but the error message is confusing.
Impact:
A misleading error is displayed.
Workaround:
None.
Fix:
Wrong error message upon bad credential stuffing configuration has been corrected.
Fixed Versions:
15.1.2.1
921149-1 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
921065 : BIG-IP systems not responding to DPD requests from initiator after failover
Links to More Info: BT921065
Component: TMOS
Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.
Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.
Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.
Workaround:
None.
Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.
Fixed Versions:
16.1.0, 15.1.4
921001-4 : After provisioning change, pfmand might keep interfaces down on particular platforms
Links to More Info: BT921001
Component: TMOS
Symptoms:
After a provisioning change, pfmand might keep interfaces down.
Conditions:
-- Provisioning change on the following platforms:
+ i850
+ i2600 / i2800
+ i4600 / i4800
+ 2000- and 4000-series
-- Link Down Time on Failover configured to a non-zero value (the default is '10').
Impact:
Interfaces remain DOWN.
Workaround:
Follow this procedure:
1. Set db failover.standby.linkdowntime to '0'.
2. To bring interfaces UP again, restart pfmand:
bigstart restart pfmand
Fixed Versions:
16.1.0, 15.1.9
920961-2 : Devices incorrectly report 'In Sync' after an incremental sync
Links to More Info: BT920961
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages
Links to More Info: BT920361
Component: Advanced Firewall Manager
Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.
Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.
Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.
Workaround:
None.
Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.
Fixed Versions:
16.1.0, 15.1.1, 14.1.3.1
920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy
Links to More Info: BT920301
Component: TMOS
Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.
Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.
Impact:
High CPU Usage.
Workaround:
None.
Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.
Fixed Versions:
15.1.2, 14.1.3.1
920205-4 : Rate shaping might suppress TCP RST
Links to More Info: BT920205
Component: Local Traffic Manager
Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.
Conditions:
Rate shaping is configured.
Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.
Workaround:
Do not use rate-shaping.
Fix:
TCP RSTs are no longer dropped by the rate-shaping instance.
Fixed Versions:
16.1.0, 15.1.9
920197-3 : Brute force mitigation can stop mitigating without a notification
Links to More Info: BT920197
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN
Links to More Info: BT919745
Component: TMOS
Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'
Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.
Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.
Workaround:
None.
Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Links to More Info: BT919553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
919465-2 : A dwbld core on configuration changes on IP Intelligence policy
Links to More Info: BT919465
Component: Advanced Firewall Manager
Symptoms:
A dwbld core occurs on configuration changes on IP Intelligence policy.
Conditions:
Configuration changes on IP Intelligence policy with assigned feed-list.
Impact:
A dwbld restart. Enforcement of dynamic white/black configuration does not occur while dwbld restarts.
Workaround:
None.
Fix:
Feed-list entries should not be present in list of entries with expiration.
Fixed Versions:
16.0.0, 15.1.5
919381-1 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups
Component: Advanced Firewall Manager
Symptoms:
Currently AFM does not have support to match rules against multiple subscriber policies
Conditions:
-- AFM provisioned
-- You wish to match rules against multiple subscriber policies
Impact:
AFM rules cannot be matched against multiple subscriber policies
Workaround:
None
Fix:
Enhancing the AFM rules matching against multiple subscriber policies
Fixed Versions:
16.1.0, 15.1.2.1
919317-5 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Links to More Info: BT919317
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using EMCP routes reachable via recursive nexthops.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
919305-2 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS.
Links to More Info: BT919305
Component: TMOS
Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.
Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.
Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.
Workaround:
N/A
Fix:
Appliance mode will now function when configured on a BIG-IP tenant deployed on VELOS.
Fixed Versions:
17.1.0, 15.1.4
919301-3 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
919001-2 : Live Update: Update Available notification is shown twice in rare conditions
Links to More Info: BT919001
Component: Application Security Manager
Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.
Conditions:
This can be encountered on the first load of the Live Update page.
Impact:
Notification is shown twice.
Workaround:
None.
Fix:
Notification is shown only once in all cases.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8
918933-2 : The BIG-IP ASM system may not properly perform signature checks on cookies
Links to More Info: K88162221 , BT918933
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.6, 12.1.5.3, 11.6.5.3
918905-2 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
Links to More Info: BT918905
Component: Advanced Firewall Manager
Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use. Errors are reported to the terminal screen:
pccd[23494]: 015d0000:0: pccd encountered a fatal error and will be restarted shortly...
Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.
Impact:
PCCD goes into a restart loop. PCCD is not functional until there are 256 or fewer entries.
Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.
To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd
Fix:
PCCD restart loop no longer occurs when using more than 256 FQDN entries in Firewall Rules.
Fixed Versions:
16.1.0, 15.1.10
918717-2 : Exception at rewritten Element.innerHTML='<a href></a>'
Links to More Info: BT918717
Component: Access Policy Manager
Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.
Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:
<script>
d = document.createElement('div')
try {
d.innerHTML = "<a href b=1>click</a>"
}catch(e){
alert(e.message);
}
</script>
Impact:
Web page does not load properly.
Workaround:
Find the "href" attributes of anchor tag and give some empty value to it:
Before:
<a href></a>
After:
<a href=""></a>
Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.
Fixed Versions:
16.1.0, 15.1.4.1
918597-5 : Under certain conditions, deleting a topology record can result in a crash.
Links to More Info: BT918597
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
918409-2 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
Links to More Info: BT918409
Component: TMOS
Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.
Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.
Impact:
Traffic disrupted on the tmm process that is looping indefinitely.
Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.
Note: The change does not persist across software installs.
a. mount -o remount,rw /usr
b. Edit /defaults/daemon.conf and put these contents at the top of the file:
sys daemon-ha tmm24 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm25 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm26 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm27 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
c. mount -o remount,ro /usr
2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:
tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
918317-2 : SSL Orchestrator resets subsequent requests when HTTP services are being used.
Links to More Info: BT918317
Component: SSL Orchestrator
Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.
Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.
Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.
Workaround:
None
Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
918277-2 : Slow Ramp does not take into account pool members' ratio weights
Links to More Info: BT918277
Component: Local Traffic Manager
Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.
Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.
Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.
Workaround:
None.
Fix:
Ratio weights are now taken into account for pool members.
Fixed Versions:
16.1.0, 15.1.9
918209-3 : GUI Network Map icons color scheme is not section 508 compliant
Links to More Info: BT918209
Component: TMOS
Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.
Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.
Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.
Workaround:
None.
Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Links to More Info: BT918169
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.6
918097-3 : Cookies set in the URI on Safari
Links to More Info: BT918097
Component: Application Security Manager
Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.
Impact:
A cookie is set on the URL.
Workaround:
None.
Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.
This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable
Default value is the original behavior (enable), which sets the cookie in the URl.
NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
918081-1 : Application Security Administrator role cannot create parent policy in the GUI
Links to More Info: BT918081
Component: Application Security Manager
Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created
Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.
Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.
Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.
Fix:
The Application Security Administrator role can now create the parent policy when required.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1
917005-5 : ISC BIND Vulnerability: CVE-2020-8619
Links to More Info: K19807532
916969-3 : Support of Microsoft Identity 2.0 platform
Links to More Info: BT916969
Component: Access Policy Manager
Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.
Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.
Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.
Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
916781-1 : Validation error while attaching DoS profile to GTP virtual
Links to More Info: BT916781
Component: Service Provider
Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.
Conditions:
Attach DoS security profile to GTP virtual server.
Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.
Workaround:
None.
Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.
Fixed Versions:
16.1.0, 16.0.1, 15.1.4
916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
Links to More Info: BT916753
Component: Global Traffic Manager (DNS)
Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.
Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:
RESOLV::lookup @/Common/my_dns_virtual www.example.com
Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.
For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:
instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
916589-2 : QUIC drops 0RTT packets if CID length changes
Links to More Info: BT916589
Component: Local Traffic Manager
Symptoms:
QUIC sometimes rejects valid 0RTT packets.
Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.
Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.
Workaround:
None.
Fix:
Fixed an issue with 0RTT packets when using QUIC.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5
915957-1 : The wocplugin may get into a restart loop when AAM is provisioned
Links to More Info: BT915957
Component: Local Traffic Manager
Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.
Conditions:
Application Acceleration Manager (AAM) is provisioned
Impact:
AAM is not functional
Workaround:
None
Fix:
The wocplugin is now correctly provisioned and runs without restarts.
Fixed Versions:
15.1.2, 14.1.3
915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Links to More Info: BT915825
Component: TMOS
Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
Fixed Versions:
16.1.0, 15.1.1, 14.1.3.1, 13.1.3.5
915773-1 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
915713-2 : Support QUIC and HTTP3 draft-29
Links to More Info: BT915713
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.
Conditions:
Browser requests draft-29.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1
915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Links to More Info: BT915689
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
915605-6 : Image install fails if iRulesLX is provisioned and /usr mounted read-write ★
Links to More Info: K56251674 , BT915605
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
915509-1 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Links to More Info: BT915509
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
915497-2 : New Traffic Class Page shows multiple question marks.
Links to More Info: BT915497
Component: TMOS
Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.
Conditions:
This is encountered when creating a new Traffic Class.
Impact:
Multi-byte characters are displayed incorrectly.
Workaround:
None.
Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5, 14.1.3.1
915489-2 : LTM Virtual Server Health is not affected by iRule Requests dropped
Links to More Info: BT915489
Component: Anomaly Detection Services
Symptoms:
Virtual Server Health should not take into account deliberate drop requests.
Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.
Impact:
Server Health reflects it is overloading status more precisely.
Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.
Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
915305-5 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Links to More Info: BT915305
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.
Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4
915281-2 : Do not rearm TCP Keep Alive timer under certain conditions
Links to More Info: BT915281
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
914761-3 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
Links to More Info: BT914761
Component: TMOS
Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:
Unexpected Error: UCS saving process failed.
Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.
Impact:
UCS file is not successfully saved and backup fails.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
914681-2 : Value of tmm.quic.log.level can differ between TMSH and GUI
Links to More Info: BT914681
Component: Local Traffic Manager
Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.
Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.
Impact:
Misleading log level displayed in the GUI.
Workaround:
Use TMSH to set and view values for tmm.quic.log.level.
Fix:
GUI values for tmm.quic.log.level are now displayed properly.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5
914649-3 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Links to More Info: BT914649
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
914293-3 : TMM SIGSEGV and crash
Links to More Info: BT914293
Component: Anomaly Detection Services
Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.
Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.
Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.
Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
914277-2 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
Links to More Info: BT914277
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.
Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.
Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.4
914245-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Links to More Info: BT914245
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
914081-1 : Engineering Hotfixes missing bug titles
Links to More Info: BT914081
Component: TMOS
Symptoms:
In Bug Tracker, some BIG-IP Engineering Hotfixes published after March 18, 2019 do not display the summary titles for fixed bugs.
Conditions:
BIG-IP Engineering Hotfixes published in Bug Tracker after March 18, 2019.
Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.
Workaround:
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.
Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs published in Bug Tracker.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
913849-1 : Syslog-ng periodically logs nothing for 20 seconds
Links to More Info: BT913849
Component: TMOS
Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.
Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)
Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.
Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.
Workaround:
None.
Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
913829-4 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Links to More Info: BT913829
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
913761-2 : Security - Options section in navigation menu is visible for only Administrator users
Links to More Info: BT913761
Component: Application Security Manager
Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.
Conditions:
You logged in as a user configured with a role other than Administrator.
Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.
Workaround:
Direct links to the pages work for those with the appropriate roles.
Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.1
913757-1 : Error viewing security policy settings for virtual server with FTP Protocol Security
Links to More Info: BT913757
Component: Application Security Manager
Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:
An error has occurred while trying to process your request.
Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.
Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:
An error has occurred while trying to process your request.
Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:
-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:
tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }
Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1
913729-5 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Links to More Info: BT913729
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.
Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
913453-5 : URL Categorization: wr_urldbd cores while processing urlcat-query
Links to More Info: BT913453
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
Fix:
Fixed a core with wr_urldb.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
913433-3 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT913433
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
913413-3 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-3 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.
Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message
Impact:
TCL error log is shown and connection is aborted
Workaround:
None
Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-3 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.
Impact:
User may not be able to use related iRule command properly.
Workaround:
None
Fix:
Tmsh help page for GTP iRule is updated
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913373-2 : No connection error after failover with MRF, and no connection mirroring
Links to More Info: BT913373
Component: Service Provider
Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.
Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.
Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.
Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
913249-2 : Restore missing UDP statistics
Links to More Info: BT913249
Component: Local Traffic Manager
Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Conditions:
Viewing UDP statistics.
Impact:
Unable to view these UDP statistics.
Workaround:
None.
Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
913137-1 : No learning suggestion on ASM policies enabled via LTM policy
Links to More Info: BT913137
Component: Application Security Manager
Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.
Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.
This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.
Impact:
No learning suggestions.
Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.
Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
913085-1 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
912945-2 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
912517-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
912425-3 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash
Links to More Info: BT912425
Component: Local Traffic Manager
Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.
Conditions:
TMM may crash under some of the following conditions:
-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.
Changes to monitor configuration may not take effect under the following conditions:
-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable in-TMM monitors.
Fix:
This issue is now fixed.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
912289-1 : Cannot roll back after upgrading on certain platforms ★
Links to More Info: BT912289
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
Fix:
Contact F5 Support for the reversion process if this is required.
Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
The particular platforms are:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
The particular software versions are:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
Fixed Versions:
16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6
912253-1 : Non-admin users cannot run show running-config or list sys
Links to More Info: BT912253
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
912149-5 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
912089-2 : Some roles are missing necessary permission to perform Live Update
Links to More Info: BT912089
Component: Application Security Manager
Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.
Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.
Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.
Workaround:
None.
Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
912001-3 : TMM cores on secondary blades of the Chassis system.
Links to More Info: BT912001
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
911809-2 : TMM might crash when sending out oversize packets.
Links to More Info: BT911809
Component: TMOS
Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.
Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
911729-2 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Links to More Info: BT911729
Component: Application Security Manager
Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.
Fixed Versions:
17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2
911585-3 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911141-3 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
911041-3 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
Links to More Info: BT911041
Component: Local Traffic Manager
Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.
Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.
Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2.1, 14.1.3.1
910905-1 : TMM crash when processing virtual server traffic with TLS/SSL session cache enabled
Links to More Info: BT910905
Component: Local Traffic Manager
Symptoms:
A tmm core occurs unexpectedly and causes a failover event.
Conditions:
This can occur while tmm is in normal operation. An internal error occurs when deleting an old SSL session during SSL handshake.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed incorrect internal deletion of expired SSL sessions.
Fixed Versions:
15.1.5.1, 14.1.4.4
910673-4 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
910653-5 : iRule parking in clientside/serverside command may cause tmm restart
Links to More Info: BT910653
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
910633-1 : Continuous 'neurond restart' message on console
Links to More Info: BT910633
Component: Performance
Symptoms:
Neurond continuously restarts after some configuration changes.
Conditions:
-- iSeries platform
-- Changes are made to the underlying firmware and an automatic reboot is not triggered.
Impact:
-- Features that utilize Neuron are not available.
-- Continuous 'neurond restart' messages are logged to the console
Workaround:
For some TurboFlex changes, a reboot is required.
Note: If neurond is restarting after turboflex profile-config changed to turboflex-security then the following will workaround the issue:
tmsh stop sys service neurond
tmsh modify sys provision afm level nominal
tmsh service start neurond
reboot
Fix:
Neurond no longer continuously restarts after certain configuration changes.
Fixed Versions:
16.0.0, 15.1.4
910521-2 : Support QUIC and HTTP draft-28
Links to More Info: BT910521
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.
Conditions:
Browser requests draft-28.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5
910417-2 : TMM core may be seen when reattaching a vector to a DoS profile
Links to More Info: BT910417
Component: Advanced Firewall Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.2, 14.1.4
910253-2 : BD error on HTTP response after upgrade ★
Links to More Info: BT910253
Component: Application Security Manager
Symptoms:
After upgrade, some requests can cause BD errors on response:
BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040
IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.
Impact:
For some requests, the response can arrive truncated or not arrive at all.
Workaround:
Add an iRule that deletes ASM cookies:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3
910213-2 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
910201-3 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Links to More Info: BT910201
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended;
This occurs for various reasons; BIG-IP end users have no influence on it occurring.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
910177 : Poor HTTP/3 throughput
Links to More Info: BT910177
Component: Local Traffic Manager
Symptoms:
HTTP/3 throughput is poor.
Conditions:
Virtual Server configured with an HTTP/3 profile.
Impact:
Performance might be severely degraded.
Workaround:
There is no alternative other than not using the HTTP/3 profile.
Fix:
Erroneously enabled debug logs are now turned off, so performance is improved.
Fixed Versions:
15.1.0.4
910097-2 : Changing per-request policy while tmm is under traffic load may drop heartbeats
Links to More Info: BT910097
Component: Access Policy Manager
Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash
Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
909997-3 : Virtual server status displays as unavailable when it is accepting connections
Links to More Info: BT909997
Component: Local Traffic Manager
Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.
Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.
Impact:
Actual virtual server status is not reflected in GUI.
Workaround:
If the deployment design allows, you can use either of the following workarounds:
-- Remove the source address list from the virtual server.
-- Have a single address in the source address list.
Fixed Versions:
16.1.0, 15.1.9
909673 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms
Links to More Info: BT909673
Component: TMOS
Symptoms:
TMM crashes when VLAN SYN cookie feature is used.
Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.
Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
VLAN SYN cookie processing now functions as expected.
Fixed Versions:
17.1.0, 15.1.0.4
909237-6 : CVE-2020-8617: BIND Vulnerability
Links to More Info: K05544642
909197-3 : The mcpd process may become unresponsive
Links to More Info: BT909197
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4
909161-3 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
908873-1 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
Links to More Info: BT908873
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.
This was encountered during internal testing of a certain iRule configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2
908621-2 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
Links to More Info: BT908621
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4.1
908601-2 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
Links to More Info: BT908601
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.
Impact:
The BIG-IP system is unable to complete the boot process and become active.
Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.
Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.
You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
908517-3 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
Links to More Info: BT908517
Component: TMOS
Symptoms:
LDAP authentication fails with an error message:
err nslcd[2867]: accept() failed: Too many open files
Conditions:
This problem occurs when user-template is used instead of Bind DN.
Impact:
You cannot logon to the system using LDAP authentication.
Workaround:
None.
Fix:
LDAP authentication now succeeds when user-template is used.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
908065-2 : Logrotation for /var/log/avr blocked by files with .1 suffix
Links to More Info: BT908065
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
908021-1 : Management and VLAN MAC addresses are identical
Links to More Info: BT908021
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
Fixed Versions:
16.1.0, 15.1.3, 14.1.3.1, 13.1.3.5
907765-1 : BIG-IP system does not respond to ARP requests if it has a route to the source IP address
Links to More Info: BT907765
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system receives an ARP request from a source IP address for which it has a route configured via another interface, the BIG-IP system does not send an ARP reply.
Conditions:
-- BIG-IP system receives an ARP who-is request for one of its self ip addresses.
-- The source IP address is in a different network, and the BIG-IP system has an L3 route configured for it via a different interface from where the ARP request was received
Impact:
The BIG-IP system does not send an ARP reply.
Workaround:
None.
Fix:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Behavior Change:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Fixed Versions:
16.1.0, 15.1.4
907549-1 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
907337-2 : BD crash on specific scenario
Links to More Info: BT907337
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
907025-3 : Live update error" 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
906889-4 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Links to More Info: BT906889
Component: TMOS
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
906885-1 : Spelling mistake on AFM GUI Flow Inspector screen
Links to More Info: BT906885
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.2.1, 14.1.2.8
906273-2 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
905557-1 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Links to More Info: BT905557
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4, 13.1.5
904845-2 : VMware guest OS customization works only partially in a dual stack environment.
Links to More Info: BT904845
Component: TMOS
Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).
By default, DHCP is enabled on the management interface.
During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.
Conditions:
Applying a customization profile to VMware VM in a dual stack environment.
Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.
Workaround:
Configure the mgmt interface addresses using the config script.
Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
904785-1 : Remotely authenticated users might not be able to log in over the serial console
Links to More Info: BT904785
Component: TMOS
Symptoms:
Remotely-authenticated users logging into BIG-IP through the serial console are immediately logged out after entering their username and password.
Logging in as the same user over SSH is successful.
Conditions:
Attempting to log in over serial console when using remote authentication (RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
Impact:
Remotely-authenticated users cannot log in over the serial console.
Workaround:
You can work around this issue by using one of the following alternative processes:
-- Log in over SSH instead
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using the command: 'tmsh modify auth remote-user remote-console-access tmsh' or or from the UI.
Fix:
Remotely-authenticated users are now able to successfully log in to BIG-IP through the serial console.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
904725-1 : Add new macro dialogue not working for AD auth and resources and password change
Links to More Info: BT904725
Component: Access Policy Manager
Symptoms:
In VPE, when Add Macro button is clicked, a dialogue is opened in which when AD auth and resources and password change option are selected from the macro template dropdown and clicked on Save button, an error dialogue displays with 500 error.
Conditions:
- Add new Macro button to be in enabled status.
- Select AD auth and resources and password change template from macro template dropdown.
- Click Save.
Impact:
Addition of Macro template is not working when AD auth and resources and password change is selected as a template.
Workaround:
After performing the required actions when page is refreshed or coming back from another page, the failed macro template is appeared.
Fix:
The AD auth and resources and password change template is now accepted for macro addition.
Fixed Versions:
16.0.0, 15.1.9
904705-2 : Cannot clone Azure marketplace instances.
Links to More Info: BT904705
Component: TMOS
Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.
Conditions:
Applies to any Azure marketplace instance.
Impact:
Cannot clone Azure marketplace instances.
Workaround:
None.
Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
904593-1 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Links to More Info: BT904593
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
Fixed Versions:
16.1.0, 15.1.0.5, 14.1.2.7
904509-1 : TMM crash SIGSEGV - spmdb_subscriber_info_deserialize() in spm/spmdb_deser.c
Links to More Info: BT904509
Component: Policy Enforcement Manager
Symptoms:
The spmdb_subscriber_info_deserialize does not handle the ERR_MEM properly and crashes the TMM.
Conditions:
- BIG-IP with PEM license,
- PEM subscribers at large scale, memory issue might occur in TTM.
Impact:
TMM crashes and service is disrupted.
Workaround:
None
Fix:
The ERR_MEM from TMM is handled correctly to avoid crash.
Fixed Versions:
16.0.0, 15.1.9
904373-3 : MRF GenericMessage: Implement limit to message queues size
Links to More Info: BT904373
Component: Service Provider
Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.
Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.
Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.
Workaround:
None.
Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1
904133-1 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code
Links to More Info: BT904133
Component: Application Security Manager
Symptoms:
Creating user-defined signature via iControl REST occasionally fails with a 400 response code.
Conditions:
You create a user-defined signature via iControl REST via this endpoint:
POST https://<BIG-IP>/mgmt/tm/asm/signatures
Impact:
Signature creation fails with 400 response code:
{
"code": 400,
"message": "remoteSender:10.10.10.10, method:POST ",
"originalRequestBody": "{...}",
"referer": "10.10.10.10",
"restOperationId": 6716673,
"kind": ":resterrorresponse"
}
Fix:
Creating user-defined signatures via REST works correctly.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.4
904053-2 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Links to More Info: BT904053
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disable Learning mode for the Policy disables Cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6
904041-2 : Ephemeral pool members may be incorrect when modified via various actions
Links to More Info: BT904041
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
903905-2 : BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances
Links to More Info: BT903905
Component: Access Policy Manager
Symptoms:
When a BIG-IP device has been running for 8 weeks or longer without a restart of TMM or a system reboot, BIG-IP services can be disrupted.
Conditions:
-- BIG-IP device has been running for 8 weeks or longer without a TMM restart or system reboot.
-- The BIG-IP system's internal risk-policy subsystem (used by the security features) has not been configured to communicate with an external risk-policy server.
-- In a vCMP configuration, the BIG-IP 'host' instance is susceptible, since no security features can be configured in its context.
-- A BIG-IQ device running any BIG-IQ v8.x release prior to 8.1.0.1 is also susceptible.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
This issue has been resolved and no longer occurs.
Fixed Versions:
16.0.0, 15.1.0.3
903581-1 : The pkcs11d process cannot recover under certain error condition
Links to More Info: BT903581
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
Fix:
Allow pkcs11d to re-initialize on error.
Fixed Versions:
16.1.0, 15.1.2.1
903573 : AD group cache query performance
Links to More Info: BT903573
Component: Access Policy Manager
Symptoms:
Active Directory queries are slow.
Conditions:
This issue occurs under the following conditions:
-- Active Directory (AD) authentication used.
-- There are lots of AD caches in the environment, and users are in deeply nested groups.
Impact:
Active Directory query time can be excessive.
Workaround:
None
Fix:
Improved the AD cache optimization.
Fixed Versions:
16.1.0, 15.1.4
903561-3 : Autodosd returns small bad destination detection value when the actual traffic is high
Links to More Info: BT903561
Component: Advanced Firewall Manager
Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.
Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.
Impact:
A small bad destination detection value is returned.
Workaround:
None.
Fix:
Fixed the threshold update algorithm.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
903357-2 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
Links to More Info: BT903357
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.7
902485-3 : Incorrect pool member concurrent connection value
Links to More Info: BT902485
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
902417-2 : Configuration error caused by Drafts folder in a deleted custom partition ★
Links to More Info: BT902417
Component: TMOS
Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
902401-5 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device
Links to More Info: BT902401
Component: TMOS
Symptoms:
The ospfd process generates a core.
Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.
Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.
Workaround:
None.
Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
902377-2 : HTML profile forces re-chunk even though HTML::disable
Links to More Info: BT902377
Component: Local Traffic Manager
Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.
Conditions:
Using HTML::disable in an HTTP_RESPONSE event.
Impact:
The HTML profile still performs a re-chunk.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
901929-2 : GARPs not sent on virtual server creation
Links to More Info: BT901929
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
Fix:
GARPs are now sent when a virtual server is created.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
901669-4 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.
Links to More Info: BT901061
Component: Application Security Manager
Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
Fix:
Set the cookie so all requests in the target domain will contain it.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
901041-3 : CEC update using incorrect method of determining number of blades in VIPRION chassis ★
Links to More Info: BT901041
Component: Traffic Classification Engine
Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
900933-1 : IPsec interoperability problem with ECP PFS
Links to More Info: BT900933
Component: TMOS
Symptoms:
IPsec tunnels fails to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5
900797-2 : Brute Force Protection (BFP) hash table entry cleanup
Links to More Info: BT900797
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
900793-1 : APM Brute Force Protection resources do not scale automatically
Links to More Info: K32055534 , BT900793
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
900789-2 : Alert before Brute Force Protection (BFP) hash are fully utilized
Links to More Info: BT900789
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
899009 : Azure Active Directory deployment fails on BIG-IP 15.1
Links to More Info: BT899009
Component: Access Policy Manager
Symptoms:
In restnoded.log you see an error:
severe: [[azureUtils] ] Cannot get key data. Worker not available :/tm/access/certkey-file-helper/available, details: URI path /tm/access/certkey-file-helper/available not registered. Please verify URI is supported and wait for /available suffix to be responsive.
Conditions:
Azure Active Directory is enabled.
Impact:
Azure Active Directory can not be deployed on BIG-IP 15.1
Fixed Versions:
15.1.2.1
898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Links to More Info: BT898997
Component: Service Provider
Symptoms:
GTP message parsing fails and log maybe observed as below:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes
Impact:
- message parsing fails, traffic maybe interupted
Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.7
898929-4 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
898741-2 : Missing critical files causes FIPS-140 system to halt upon boot
Links to More Info: BT898741
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
Fixed Versions:
16.1.0, 15.1.1, 14.1.2.7
898705-5 : IPv6 static BFD configuration is truncated or missing
Links to More Info: BT898705
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Links to More Info: BT898461
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
Fix:
These iRule commands are now available within these iRule events.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1
898441-1 : Enable logging of IKE keys
Links to More Info: BT898441
Component: TMOS
Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.
Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.
Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.
Workaround:
None, although the remote peer may log this information.
Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
898365-1 : XML Policy cannot be imported
Links to More Info: BT898365
Component: Application Security Manager
Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.
Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.
Impact:
Such a policy cannot be imported.
Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>
Fix:
XML Policy export generates files that correctly correspond to the expected schema and can be imported.
Fixed Versions:
16.0.0, 15.1.4
898093-2 : Removing one member from a WideIP removes it from all WideIPs.
Links to More Info: BT898093
Component: Global Traffic Manager (DNS)
Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.
Conditions:
Use the 'Remove' button.
Impact:
Unintended configuration changes via GUI.
Workaround:
Use the 'Manage' button, rather than the 'Remove' button.
Fixed Versions:
16.0.0, 15.1.1
897509-1 : IPsec SAs are missing on HA standby, leading to packet drops after failover
Links to More Info: BT897509
Component: TMOS
Symptoms:
IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.
Conditions:
-- HA mirroring is configured
-- IKEv2 tunnels are started
Impact:
During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.
Workaround:
None
Fix:
IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is supported only when IKEv2 tunnels are in use.
Fixed Versions:
16.1.0, 15.1.4.1
897137 : NAT traffic across BIG-IP was dropped and TMM can crash if attached FW policy with subscriber ID enabled to the virtual server
Links to More Info: BT897137
Component: Advanced Firewall Manager
Symptoms:
TMM will be crashed and BIG-IP will drop the traffic if attached FW policy with subscriber ID enabled to the virtual server.
Conditions:
- Attach a FW policy with subscriber ID enabled to the virtual server.
Impact:
TMM crashes and BIG-IP traffic is dropped.
Workaround:
None
Fix:
TMM does not crash.
Fixed Versions:
15.1.9
896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios
Links to More Info: BT896917
Component: Advanced Firewall Manager
Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.
Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).
Impact:
The counter for all VLANs does not hit : fw_zone_stat. The corresponding stat value does not increment.
Workaround:
None.
Fixed Versions:
15.1.0.5
896861-2 : PTR query enhancement for RESOLVER::name_lookup
Links to More Info: BT896861
Component: Global Traffic Manager (DNS)
Symptoms:
Currently RESOLVER::name_lookup does not have PTR reverse domain mapping.
Conditions:
RESOLVER::name_lookup needs an additional iRule to make PTR query work
Impact:
Need an additional iRule to convert to reverse IP PTR query to work
Workaround:
Use an iRule to convert ip address reverse mapping
Fix:
Address IP address reverse mapping for PTR query
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3
896817-2 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Links to More Info: BT896817
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
896709-3 : Add support for Restart Desktop for webtop in VMware VDI
Links to More Info: BT896709
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6
896553-3 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT896553
Component: TMOS
Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)
Workaround:
Attach interfaces to all blades.
Fix:
Failed blades are detected within a second.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4, 13.1.3.6
896473-2 : Duplicate internal connections can tear down the wrong connection
Links to More Info: BT896473
Component: TMOS
Symptoms:
Handling of duplicate internal connections can tear down and clean up the newest connection. Instead it should always remove the oldest.
Conditions:
When internal connections are re-established.
Impact:
The cleanup of previous connections may incorrectly tear down the new connection. Error messages are reported in the log when this happens, for example:
Duplicate connections between BCM56XXD1 and stpd7749-2. Closing the new one.
Workaround:
None.
Fix:
The system now always removes the oldest connection.
Fixed Versions:
16.0.0, 15.1.3
896285-2 : No parent entity in suggestion to add predefined-filetype as allowed filetype
Links to More Info: BT896285
Component: Application Security Manager
Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.
Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.
Impact:
No parent entity appears in the sugestion.
Workaround:
None.
Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7
896217-2 : BIG-IP GUI unresponsive
Links to More Info: BT896217
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
896125-2 : Reuse Windows Logon Credentials feature does not work with modern access policies
Links to More Info: BT896125
Component: Access Policy Manager
Symptoms:
Client users are not automatically logged on to the Edge client using previously entered Microsoft Windows credentials, while client users on Windows computers are prompted with a logon page to enter the credentials.
Conditions:
-- Access policy "customization type" should be set to "modern"
-- In connectivity profile, click Customize Package :: Windows.
-- Under Available Components, select the check box to enable User Logon Credentials Access Service.
Impact:
Unable to automatically logon to Edge client and user is prompted for credentials
Workaround:
Use standard access policy in the virtual server.
Fixed Versions:
16.1.0, 15.1.4
895837-3 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Links to More Info: BT895837
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core, and causes services to restart and failover.
Workaround:
None.
Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
895781-2 : Round Robin disaggregation does not disaggregate globally
Links to More Info: BT895781
Component: TMOS
Symptoms:
Traffic is not disaggregated uniformly as expected.
Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.
Impact:
Some TMMs may use relatively more CPU.
Workaround:
None.
Fix:
Traffic is now disaggregated uniformly in a round robin fashion.
Fixed Versions:
16.0.0, 15.1.4
895557-2 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
895153 : HTTP::has_responded returns incorrect values when using HTTP/2
Links to More Info: BT895153
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.
Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.
Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.
Fixed Versions:
15.1.2, 14.1.3.1
895013-2 : Learning of login pages does not work
Links to More Info: BT895013
Component: Application Security Manager
Symptoms:
Learning of login pages does not work.
Conditions:
The internal parameter pb_force_sampling is turned on.
Impact:
Automatic learning of login pages by the policy builder fails.
Workaround:
Configure login pages manually or turn off the force sampling internal parameter.
Fix:
Fixed an issue with login page learning.
Fixed Versions:
16.1.0, 16.0.0, 15.1.10
894885-3 : [SAML] SSO crash while processing client SSL request
Links to More Info: BT894885
Component: Access Policy Manager
Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.
Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.
Conditions:
SAML SSO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
894565-1 : Autodosd.default crash with SIGFPE
Links to More Info: BT894565
Component: Access Policy Manager
Symptoms:
The autodosd process crashes occasionally due to the division by zero.
Conditions:
It happens when the autodosd process receives zero value from tmm.
Impact:
Autodosd is rebooted.
Fix:
The autodosd process does not crash with SIGFPE.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
894133-1 : After ISO upgrade the SSL Orchestrator guided configuration user interface is not available. ★
Links to More Info: BT894133
Component: TMOS
Symptoms:
After the ISO upgrade, any attempt to access the SSL Orchestrator guided configuration user interface results in the following error:
The requested URL /iapps/f5-iappslx-ssl-orchestrator/sgc/sgcIndex.html was not found on this server.
Conditions:
Upgrade the BIG-IP system.
Impact:
Cannot perform SSL Orchestrator configuration tasks using the SSL Orchestrator guided configuration user interface.
Workaround:
(1) Query the f5-iappslx-ssl-orchestrator package ID (9beb912b-4f1c-3f95-94c3-eb1cbac4ab99), and use the returned ID in the following step.
restcurl shared/iapp/installed-packages | jq -r '.items[] | select(.appName=="f5-iappslx-ssl-orchestrator") | .id'
9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
(2) Delete existing f5-iappslx-ssl-orchestrator package references.
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
(3) Stop the REST framework daemons.
bigstart stop restjavad restnoded
(4) Make sure the /var/iapps/www/ directory exists.
mkdir -p /var/iapps/www/
(5) Create the RPMS.save directory.
mkdir -p /var/config/rest/iapps/RPMS.save
(6) Check if the current f5-iapplx-ssl-orchestrator RPM (e.g., 14.1.0-5.5.8) is present at the default location.
ls -la /var/config/rest/iapps/RPMS/
-- If it is not present, try to get it from either the /usr/share/packages/f5-iappslx-ssl-orchestrator/ directory or from the remote high availability (HA) peer device (/var/config/rest/iapps/RPMS/). Make sure the RPM version matches the current SSL Orchestrator configuration/version (e.g., 14.1.0-5.5.8). If you cannot find a copy of your original RPM locally, download the latest RPM available for your chosen BIG-IP version from downloads.f5.com.
-- Once obtained, copy the RPM to /var/config/rest/iapps/RPMS/ (locally).
(7) Copy the current f5-iapplx-ssl-orchestrator (e.g., 14.1.0-5.5.8) RPM to the RPMS.save directory.
cp /var/config/rest/iapps/RPMS/f5-iappslx-ssl-orchestrator-14.1.0-5.5.8.noarch.rpm /var/config/rest/iapps/RPMS.save/
(8) Make sure you have only one f5-iappslx-ssl-orchestrator RPM in the RPMS.save/ directory and that it matches the RPM version. Remove other RPMs, if any.
(9) Remove the current SSL Orchestrator user interface artifacts.
rm -rf /var/iapps/www/f5-iappslx-ssl-orchestrator/
rm -rf /var/config/rest/iapps/f5-iappslx-ssl-orchestrator
(10) Restart the REST framework.
bigstart restart restjavad restnoded
(11) Wait at least 30 seconds.
(12) Open TMUI (the GUI) on the affected device, and navigate to SSL Orchestrator :: Configuration.
(13) The SSL Orchestrator Self-Guided Configuration page should initialize and eventually load successfully.
Fix:
After ISO upgrade the SSL Orchestrator guided configuration user interface is now available.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.5
894081-2 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
Links to More Info: BT894081
Component: Global Traffic Manager (DNS)
Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.
Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.
Note: This issue only affects Link Controller systems, and not DNS/GTM systems.
Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).
Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:
# tmsh show gtm pool a members
# tmsh show gtm server virtual-servers
Fixed Versions:
16.0.0, 15.1.10
893885-3 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT893885
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
893721-2 : PEM-provisioned systems may suffer random tmm crashes after upgrading ★
Links to More Info: BT893721
Component: Traffic Classification Engine
Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/
Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
893281-3 : Possible ssl stall on closed client handshake
Links to More Info: BT893281
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.
Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.
Impact:
Some ssl client connection remain until idle timeout.
Fix:
Allow transmit of any pending crypto during ssl shutdown.
Fixed Versions:
16.1.0, 15.1.0.5, 14.1.2.7
893061-2 : Out of memory for restjavad
Links to More Info: BT893061
Component: Application Security Manager
Symptoms:
REST framework not available due to Out of memory error
Conditions:
Long list of Live Update installations
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
892941-2 : F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555 , BT892941
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.4
892937-2 : F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555 , BT892937
Component: Access Policy Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.4
892861-3 : Cannot configure aaa OAuth provider - invalid x509 file
Links to More Info: BT892861
Component: Access Policy Manager
Symptoms:
An error is encountered when trying to create Ping or Custom type OAuth provider:
General error: 01070712:3: unable to validate certificate, invalid x509 file (/Common/textcert.crt). in statement [SET TRANSACTION END].
Conditions:
-- Access :: Federation : OAuth Client / Resource Server : Provider:: Create
-- Select 'custom' or 'ping' as the type.
-- Attempt a Discover operation to the <provider-hostname> on a server representing a custom- or ping-type provider, and then save the settings.
Impact:
Operation fails. Cannot use Ping or a Custom type OAuth provider.
Workaround:
None
Fix:
Admin can now create Ping or Custom as OAuth provider wihtout error.
Fixed Versions:
16.1.0, 15.1.9
892677-1 : Loading config file with imish adds the newline character
Links to More Info: BT892677
Component: TMOS
Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Links to More Info: BT892653
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7
892637-1 : Microservices cannot be added or modified
Links to More Info: BT892637
Component: Application Security Manager
Symptoms:
The 'Add' button is grayed out on Security :: Application Security :: Microservices, where in previous version, minimal microservice creation/modification was available.
Conditions:
-- Navigate to Security :: Application Security :: Microservices.
-- Attempt to add a microservice.
Impact:
Cannot add or modify a microservice in this version, where it was available in previous versions.
Workaround:
None
Fix:
The 'Add' button is now available to create basic microservices for Application Security.
Fixed Versions:
16.0.0, 15.1.1
892621-1 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software
Links to More Info: BT892621
Component: Advanced Firewall Manager
Symptoms:
BDoS Signature mitigated in software.
Conditions:
IP packets size metric in BDoS signature.
Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.
Workaround:
None.
Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.
Fixed Versions:
16.0.0, 15.1.0.4, 14.1.3
892485-2 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.
Links to More Info: BT892485
Component: Local Traffic Manager
Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.
Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.
Impact:
A wrong OCSP status may be reported in the SSL handshake.
Fix:
After the fix, the correct OCSP status entry is returned and SSL handshake continues with the correct OCSP status.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6
892385 : HTTP does not process WebSocket payload when received with server HTTP response
Links to More Info: BT892385
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5
892073-3 : TLS1.3 LTM policy rule based on SSL SNI is not triggered
Links to More Info: BT892073
Component: Local Traffic Manager
Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.
Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.
Impact:
Policy rule not triggered for TLS1.3.
Workaround:
None.
Fix:
LTM policy rules at client hello SNI are now triggered for TLS1.3.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4.6
891729-2 : Errors in datasyncd.log ★
Links to More Info: BT891729
Component: Fraud Protection Services
Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM
Conditions:
Upgrades from version 13.x to 14.0.0 or higher.
Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.
Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.
If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.
Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
891721-3 : Anti-Fraud Profile URLs with query strings do not load successfully
Links to More Info: BT891721
Component: TMOS
Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:
010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.
Conditions:
Adding a query string to a URL for an anti-fraud profile.
Impact:
After a BIG-IP config save, loading of new bigip.conf fails.
Workaround:
Follow this procedure:
1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.
Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
891613-1 : RDP resource with user-defined address cannot be launched from webtop with modern customization
Links to More Info: BT891613
Component: Access Policy Manager
Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.
After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:
Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.
Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.
Impact:
Cannot use remote desktop resource with user-defined addresses.
Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:
1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):
-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').
Recreate similar access policy as modern access policy that is showing this problem.
If manually re-creating similar standard access policy is not possible, there is no workaround.
Fix:
Now, RDP resources with user-defined addresses can be used as expected on webtops with modern customization.
Fixed Versions:
16.1.0, 15.1.4.1
891505-3 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
Links to More Info: BT891505
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.
Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
When fixed, TMM works as expected and no longer leaks memory.
Fixed Versions:
16.0.0, 15.1.4, 14.1.2.8
891477-3 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
Links to More Info: BT891477
Component: TMOS
Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
891385-2 : Add support for URI protocol type "urn" in MRF SIP load balancing
Links to More Info: BT891385
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
Fix:
Added support for the urn URI protocol type.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
891373-2 : BIG-IP does not shut a connection for a HEAD request
Links to More Info: BT891373
Component: Local Traffic Manager
Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.
Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.
Impact:
Connection remains idle until it expires normally, consuming network resources.
Workaround:
None.
Fix:
When an HTTP HEAD request contains 'Connection: close' header and a OneConnect profile is configured on a virtual server, the BIG-IP system shuts a connection down after a response is served.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
891337-1 : 'save_master_key(master): Not ready to save yet' errors in the logs
Links to More Info: BT891337
Component: TMOS
Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.
Conditions:
UCS load or configuration synchronization that includes encrypted objects.
Impact:
Many errors seen in the logs.
Workaround:
None.
Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
891093-1 : iqsyncer does not handle stale pidfile
Links to More Info: BT891093
Component: Global Traffic Manager (DNS)
Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.
Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file
Impact:
Gtm config changes and gtm_add operations are blocked
Workaround:
Remove iqsyncer pid file manually or reboot
Fix:
Stale iqsyncer pid file condition handled in iqsyncer application
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
890881-4 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
Links to More Info: BT890881
Component: Local Traffic Manager
Symptoms:
Traffic drop occurs.
Conditions:
Source MAC in the ARP header and the Ethernet header do not match.
Impact:
The BIG-IP system drops these packets.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
890721-2 : SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment
Links to More Info: BT890721
Component: SSL Orchestrator
Symptoms:
SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment. Reset cause is "cl side error (No error)".
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
Impact:
SSL Orchestrator/BIG-IP rejects the client connection.
Workaround:
Modify 'tmm.access.prp_global_timeout' sys db value from default 5 seconds to some appropriate value like 30 or 60 seconds.
Example:
Following command sets this sys db variable value to 60 seconds.
#tmsh modify sys db tmm.access.prp_global_timeout value 60
Fix:
SSLo no longer rejects the client's connection if an initial ingress data arrives 5 seconds after tcp connection establishment and per-request policy execution has finished.
Fixed Versions:
16.1.0, 15.1.9
890513-2 : MCPD fails to load configuration from binary database
Links to More Info: BT890513
Component: TMOS
Symptoms:
Mcpd errors are found in /var/log/ltm:
-- err mcpd[16068]: 01070734:3: Configuration error: MCPProcessor::initializeDB: basic_string::_S_create
-- err mcpd[16068]: 01070596:3: An unexpected failure has occurred, basic_string::_S_create, exiting...
-- err mcpd[16978]: 01b50049:3: FipsUserMgr Error: Master key load failure.
Conditions:
-- Restart MCPD (e.g. by rebooting the BIG-IP)
-- This affects BIG-IP v15.1.0.4 running on all platforms with the exception of the following:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
MCPD does not restore the configuration from its binary database, but instead re-reads the text config files (bigip.conf, et al.).
Workaround:
None.
Fix:
MCPD is again able to restore its configuration from the binary database during startup
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.4
890421-2 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers ★
Links to More Info: BT890421
Component: TMOS
Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217
Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.
Impact:
This may be confusing for SNMP clients expecting specific trap IDs.
Workaround:
None.
Fix:
The traps have been correctly numbered in 15.0.1.3.
Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.3
890277-3 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Links to More Info: BT890277
Component: TMOS
Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on device with large number of partitions.
Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
890229-1 : Source port preserve setting is not honored
Links to More Info: BT890229
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when both of the following conditions are met:
-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
- Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
- Configuring a VLAN's 'CMP Hash' setting to a non-default value.
- Using a special variable such as non-default udp.hash or tcp.hash.
Impact:
Applications relying on a specific, fixed source port might not work as expected.
Workaround:
Set source-port to preserve-strict.
Fix:
Now source-port preserve setting does best effort to preserve the source port.
Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve db variable introduced in v15.1.0 is no longer supported.
The source-port preserve setting now does best effort to preserve the source port.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5
890169-2 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
889813-2 : Show net bwc policy prints bytes-per-second instead of bits-per-second
Links to More Info: BT889813
Component: TMOS
Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.
Conditions:
Running the tmsh command:
tmsh show net bwc policy
Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5
889605-3 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.
Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu
Fix:
Open the iApps >> Applications view in TMUI and load the iApp.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
889601-3 : OCSP revocation not properly checked
Links to More Info: K14903688 , BT889601
Component: Local Traffic Manager
Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.
Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles
Impact:
The SSL handshake continues eve if a certificate is revoked.
Fix:
OCSP revocation checking now working properly.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
889505 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available
Links to More Info: BT889505
Component: Advanced Firewall Manager
Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.
Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.
Impact:
Need to manually calculate the values.
Workaround:
Make manual calculations from the current stats or configuration.
Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.
Behavior Change:
The following new MIBs are now available:
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp
Fixed Versions:
16.0.0, 15.1.0.3
889477-1 : Modern customization does not enforce validation at password changing
Links to More Info: BT889477
Component: Access Policy Manager
Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.
Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.
Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.3
889209-2 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
Links to More Info: BT889209
Component: Local Traffic Manager
Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.
Conditions:
Enabled sflow receiver is configured.
Impact:
Egress traffic is dropped.
Workaround:
Disable Sflow receiver, save configuration, reboot. (You should not re-enable the sflow receiver in versions where this bug is present)
Fixed Versions:
16.0.0, 15.1.1, 14.1.4
889165-3 : "http_process_state_cx_wait" errors in log and connection reset
Links to More Info: BT889165
Component: Local Traffic Manager
Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:
err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside
Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server
Impact:
Possible connection failure.
Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
889041-3 : Failover scripts fail to access resolv.conf due to permission issues
Links to More Info: BT889041
Component: TMOS
Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:
/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0
Impact of workaround: these commands disable SELinux policy enforcement.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
889029-2 : Unable to login if LDAP user does not have search permissions
Links to More Info: BT889029
Component: TMOS
Symptoms:
A user is unable to log in using remote LDAP.
Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory
Impact:
Authentication does not work.
Workaround:
Grant search permissions to the user in LDAP.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
888869-2 : GUI reports General Database Error when accessing Instances Tab of SSL Certificates
Links to More Info: BT888869
Component: TMOS
Symptoms:
A General Database Error message is shown when you click the Instances tab of a certificate bundle / certificate / Key listed under the System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.
Conditions:
-- The selected SSL Certificate does not have a certificate or key listed under it.
-- You click the instances tab of the properties page of the SSL Certificate.
Impact:
GUI shows an error screen.
Workaround:
Avoid clicking the instance tab if there is no key or certificate associated with the SSL Certificate / Bundle.
Fixed Versions:
16.1.0, 15.1.5
888625 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
Links to More Info: BT888625
Component: Carrier-Grade NAT
Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.
Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.
Impact:
No functional impact. But the stats counters will be incorrect.
Fix:
Update the active port block counter correctly when port block allocation fails.
Fixed Versions:
16.0.0, 15.1.0.3, 14.1.2.7
888569 : Added PBA stats for total number of free PBAs, and percent free PBAs
Links to More Info: BT888569
Component: Advanced Firewall Manager
Symptoms:
There are several port block allocation (PBA) statistics that need to be added.
Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.
Impact:
Need to manually calculate the values.
Workaround:
Make manual calculations from the current stats or configuration.
Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).
-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).
-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).
-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.
Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:
total_port_blocks
The relevant TMSH show commands have been updated to include these new values:
-- Total Port Blocks
-- Percent Free Port Blocks
Fixed Versions:
16.0.0, 15.1.0.3
888517-2 : Busy polling leads to high CPU ★
Links to More Info: BT888517
Component: Local Traffic Manager
Symptoms:
TMM is running at 100 percent CPU even under a light network load. A high number of packet drops and queue full events are reported.
Conditions:
- BIG-IP Virtual Edition.
- There are underlying network performance issues causing the transmit queue to be full. For example, a non-SR-IOV virtual machine environment.
- Upgrading from BIG-IP v12.x to BIG-IP v14.x or above.
Impact:
Busy polling runs the TMM CPU usage to 100 percent.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
Providing visible information with an error message when there is busy polling over a period of time. "Marking down interface because its txq[<queue_num>] has been full for n seconds."
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
888497-2 : Cacheable HTTP Response
Links to More Info: BT888497
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3
888341-7 : HA Group failover may fail to complete Active/Standby state transition
Links to More Info: BT888341
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
888289-1 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
888285-1 : Sensitive positional parameter not masked in 'Referer' header value
Links to More Info: K18304067 , BT888285
Component: Application Security Manager
Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.
Conditions:
Sending a request with positional parameter in URI and 'Referer' header.
Impact:
'Referer' header positional parameter value is not masked in logs.
Workaround:
None.
Fix:
'Referer' positional parameter value is masked as expected.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
888261-1 : Policy created with declarative WAF does not use updated template.
Links to More Info: BT888261
Component: Application Security Manager
Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.
Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.
Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.
Workaround:
Create new template and use it when recreating the declarative policy.
Fix:
While creating the policy, if the saved template on the machine is older than the template file, the system replaces the file on the machine and uses the updated template.
Fixed Versions:
16.0.0, 15.1.1
888145-2 : When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property
Links to More Info: BT888145
Component: Access Policy Manager
Symptoms:
The entityID property of SAML Service Provider (SP) object ('apm aaa saml') accepts only a valid URI as the value if host is empty. All other values are deemed invalid.
This creates a less than optimal configuration experience in certain use-cases. For instance, when the deployment contains two SAML SP configuration objects that are essentially identical, with the only difference being the entityID value, validation prevents reusing the same object, and mandates creation of two independent configuration objects.
Conditions:
-- The BIG-IP system is used as a SAML SP with two or more SP configuration objects.
-- The only difference between two (or more) configured SP configuration objects is the value of entityID.
Impact:
None. This is a usability enhancement.
Workaround:
Creating multiple SP objects.
Fix:
This enhancement supports configuring an APM session variable in the entityID property of SAML SP ('apm aaa saml') objects, thus reducing the number of nearly duplicate SP configuration objects.
NOTE: When a session variable is used in the entityID property of a SAML SP object, the SAML metadata exported by such object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.
Fixed Versions:
16.1.0, 15.1.3
888113-3 : TMM may core when the HTTP peer aborts the connection
Links to More Info: BT888113
Component: Local Traffic Manager
Symptoms:
TMM cores in the HTTP proxy.
Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- The HTTP peer aborts the connection unexpectedly.
Impact:
Failover (in a DSC), or outage (standalone) as traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the HTTP proxy when the HTTP peer aborts the connection.
Fixed Versions:
16.0.0, 15.1.2
887749-2 : Observed crash when resetting stats for GTM server devices in a GTM sync group.
Links to More Info: BT887749
Component: Global Traffic Manager (DNS)
Symptoms:
GTMD may crash when we run the reset stats command for GTM server devices in a GTM sync group.
Conditions:
Run reset stats command for GTM server devices through TMSH in a GTM sync group.
Impact:
GTMD crash
Fix:
No GTMD core when running reset stats command multiple times in a GTM sync group.
Fixed Versions:
16.0.0, 15.1.7
887505-1 : Coreexpiration script improvement
Links to More Info: BT887505
Component: TMOS
Symptoms:
Script fails with:
stat: cannot stat '/shared/core/*.core.*': No such file or directory.
In addition, the system reports a message in /var/log/user and /var/log/messages when there are no core files:
Deleting file /shared/core/*.core.*
Conditions:
Coreexpiration script is run.
Impact:
No core is produced. In addition, there is no core deleted.
Workaround:
To resolve the issue, add the following line to the script:
for filename in /shared/core/*.core.*; do
+ [ -e "$filename" ] || continue
# Time of last modification as seconds since Epoch
Fixed Versions:
16.1.0, 15.1.3
887117-2 : Invalid SessionDB messages are sent to Standby
Links to More Info: BT887117
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
887089-1 : Upgrade can fail when filenames contain spaces
Links to More Info: BT887089
Component: TMOS
Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
Fixed Versions:
16.1.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
887017-3 : The dwbld daemon consumes a large amount of memory
Links to More Info: BT887017
Component: Advanced Firewall Manager
Symptoms:
The dwbld daemon shows very large memory consumption after adding addresses to the shun-list.
Conditions:
-- Adding a large number of IP addresses to the shun-list (millions of IP addresses).
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)
Impact:
Excessive memory consumption. If memory is exhausted, enforcement does not occur.
Workaround:
None.
Fix:
Improvements to dwbld memory handling have been implemented.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
886865-1 : P3P header is added for all browsers, but required only for Internet Explorer
Links to More Info: BT886865
Component: Application Security Manager
Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.
Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.
It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.
Fix:
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable
Fixed Versions:
16.1.0, 15.1.5, 14.1.4.5
886841-1 : Allow LDAP Query and HTTP Connector for API Protection policies
Links to More Info: BT886841
Component: Access Policy Manager
Symptoms:
APM has several types of access policies for different deployment types, such as general per-request policies, OAuth policies, full webtop portal policies, and so on. One type of policy is designed for API clients, called API Protection.
API Protection requests are generally authenticated by user information present in an HTTP authorization header. APM then uses this authorization header data to authenticate users against an AAA server.
In addition to authentication, some deployments of API Protection also require authorization decisions to be performed against out-of-band data from external servers, typically group membership data from an external HTTP or LDAP server.
Conditions:
Administrators attempt to use HTTP Connector or LDAP Query in an API Protection type access policy.
Impact:
Administrators are not able to use HTTP Connector or LDAP Query in API Protection policies.
Fix:
Starting with 16.0, APM allows administrators to use HTTP Connector or LDAP Query inside of API Protection policies to make authorization decisions, greatly expanding the flexibility of APM's API Protection feature.
Fixed Versions:
16.0.0, 15.1.5
886729-2 : Intermittent TMM crash in per-request-policy allow-ending agent
Links to More Info: BT886729
Component: Access Policy Manager
Symptoms:
TMM crash.
Conditions:
When user trying to access a URL with unique hostname in the current session.
Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This intermittent TMM crash no longer occurs.
Fixed Versions:
16.0.0, 15.1.1
886717-1 : TMM crashes while using SSL Orchestrator.
Links to More Info: BT886717
Component: SSL Orchestrator
Symptoms:
On a multiple process TMM system, if a TMM process crashes, other TMM processes crash.
Conditions:
-- SSL Orchestrator is running in a system with multiple TMM processes and one of the TMM processes crashes.
-- SSL Orchestrator has been configured with HTTP (explicit or transparent) services.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Subsequent TMM core is no longer seen when any other TMM process cores.
Fixed Versions:
16.0.0, 15.1.0.5
886713-1 : Error log seen in case of SSL Orchestrator configured with http service during connection close.
Links to More Info: BT886713
Component: SSL Orchestrator
Symptoms:
An error is logged:
tmm2[24575]: 01c50003:3: Service : encountered error: ERR_UNKNOWN File: ../modules/hudfilter/service/service.c Function: hud_service_handler, Line: 778
Conditions:
SSL Orchestrator is configured with a http service and a connection closes.
Impact:
An error is logged, but it can be safely ignored.
Workaround:
N/A
Fix:
Error log is no longer seen in case of SSL Orchestrator configured with http service.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5
886693-3 : System might become unresponsive after upgrading. ★
Links to More Info: BT886693
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
886689-6 : Generic Message profile cannot be used in SCTP virtual
Links to More Info: BT886689
Component: TMOS
Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
Fix:
Generic Message profile can be used in SCTP virtual
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1
886649-2 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533-3 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
885869-2 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
Links to More Info: BT885869
Component: Global Traffic Manager (DNS)
Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.
Conditions:
An iQuery certificate using GenericTime instead of UTCTime.
Note that this would only occur with a date beyond the year 2049.
Impact:
Internal years are interpreted to be much later than they should be.
Workaround:
Use SSL certificates with UTCTime instead of GenericTime.
Fix:
Fixed an issue in iQuery SSL where GenericTime-formatted years interpreted incorrectly.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4
885765-3 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
885201-2 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
Links to More Info: BT885201
Component: Global Traffic Manager (DNS)
Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:
err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.
These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.
Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
- No route to host.
- Received a TCP RST.
- TCP handshake timeout.
Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.
These messages can be safely ignored.
Workaround:
If you want to suppress these messages, you can configure a syslog filter.
For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
Fix:
Added debug messages for SSL probing with a new DB variable Log.Big3dprobeplus.level
Fixed Versions:
16.1.0, 15.1.3, 14.1.4.1
884945-2 : Latency reduce in case of empty parameters.
Links to More Info: BT884945
Component: Application Security Manager
Symptoms:
Traffic load with many empty parameters may lead to increased latency.
Conditions:
Sending requests with many empty parameters
Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.
Workaround:
None
Fix:
Ignore empty parameters
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
884797-4 : Portal Access: in some cases data is not delivered via WebSocket connection
Links to More Info: BT884797
Component: Access Policy Manager
Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.
Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client
Impact:
Data is not delivered to the client browser via the WebSocket connection.
Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5
884425-2 : Creation of new allowed HTTP URL is not possible
Links to More Info: BT884425
Component: Application Security Manager
Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.
Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.
Impact:
The requested page (New Allowed HTTP URL...) is not loaded.
Workaround:
Use fewer parameters (less than 5000) per policy.
Fixed Versions:
16.0.0, 15.1.3, 14.1.3.1
884165-3 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
Links to More Info: BT884165
Component: TMOS
Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.
Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.
Impact:
Sync to the datasync groups cause the sync status of the devices to fluctuate.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5
883889-3 : Tmm might crash when under memory pressure
Links to More Info: BT883889
Component: Access Policy Manager
Symptoms:
Tmm might crash and restart when under memory pressure
Conditions:
SSL Orchestrator with service chaining (Security policy uses services).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
A condition where high tmm memory utilization results in memory corruption has been resolved.
Fixed Versions:
16.0.0, 15.1.5, 14.1.4.5
883853-2 : Bot Defense Profile with staged signatures prevents signature update ★
Links to More Info: BT883853
Component: Application Security Manager
Symptoms:
When a trying to install a new bot defense signature, the installation fails with the following log message:
com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.
Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.
Impact:
The new file cannot be installed.
Workaround:
Enforce the staged signature.
Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.2
883841-1 : APM now displays icons of all sizes what Horizon VCS supports.
Links to More Info: BT883841
Component: Access Policy Manager
Symptoms:
If the application icon's size is not 32x32, a default icon is displayed on the webtop.
Conditions:
1. Open Horizon VCS
2. Associate a custom icon to the application (size other
than 32x32) and save the changes.
3. Connect to virtual server or Native client
Impact:
A default icon is displayed for the applications which has icons of sizes not supported by APM.
Workaround:
In Horizon VCS, associate the application with an icon that is 32x32.
Fix:
Application icons of all sizes what View Connection Server supports are supported by APM.
Fixed Versions:
16.0.0, 15.1.5.1
883597-1 : Add a way to look up URLs in one specified custom category
Links to More Info: BT883597
Component: Access Policy Manager
Symptoms:
There is no way to look up URLs in one specified custom category.
Conditions:
Category lookup iRule or agent using custom categories is in the policy
Impact:
There is no way to use iRules to look up URLs in one specified custom category. If there are multiple custom categories and the URL is only in one of them, the Category Lookup agent and iRule will look through all custom categories even if you only want to look in one.
Workaround:
None.
Fix:
You can now use iRules to look up URLs in one specified custom category.
CATEGORY::lookup <url> custom -custom_cat_match <category name>
Behavior Change:
There is now an iRule to look up URLs in one specified custom category.
CATEGORY::lookup <url> custom -custom_cat_match <category name>
Fixed Versions:
16.0.0, 15.1.10
883593-1 : Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low
Links to More Info: BT883593
Component: TMOS
Symptoms:
Flows are dropped.
This can affect FTP active data channels.
Conditions:
"PVA Offload Initial Priority" is set to High or Low (setting to Medium works)
Impact:
Flows are dropped, traffic is disrupted.
Workaround:
None
Fix:
Fix the problem so that setting "PVA Offload Initial Priority" to High/Low does not impact traffic.
Fixed Versions:
16.0.0, 15.1.9
883577-4 : ACCESS::session irule command does not work in HTTP_RESPONSE event
Links to More Info: BT883577
Component: Access Policy Manager
Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm
No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)
Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.
Impact:
Cannot create APM session using the ACCESS::session irule command.
Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4.1
883529-1 : HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path
Links to More Info: BT883529
Component: Local Traffic Manager
Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.
Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than '*' (asterisk).
Impact:
HTTP/2 request with Method OPTIONS is limited to :path '*' only. Any other URIs are not forwarded to the server but are rejected with RST_STREAM with PROTOCOL_ERROR.
Workaround:
None.
Fix:
HTTP/2 request with Method OPTIONS now allows the URI to be something other than '*'. This request is not rejected, but is forwarded to the server.
Fixed Versions:
16.0.0, 15.1.1
883513-1 : Support for QUIC and HTTP/3 draft-27
Links to More Info: BT883513
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.
Conditions:
Browser requests draft-27.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.
Fixed Versions:
16.0.0, 15.1.0.3
883133-2 : TLS_FALLBACK_SCSV with TLS1.3
Links to More Info: BT883133
Component: Local Traffic Manager
Symptoms:
Possible handshake failure with some combinations of TLS Fallback Signaling Cipher Suite Value (SCSV) and SSL profile protocol versions.
Conditions:
-- Using fallback SCSV suites.
-- Using certain client SSL profile protocol versions (e.g., the virtual server is configured for TLS1.3, and the client is configured for TLS1.0 - TLS1.2).
Impact:
Possible handshake failure.
Workaround:
None.
Fix:
The BIG-IP system now correctly handles all combinations of fallback SCSV and supported protocol versions.
Fixed Versions:
16.1.0, 15.1.9
883105-1 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect
Links to More Info: BT883105
Component: Local Traffic Manager
Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.
Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.
Impact:
Connections fail.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.2
883049-2 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
Fix:
Now detecting and rectifying truncation of RRD files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
882769-1 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Links to More Info: BT882769
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed
Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter
Impact:
You are unable to search by response in the GUI
Workaround:
There is no way to search in GUI, but you can search using REST API
Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5
882713-3 : BGP SNMP trap has the wrong sysUpTime value
Links to More Info: BT882713
Component: TMOS
Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.
Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition
Impact:
The sysUpTime in the trap generated by BGP is incorrect.
Workaround:
None.
Fix:
Fixed an incorrect calculation of sysUpTime.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
882709-4 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors ★
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
882557-2 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Links to More Info: BT882557
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance
Fixed Versions:
16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4
882549-2 : Sock driver does not use multiple queues in unsupported environments
Links to More Info: BT882549
Component: Local Traffic Manager
Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and
You can verify this on the tx side as well.
Conditions:
This occurs in certain unsupported environments.
Note: When you run 'ethtool -l', you can see: 'command not supported'.
Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.
Workaround:
Use other available drivers.
You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed
Fix:
Fixed an issue with the sock driver.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
882377-3 : ASM Application Security Editor Role User can update/install ASU
Links to More Info: BT882377
Component: Application Security Manager
Symptoms:
Live Update modifications are allowed for Application Security Editor Role.
Conditions:
Login as Application Security Editor user and try to install ASU.
Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.2.5
882157-1 : One thread of pkcs11d consumes 100% without any traffic.
Links to More Info: BT882157
Component: Local Traffic Manager
Symptoms:
One thread of pkcs11d consumes 100% without any traffic.
Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.
Impact:
NetHSM configurations and statistics updates are not updated.
Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d
Fix:
The system now watches for errors and prevents this error from occurring.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
881757-1 : Unnecessary HTML response parsing and response payload is not compressed
Links to More Info: BT881757
Component: Application Security Manager
Symptoms:
When either DoS Application Profile or Bot Defense profiles are used, or a complex LTM policy is used, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.
Second effect is that the Bot Defense Profile and L7 DoS profile are always, not conditionally, considered internally as a profile that modifies a body that satisfies HTTP profile chunking configuration 'sustain' (default mode) triggering client-side chunking. This causes a response in the server-side that is unchunked to be always chunked in client-side with the mode set to 'sustain'.
Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- Policy is associated with the Virtual Server and has complex LTM Policy: multiple Policies, or additional rules.
Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.
Workaround:
For version 15.1.0 and later, you can use the following workaround:
Disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false
Note: Using this brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).
For versions earlier than 15.1.0, there is no workaround.
Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.1, 14.1.4.2
881641 : Errors on VPN client status window in non-English environment
Links to More Info: BT881641
Component: Access Policy Manager
Symptoms:
If Network Access resource or AppTunnel resource is being accessed using user interface language other than English, JavaScript errors may be shown in VPN client status window.
Conditions:
- Customization Type of Access policy is Modern
- Access Policy with languages other than English
- Network Access resource or AppTunnel resource assigned to this Access Policy
- standalone VPN client in non-English environment
Impact:
VPN connection or AppTunnel connection cannot be established.
Fix:
Now standalone VPN client can work correctly in non-English environment
Fixed Versions:
16.0.0, 15.1.4
881401-1 : TMM crash at Tcl_AfterCancelByUF() while deleting connections.
Links to More Info: BT881401
Component: Local Traffic Manager
Symptoms:
TMM crashed while deleting connections.
Conditions:
1.There are a high volume of connections remaining (those connections born from a virtual server which has iRule with "after XXX -periodic" iRule command) and connections are deleted.
2. A huge number of DNS requests are sent from the same source IP/port to a datagram_LB enabled UDP listener, which results in a huge number of flows in the same bucket and connections are deleted.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.0.0, 15.1.5.1
881085-3 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
880917-1 : A BD memory leak
Links to More Info: BT880917
Component: Application Security Manager
Symptoms:
A memory leak is observed in the bd process. The bd process memory increases over time.
Conditions:
A few bytes leak on every request under specific conditions.
Impact:
Slowly the bd memory increases until OOM killer is invoked by the kernel.
Workaround:
N/A
Fix:
The memory leak in the bd process was fixed.
Fixed Versions:
16.0.0, 15.1.10
880789-3 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT880789
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.
Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.
Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None.
Fix:
The botd handler is now restored to a more robust process lifecycle.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
880753-3 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
Links to More Info: K38157961 , BT880753
Component: Application Security Manager
Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.
Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).
Impact:
Some requests might not be processed by the Bot Defense profile.
Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable
Fix:
The mechanism which caused this issue is now correctly enabled.
Fixed Versions:
16.0.0, 15.1.1, 15.0.1.4, 14.1.2.7
880625-3 : Check-host-attr enabled in LDAP system-auth creates unusable config
Links to More Info: BT880625
Component: TMOS
Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.
Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.
Impact:
LDAP-based auth does not function.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
880289 : FPGA firmware changes during configuration loads ★
Links to More Info: BT880289
Component: TMOS
Symptoms:
FPGA firmware on distributed denial-of-service (DDoS) Hybrid Defender products might be changed unexpectedly during a configuration load or license update.
Conditions:
Configuration load or license update.
Impact:
FPGA firmware changes unexpectedly, a reboot might be required to stabilize.
Workaround:
None
Fix:
A race condition to select the correct Turboflex profile has been eliminated.
Fixed Versions:
16.1.0, 15.1.4
880165-2 : Auto classification signature update fails
Links to More Info: BT880165
Component: TMOS
Symptoms:
During classification update, you get an error:
"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"
An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".
Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.
It can occur when something goes wrong during license activation, but license activation ultimately succeeds.
Impact:
When this issue occurs, auto classification signature update will fail.
Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
879841-4 : Domain cookie same-site option is missing the "None" as value in GUI and rest
Links to More Info: BT879841
Component: Application Security Manager
Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.
Conditions:
You want to have SameSite=none attribute added to a domain cookie.
Impact:
You are unable to set SameSite=None
Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
879829-2 : HA daemon sod cannot bind to ports numbered lower than 1024
Links to More Info: BT879829
Component: TMOS
Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.
Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.
/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability
Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.
-- Version 13.1.0 or later.
Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.
Workaround:
Change the port number to 1024 or higher.
Note: UDP port 1026 is the default.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
879777-3 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge
Links to More Info: BT879777
Component: Application Security Manager
Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.
Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.
Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.
Workaround:
Use "validate in a bulk" option.
Fix:
Retrieving the cookie from the related domain even if the page is qualified.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
879745-4 : TMM may crash while processing Diameter traffic
Links to More Info: K82530456
879413-1 : Statsd fails to start if one or more of its *.info files becomes corrupted
Links to More Info: BT879413
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):
found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
879409-3 : TMM core with mirroring traffic due to unexpected interface name length
Links to More Info: BT879409
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.
Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
879405-1 : Incorrect value in Transparent Nexthop property
Links to More Info: BT879405
Component: TMOS
Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN after a change is made via the DOS menu then another change is made on the advanced menu.
Conditions:
Starting with a working config if the admin makes changes
From the DoS menu
- DoS configuration -> protected objects -> protected objects list
- Select virtual server (eg: test_vpn_443) -> open Network & General -> set enabled on vlans to "test" and Transparent nexthop to "test" -> save
# Now make a change that cannot be made via the DoS menu
From the Advanced menu
- Local Traffic -> Virtual server -> Virtual server list -> select virtual server (test_vpn_443)
- Note that "Transparent Nexthop" is set to "none" despite being set to "test" in bigip.conf and DoS menu
- Change clientssl profile (or whatever change) -> update
# Now go back and check the impact
From the DoS menu
- DoS configuration -> protected objects -> protected objects list
- Select virtual server (eg: test_vpn_443) -> open Network & General -> you can see that Transparent nexthop has been set to "none"
At this point connectivity could be broken and transparent nexthop will need to be reconfigured via the DoS menu.
Impact:
Incorrect value shown in Transparent Nexthop property field. which can cause connectivity to be lost between the affected locations.
Workaround:
There are multiple possible options:
either:
Use tmsh to complete the action successfully.
or
Do not configure the same VLAN group for the VLAN list and Transparent Next Hop
or
use the advanced menu as it performs as expected.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2
879401-1 : Memory corruption during APM SAML SSO
Links to More Info: K90423190 , BT879401
Component: Access Policy Manager
Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted. You might experience several types of unexpected actions, including a TMM restart and core-file generation.
Conditions:
-- BIG-IP system is configured as SAML SP.
-- External SAML IdP sends SLO request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
BIG-IP systems configured as SAML SP no longer cause memory corruption when handling certain traffic.
Fixed Versions:
16.0.0, 15.1.3, 14.1.2.5
879189-1 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
Links to More Info: BT879189
Component: TMOS
Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.
Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.
Impact:
The Network Map shows an error message.
Workaround:
Provision the module that supports the profile.
Fix:
The button text has been modified to be more informative.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
879001-1 : LDAP data is not updated consistently which might affect authentication.
Links to More Info: BT879001
Component: TMOS
Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.
This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.
Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.
Impact:
LDAP data is not updated consistently, and authentication might fail.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.9
878925-2 : SSL connection mirroring failover at end of TLS handshake
Links to More Info: BT878925
Component: Local Traffic Manager
Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.
Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.
Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.
Workaround:
None.
Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4.1
878893-3 : During system shutdown it is possible the for sflow_agent to core
Links to More Info: BT878893
Component: TMOS
Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.
Conditions:
BIG-IP reboot can cause the sflow_agent to core.
Impact:
There is a core file in the /var/core directory after a system reboot.
Fix:
Fixed an issue causing a core of sflow_agent during shutdown.
Fixed Versions:
16.0.0, 15.1.0.4
878641-2 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
878433-1 : Updated daemon may crash at shutdown
Links to More Info: BT878433
Component: TMOS
Symptoms:
The updated daemon crashes during shutdown.
Conditions:
Updated daemon active on system and then shuts down.
Impact:
Updated daemon cores at shutdown, no other functional impact outside writing of core file.
Workaround:
None
Fix:
Updated daemon no longer cores at shutdown.
Fixed Versions:
16.1.0, 15.1.10
877145-4 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
Links to More Info: BT877145
Component: TMOS
Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.
One other edge case that looks similar to this was fixed in ID1146373
Conditions:
This can be encountered intermittently while using iControl REST.
Impact:
Login failure.
Workaround:
None.
Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.3
877109-1 : Unspecified input can break intended functionality in iHealth proxy
Links to More Info: K04234247
876957-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Links to More Info: BT876957
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
Fixed Versions:
16.0.0, 15.1.1, 14.1.4.1
876953-2 : Tmm crash while passing diameter traffic
Links to More Info: BT876953
Component: Service Provider
Symptoms:
Tmm crashes with the following log message.
-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.
Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash while passing diameter traffic.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4
876937-3 : DNS Cache not functioning
Links to More Info: BT876937
Component: TMOS
Symptoms:
DNS queries are not being cached on the BIG-IP device.
Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.
Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.
Workaround:
None.
Fix:
DNS queries are now cached when DNS Cache is enabled.
Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.
By default, DNS cache is disabled. To recapture performance, enable DNS cache.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.3
876805-3 : Modifying address-list resets the route advertisement on virtual servers.
Links to More Info: BT876805
Component: TMOS
Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.
This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.
Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.
Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).
Workaround:
None
Fix:
Virtual address properties are now preserved when an address list is modified.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
876801-5 : Tmm crash: invalid route type
Links to More Info: BT876801
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.
Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4, 13.1.4
876677-1 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.
Links to More Info: BT876677
Component: Global Traffic Manager (DNS)
Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:
notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.
Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning
Impact:
TMM crashes and, in redundant configurations, the unit fails over.
Workaround:
Do not use the debug TMM.
Fix:
The debug assert was removed and replaced by a debug log.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
876581-2 : JavaScript engine file is empty if the original HTML page cached for too long
Links to More Info: BT876581
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
876569-3 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
876393-1 : General database error while creating Access Profile via the GUI
Links to More Info: BT876393
Component: Access Policy Manager
Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:
profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access
Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.
Impact:
You are unable to create the profile using the GUI.
Workaround:
You can create the Access Profile using TMSH.
tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1
Fix:
Access Profile of type SSO can now be created and edited from the GUI.
Fixed Versions:
16.0.0, 15.1.0.2
876077-1 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up
Links to More Info: BT876077
Component: Service Provider
Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.
Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
Stale pending retransmission entries are cleaned up properly.
Fixed Versions:
16.1.0, 15.1.0.5, 15.0.1.4, 14.1.2.5
875909-1 : Added internal parameter to address Chrome samesite default change
Links to More Info: BT875909
Component: Application Security Manager
Symptoms:
False-positive violations related to domain cookies enforcement (such as modified domain cookies, dynamic parameters extractions).
Conditions:
-- Using Google Chrome browser.
-- The ASM protected site is sending cookies (that are configured as enforced) with resources that are accessible through third party sites.
Impact:
False-positive violations.
Workaround:
An iRule can add the SameSite=None attribute to ASM generated cookies with the Set-cookie command.
Fix:
Added an internal parameter, ts_cookie_add_attrs, that allows the BIG-IP system administrator to add a string at the end of the ASM Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt-out from the Chrome browser modification and have the ASM cookie behave as before. This change is global and affects all ASM system cookies, except those set via JavaScript.
Fixed Versions:
16.0.0, 15.1.10
875401-2 : PEM subcriber lookup can fail for internet side new connections
Links to More Info: BT875401
Component: Policy Enforcement Manager
Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm
Impact:
PEM subscriber lookup can fail on the internet side
Workaround:
No workaround.
Fix:
PEM subcriber lookup now always succeeds for internet side new connections,
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4
874949-1 : TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
Links to More Info: BT874949
Component: Access Policy Manager
Symptoms:
TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
Conditions:
Client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent, TMM will not crash.
Fixed Versions:
16.0.0, 15.1.4
874941-2 : HTTP authentication in the access policy times out after 60 seconds
Links to More Info: BT874941
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
874753-3 : Filtering by Bot Categories on Bot Requests Log shows 0 events
Links to More Info: BT874753
Component: Application Security Manager
Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.
When filtering for only Bot Category: Browser Automation, nothing Shows up.
Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log
Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.
Workaround:
None.
Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
874677-1 : Traffic Classification auto signature update fails from GUI ★
Links to More Info: BT874677
Component: Traffic Classification Engine
Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.
The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.
Conditions:
Performing Traffic Classification auto signature update using the GUI.
Impact:
Fails to update the classification signature automatically.
Workaround:
You can use either of the following:
-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.
Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4.3
874221-1 : DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
Links to More Info: BT874221
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd.
Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured.
Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant.
Workaround:
Do not configure any wide IPs.
Fixed Versions:
16.1.0, 15.1.5.1
873677-7 : LTM policy matching does not work as expected
Links to More Info: BT873677
Component: Local Traffic Manager
Symptoms:
Policy matching may fail to work as expected
Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.
This may also be triggered by very complex policies with large numbers of rules.
Impact:
LTM policy matching does not work as expected.
Workaround:
None.
Fix:
LTM Policy matching now works correctly with large complex policies containing many rules or conditions.
Fixed Versions:
16.0.0, 15.1.6.1
873641-1 : Re-offloading of TCP flows to hardware does not work
Links to More Info: BT873641
Component: TMOS
Symptoms:
Once Hardware evicts the EPVA TCP flows due to Idle timeout, tmm does not reinsert the flows back when it receives a packet belonging to that flow.
Conditions:
This occurs when the TCP connection is kept idle for ~20 seconds.
Impact:
Performance can be impacted. Hardware acceleration will be disabled for the flows once the flow is removed from hardware due to Idle timeout.
Fix:
Fix will re-offload the flows to HW once SW starts receiving packets due to HW eviction of flows by Idle timeout.
Fixed Versions:
16.0.0, 15.1.4.1
873617-2 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
873545-2 : SSL Orchestrator Configuration GUI freezes after management IP change.
Links to More Info: BT873545
Component: SSL Orchestrator
Symptoms:
Changing the management IP address of the SSL Orchestrator BIG-IP device can result in an unresponsive SSL Orchestrator configuration interface in the TMUI. All other menus continue to work fine.
Conditions:
Change the management IP address of the SSL Orchestrator BIG-IP device.
Impact:
The SSL Orchestrator configuration interface in the TMUI becomes unresponsive and the BIG-IP SSL Orchestrator device administrator is not able to perform SSL Orchestrator management and configuration tasks.
Workaround:
After the SSL Orchestrator BIG-IP device management IP address change, use the following steps to get the SSL Orchestrator user interface to render correctly:
1. Wait for the management IP address change to become effective: (That is, the BIG-IP admin/user can log in to the BIG-IP console using the new management IP address).
2. In the BIG-IP terminal run the following commands:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
3. The SSL Orchestrator UI/topology should become available in approximately 30 - 60 seconds (subject to topology size, etc.)
Fix:
SSL Orchestrator Configuration GUI freezes after management IP change.
Fixed Versions:
15.1.10, 14.1.4.5
873249-1 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Links to More Info: BT873249
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
873013-5 : Alertd could leak memory if nokia alarm is enabled and nokiasnmpd is not running
Links to More Info: BT873013
Component: TMOS
Symptoms:
If the nokiasnmp daemon has not started running when the nokia alarm configuration is enabled then the alert daemon leaks memory when issuing traps.
Conditions:
Enabling nokia alarm handling and not starting the nokiasnmp daemon. The first time the alarm handling is configured, the alert and nokiasnmp daemons must be restarted.
Impact:
Memory is leaked when traps are issued in this configuration.
Fix:
The code has been fixed to properly handle this error condition and not leak memory.
Fixed Versions:
16.0.0, 15.1.10
872965-1 : HTTP/3 does not support draft-25
Links to More Info: BT872965
Component: Local Traffic Manager
Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.
Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.
Impact:
Attempts to use HTTP/3 with some clients may fail.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-24 and draft-25.
Fixed Versions:
16.0.0, 15.1.0.2
872721-3 : SSL connection mirroring intermittent failure with TLS1.3
Links to More Info: BT872721
Component: Local Traffic Manager
Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.
Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.
Impact:
Standby device fails tls handshake, active success so connection succeeds but not mirrored.
Fix:
Standby device now uses correct signature size if it differs from active device.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4.5
872645-2 : Protected Object Aggregate stats are causing elevated CPU usage
Links to More Info: BT872645
Component: Advanced Firewall Manager
Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.
Conditions:
AFM, ASM, or DoS features are provisioned.
Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.
Workaround:
None.
Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
872049-1 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command
Links to More Info: BT872049
Component: Advanced Firewall Manager
Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)
Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command
Impact:
Incorrect display value for DoS thresholds in GUI and tmctl
Fix:
Do not apply multiplayer for infinite threshold value (4294967295).
Fixed Versions:
16.0.0, 15.1.2
872037-2 : DNS::header rd does not set the Recursion desired
Links to More Info: BT872037
Component: Global Traffic Manager (DNS)
Symptoms:
iRule command DNS::header rd not working as expected.
Conditions:
Virtual server configured with an iRule command to set DNS::header rd.
Impact:
The DNS::header rd iRule command does not set the Recursion Desired flag in DNS headers.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.5.1
871985-1 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection
Links to More Info: BT871985
Component: Advanced Firewall Manager
Symptoms:
There are no hardware mitigation for DoS attacks
Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector
Impact:
DoS attack mitigation performed only by software
Fix:
Improved search in already hardware offloaded entities
Fixed Versions:
16.0.0, 15.1.2
871905-2 : Incorrect masking of parameters in event log
Links to More Info: K02705117 , BT871905
Component: Application Security Manager
Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.
Conditions:
The request contains a CSRF token and sensitive parameters.
Impact:
Sensitive parameters values can be masked incorrectly in the event log.
Workaround:
None.
Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.5
871761-1 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Links to More Info: BT871761
Component: Access Policy Manager
Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
871657-1 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Links to More Info: BT871657
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3
871653-1 : Access Policy cannot be created with 'modern' customization
Links to More Info: BT871653
Component: Access Policy Manager
Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.
Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.
Impact:
Administrator cannot use modern customization.
Workaround:
1. In bigip.conf find the following line:
apm policy customization-source /Common/standard { }
2. Add the following line:
apm policy customization-source /Common/modern { }
3. Save the changes.
4. Load the config:
tmsh load sys config
Fix:
Now modern customization can be used for any Access Policy.
Fixed Versions:
16.0.0, 15.1.0.2
871561-5 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' ★
Links to More Info: BT871561
Component: TMOS
Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:
failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)
The failed installation is also indicated by log messages in /var/log/ltm similar to:
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)
Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.
This can be accomplished by running the following command from the vCMP guest console:
tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
870957-4 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Links to More Info: BT870957
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.
Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.
Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
$ bigstart restart monpd
Fix:
Dividing the TMM value with 100 to fit correct scale.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
870389-3 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
Links to More Info: BT870389
Component: TMOS
Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.
Conditions:
This applies to deployments that use declarative onboarding for configuration.
Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.
Workaround:
The workaround is to manually extend the /var logical volume.
For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.
Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.
Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
870385-5 : TMM may restart under very heavy traffic load
Links to More Info: BT870385
Component: Advanced Firewall Manager
Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.
Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts under these conditions.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.2.8
870381-1 : Network Firewall Active Rule page does not load
Links to More Info: BT870381
Component: Advanced Firewall Manager
Symptoms:
In the BIG-IP GUI, the Network Firewall Active Rule page is blank and nothing is visible.
Conditions:
This occurs when viewing the Active Rule page.
Impact:
You are unable to view active Rules in GUI.
Workaround:
None.
Fix:
Network Firewall Active Rule page is now visible in the GUI.
Fixed Versions:
16.0.0, 15.1.2.1
869653-1 : VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction
Links to More Info: BT869653
Component: Access Policy Manager
Symptoms:
VCMP secondary blade restarts when creating more than one access profile in a transaction.
Conditions:
- In one transaction
- Create more than one access profiles
Impact:
Blade restarts and traffic is disrupted.
Fix:
All VCMP blades will continue to work when creating more than one access profile in a transaction.
Fixed Versions:
16.0.0, 15.1.4
869361-1 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
Links to More Info: BT869361
Component: Global Traffic Manager (DNS)
Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.
Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.
Impact:
Unable to manage wide IPs through the GUI.
Workaround:
Use tmsh to manage Inbound WideIPs.
Fixed Versions:
16.0.0, 15.1.1
869049-4 : Charts discrepancy in AVR reports
Links to More Info: BT869049
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats on DB get corrupted and incorrect.
Workaround:
None.
Fix:
Aggregation store-procedure is now fixed.
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1
868781-1 : TMM crashes while processing MRF traffic
Links to More Info: BT868781
Component: Service Provider
Symptoms:
TMM panic occurs when processing overflowed the MPI messages due to incorrectly calculated master key length:
../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.
Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.
-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM crash no longer occurs under these conditions.
Fixed Versions:
16.0.0, 15.1.1, 14.1.4.2, 13.1.4.1
868721-1 : Transactions are held for a long time on specific server related conditions
Links to More Info: BT868721
Component: Application Security Manager
Symptoms:
Long request buffers are kept around for a long time in bd.
Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.
Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.
Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.
Fix:
Add a check for this scenario so transactions will be released correctly.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
868641-3 : Possible TMM crash when disabling bot profile for the entire connection
Links to More Info: BT868641
Component: Application Security Manager
Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.
Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.
Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7
868381-1 : MRF DIAMETER: Retransmission queue unable to delete stale entries
Links to More Info: BT868381
Component: Service Provider
Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.
Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5
868209-3 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
Links to More Info: BT868209
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.
This defect will also cause active FTP data connections over vlan-group to fail.
Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.
OR
- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.
Impact:
Server-side connections will fail.
Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)
Fixed Versions:
16.1.0, 15.1.2.1, 14.1.4
868053-3 : Live Update service indicates update available when the latest update was already installed
Links to More Info: BT868053
Component: Application Security Manager
Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.
Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.
Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.
Workaround:
None.
Fix:
The Live Update service no longer displays a false message regarding updates available.
Fixed Versions:
16.0.0, 15.1.3, 14.1.3.1
867825-4 : Export/Import on a parent policy leaves children in an inconsistent state
Links to More Info: BT867825
Component: Application Security Manager
Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.
Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.
Impact:
The children on the different devices are left unexpectedly in different states.
Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.4, 13.1.5
867793-1 : BIG-IP sending the wrong trap code for BGP peer state
Links to More Info: BT867793
Component: TMOS
Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.
Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.
Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.
Workaround:
None.
Fix:
BIG-IP now sends the correct trap code for BGP peer state.
Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state into which the system is transitioning. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4
867373-4 : Methods Missing From ASM Policy
Links to More Info: BT867373
Component: Application Security Manager
Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.
Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.
Impact:
All traffic is blocked for the policy.
Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.
Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
867181-1 : ixlv: double tagging is not working
Links to More Info: BT867181
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
Fix:
Both VLAN tags are now present in packets.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
867013-2 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Links to More Info: BT867013
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.
Workaround:
None.
Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5
866925-5 : The TMM pages used and available can be viewed in the F5 system stats MIB
Links to More Info: BT866925
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
866685-1 : Empty HSTS headers when HSTS mode for HTTP profile is disabled
Links to More Info: BT866685
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.
Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.
Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:
when HTTP_RESPONSE_RELEASE {
if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
HTTP::header remove "Strict-Transport-Security"
}
}
Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
866613-4 : Missing MaxMemory Attribute
Links to More Info: BT866613
Component: Application Visibility and Reporting
Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.
Conditions:
This is encountered when viewing the System Monitor report.
Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').
Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.
Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.
Fix:
The MaxMemory attribute is now reported in System Monitor statistics.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5
866481-2 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode
Links to More Info: BT866481
Component: Local Traffic Manager
Symptoms:
TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode.
Conditions:
-- HTTP profile is attached to the virtual server.
-- The httprouter profile is attached to the virtual server.
-- HTTP goes into passthrough mode for any variety of reasons.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when HTTP-MR proxy attempts goes into passthrough mode.
Fixed Versions:
16.0.0, 15.1.2
866161-1 : Client port reuse causes RST when the security service attempts server connection reuse.
Links to More Info: BT866161
Component: Access Policy Manager
Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
866109-2 : JWK keys frequency does not support fewer than 60 minutes
Links to More Info: BT866109
Component: Access Policy Manager
Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:
01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.
Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.
Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.
Workaround:
Use a value of 60 minutes or higher.
Fix:
Auto discovery frequency now supported values lower than 60 minutes.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.2, 13.1.4.1
866073-2 : Add option to exclude stats collection in qkview to avoid very large data files
Links to More Info: BT866073
Component: TMOS
Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:
qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938
Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.
Impact:
Qkview files may not be able to be parsed by the iHealth service.
Also, memory allocation error messages may be displayed when generating qkview.
Workaround:
None.
Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.
Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"
Links to More Info: BT866021
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
865461-1 : BD crash on specific scenario
Links to More Info: BT865461
Component: Application Security Manager
Symptoms:
BD crash on specific scenario
Conditions:
A brute force attack mitigation using captcha or client side challenge.
Impact:
BD crash, failover.
Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
865329-1 : WCCP crashes on "ServiceGroup size exceeded" exception
Links to More Info: BT865329
Component: TMOS
Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.
Conditions:
Have WCCP service groups configured.
Impact:
WCCP throws an exception and crashes.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.5.1
865289-1 : TMM crash following DNS resolve with Bot Defense profile
Links to More Info: BT865289
Component: Application Security Manager
Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.
Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when Bot Defense is enabled and network DNS is configured.
Fixed Versions:
16.0.0, 15.1.2.1
865241-1 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Links to More Info: BT865241
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
865225-1 : 100G modules may not work properly in i15000 and i15800 platforms
Links to More Info: BT865225
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.0.2, 14.1.5.1, 13.1.3.4
865177-4 : Cert-LDAP returning only first entry in the sequence that matches san-other oid
Links to More Info: BT865177
Component: TMOS
Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists
Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids
Impact:
Only the first matching oid is returned.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1
865053-3 : AVRD core due to a try to load vip lookup when AVRD is down
Links to More Info: BT865053
Component: Application Visibility and Reporting
Symptoms:
AVRD cores during startup.
Conditions:
Avrd receives a SIGTERM while it is starting.
Impact:
This can lead to an AVRD core.
Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
864897-2 : TMM may crash when using "SSL::extensions insert"
Links to More Info: BT864897
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
iRule with "SSL::extensions insert"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.0.0, 15.1.7
864797-2 : Cached results for a record are sent following region modification
Links to More Info: BT864797
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.
Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.
-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.
Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.
Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.
Fix:
The system now handles regions item changes as expected, so this issue no longer occurs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
864757-3 : Traps that were disabled are enabled after configuration save
Links to More Info: BT864757
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
864677-1 : ASM causes high mcpd CPU usage
Links to More Info: BT864677
Component: Application Security Manager
Symptoms:
-- CPU utilization is high on the odd-numbered cores.
-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score
Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.
Impact:
Elevated CPU usage.
Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.
-- Restart ASM:
bigstart restart asm
Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
864513-1 : ASM policies may not load after upgrading to 14.x or later from a previous major version ★
Links to More Info: K48234609 , BT864513
Component: TMOS
Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.
Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.
Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.
Workaround:
You can use either of the following workarounds.
-- Remove ASM Policies while upgrading:
1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
2. Upgrade.
3. Reassociate each ASM Security Policy with its original virtual server.
-- Restore the UCS on a new boot location after upgrade:
1. Prior to upgrade, create a UCS.
2. Upgrade or create a new instance of the software version at the target location.
3. Restore the UCS at the new location.
Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7
864329-3 : Client port reuse causes RST when the backend server-side connection is open
Links to More Info: BT864329
Component: SSL Orchestrator
Symptoms:
The BIG-IP system or SSL Orchestrator does not close server-side connections when the security service closes the connection with the BIG-IP or SSL Orchestrator. So if client reuses the port, SSL Orchestrator rejects new connections by sending RST.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator is licensed and provisioned and Service chain is added in the security policy.
-- Security service closes the server-side connection with SSL Orchestrator.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSL Orchestrator rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSL Orchestrator no longer rejects the client connection when the client reuses the port.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
863917-2 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Links to More Info: BT863917
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.5, 13.1.4.1
863609-4 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
Links to More Info: BT863609
Component: Application Security Manager
Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.
Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes
Impact:
There are differences after deploy.
Workaround:
Discover and deploy again from BIG-IQ
Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
863401-1 : QUIC congestion window sometimes increases inappropriately
Links to More Info: BT863401
Component: Local Traffic Manager
Symptoms:
When QUIC is discovering the link bandwidth, it sometimes increases the congestion window when there is not enough available data to use the existing congestion window.
Conditions:
When the application is not generating enough data, or any streams with data are stream flow control limited.
Impact:
In some cases, the congestion window can be too large for the path and cause packet losses if it is later fully utilized.
Workaround:
None
Fix:
Correctly check for data limitations before increasing congestion window.
Fixed Versions:
16.0.0, 15.1.2.1
863285-1 : Incorrect value (icmpv6) is used when Rule List/Rule/Protocol is set to ICMPv6 via GUI. ★
Links to More Info: BT863285
Component: Advanced Firewall Manager
Symptoms:
Configuration load failes during upgrade and BIG-IQ discovery with following error in /config/bigip_base.conf:
Syntax Error:(/config/bigip_base.conf at line: 619) "ip-protocol" unknown protocol "icmpv6".
Conditions:
From the GUI, configure Rule List :: Rule :: Protocol and select 'icmpv6' from list.
Impact:
Failure to load configuration during upgrade or discovery by BIG-IQ.
Workaround:
Set the correct protocol attribute via tmsh:
modify security firewall rule-list test rules modify { test { ip-protocol ipv6-icmp } }
Fix:
The correct value is ipv6-icmp. This value is now set.
Fixed Versions:
16.0.0, 15.1.10
863165-3 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Links to More Info: BT863165
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.
Fixed Versions:
16.0.0, 15.1.9
863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted
Links to More Info: BT863161
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.
Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.
Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
863069-1 : Avrmail timeout is too small
Links to More Info: BT863069
Component: Application Visibility and Reporting
Symptoms:
AVR report mailer times out prematurely and reports errors:
AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.
Conditions:
Configure reports, which will be sent to e-mail
Impact:
Error response from SMTP server, and the report is not sent
Workaround:
Increase timeout in avrmail.php via bash commands
Fix:
The timeout was increased in avrmail.php
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
862937-3 : Running cpcfg after first boot can result in daemons stuck in restart loop ★
Links to More Info: BT862937
Component: TMOS
Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.
Conditions:
Running cpcfg on a volume that has already been booted into.
Impact:
Services do not come up.
Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:
# touch /.autorelabel
# reboot
On multi-blade VIPRION systems, including multi-blade vCMP guests:
# clsh touch /.autorelabel
# clsh reboot
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
862885-2 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
Links to More Info: BT862885
Component: Local Traffic Manager
Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.
Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.
Impact:
TMM generates a core and reports an OOPs message:
no trailing data.
Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.
Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
862793-1 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
Links to More Info: BT862793
Component: Application Security Manager
Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.
Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.
Workaround:
None.
Fix:
The software now replies with the blocking page, including the ASM support ID.
Fixed Versions:
16.0.0, 15.1.4
862693-6 : PAM_RHOST not set when authenticating BIG-IP using iControl REST
Links to More Info: BT862693
Component: TMOS
Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp
Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }
2. modify auth source type to radius
tmsh modify auth source { type radius }
3. try to authenticate to BIG-IP using iControl REST
Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id
Fixed Versions:
16.0.0, 15.1.6.1, 14.1.5.1
862597-7 : Improve MPTCP's SYN/ACK retransmission handling
Links to More Info: BT862597
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
MPTCP's SYN/ACK retransmission handling is improved.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5
862557-1 : Client-ssl profiles derived from clientssl-quic fail validation
Links to More Info: BT862557
Component: Local Traffic Manager
Symptoms:
After configuring a clientssl-quic profile, you get a validation error:
01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).
Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.
Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.
Workaround:
Modify the clientssl-quic profile to have the following properties:
cipher-group quic
ciphers none
This requires the following additional config objects:
ltm cipher group quic {
allow {
quic { }
}
}
ltm cipher rule quic {
cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
description "Ciphers usable by QUIC"
}
Fix:
Update the built-in configuration to pass validation.
Fixed Versions:
16.0.0, 15.1.0.1
862337-2 : Message Routing Diameter profile fails to forward messages with zero length AVPs
Links to More Info: BT862337
Component: Service Provider
Symptoms:
Message Routing Diameter profile does not forward diameter messages that include an AVP with a zero (0) length data field.
Conditions:
-- A virtual server with an Message Routing Diameter Profile.
-- A diameter message containing an AVP with a zero length data field.
Impact:
Diameter messages with zero length AVPs are not forwarded as expected.
Workaround:
None.
Fix:
Message Routing Diameter now forwards diameter messages containing zero length AVPs.
Fixed Versions:
16.0.0, 15.1.9
860881-3 : TMM can crash when handling a compressed response from HTTP server
Links to More Info: BT860881
Component: Local Traffic Manager
Symptoms:
TMM crashes while handling HTTP response
Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable compression on the server.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
860617-3 : Radius sever pool without attaching the load balancing algorithm will result into core
Links to More Info: BT860617
Component: Access Policy Manager
Symptoms:
Tmm crashes after configuring a radius server pool.
Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.
Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Pool selection counter gets incremented and message will be freed.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.5
860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Links to More Info: BT860517
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
860349-3 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
Links to More Info: BT860349
Component: TMOS
Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .
The /var/log/secure will show :
/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145
/var/log/daemon.log will show ;
/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.
> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault
Conditions:
LDAP/nslcd config , remote authentication , user-template used
The values within user-template include white spaces :
example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org
Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.
Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon
Fixed Versions:
16.0.0, 15.1.3, 14.1.2.8
860317-3 : JavaScript Obfuscator can hang indefinitely
Links to More Info: BT860317
Component: TMOS
Symptoms:
High CPU usage by obfuscator for an extended period of time.
Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.
Impact:
High CPU Usage.
Workaround:
Kill the obfuscator process
Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name
Links to More Info: BT860005
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core
Links to More Info: BT859721
Component: Service Provider
Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.
when CLIENT_ACCEPTED {
... omitted ...
after 1000 -periodic {
... omitted ...
reject
GENERICMESSAGE::message create "test"
}
}
This relates to ID 859113.
Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event
Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
859717-2 : ICMP-limit-related warning messages in /var/log/ltm
Links to More Info: BT859717
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
859113-1 : Using "reject" iRules command inside "after" may causes core
Links to More Info: BT859113
Component: Local Traffic Manager
Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.
when CLIENT_ACCEPTED {
... omitted ...
after 1000 -periodic {
... omitted ...
reject
GENERICMESSAGE::message create "test"
}
}
This relates to ID 859721
Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event
Fix:
Using "reject" iRules command inside "after" no longer cause core.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
858973-1 : DNS request matches less specific WideIP when adding new wildcard wideips
Links to More Info: BT858973
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2
Links to More Info: K82498430 , BT858769
Component: TMOS
Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.
Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.
Impact:
The longer keys lengths for SNMPv3 cannot be used.
Workaround:
None
Fix:
With the net-snmp 5.8 libraries there is SHA-2 support for longer SHA and AES keys. New options are: SHA-224, 256, 384, and 512 and AES-192, 192-C, 256, 256-C.
Fixed Versions:
16.0.0, 15.1.0.4
858701-1 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x ★
Links to More Info: BT858701
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
858453-2 : TMM may crash with forward proxy enabled when SessionDB looks for a null profile
Links to More Info: BT858453
Component: Local Traffic Manager
Symptoms:
TMM may crash with forward proxy enabled when SessionDB looks for a null profile.
Conditions:
Forward proxy is enabled.
Impact:
TMM crashes, traffic is disrupted.
Workaround:
None
Fix:
Introduced a null check to prevent the crash, TMM does not crash.
Fixed Versions:
16.0.0, 15.1.10
858429-3 : BIG-IP system sends ICMP packets on both virtual wire interfaces.
Links to More Info: BT858429
Component: Local Traffic Manager
Symptoms:
ICMP packets are forwarded to both virtual wire interfaces, which causes MAC-Flapping on the connected switches.
Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.
Impact:
Traffic is disrupted in the network.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.0.0, 15.1.1, 15.0.1.4, 14.1.2.8
858301-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858301
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2
858297-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858297
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2
858289-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858289
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
858285-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT858285
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
858229-5 : XML with sensitive data gets to the ICAP server
Links to More Info: K22493037 , BT858229
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy related changes
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
858197-2 : Merged crash when memory exhausted
Links to More Info: BT858197
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
Fix:
Remove function call to drop row from table on error path where row was not successfully added.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.5
858189-3 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.
Links to More Info: BT858189
Component: Device Management
Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad, restnoded, and/or icrd timeout errors.
Conditions:
Using iControl REST or an iApp to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.
Workaround:
N/A
Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.
Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:
restnoded.timeout
restjavad.timeout
icrd.timeout
The default value is 60 seconds for each of these.
A restart of restjavad and restnoded is required for the change to take effect.
tmsh restart /sys service restjavad
tmsh restart /sys service restnoded
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7, 12.1.5.2
858005-2 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Links to More Info: BT858005
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent
Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
857953-2 : Non-functional disable/enable buttons present in GTM wide IP members page
Links to More Info: BT857953
Component: Global Traffic Manager (DNS)
Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.
Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./
Impact:
No action against the selected members occurs when the buttons are pressed.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
857845-1 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
Links to More Info: BT857845
Component: Local Traffic Manager
Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.
Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.
Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
857633-7 : Attack Type (SSRF) appears incorrectly in REST result
Links to More Info: BT857633
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
857589-1 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
Links to More Info: BT857589
Component: Access Policy Manager
Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x
Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.
Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.
Workaround:
None.
Fix:
The system now shows a prompt/pop-up for credentials and signs-in successfully.
Fixed Versions:
16.0.0, 15.1.1
856953-4 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
Links to More Info: BT856953
Component: TMOS
Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.
Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.
Fix:
TMM no longer cores.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.2.8, 13.1.5
856909-3 : Apmd core occurs when it fails to retrieve agentInfo
Links to More Info: BT856909
Component: Access Policy Manager
Symptoms:
APMD daemon crashes.
Conditions:
When configuring 'REST API Security (Open API Spec)' application with Rate Limiting in Security.
Specific conditions required to reproduce this issue have not been identified.
Impact:
APMD crashes and restarts during configuration time. No service impact.
Workaround:
No workaround is needed because it is during configuration time and the system recovers by itself.
Fix:
In case agent information is missing in the request after deserialization, added a condition to handle the request gracefully.
Fixed Versions:
16.0.0, 15.1.9
856725-1 : Missing learning suggestion for "Illegal repeated parameter name" violation
Links to More Info: BT856725
Component: Application Security Manager
Symptoms:
Some URL/parameter related suggestions are not issued
Conditions:
The can occur on URLs that are configured with a method. It can also occur on URL-level parameters that are configured on such URLs.
Impact:
Some learning suggestions are not issued as expected
Workaround:
None
Fix:
After fix suggestions are issued as expected
Fixed Versions:
16.0.0, 15.1.3
856713-3 : IPsec crash during rekey
Links to More Info: BT856713
Component: TMOS
Symptoms:
IPsec-related tmm crash and generated core file during rekey.
Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.
Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
IPsec-related tmm crash has been fixed.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.9, 14.1.2.8
854493-5 : Kernel page allocation failures messages in kern.log
Links to More Info: BT854493
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.8
854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Links to More Info: BT854177
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4, 12.1.5.1
854129-2 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
854001-2 : TMM might crash in case of trusted bot signature and API protected url
Links to More Info: BT854001
Component: Application Security Manager
Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.
Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.
Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Links to More Info: BT853613
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.
Impact:
TCP connections hangs, and data transfer cannot be completed.
Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.
Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
853585-1 : REST Wide IP object presents an inconsistent lastResortPool value
Links to More Info: BT853585
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.6
853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
Links to More Info: BT853545
Component: Service Provider
Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.
Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.
Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.
Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.
Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
853325-1 : TMM Crash while parsing form parameters by SSO.
Links to More Info: BT853325
Component: Access Policy Manager
Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.
Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.
Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.
Workaround:
Do not use Passthrough mode with SSO.
Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.5
853161-4 : Restjavad has different behavior for error responses if the body is over 2k
Links to More Info: BT853161
Component: TMOS
Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.
Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.
Impact:
The error response body is deformed when the length of the error body is more than 2k characters
Fix:
Restjavad no longer truncates error response messages at 2048 characters.
Fixed Versions:
16.0.0, 15.1.9
853101-2 : ERROR: syntax error at or near 'FROM' at character 17
Links to More Info: BT853101
Component: TMOS
Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.
Conditions:
Enabled turboflex-security and AFM module.
Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.
Workaround:
None.
Fix:
Correct is AFMProvisioned check was added to wrap database connection deallocation
Fixed Versions:
16.0.0, 15.1.2.1
852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped
Links to More Info: BT852873
Component: Local Traffic Manager
Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.
Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.
Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.
Workaround:
None.
Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.7
852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
Links to More Info: BT852861
Component: Local Traffic Manager
Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.
Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.
Impact:
TMM cores intermittently.
Workaround:
No workaround.
Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.
Fixed Versions:
16.0.0, 15.1.0.2
852557-3 : Tmm core while using service chaining for SSL Orchestrator
Links to More Info: BT852557
Component: SSL Orchestrator
Symptoms:
Tmm core found when using service chaining for SSL Orchestrator (SSL Orchestrator).
Conditions:
SSL Orchestrator with service chaining.
Impact:
Tmm crashes and generates a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm no longer crashes while using service chaining for SSL Orchestrator.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852481-3 : Failure to check virtual-server context when closing server-side connection
Links to More Info: BT852481
Component: SSL Orchestrator
Symptoms:
The TMM process may fail with a segment fault (SIGSEGV) panic and deposit a core file.
Conditions:
-- SSL Orchestrator configuration.
-- Closing server-side connection.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer experiences panic when server-side connections are being closed.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852477-3 : Tmm core when SSL Orchestrator is enabled
Links to More Info: BT852477
Component: SSL Orchestrator
Symptoms:
The tmm process may fail with a segment fault (SIGSEGV) panic and deposit a core file.
Conditions:
This can occur when SSL Orchestrator is enabled and is passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Tmm no longer experiences panic when draining data from server-side connections that are being closed.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852437-3 : Overly aggressive file cleanup causes failed ASU installation
Links to More Info: K25037027 , BT852437
Component: Application Security Manager
Symptoms:
Directory cleanup for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.
Conditions:
An ASU runs at the same time as the file cleanup task.
Impact:
The ASU fails to complete successfully.
Workaround:
The default clean interval is 300 seconds (5 minutes).
1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles
2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles
3. Upgrade the ASU immediately.
If 5 minutes is not enough, you can increase the clean interval.
1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:
From:
[CleanFiles]
Interval=300
To:
[CleanFiles]
Interval=3000
Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.
2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>
3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
4. Install the ASU; the temp files can stay in the folder for 50 minutes.
5. After the ASU is installed, change the interval back to 300 and restart asmcrond.
6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log
Fix:
The directory cleanup does not clean up files that are being actively used for an installation.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
852373-3 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
Links to More Info: BT852373
Component: Local Traffic Manager
Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:
TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".
Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.
Impact:
HTTP/2 traffic is not passed to the serverside.
Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside
Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.
Fixed Versions:
16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5
852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
Links to More Info: BT852313
Component: Access Policy Manager
Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431
Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.
Impact:
VMware Horizon client cannot connect to APM after some time.
Workaround:
None.
Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852289-4 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Links to More Info: K23278332 , BT852289
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
DNS over TCP is DDoS attack is not mitigated correctly.
Workaround:
Using DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4
852101-1 : Monitor fails.
Links to More Info: BT852101
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
852001-1 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
Links to More Info: BT852001
Component: TMOS
Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.
Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.
Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.
Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.
Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
851857-1 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Links to More Info: BT851857
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5
851789-2 : SSL monitors flap with client certs with private key stored in FIPS
Links to More Info: BT851789
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.5, 12.1.5.3
851745-3 : High cpu consumption due when enabling large number of virtual servers
Links to More Info: BT851745
Component: Advanced Firewall Manager
Symptoms:
Observed autodosd CPU burst
Conditions:
Enable autodosd and a large number of virtual servers
Impact:
High cpu utilization in autodosd
Workaround:
Disable autodosd
Fix:
Autodosd no longer excessively consumes CPU cycles.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4.1
851581-3 : Server-side detach may crash TMM
Links to More Info: BT851581
Component: Local Traffic Manager
Symptoms:
TMM crash with 'server drained' panic string.
Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.
Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.
Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.
-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.
Fix:
TMM does not crash no matter when the server-side detach is triggered.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores
Links to More Info: BT851477
Component: Local Traffic Manager
Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.
Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.
Impact:
TMM cores when accessing uninitialized memory.
Workaround:
No workaround.
Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
Links to More Info: BT851445
Component: Local Traffic Manager
Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.
Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.
Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.
Workaround:
Configure correct value of max uni-streams in QUIC profile.
Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.
Fixed Versions:
16.0.0, 15.1.0.2
851393-1 : Tmipsecd leaves a zombie rm process running after starting up
Links to More Info: BT851393
Component: TMOS
Symptoms:
After booting the system, you notice zombie 'rm' processes:
$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
Restarting tmipsecd will kill the zombied process but will start a new one.
Conditions:
-- IPsec is enabled.
-- Booting up the system.
Impact:
A zombie 'rm' process exists. There should be no other impact.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.4.4
851345-1 : The TMM may crash in certain rare scenarios involving HTTP/2
Links to More Info: BT851345
Component: Local Traffic Manager
Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.
The TMM may crash in rare scenarios when a stream is being torn down.
Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
851121-2 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
851045-1 : LTM database monitor may hang when monitored DB server goes down
Links to More Info: BT851045
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1, 13.1.3.6, 12.1.5.3
850997-1 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
Links to More Info: BT850997
Component: TMOS
Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.
Conditions:
Viewing the page at:
System :: High Availability : Fail-safe : System
Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.
Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.
Fixed Versions:
16.0.0, 15.1.9
850973-1 : Improve QUIC goodput for lossy links
Links to More Info: BT850973
Component: Local Traffic Manager
Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.
Conditions:
The tested links are lossy (e.g, 0.1% loss probability).
Impact:
QUIC completes the data transfer in longer time.
Workaround:
N/A
Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.
Fixed Versions:
16.0.0, 15.1.0.2
850933-1 : Improve QUIC rate pacing functionality
Links to More Info: BT850933
Component: Local Traffic Manager
Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.
Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.
Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.
Workaround:
N/A
Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.
Fixed Versions:
16.0.0, 15.1.0.2
850873-3 : LTM global SNAT sets TTL to 255 on egress.
Links to More Info: BT850873
Component: Local Traffic Manager
Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.
Conditions:
Traffic is handled by global SNAT.
Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
850777-3 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
Links to More Info: BT850777
Component: TMOS
Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.
Errors similar to one below are seen in an LTM log:
err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.
Conditions:
- Static management IP address configuration.
- Instance is restarted.
Impact:
Instance is not operational after restart.
Workaround:
After instance is fully booted, reload the license with 'reloadlic'.
Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
Links to More Info: BT850677
Component: Application Security Manager
Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.
Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.
Workaround:
Use UTF-8.
Fix:
This release supports REST access in non-UTF-8 policies.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
850673-1 : BD sends bad ACKs to the bd_agent for configuration
Links to More Info: BT850673
Component: Application Security Manager
Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- if unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1
850641-2 : Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies
Links to More Info: BT850641
Component: Application Security Manager
Symptoms:
An incorrect parameter is created for names with non-ASCII characters, e.g., a parameter with Chinese characters in the name in a BIG-IP encoding policy.
Conditions:
Non-UTF8 policy parameters created using the GUI.
Impact:
The BIG-IP system does not enforce these parameters, and the list of parameters is not rendered correctly.
Workaround:
Create the parameter using REST API.
Fix:
Parameters are now created correctly in the GUI for any policy encoding and any characters in the parameter name.
Fixed Versions:
16.0.0, 15.1.0.5
850509-1 : Zone Trusted Signature inadequately maintained, following change of master key
Links to More Info: BT850509
Component: Global Traffic Manager (DNS)
Symptoms:
During config load or system start-up, you may see the following error:
-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.
In some instances, other errors resembling the following may appear:
-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.
-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).
Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.
Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.
Workaround:
None.
Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4.4, 13.1.5
850277-1 : Memory leak when using OAuth
Links to More Info: BT850277
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4, 13.1.3.4
850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
Links to More Info: BT850193
Component: TMOS
Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.4
850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
Links to More Info: BT850145
Component: Local Traffic Manager
Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.
Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.
Impact:
Connection hangs and is eventually reset.
Workaround:
No workaround.
Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
850141-1 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
849405-2 : LTM v14.1.2.1 does not log after upgrade ★
Links to More Info: BT849405
Component: TMOS
Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.
Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.
Impact:
Logs are not generated and sysstat.service is not running.
Workaround:
Once the BIG-IP system starts up, check for failed services:
systemctl list-units --failed
If results show sysstat.service as FAILED, run the following command:
restorecon -Rv /var/log/sa6 && systemctl start sysstat
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5
849157-2 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
Links to More Info: BT849157
Component: TMOS
Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.
Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.
Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.
Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm
Note: Restarting tmm causes an interruption to traffic.
Fix:
SCTP connections now expire properly after the maximum number of INITs have been attempted and can no longer get stuck in this case.
Fixed Versions:
16.0.0, 15.1.4
849085-1 : Lines with only asterisks filling message and user.log file
Links to More Info: BT849085
Component: TMOS
Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.
For example:
Nov 12 10:40:57 bigip1 **********************************************
Conditions:
Snmp query an OID handled by sflow, for example:
snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1
Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.
Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.
Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.
=============================================
Solution #1 - Filter out all sflow_agent logs:
1) remount /usr as read+write:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only
mount -o ro,remount /usr
=============================================
Solution #2 - Filter out all messages with \n or \r:
1) remount /usr as r+w:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl:
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only:
mount -o ro,remount /usr
Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
849029-5 : No configurable setting for maximum entries in CRLDP cache
Links to More Info: BT849029
Component: Access Policy Manager
Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.
Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.
Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.
Workaround:
None.
Fix:
There is now a setting for configuring maximum entries in CRLDP cache.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
Links to More Info: BT848777
Component: Local Traffic Manager
Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:
-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
Conditions:
-- Create custom partition.
-- Create custom route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.
Impact:
Sync fails with error. Configuration does not sync to peer node.
On VIPRION systems this may cause mcpd on a secondary blade to crash and fail to come up.
Workaround:
None
Fix:
Configuration now syncs to peer node successfully.
Fixed Versions:
16.0.0, 15.1.0.4, 14.1.2.7
848673-1 : Messages that originate from split tunneled frame have incorrect Portal Access message event origin.
Links to More Info: BT848673
Component: Access Policy Manager
Symptoms:
Depending on the web-application internal logic, unexpected exceptions can occur and other issues can be visible.
Conditions:
Portal Access message originates from a split tunneled frame, for example, in a split tunneling configuration:
REWRITE
*://*
BYPASS
*://*example*
*://*exmpmg*
Impact:
Web-application does not operate as expected. The
- Messages sent from the iframe with src=http://example.com to the main window with URL http://my.company.com might cause exceptions when receiving data.
Workaround:
Use a custom iRule to handle this situation.
Fix:
Portal Access message event now has the correct origin if the message originates from a split tunneled frame.
Fixed Versions:
16.0.0, 15.1.10
848445-1 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer ★
Links to More Info: K86285055 , BT848445
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.
Workaround:
Can defined the parameters as global sensitive parameters.
Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
847325-3 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
Links to More Info: BT847325
Component: Local Traffic Manager
Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.
-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.
-- The persistence types that are affected are:
- Source Address (but not hash-algorithm carp)
- Destination Address (but not hash-algorithm carp)
- Universal
- Cookie (only cookie hash)
- Host
- SSL session
- SIP
- Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Workaround:
None.
Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
847105-2 : The bigip_gtm.conf is reverted to default after rebooting with license expired ★
Links to More Info: BT847105
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).
Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.
Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.
Workaround:
Renew license before reboot. Always reboot with valid license.
If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.
1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
tmsh load sys config gtm-only
If this is a the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
846713-1 : Gtm_add does not restart named
Links to More Info: BT846713
Component: Global Traffic Manager (DNS)
Symptoms:
Running gtm_add failed to restart the named daemon.
Conditions:
Run gtm_add to completion.
Impact:
Named is not restarted. No BIND functionality.
Workaround:
Restart named:
bigstart start named
Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.
Fixed Versions:
16.0.0, 15.1.0.3
846601-4 : Traffic classification does not update when an inactive slot becomes active after upgrade ★
Links to More Info: BT846601
Component: Traffic Classification Engine
Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.
Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.
Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.
Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.
If you insert a blade, run config sync manually from the active blade.
Fix:
Upgrade script now initiates install when the slot becomes active.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
846441-2 : Flow-control is reset to default for secondary blade's interface
Links to More Info: BT846441
Component: TMOS
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
846217-3 : Translucent vlan-groups set local bit in destination MAC address
Links to More Info: BT846217
Component: Local Traffic Manager
Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.
Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.
On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.
Impact:
Traffic handled by translucent vlan-groups may not work properly.
Workaround:
On versions earlier than 15.0.0, there is no workaround.
-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:
tmsh modify sys db connection.vgl2transparent value disable
Note: connection.vgl2transparent is disabled by default.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4.4
846181-3 : Request samples for some of the learning suggestions are not visible
Links to More Info: BT846181
Component: Application Security Manager
Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.
Conditions:
'Learning Suggestion' created from only one 'Request Log' record.
Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.2
846137-4 : The icrd returns incorrect route names in some cases
Links to More Info: BT846137
Component: TMOS
Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
Result information is not compatible with actual result.
Workaround:
None.
Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
846073-1 : Installation of browser challenges fails through Live Update
Links to More Info: BT846073
Component: Application Security Manager
Symptoms:
Live Update of Browser Challenges fails installation.
Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.
Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.
Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.
Impact:
Browser Challenges update file cannot be installed.
Workaround:
None.
Fix:
Browser Challenges update file can now be installed via Live Update.
Fixed Versions:
16.0.0, 15.1.0.2
846057-3 : UCS backup archive may include unnecessary files
Links to More Info: BT846057
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
Fixed Versions:
16.0.0, 15.1.3, 14.1.4, 13.1.4
845953-1 : BD crash on specific scenario
Links to More Info: BT845953
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific out of memory scenario.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
This OOM specific scenario does not cause a crash.
Fixed Versions:
16.0.0, 15.1.9
845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Links to More Info: BT845333
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
Fix:
Validation can recognize the datagroup on Transport Config objects.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
845313-3 : Tmm crash under heavy load
Links to More Info: BT845313
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to PEM subscriber IDs.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4
844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
Links to More Info: BT844781
Component: Access Policy Manager
Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.
Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384
Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.
Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/
Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4
844689-1 : Possible temporary CPU usage increase with unusually large named.conf file
Links to More Info: BT844689
Component: Global Traffic Manager (DNS)
Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.
Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).
Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.
Workaround:
None.
Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
844685-1 : Per-request policy is not exported if it contains HTTP Connector Agent
Links to More Info: BT844685
Component: Access Policy Manager
Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.
Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.
Impact:
Per-request policy cannot be exported and reports an error.
Workaround:
None.
Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.
Fixed Versions:
16.0.0, 15.1.0.2
844597-4 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
Links to More Info: BT844573
Component: Access Policy Manager
Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.
Conditions:
This is encountered when this message is logged by mcpd.
Impact:
Log message cannot be grouped with messages at the correct log level.
Workaround:
None.
Fixed Versions:
15.1.0.2
844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
Links to More Info: BT844281
Component: Access Policy Manager
Symptoms:
Java applets are not patched when accessed through APM Portal Access.
/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.
/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.
Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.
Impact:
Java applets cannot be patched by APM Portal Access rewriter.
Workaround:
None.
Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4
844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Links to More Info: BT844085
Component: TMOS
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
844045-3 : ASM Response event logging for "Illegal response" violations.
Links to More Info: BT844045
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade ★
Links to More Info: BT843801
Component: Application Security Manager
Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.
Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.
Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.
Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat
This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.
** Another Workaround incase the above does not solve the issue:
1. stop the tomcat server:
> bigstart stop tomcat
2. clean the live update db :
> cd /var/lib/hsqldb/live-update
> rm -f liveupdatedb.*
3. remove all *.im files which are not genesis file (factory-default files):
3.1 get the list of genesis files:
> less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
3.2 go to update file directory:
> cd /var/lib/hsqldb/live-update/update-files
3.3 manually remove the *.im files that are not genesis
4. restart the tomcat server:
> bigstart start tomcat
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7
843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Links to More Info: BT843597
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:
notice vmxnet3[1b:00.0]: MTU: 9198
notice vmxnet3[1b:00.0]: Error: Activation command failed: 1
If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.
Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
Fix:
The software now ensure that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
842989-6 : PEM: tmm could core when running iRules on overloaded systems
Links to More Info: BT842989
Component: Policy Enforcement Manager
Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on tmm or modify the optimize the irule.
Fixed Versions:
16.1.0, 15.1.2, 14.1.4
842937-6 : TMM crash due to failed assertion 'valid node'
Links to More Info: BT842937
Component: Local Traffic Manager
Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refrain from using ramcache may mitigate the problem.
Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7, 12.1.5.3
842865-2 : Add support for Auto MAC configuration (ixlv)
Links to More Info: BT842865
Component: TMOS
Symptoms:
Mac addresses are forced to be the same for ixlv trunks.
Conditions:
This happens when ixlv trunks are used.
Impact:
Mac addresses may not be as depicted on the device.
Workaround:
None.
Fix:
Unicast mac filters are used for ixlv trunks.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8
842625-5 : SIP message routing remembers a 'no connection' failure state forever
Links to More Info: BT842625
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.
Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.
Impact:
The BIG-IP system is never be able to establish connection to the peer.
Workaround:
None.
Fix:
SIP message routing now recovers from a 'no connection' failure state.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.4
842517-2 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
Links to More Info: BT842517
Component: Local Traffic Manager
Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID
Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.
Impact:
SSL handshake fails.
Workaround:
Restart the PKCS11D.
Fixed Versions:
16.1.0, 15.1.3
842425-1 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
842189-4 : Tunnels removed when going offline are not restored when going back online
Links to More Info: BT842189
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.2.7, 13.1.3.6, 12.1.5.3
842161-1 : Installation of Browser Challenges fails in 15.1.0
Links to More Info: BT842161
Component: Application Security Manager
Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.
BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:
gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
"asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key
Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.
Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.
Workaround:
None
Fix:
Browser Challenges update file can now be installed via Live Update.
Fixed Versions:
16.0.0, 15.1.0.2
842125-6 : Unable to reconnect outgoing SCTP connections that have previously aborted
Links to More Info: BT842125
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections are unable to be created resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4
842029-2 : Unable to create policy: Inherited values may not be changed.
Links to More Info: BT842029
Component: Application Security Manager
Symptoms:
When you create a new child policy you see the following error in the GUI:
Could not update the Policy. Inherited values may not be changed.
Conditions:
1. Parent policy created using the Fundamental Template
a. Differentiate between HTTP/WS and HTTPS/WSS URLs is Disabled
b. Auto-Added Signature Accuracy set to High.
2. Parent policy contains a custom filter-based signature.
3. Child policy is created from the parent policy assigned.
Impact:
You are unable to create a policy via the GUI.
Workaround:
Use direct REST API calls or tmsh.
Fix:
Create policy will not fail.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.5
842013-3 : ASM Configuration is Lost on License Reactivation ★
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
841953-7 : A tunnel can be expired when going offline, causing tmm crash
Links to More Info: BT841953
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes under these conditions.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3
841649-4 : Hardware accelerated connection mismatch resulting in tmm core
Links to More Info: BT841649
Component: TMOS
Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.
Conditions:
One or more of the following:
-- A FastL4 virtual server that has hardware acceleration enabled.
-- A NAT or SNAT object without a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable hardware acceleration.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4.1
841581 : License activation takes a long time to complete on Google GCE platform
Links to More Info: BT841581
Component: TMOS
Symptoms:
The license installation and activation process takes a very long time to complete.
Conditions:
- BIG-IP Virtual Edition running on Google Compute Engine (GCE) Platform.
- Activating the BIG-IP license.
Impact:
It can take 2-3 minutes to report the device is licensed and 3-4 minutes for BIG-IP system to become Active after that.
Workaround:
None.
Fixed Versions:
15.1.0.2
841469-6 : Application traffic may fail after an internal interface failure on a VIPRION system.
Links to More Info: BT841469
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.5, 13.1.3.4
841333-7 : TMM may crash when tunnel used after returning from offline
Links to More Info: BT841333
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3
841305-2 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
Links to More Info: BT841305
Component: Application Visibility and Reporting
Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error
Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.
Impact:
Charts are empty in the GUI, and the system logs errors in monpd.
Workaround:
None.
Fix:
Fixed an issue with HTTP stats database tables.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5
841285-1 : Sometimes apply policy is stuck in Applying state
Links to More Info: BT841285
Component: Application Security Manager
Symptoms:
The word "Applying" is displayed long after the policy has been applied.
Conditions:
This can occur when applying policies.
Impact:
It appears that Apply policy is stuck, when it is not.
Workaround:
Refresh the page, or look for the log entry in /var/log/asm
ASMConfig change: Apply Policy Task Apply Policy Task [update]: Status was set to COMPLETED.
Fix:
Apply policy state is shown correctly in GUI
Fixed Versions:
16.0.0, 15.1.9
841277-7 : C4800 LCD fails to load after annunciator hot-swap
Links to More Info: BT841277
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
Fix:
The LCD now automatically reloads once a functioning annunciator card is inserted into the left slot and the top bezel is replaced. It may take up to 10 seconds for the LCD to return to normal functionality.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.3
840821-1 : SCTP Multihoming not working within MRF Transport-config connections
Links to More Info: BT840821
Component: Service Provider
Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.
Conditions:
Usage of SCTP multi-homing with a MRF transport-config.
Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.
Fixed Versions:
16.0.0, 15.1.0.2
840809-2 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
Links to More Info: BT840809
Component: Advanced Firewall Manager
Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.
Conditions:
If subscriber info changes, for example, if a client is sending a radius message with IMSI A - LSN_PB_UPDATE logs are observed. And later when the IMSI is changed to B and another radius message is sent from the client, then LSN_PB_UPDATE log events are not observed.
Impact:
LSN_PB_UPDATE are not logged.
Fix:
Fix will send LSN_PB_UPDATE even if subscriber info is changed
Fixed Versions:
16.0.0, 15.1.2, 14.1.4
839749-3 : Virtual server with specific address list might fail to create via GUI
Links to More Info: BT839749
Component: Local Traffic Manager
Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:
01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.
Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.
Impact:
Cannot create the virtual server.
Fix:
You can now create virtual servers with address lists directly from the GUI.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.1, 14.1.2.8
839597-6 : Restjavad fails to start if provision.extramb has a large value
Links to More Info: BT839597
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.
To check the values of these system DB variables use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).
To set that at command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:
notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4
839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
Links to More Info: BT839401
Component: Local Traffic Manager
Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).
Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.
Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.
Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.
Fix:
GARPs are sent out as expected.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5
839389-3 : TMM can crash when connecting to IVS under extreme overload
Links to More Info: BT839389
Component: Service Provider
Symptoms:
TMM might crash while attempting to connect internally to an internal virtual server (IVS) and the connection setup cannot be completed due to internal factors.
Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not crash while connecting to an IVS under extreme overload.
Fixed Versions:
16.0.0, 15.1.10
839245-3 : IPother profile with SNAT sets egress TTL to 255
Links to More Info: BT839245
Component: Local Traffic Manager
Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.
Conditions:
Virtual-server with ipother profile and SNAT configured.
Impact:
Traffic leaves with egress TTL set to 255.
Workaround:
None.
Fix:
TTL is now decremented by 1 on forwarded packets.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
839121-3 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade ★
Links to More Info: K74221031 , BT839121
Component: TMOS
Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Conditions:
The upgrade failure is seen when all the following conditions are met:
-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
Workaround:
There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
3. tmsh load /sys config
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
838901-4 : TMM receives invalid rx descriptor from HSB hardware
Links to More Info: BT838901
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4, 13.1.4
838861-3 : TMM might crash once after upgrading SSL Orchestrator ★
Links to More Info: BT838861
Component: Access Policy Manager
Symptoms:
TMM might crash due to SIGABRT.
Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.
Impact:
TMM might crash once. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Session check agent now exits and terminates the flow.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7
838713 : LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test'
Links to More Info: BT838713
Component: TMOS
Symptoms:
During EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms, the LCD buttons are unresponsive.
Conditions:
-- Running the EUDSF3.9.1 Front Port LED Test.
-- Using BIG-IP iSeries platforms.
Impact:
Cannot execute the EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms..
Workaround:
Continue to use EUDSF 3.7.0. EUDSF3.9.1 is required only for iSeries i10010, where the test does not have this issue.
Fix:
The version EUD3.9.2 release contains a fix for this issus.
Fixed Versions:
15.1.2.1
838709-4 : Enabling DoS stats also enables page-load-time
Links to More Info: BT838709
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
Can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
838685-4 : DoS report exist in per-widget but not under individual virtual
Links to More Info: BT838685
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(** You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5
838405-3 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838353-1 : MQTT monitor is not working in route domain.
Links to More Info: BT838353
Component: Local Traffic Manager
Symptoms:
MQTT monitor fails when non-default route domains are used.
Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use
Impact:
Mqtt monitor does not work in route domain.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4.6
838305-7 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
Links to More Info: BT838297
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication
Workaround:
Clear the value of shadowLastChange within AD.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading ★
Links to More Info: K02038650 , BT837637
Component: Global Traffic Manager (DNS)
Symptoms:
Configuration fails to load after upgrade with a message:
01420006:3: Can't find specified cli schema data for x.x.x.x
Where x.x.x.x indicates an older version of BIG-IP software than is currently running.
Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
Before upgrading:
If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh load sys config gtm-only
After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh restart sys service all
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
837617-1 : Tmm may crash while processing a compression context
Links to More Info: BT837617
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.4.4
837333-1 : User cannot update blocking response pages after upgrade ★
Links to More Info: BT837333
Component: Application Security Manager
Symptoms:
Response Pages screen is stuck after user tries to save changes
Conditions:
The device is upgraded from a pre-15.1 release to a newer version
Impact:
Impossible to update blocking response pages using the GUI
Workaround:
Blocking pages can be updated using the REST API
Fix:
Database upgrade script was fixed to preserve correct Server Technology settings that lead to errors in Response Pages screen
Fixed Versions:
16.0.0, 15.1.4
837233-3 : Application Security Administrator user role cannot use GUI to manage DoS profile
Links to More Info: BT837233
Component: Advanced Firewall Manager
Symptoms:
BIG-IP GUI users configured with the Application Security Administrator role are not allowed to manage DoS profile page and settings.
Conditions:
This affects users logged in with the Application Security Administrator role
Impact:
DoS profiles cannot be edited from the GUI.
Workaround:
You can use either workaround:
-- Change the user role to one that allows managing DoS profile.
-- Have the Application Security Administrator user edit profiles from tmsh.
Fix:
The roles Application Security Operations Administrator and Application Security Administrator can now manage DoS profiles in the GUI.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Links to More Info: BT836357
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
835381-3 : HTTP custom analytics profile 'not found' when default profile is modified
Links to More Info: BT835381
Component: Application Visibility and Reporting
Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:
-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.
Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.
Impact:
Loading configuration might fail.
Workaround:
None.
Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
835309-1 : Some strings on BIG-IP APM Server pages are not localized
Component: Access Policy Manager
Symptoms:
Some text in APM Server pages, such as the logout page, are presented in English even when using a different language.
Conditions:
Use APM with a localized language, and certain strings for pages like logout, Webtop, or EPS, would still be in English.
Impact:
Some strings are displayed in English instead of localized language.
Workaround:
None.
Fix:
BIG-IP APM Server pages have been updated to include translations for all the affected strings.
Fixed Versions:
16.0.0, 15.1.0.2
835209-3 : External monitors mark objects down
Links to More Info: BT835209
Component: Global Traffic Manager (DNS)
Symptoms:
Object to which the external monitor is attached is marked down.
Conditions:
Executing external monitors trying to access something without appropriate permissions.
Impact:
Object to which the external monitor is attached is marked down.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4.2
835029-1 : The liveupdate.log file is not gzipped
Links to More Info: BT835029
Component: Application Security Manager
Symptoms:
After installing BIG-IP the following error messages is observed:
1. Broadcast message from root@localhost.localdomain (Mon Oct 7 16:10:02 2019):
011d0004:3: Disk partition /var/log has only 6% free
2. Broadcast message from systemd-journald@localhost.localdomain (Mon 2019-10-07 16:01:03 IDT):
alertd[8975]: 01100048:0: Log disk usage still higher than 80% after logrotate and 24 times log deletion
Conditions:
Liveupdate logs.
Impact:
Liveupdate logs are increasing in size and old logs are not gzipped, log disk usage is higher than 80%.
Workaround:
The logs can be manually gzipped or deleted.
Fix:
The liveupdate logs are rotated and gzipped.
Fixed Versions:
16.0.0, 15.1.10
834853 : Azure walinuxagent has been updated to v2.2.42
Links to More Info: BT834853
Component: TMOS
Symptoms:
Some onboarding features are not available in the current version of walinuxagent.
Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.
Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.
Workaround:
None.
Fix:
The Azure walinuxagent has been updated to v2.2.42
Fixed Versions:
15.1.0.1
834217-7 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Links to More Info: BT834217
Component: Local Traffic Manager
Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.
Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
Fixed Versions:
16.0.0, 15.1.9
833685-5 : Idle async handlers can remain loaded for a long time doing nothing
Links to More Info: BT833685
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.5.3
833213-1 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Links to More Info: BT833213
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.
Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.
Fixed Versions:
15.1.3, 15.0.1.3, 14.1.2.3, 13.1.3.4
833113-6 : Avrd core when sending large messages via https
Links to More Info: BT833113
Component: Application Visibility and Reporting
Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.
Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.
Workaround:
None.
Fix:
Fixed an avrd crash
Fixed Versions:
16.0.0, 15.1.4, 15.0.1.3, 14.1.4.3, 13.1.3.4
833049-4 : Category lookup tool in GUI may not match actual traffic categorization
Links to More Info: BT833049
Component: Access Policy Manager
Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).
Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.
Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4, 13.1.3.5
832881-1 : F5 Endpoint Inspection helper app is not updated
Links to More Info: BT832881
Component: Access Policy Manager
Symptoms:
F5 Endpoint Inspection helper app is not updated, but other components such as F5 VPN helper App is auto updated.
Conditions:
Use a browser to establish VPN
Impact:
End users cannot to receive bug fixe or feature enhancement updates.
Workaround:
Download and install F5 Endpoint Inspection helper from BIG-IP.
https://APM_SERVER/public/download/f5epi_setup.exe
Fix:
F5 Endpoint Inspection helper app is auto updated.
Fixed Versions:
16.0.0, 15.1.0.2
832805-2 : AVR should make sure file permissions are correct (tmstat_tables.xml)
Links to More Info: BT832805
Component: Application Visibility and Reporting
Symptoms:
By building rpm of avrd, few cfg files get wrong set of permissions (executable)
Conditions:
Any build of avrd rpm
Impact:
Apparently not having the right set of permissions can lead to system halt
Workaround:
Change permissions on file:
# chmod -x /etc/avr/tmstat_tables.xml
Fix:
AVR build the rpm cfg files with the right set of permissions, instead of building them as executable file, building them in 644 mode.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
832569-3 : APM end-user connection reset
Links to More Info: BT832569
Component: Access Policy Manager
Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.
Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.
Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:
-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.
Workaround:
None.
Fix:
The URL length limit has been increased from 8 KB to 32 KB.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
832133-1 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
831821-1 : Corrupted DAG packets causes bcm56xxd core on VCMP host
Links to More Info: BT831821
Component: TMOS
Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.5
831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
Links to More Info: BT831781
Component: Access Policy Manager
Symptoms:
Both AD Query and LDAP Auth/Query fails.
Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.
Impact:
Users may not be able to login to APM, and hence service is disrupted.
Workaround:
None.
Fix:
Users are now able to login to APM.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
831737-1 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory link with the Ping Access profile.
Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1
831517-2 : TMM may crash when Network Access tunnel is used
Links to More Info: BT831517
Component: Access Policy Manager
Symptoms:
TMM may crash.
Conditions:
-- APM session is established.
-- Network Access tunnel is established and used;
Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a tmm crash.
Fixed Versions:
16.0.0, 15.1.3, 14.1.2.7
831293-5 : SNMP address-related GET requests slow to respond.
Links to More Info: BT831293
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.5, 12.1.5.3
830797-3 : Standby high availability (HA) device passes traffic through virtual wire
Links to More Info: BT830797
Component: Local Traffic Manager
Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.
Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.
Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.
Workaround:
Do not configure virtual wire on standby devices.
Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.
Fixed Versions:
16.0.0, 15.1.1, 15.0.1.1, 14.1.2.3
830717 : Appdata logical volume cannot be resized for some cloud images ★
Links to More Info: BT830717
Component: TMOS
Symptoms:
When resizing the appdata logical volume, the change may not be honored. This is because sometimes the disk metadata does not support the change without unmounting and remounting the disk.
Conditions:
This issue applies to deployments that provision multiple modules requiring a large appdata logical volume.
Impact:
The appdata logical volume cannot be resized, so you must reduce the number of modules and the associated provisioning level so that the existing appdata logical volume size does support them.
Workaround:
None.
Fix:
Logic was added to disk resizing to account for scenarios where the disk must be unmounted and then remounted to make the change. If the disk must be unmounted and remounted, this also requires a reboot (automatic).
Fixed Versions:
16.0.0, 15.1.0.2
830413-3 : Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure ★
Links to More Info: BT830413
Component: TMOS
Symptoms:
Deployment of BIG-IP Virtual Edition may result in an error "Failed to generate ssh host key".
Conditions:
Azure only. Observed for instances with password-based authentication.
Impact:
A timing issues exists with host key generation. The Virtual Machine is likely to be deployed, but users and automation tools might be unable to communicate with the instance.
Workaround:
BIG-IP may still be accessible despite the error.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
830341-2 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint
Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, ASM system does not trigger false positives.
Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
830073-2 : AVRD may core when restarting due to data collection device connection timeout
Links to More Info: BT830073
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes
Workaround:
None.
Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.
Fixed Versions:
15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
829821-1 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
Links to More Info: BT829821
Component: TMOS
Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Links to More Info: BT829677
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
This issue is happening because a VIPRION process is not available because of a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker
The fix also includes automatic removal of unused tmp files.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.5
829317-5 : Memory leak in icrd_child due to concurrent REST usage
Links to More Info: BT829317
Component: TMOS
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
Memory slowly leaks in icrd_child.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.3.1, 14.1.3, 13.1.4
829277-2 : A Large /config folder can cause memory exhaustion during live-install ★
Links to More Info: BT829277
Component: TMOS
Symptoms:
-- Live install can fail at ~96% complete.
-- System memory might be exhausted, and the kernel terminates processes as a result.
Conditions:
-- During live-install.
-- Configuration roll-forward is enabled.
-- The uncompressed UCS size is larger than the available memory.
Impact:
The kernel terminates any number of processes; any/all critical applications might become nonfunctional.
Workaround:
You can use these two techniques to mitigate this situation:
-- Any file stored under /config is considered part of the configuration, so make sure there are no large, unnecessary files included in that directory.
-- If the configuration matches or is close to total system memory size, do not roll it forward as part of live install. Instead, save the UCS manually and restore it after rebooting to the new software.
To turn off config roll forward:
setdb liveinstall.saveconfig disable
For information about manually saving and restoring configurations, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive :: https://support.f5.com/csp/article/K13132.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.3.1
829193-4 : REST system unavailable due to disk corruption
Links to More Info: BT829193
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
Fixed Versions:
16.0.0, 15.1.0.4, 14.1.3.1, 13.1.3.6
828937-1 : Some systems can experience periodic high IO wait due to AVR data aggregation
Links to More Info: K45725467 , BT828937
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned (in that case, ASM, APM, PEM, AFM, or AAM must be provisioned).
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 8 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 2148 on systems with the number of CPU cores fewer than or equal to 8.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4
828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
Links to More Info: BT828873
Component: TMOS
Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.
Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.
Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.
Workaround:
Steps:
1. Mount the drive:
mount -o rw,remount /usr
2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty
3. Reload the daemon:
systemctl daemon-reload
4. Restart the service:
systemctl restart f5-label
Fix:
The I/O device has been changed to the default input device '/dev/null' to resolve the issue.
Fixed Versions:
16.0.0, 15.1.0.2
828789-1 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
Links to More Info: BT828789
Component: TMOS
Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.
Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.
Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.
This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.
Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.
Fixed Versions:
16.1.0, 15.1.1, 14.1.2.8
828761-1 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
828601-1 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT828601
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
Fix:
IPv6 routes now prioritize TMM interfaces.
Fixed Versions:
16.0.0, 15.1.0.3, 14.1.2.7, 13.1.3.5
827393-2 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as RDG proxy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
827325-1 : JWT token verification failure
Links to More Info: BT827325
Component: Access Policy Manager
Symptoms:
JWT token verification failure with error -1.
Conditions:
Token size larger than 4080.
Impact:
Request rejected and the log message simply says 'unknown error -1.'
Workaround:
None.
Fix:
The 4080 token size limitation is removed.
Fixed Versions:
16.0.0, 15.1.4
827033-1 : Boot marker is being logged before shutdown logs
Links to More Info: BT827033
Component: TMOS
Symptoms:
When rebooting the BIG-IP, the boot marker appears before the shutdown logs
localhost notice boot_marker : ---===[ HD1.1 - BIG-IP 14.1.2 Build 0.0.37 ]===---
localhost.localdomain err logger[29153]: shutting down for system shutdown on behalf of root
localhost.localdomain notice mcpd[4645]: 01070406:5: Removed publication with publisher id shell_publish
Conditions:
Issue is observed while rebooting the device
Impact:
Creates confusion when trying to debug an issue using log files.
Workaround:
None
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.4
826905-3 : Host traffic via IPv6 route pool uses incorrect source address
Links to More Info: BT826905
Component: TMOS
Symptoms:
IPv6 route pool uses an incorrect source address rather than the self IP address. As a side symptom, if there are an even number of members in the pool, only half of the pool members are attempted during load balancing.
Conditions:
--IPv6 route pool is configured.
Impact:
Failed connections from the BIG-IP host that uses an IPv6 pool route.
Workaround:
None.
Fix:
IPv6 route pool uses the correct self IP address.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
826265-5 : The SNMPv3 engineBoots value restarts at 1 after an upgrade
Links to More Info: BT826265
Component: TMOS
Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.
Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.
Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.
Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):
tmsh modify sys snmp include 'engineBoots n'
2. Restart SNMPD.
Fix:
This issue has been fixed: the engineBoots value is now kept as part of the configuration.
Fixed Versions:
16.0.0, 15.1.0.4
825689-1 : Enhance FIPS crypto-user storage
Links to More Info: K000135449 , BT825689
825501-3 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. ★
Links to More Info: BT825501
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
825493-1 : JWT token verification failure
Links to More Info: BT825493
Component: Access Policy Manager
Symptoms:
JSON Web Token (JWT) verification failure with error -1.
Conditions:
Token size larger than 4080.
Impact:
Request is rejected.
Workaround:
None.
Fix:
Fixed an issue with JWT token verificaton.
Fixed Versions:
16.0.0, 15.1.4
825245-4 : SSL::enable does not work for server side ssl
Links to More Info: BT825245
Component: Local Traffic Manager
Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.
Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.
Impact:
The connection will close instead of completing.
Workaround:
Do not use a disabled server-ssl profile in this situation.
Fix:
The SSL::enable iRule works as expected in the above scenario.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4.6
825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
Links to More Info: BT825013
Component: Service Provider
Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.
Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.
Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.
Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.7
824365-5 : Need informative messages for HTTP iRule runtime validation errors
Links to More Info: BT824365
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
Fix:
Informative messages are provided for HTTP iRule runtime validation errors.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.3, 13.1.3.6
824149-5 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Links to More Info: BT824149
Component: Service Provider
Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4
824093-5 : Parameters payload parser issue
Links to More Info: BT824093
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
Fix:
This release fixes an issue related to multipart requests.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
824073 : Incorrect error message when uploading OpenAPI 3.0 file
Links to More Info: BT824073
Component: Access Policy Manager
Symptoms:
When trying to upload OpenAPI 3.0 file through Access ›› API Protection : Profile ›› New, an error message is displays that the file is not a valid OpenAPI specification file.
Conditions:
- Upload OpenAPI 3.0 or newer specification files.
Impact:
Cannot use OpenAPI 3.0 or newer specification files to create profiles.
Workaround:
The BIG-IP 15.1.x does not support OpenAPI 3.0 specification files.
OpenAPI 3.0 is supported from BIG-IP 16.1.x, this functionality is moved from TMUI to AGC.
Fix:
Updated error message to show supported OpenAPI specification file version.
Fixed Versions:
15.1.9
822245-2 : Large number of in-TMM monitors results in some monitors being marked down or delay in marking node down
Links to More Info: BT822245
Component: In-tmm monitors
Symptoms:
- When configured with a large number of in-TMM monitors, Nodes are marked DOWN when they are actually UP.
- When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.
- When using the in-TMM monitoring feature, monitored targets (Nodes/Pool Members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the interval value configured for the monitor, but less than the timeout value configured for the monitor, then the target may be marked DOWN.
Conditions:
This may occur when the one of the following conditions are met:
- The in-TMM monitoring feature is enabled (through sys db bigd.tmm).
- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.
- Monitored target does not respond to ping attempts within the interval value configured for the monitor.
Impact:
- Monitor target may appear DOWN when it is actually UP.
- Nodes or Pool Members which are not responsive may not be marked DOWN in stipulated time.
- The monitored target may be marked DOWN if it does not respond to ping attempts within the interval value configured for the monitor, instead of within the timeout value configured for the monitor.
Workaround:
Disable in-TMM monitors:
tmsh modify sys db bigd.tmm value disable
Fix:
N/A
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
822025 : HTTP response not forwarded to client during an early response
Links to More Info: BT822025
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP:respond iRule.
Fixed Versions:
15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.6, 12.1.5.3
821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process
Links to More Info: BT821309
Component: TMOS
Symptoms:
Zombie "systemctl" process, as a child of mcpd.
Conditions:
Reboot of the BIG-IP.
Impact:
Minimal; a single zombie process is created.
Workaround:
To get rid of the process, you can restart mcpd.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
820845-3 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
Links to More Info: BT820845
Component: TMOS
Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
820333-1 : LACP working member state may be inconsistent when blade is forced offline
Links to More Info: BT820333
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1
819645-2 : Reset Horizon View application does not work when accessing through F5 APM
Links to More Info: BT819645
Component: Access Policy Manager
Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.
Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android
Impact:
Impaired reset option functionality
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
819429-5 : Unable to scp to device after upgrade: path not allowed
Links to More Info: BT819429
Component: TMOS
Symptoms:
Cannot scp copy a file to the BIG-IP system. The system reports an error:
path not allowed
Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has 'shell tmsh' or 'shell none' access.
-- The scp destination is the real path target (not listed in the 'allow' list) of a symbolic link that is listed in the scp 'allow' list (/config/ssh/scp.whitelist).
For example:
scp to /var/tmp succeeds.
scp to /shared/tmp fails with 'path not allowed'.
Impact:
Cannot copy files to a path present under whitelist.
Workaround:
Use the explicitly listed (symlink) path as the scp destination.
Fix:
You can now scp copy files to a path present under whitelist without error.
Fixed Versions:
16.0.0, 15.1.10
819329-4 : Specific FIPS device errors will not trigger failover
Links to More Info: BT819329
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs, but the device is idle
Impact:
The device may not fail over on FIPS hardware failure.
Fix:
Interpret rare FIPS card failure as failover event.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.3.1, 13.1.5
819301-2 : Incorrect values in REST response for dos-l3 table
Links to More Info: BT819301
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations in the AVR publisher are not performed, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10
-- The attack vector is triggered
Impact:
Wrong values appear in REST reponse
Fix:
Fixed an issue with incorrect values for mitigated attacks.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1
818889-2 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
818853-1 : Duplicate MAC entries in FDB
Links to More Info: BT818853
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5
818833-1 : TCP re-transmission during SYN Cookie activation results in high latency
Links to More Info: BT818833
Component: Local Traffic Manager
Symptoms:
Issue is reported at the following system setup:
client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet
-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.
Conditions:
Haredware SYN Cookie is enabled on FastL4 profile
Impact:
High latency is observed.
Workaround:
Disable the SYN Cookie on the FastL4 profile
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.4
818705-1 : The daemon afm_cmi.py can cause high BIG-IP CPU utilization (>90%)
Links to More Info: BT818705
Component: Advanced Firewall Manager
Symptoms:
The AFM auto threshold and Behavioral DoS historical data synchronization process consumes greater than 90% CPU, this affects TMM performance and some outages can occur.
Conditions:
This occurs in both High Availability (HA) and standalone configurations. In both cases "MCPD" issues were reported (delay in response or the daemon crashed).
Impact:
TMM performance is affected and outages can occur.
Workaround:
Terminate the AFM data synchronization process:
kill -9 $(pgrep afm_cmi.py)
Fix:
If the connection to MCP is not responsive, the script will attempt to reinitialize MCP connection every second until successful. The script will be blocked until MCP connection is established.
Fixed Versions:
16.1.0, 15.1.9
818297-3 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
Links to More Info: BT818297
Component: TMOS
Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.
In /var/log/openvswitch/ovsdb-server.log:
...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).
Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.
Impact:
Permission denied, SSL connection failure.
Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };
Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t
Step 4: Apply the policy:
# semodule -i openvswitch_t.pp
Fix:
SELinux policy rules for openvswitch module have been added.
Fixed Versions:
16.0.0, 15.1.10
818253-3 : Generate signature files for logs
Links to More Info: BT818253
Component: TMOS
Symptoms:
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.
Conditions:
Viewing the audit information stored in /var/log and other locations.
Impact:
Audit log files are stored without integrity files on the local system.
Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:
tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "
Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.
-- To enable the feature:
tmsh modify sys db logintegrity.support value enable
-- To set the LogIntegrity loglevel:
tmsh modify sys db logintegrity.loglevel value debug
You must create private key and store it in SecureVault before enabling this feature. To do so:
1. Generate a private key with the name logfile_integrity.key, for example:
tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365
2. Generate RSA encrypted private SSL keys:
2a. Go to the filestore location on the BIG-IP system:
cd /config/filestore/files_d/Common_d/certificate_key_d/
ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2
openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key
2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):
2c. run command to list the generated files
ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key
3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:
tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key
Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.
If you want to verify Signatures, follow these steps:
1. Go to the filestore location on the BIG-IP system :
cd /config/filestore/files_d/Common_d/certificate_d
2. Execute the following command to generate the public key.
openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer
3.Verify the signature file using public key:
openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
818109-1 : Certain plaintext traffic may cause SSL Orchestrator to hang
Links to More Info: BT818109
Component: Local Traffic Manager
Symptoms:
After upgrading SSL Orchestrator to version 5.x, traffic gets reset, SSL Orchestrator hangs, and tcpdump analysis indicates that connections are being reset due to SSL handshake timeout exceeded.
Conditions:
-- SSL Orchestrator configured.
-- Initial plaintext traffic resembles SSLv2 hello message or has less-than-enough bytes for SSL to process.
Impact:
SSL Orchestrator hangs on that connection, unable to bypass traffic until the connection times out. Other connections handle traffic during this interval.
Workaround:
None.
Fix:
This release adds a db variable to enable/disable SSLv2 hello parsing. It is called tmm.ssl.v2compatibility and is disabled by default.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4
817989-1 : Cannot change managemnet IP from GUI
Links to More Info: BT817989
Component: TMOS
Symptoms:
You are unable to change the management IP from the GUI
Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.
Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.
Workaround:
Use tmsh to create the management IP. This will overwrite the old one.
Example:
create /sys management-ip [ip address/prefixlen]
To view the management IP configurations
tmsh list /sys management-ip
Fix:
Should be able to set the Management IP from GUI as below
1. Go to System->Platform page.
2. Choose Configuration -> Manual and set some other IPv4 address
3. Press the Update button.
Fixed Versions:
16.1.0, 15.1.10
817709-3 : IPsec: TMM cored with SIGFPE in racoon2
Links to More Info: BT817709
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
Fixed Versions:
16.1.0, 15.1.0.2, 14.1.2.8, 13.1.5
817137-1 : SSO setting for Portal Access resources in webtop sections cannot be updated.
Links to More Info: BT817137
Component: Access Policy Manager
Symptoms:
SSO setting for Portal Access (PA) resource assigned to any webtop section cannot be updated due to the following error:
No such atomic attribute:name in class:webtop_section_webtop_section_resource
Configuration with such a resource cannot be transferred to another BIG-IP system due to the same error.
Conditions:
BIG-IP system configuration with the following objects:
-- SSO configuration (any type).
-- PA resource with resource item.
-- The webtop section with the PA resource.
-- Full webtop.
-- Per-session access policy with resource assignment agent which assigns webtop, webtop section, and PA resource.
Impact:
Configuration cannot be updated or transferred.
Workaround:
Delete webtop sections from the configuration and re-create them after transfer / upgrade / update process.
Fix:
Now APM configuration with Portal Access resources in webtop sections can be transferred or upgraded.
Fixed Versions:
16.0.0, 15.1.4.1
816881-2 : Serverside conection may use wrong VLAN when virtual wire is configured
Links to More Info: BT816881
Component: Local Traffic Manager
Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination
Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.
Impact:
Some client connections fail to establish
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
816233-1 : Session and authentication cookies should use larger character set
Links to More Info: BT816233
Component: TMOS
Symptoms:
The session and authentication cookies are created using a limited character set.
Conditions:
Creating session and authentication cookies.
Impact:
Cookies are created with a less broad character set than they could be.
Workaround:
None.
Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.
Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
816229-3 : Kernel Log Messages Logged Twice
Links to More Info: BT816229
Component: TMOS
Symptoms:
You see duplicate log messages in /var/log/kern.log
Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0
Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.
Fix:
Fixed an issue with duplicated log messages in /var/log/kern.log.
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.4
815901-1 : Add rule to the disabled pem policy is not allowed
Links to More Info: BT815901
Component: Policy Enforcement Manager
Symptoms:
Adding rule to PEM policy is not allowed
Conditions:
A PEM policy is disabled
Impact:
You are unable to add rules to a PEM policy if it is disabled.
Fix:
Allow adding rules to disabled PEM policy
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
815877-2 : Information Elements with zero-length value are rejected by the GTP parser
Links to More Info: BT815877
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.3
814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI
Links to More Info: BT814585
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3
814037-6 : No virtual server name in Hardware Syncookie activation logs.
Links to More Info: BT814037
Component: Local Traffic Manager
Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5
813701-6 : Proxy ARP failure
Links to More Info: BT813701
Component: Local Traffic Manager
Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.
Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.
Impact:
ARP replies are dropped, leading to connection failures.
Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
812981-6 : MCPD: memory leak on standby BIG-IP device
Links to More Info: BT812981
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.
Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1
812525-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Links to More Info: K27551003 , BT812525
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Fixed Versions:
16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted ★
Links to More Info: BT812493
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade
tmsh restart sys service snmpd alertd
Fixed Versions:
16.0.0, 15.1.0.4
811701-3 : AWS instance using xnet driver not receiving packets on an interface.
Links to More Info: BT811701
Component: TMOS
Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.
Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.
Impact:
Loss of packets in the interface, in turn, causing data loss.
Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.
Use the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)
# echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl
# echo "ndal force_sw_tcs off 1d0f:ec20" >> /config/tmm_init.tcl
[check that the file's contents are correct]
# cat /config/tmm_init.tcl
[restart the BIG-IP system's TMM processes]
# bigstart restart tmm
[make certain that the 'driver_in_use' is 'sock']
# tmctl -dblade -i tmm/device_probed
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7
811149-2 : Remotely-authenticated users are unable to authenticate through the serial console
Links to More Info: BT811149
Component: TMOS
Symptoms:
Attempts to log in to the serial console with remote user credentials (RADIUS, LDAP, TACACS remote auth) fails with one of the following error messages:
-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)
Conditions:
Configure BIG-IQ for remote authentication and attempt authentication through the serial console.
Impact:
Remote authentication users are unable to login to the serial console.
Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.
-- Use the credentials of a local user account to login to the serial console.
Fix:
Fixed in BIG-IQ 8.3.0 Release
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.8
811053-6 : REBOOT REQUIRED prompt appears after failover and clsh reboot
Links to More Info: BT811053
Component: TMOS
Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.
Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.
Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #
Any blade with this prompt must be rebooted again.
Workaround:
None currently known.
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.7
811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Links to More Info: BT811041
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
Fix:
The HA table no longer leaks memory if an entry is reinitialized.
Fixed Versions:
16.1.0, 15.1.2
810821-3 : Management interface flaps after rebooting the device.
Links to More Info: BT810821
Component: TMOS
Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.
This problem has been observed only on hardware platforms.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.
For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
or
Connecting serial failover cable between HA peers would prevent active/active issue from happening.
Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5
810381-2 : The SNMP max message size check is being incorrectly applied.
Links to More Info: BT810381
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.
Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.
Fixed Versions:
16.0.0, 15.1.0.4, 14.1.2.8, 13.1.3.5
809701-7 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
Links to More Info: BT809701
Component: Local Traffic Manager
Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.
Conditions:
The system displays incorrect information when the iRule help text is visible.
Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.
Workaround:
Do not use the invalid 'HTTP::proxy dest' command.
Fix:
The help text now shows 'HTTP::proxy', which is correct.
Fixed Versions:
16.0.0, 15.1.2, 15.0.1.3, 14.1.3.1
809657-7 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Links to More Info: BT809657
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) group do not contribute to the HA group's score.
Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect HA Group score.
Workaround:
Remove the unmonitored pools from the HA group and re-add them.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5
809597-5 : Memory leak in icrd_child observed during REST usage
Links to More Info: BT809597
Component: Local Traffic Manager
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.3, 13.1.4
809205-6 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl updated
Fixed Versions:
16.0.1.2, 15.1.3, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1
809125-5 : CSRF false positive
Links to More Info: BT809125
Component: Application Security Manager
Symptoms:
A CSRF false-positive violation.
Conditions:
CSRF enforcing security policy.
This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.
Impact:
False-positive Blocking / Violation
Workaround:
If this happens change the csrf parameter and restart the asm daemon:
1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>
2. Restart the asm daemon:
restart asm
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 12.1.5.1
808913-2 : Big3d cannot log the full XML buffer data
Links to More Info: BT808913
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d cannot log the full XML buffer data:
-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.
Conditions:
The gtm.debugprobelogging variable is enabled.
Impact:
Not able to debug big3d monitoring issues efficiently.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
808409-4 : Unable to specify if giaddr will be modified in DHCP relay chain
Links to More Info: BT808409
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.
However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced
The default is :
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP
On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
808277-6 : Root's crontab file may become empty
Links to More Info: BT808277
Component: TMOS
Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.
Conditions:
Low disk space on the /var filesystem.
Impact:
System and user entries in root's crontab file stop executing.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.10
807957-5 : Link Up status should clear Link Down in Nokia Alarm database
Links to More Info: BT807957
Component: TMOS
Symptoms:
When using Nokia NetAct (the alertd.nokia.alarm DB variable has the value "enable"), the LINK STATUS traps are the same for down/disable and up/enable. That has the side effect of leaving entries in the Nokia Alarm database.
Conditions:
Enable Nokia NetAct and see that the alarm database has uncleared entries for link status changes.
Impact:
This is confusing because entries in the database that do not clear.
Fix:
A new DB variable has been implemented (alertd.nokia.linktraps). The default value is disabled and the variable only takes effect when alertd.nokia.alarm is enabled. Note that the first time these variables are enabled you must restart the alertd and nokiasnmpd daemons. With these variables enabled (and the daemons restarted) the link status traps are broken out into two separate traps. The LINK UP/ENABLED trap clears the LINK DOWN/DISABLED trap.
Fixed Versions:
16.1.0, 15.1.10
807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Links to More Info: BT807337
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).
Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
807005-5 : Save-on-auto-sync is not working as expected with large configuration objects
Links to More Info: BT807005
Component: TMOS
Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3, 11.6.5.2
806073-1 : MySQL monitor fails to connect to MySQL Server v8.0
Links to More Info: BT806073
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
Fix:
BIG-IP can monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1
805821-3 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
805417-3 : Unable to enable LDAP system auth profile debug logging
Links to More Info: BT805417
Component: TMOS
Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.
Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.
Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.
Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:
systemctl stop nslcd
nslcd -d
Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.
You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.
When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:
systemctl start nslcd
Fix:
The nslcd logs are now visible on /var/log/secure file.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.7
804529 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
804309-1 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
Links to More Info: BT804309
Component: TMOS
Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:
[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy
Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.
Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.
Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false
tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5
804157-3 : ICMP replies are forwarded with incorrect checksums causing them to be dropped
Links to More Info: BT804157
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.
Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.
Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.
Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
803825-5 : WebSSO does not support large NTLM target info length
Links to More Info: BT803825
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes and loss of service.
Workaround:
Config NTLM not to have large target info, recommend < 800.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4
803809-4 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
Links to More Info: BT803809
Component: Service Provider
Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.
Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.
Impact:
Calls from one or more clients are unable to be completed.
Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.
Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.4
803629-7 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Links to More Info: BT803629
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4.5, 13.1.5
803237-2 : PVA does not validate interface MTU when setting MSS
Links to More Info: BT803237
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.
Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.
Workaround:
Increase MTU size.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Links to More Info: BT803233
Component: Local Traffic Manager
Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.
Fixed Versions:
16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
803109-3 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
802873-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Links to More Info: BT802873
Component: Application Security Manager
Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.
Conditions:
-- XML policy file is missing a response header.
-- Import the policy.
Impact:
The affected reponse page is not returned for traffic as expected, and an error is reported instead.
Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.
Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.
Fix:
The system now gracefully ignores empty header for Login Page response page.
Fixed Versions:
16.0.0, 15.1.4, 14.1.2.7
802685-2 : Unable to configure performance HTTP virtual server via GUI
Links to More Info: BT802685
Component: TMOS
Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.
Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).
Impact:
Failed to create a 'performance HTTP' virtual server.
Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
802421-6 : The /var partition may become 100% full requiring manual intervention to clear space
Links to More Info: BT802421
Component: Advanced Firewall Manager
Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.
Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.
Run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
802281-3 : Gossip shows active even when devices are missing
Links to More Info: BT802281
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5
801705-6 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Links to More Info: BT801705
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute. RFC is violated.
Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.3.1, 13.1.3.6
801497-3 : Virtual wire with LACP pinning to one link in trunk.
Links to More Info: BT801497
Component: Local Traffic Manager
Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.
Conditions:
Virtual-wire configured across multi-interface trunks.
Impact:
This may lead to unexpected link saturation.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.1
799749-2 : Asm logrotate fails to rotate
Links to More Info: BT799749
Component: Application Security Manager
Symptoms:
ASM logrotate reports errors in /var/log/asm.:
error: error creating output file /ts/log//bd.log.1: File exists
Conditions:
Files ending with .1 exists in the logs directories.
Impact:
Logrotate does not work. May fill disk with logs over time.
Workaround:
Remove or rename all of the .1 logs.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
799001-1 : Sflow agent does not handle disconnect from SNMPD manager correctly
Links to More Info: BT799001
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
Snmpd service restarts repeatedly
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.
Fix:
No Fix. Execute 'tmsh restart sys service sflow_agent'
Fixed Versions:
16.1.0, 15.1.3, 14.1.4
797829-6 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Links to More Info: BT797829
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5
797769-9 : Linux vulnerability : CVE-2019-11599
Links to More Info: K51674118
796601-2 : Invalid parameter in errdefsd while processing hostname db_variable
Links to More Info: BT796601
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
795649-5 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Links to More Info: BT795649
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Note: Similar messages may be observed when there is a genuine issue with the BIG-IP HSB hardware.
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Following are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system.
Fixed Versions:
16.0.0, 15.1.0.3, 14.1.3.1, 13.1.3.5, 12.1.5.2
794417-4 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not ★
Links to More Info: BT794417
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration does not load if saved, and reports an error:
01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.
Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.
Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile
Fixed Versions:
16.1.3, 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
794385-3 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
Fix:
BGP session is no longer reset during CMP state change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
793669-5 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value.
Links to More Info: BT793669
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (for example, Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
Delete the fqdn node from the pool and add it back.
Fix:
FQDN ephemeral pool members are now in sync and disabled on the high availability (HA) peer.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Links to More Info: BT793121
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.2
793017-3 : Files left behind by failed Attack Signature updates are not cleaned
Links to More Info: BT793017
Component: Application Security Manager
Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.
Conditions:
Attack Signature update encounters an error during installation.
Impact:
This can eventually lead to disk space issues.
Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.
Fix:
These directories are now included in the periodic file cleanup task.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.3
793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Links to More Info: BT793005
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.
Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4
792813-1 : The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet information is not received
Links to More Info: BT792813
Component: Global Traffic Manager (DNS)
Symptoms:
When subnet information is not received, iRule command 'DNS::ends0 subnet address' reports a Tcl error. As the subnet information is optional, the command should not report an error.
Conditions:
- Run the iRule command 'DNS::ends0 subnet address'.
- DNS request is received without subnet information.
Impact:
Using the iRule command 'DNS::edns0 subnet address' reports a Tcl error.
Workaround:
None
Fix:
The command now returns an empty string instead of reporting a Tcl error.
Behavior Change:
When DNS request is received without subnet information,
before the fix, when the iRule command 'DNS::edns0 subnet address' is used a Tcl error is reported.
After the fix, the command returns an empty string instead of reporting a Tcl error.
Fixed Versions:
16.0.0, 15.1.10
791669-2 : TMM might crash when Bot Defense is configured for multiple domains
Links to More Info: BT791669
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None,
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
790845-4 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
Links to More Info: BT790845
Component: Local Traffic Manager
Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.
Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.
Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.
Impact:
An In-TMM monitor is falsely marked as down.
Workaround:
Use default settings for a CMP-hash.
Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.
Fixed Versions:
16.0.0, 15.1.2, 14.1.4, 13.1.3.5
789857 : "TCP half open' reports drops made by LTM syn-cookies mitigation.
Links to More Info: BT789857
Component: Advanced Firewall Manager
Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.
Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.
Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.
Workaround:
If LTM syn-cookies are not needed, disable the option:
modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite
Fixed Versions:
15.1.1, 14.1.4
789421-4 : Resource-administrator cannot create GTM server object through GUI
Links to More Info: BT789421
Component: Global Traffic Manager (DNS)
Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.
Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.
Impact:
Unable to create GTM server object via the GUI.
Workaround:
Use tmsh or iControl/REST.
Fixed Versions:
16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7
789181-5 : Link Status traps are not issued on BIG-IP VE systems
Links to More Info: BT789181
Component: TMOS
Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.
Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).
Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.
On a VE-based BIG-IP system, these logs and traps do not occur.
An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.
Workaround:
None.
Fix:
VE now issues link status messages (which will cause traps to be issued) when interfaces on VEs are administratively disabled and enabled. The underlying interface status impacted by cables being plugged/unplugged must be monitored on the underlying system (the hypervisor) and is not logged by VE. If an interface on VE is not configured, then it is in the uninitialized state. If the interface in that state is disabled/enabled, the Link status message issued on enable is Link DOWN.
Fixed Versions:
16.0.0, 15.1.2
788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code
Links to More Info: BT788753
Component: Local Traffic Manager
Symptoms:
Pool state shows down when there is no route configured to node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4
788625-1 : A pool member is not marked up by the inband monitor even after successful connection to the pool member
Links to More Info: BT788625
Component: Service Provider
Symptoms:
1. Pool member is still shown as down even after BIG-IP has connected to it.
2. If a pool has only one pool member, continuous logs are seen in /var/log/ltm, at the frequency of auto-init interval and in-band timer interval mentioning about pool member being in-active and active respectively.
Conditions:
-- Auto-init is enabled to continuously try connecting the pool member
-- An inband monitor is configured
-- The inband monitor's retry interval is slightly less than auto-init interval
Impact:
Pool member marked down, even though the pool member is up
Workaround:
Configure the inband monitor's retry interval to be the lowest interval possible, which is 1 second.
Fix:
Pool member should be marked as up by the inband monitor, when the pool member comes up and connection to it is successful.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
788577-7 : BFD sessions may be reset after CMP state change
Links to More Info: BT788577
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2
788513-6 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Links to More Info: BT788513
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2
788465-5 : DNS cache idx synced across HA group could cause tmm crash
Links to More Info: BT788465
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache idx conflicts and tmm crash.
Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.
Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.
Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
787885-2 : The device status is falsely showing as forced offline on the network map while actual device status is not.
Links to More Info: BT787885
Component: TMOS
Symptoms:
Network Map in GUI shows incorrect [Forced Offline] status.
Conditions:
-- Multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Forced Offline]. In other words, it is always shown as [Forced Offline].
-- Non multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Active] or [Forced Offline]. In other words, it displays fine only for [Active] and [Forced Offline].
Impact:
The device status in the network map is not reliable
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
787677-5 : AVRD stays at 100% CPU constantly on some systems
Links to More Info: BT787677
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Links to More Info: BT786517
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5
785877-5 : VLAN groups do not bridge non-link-local multicast traffic.
Links to More Info: BT785877
Component: Local Traffic Manager
Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.
Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.
Impact:
Non-link-local multicast traffic does not get forwarded.
Workaround:
None.
Fix:
VLAN groups now bridge non-link-local multicast traffic.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
785741-3 : Unable to login using LDAP with 'user-template' configuration
Links to More Info: K19131357 , BT785741
Component: TMOS
Symptoms:
Unable to login as remote-user.
Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.
Impact:
Unable to login with remote-user.
Workaround:
Use bind-dn for authentication.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.3
785361-3 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
Links to More Info: BT785361
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.
Conditions:
L2Wire mode.
Impact:
All srcIP 0.0.0.0 packets are dropped silently.
Workaround:
Configure the virtual server to be in L2-forward mode.
Fix:
The system no longer drops srcIP 0.0.0.0 packets when in L2Wire mode.
Fixed Versions:
16.1.0, 15.1.9
785017-3 : Secondary blades go offline after new primary is elected
Links to More Info: BT785017
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4, 13.1.4
783165-1 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
Links to More Info: BT783165
Component: Application Security Manager
Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.
Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.
Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.
Workaround:
Delete and add the whitelist after modifying the profile.
Fix:
Keep the whitelist as is when updating bot profile.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
783125-1 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Links to More Info: BT783125
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
780857-2 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Links to More Info: BT780857
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
779857-2 : Misleading GUI error when installing a new version in another partition ★
Links to More Info: BT779857
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
778261-2 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate
Links to More Info: BT778261
Component: Application Security Manager
Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.
Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).
Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.
Workaround:
Restart Policy Builder on the BIG-IP system:
killall -s SIGHUP pabnagd
Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.1
776393-3 : Restjavad restarts frequently due to insufficient memory with relatively large configurations
Links to More Info: BT776393
Component: TMOS
Symptoms:
Restjavad restarts frequently -- approximately every 5 minutes -- due to the JVM heap running out of memory.
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory, using the following commands. The example below allocates 1600 MB of extra memory to restjavad:
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
Note: The increase in restjavad size will be slightly greater than extra host memory from provision.extramb on systems using modules other than just LTM and GTM.
To have this change persist past system reboots, save the configuration with:
tmsh save sys config
Fix:
Default restjavad heap memory has been increased to 384 MB. Minimum heap size has been set to the same value as maximum heap size.
Behavior Change:
Extra memory is allocated to Java. The maximum heap size was increased to 384 MB from 192 MB previously.
The minimum heap size has been set to same size as maximum heap size. This will be particularly apparent where restjavad.useextramb is set to the value true and provision.extramb is set to a high value but restjavad hadn't required much extra memory previously. Note though in this case the Linux kernel does not usually back all the memory requested with physical memory unless it is used.
ID 1025261 ( https://cdn.f5.com/product/bugtracker/ID1025261.html ) introduces sys db variable provision.restjavad.extramb to allow finer grained control of restjavad memory size. See the Behavior Change text in that bug for more information.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
776285-1 : No stats returned for 'ltm classification stats urlcat-cloud' component at system startup
Links to More Info: BT776285
Component: Traffic Classification Engine
Symptoms:
The 'ltm classification stats urlcat-cloud' returns no stats even if the stats have zero values.
Conditions:
-- PEM URL Filtering license
-- The BIG-IP system has recently rebooted and has not passed traffic yet
Impact:
You are unable to see the zeroed stats for 'urlcat-cloud' until traffic has passed through and some stats accumulate.
Workaround:
None
Fix:
Zero value stats for 'urlcat-cloud' component are initialized at BIG-IP startup if PEM URL Filtering is licensed.
Fixed Versions:
16.1.0, 15.1.9
776117-2 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
774817-1 : ICMP packets are intermittently forwarded out of both VLAN group members
Links to More Info: BT774817
Component: Local Traffic Manager
Symptoms:
ICMP packets sent out on the wrong interface.
Conditions:
BIG-IP system is configured in VLAN group-based L2 transparent mode.
Impact:
The ICMP packet sent out on the wrong VLAN is dropped by the receiving router because the destination MAC address does not match that of the router. Typically, a topology for asymmetric traffic flows across VLAN groups has VLAN asymmetry built in using routers.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.10
774617-3 : SNMP daemon reports integer truncation error for values greater than 32 bits
Links to More Info: BT774617
Component: TMOS
Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.
Conditions:
Values greater than 32 bits sent to SNMP.
Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:
err snmpd[20680]: truncating integer value > 32 bits
Workaround:
No current workaround.
Fixed Versions:
16.0.0, 15.1.0.4, 14.1.4
774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types
Links to More Info: BT774257
Component: Global Traffic Manager (DNS)
Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:
tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A
tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A
Conditions:
This occurs when running the following tmsh commands:
tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt
Impact:
The output type is printed twice
Workaround:
None.
Fix:
The output becomes like this after fix:
gtm pool a emptypool
gtm wideip a testwip.f5.com
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
773253-5 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Links to More Info: BT773253
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.4.2, 13.1.4
771961-3 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
Links to More Info: BT771961
Component: Access Policy Manager
Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.
Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm core related to deleting SSL Orchestrator.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1
768085-4 : Error in python script /usr/libexec/iAppsLX_save_pre line 79
Links to More Info: BT768085
Component: iApp Technology
Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"
Conditions:
This can be encountered while trying to create a UCS file.
Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
767737-4 : Timing issues during startup may make an HA peer stay in the inoperative state
Links to More Info: BT767737
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.2.1, 14.1.3.1, 13.1.3.5
767341-1 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Links to More Info: BT767341
Component: Local Traffic Manager
Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.
Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.
This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.
Filesystem error might be due to power loss, full disk or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.
Another workaround is clean install, if possible/acceptable
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
767269-5 : Linux kernel vulnerability: CVE-2018-16884
Links to More Info: K21430012
766017-6 : [APM][LocalDB] Local user database instance name length check inconsistencies ★
Links to More Info: BT766017
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.4.2, 13.1.3.5, 12.1.5.3
761303-5 : Upgrade of standby BIG-IP system results in empty Local Database
Links to More Info: BT761303
Component: Access Policy Manager
Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.
Conditions:
This happens on standby device in a high availability (HA) setup.
Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.
Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, after rebooting into the volume with the upgraded installation, do the following:
1. Force stop the localdbmgr process:
bigstart stop localdbmgr
2. Wait at least 15 minutes.
3. Restart the localdbmgr:
bigstart restart localdbmgr
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3
760739-2 : The Nokia alert configuration is not correct for all clearing events
Links to More Info: BT760739
Component: TMOS
Symptoms:
Alarms may not get correctly entered or cleared from the Nokia Alarm database.
Conditions:
A Nokia alarm is generated and then the alert condition clears.
Impact:
The alarm is not cleared when it should be. This can lead to confusion about error conditions.
Workaround:
None.
Fix:
The values have been corrected.
Fixed Versions:
16.1.0, 15.1.10
760629-5 : Remove Obsolete APM keys in BigDB
Links to More Info: BT760629
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete
Conditions:
This is encountered on BIG-IP software installations.
Impact:
The db keys are obsolete and can be safely ignored.
Workaround:
None
Fix:
The following db keys have been removed from the system:
Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3
760622-5 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Links to More Info: BT760622
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
Fixed Versions:
16.0.0, 15.1.0.5
760496-1 : Traffic processing interrupted by PF reset
Links to More Info: BT760496
Component: TMOS
Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.
Conditions:
-- E710 NICs are used.
-- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.
Links to More Info: BT760471
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)
Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.3, 13.1.3.5, 12.1.5.2
760406-1 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync.
Links to More Info: BT760406
Component: Local Traffic Manager
Symptoms:
A BIG-IP system in a high availability (HA) configuration might exhibit slow performance in handling TLS/SSL traffic and experience 'SSL handshake timeout' errors.
Messages such as the following can appear in the "ltm" log:
01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Conditions:
This might occur in either of the following scenarios:
Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.
Scenario 2
-- Saving configuration on an high availability (HA) Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.
Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.
In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The high availability (HA) system performance becomes degraded due to SSL connection timeout.
Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.
-- Set device management sync type to Automatic with incremental sync.
Fix:
N/A
Fixed Versions:
16.0.0, 15.1.5.1, 14.1.4.1
760355-3 : Firewall rule to block ICMP/DHCP from 'required' to 'default' ★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
760050-8 : "cwnd too low" warning message seen in logs
Links to More Info: BT760050
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: "cwnd too low."
The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
Fixed Versions:
16.0.0, 15.1.4, 14.1.2.7, 13.1.4.1
759988-2 : Geolocation information inconsistently formatted
Links to More Info: BT759988
Component: Fraud Protection Services
Symptoms:
The ${geo} pattern in the Logging Profile has only GeoIP data; however, in alerts that are sent to either the alert server or to BIG-IQ, the GEO data includes both GeoIP and GeoLocation information.
Conditions:
Configure ${geo} pattern in Logging Profile template and trigger a logging event.
Impact:
GeoLocation data is missing in logs written by Logging Profile when using ${geo} pattern.
Fix:
The ${geo} pattern in Logging Profile template now provides full GEO informaion, both GeoIP and GeoLocation, in the same format as in alerts.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1
759928-4 : Engineering Hotfixes might not contain all required packages
Links to More Info: BT759928
Component: TMOS
Symptoms:
An Engineering Hotfix might be missing certain required packages.
Conditions:
This can occur with certain Engineering Hotfixes.
Impact:
Some of the required packages may be missing.
Workaround:
None
Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
759799-3 : New rules cannot be compiled
Links to More Info: BT759799
Component: Advanced Firewall Manager
Symptoms:
When the number of firewall policy rules compiles to a blob sized over 2 GB, the blob size limit is exceeded and no new rules can be compiled. All traffic stops.
Conditions:
When compiled rules configured size exceeds 2 GB after a new rule is added.
Impact:
New rules cannot be compiled. Traffic stops.
Workaround:
Remove rules until the rules compile successfully.
Fixed Versions:
16.1.0, 15.1.4
759564-2 : GUI not available after upgrade
Links to More Info: BT759564
Component: TMOS
Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions
Shell prompt may show logger[1234]: Re-starting named
bigstart restart httpd fails
bigstart start httpd fails
Conditions:
Installation over a previously used Boot Volume
Impact:
Corrupt install
Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
758599-3 : IPv6 Management route is preferred over IPv6 tmm route
Links to More Info: BT758599
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.
Fixed Versions:
16.0.0, 15.1.0.3, 15.0.1.4, 14.1.2.7, 13.1.3.5
758336-5 : Incorrect recommendation in Online Help of Proactive Bot Defense
Links to More Info: BT758336
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
Fixed Versions:
16.1.0, 15.1.2.1, 14.1.4, 13.1.1.5, 12.1.5
758105-6 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
Links to More Info: BT758105
Component: TMOS
Symptoms:
Below messages get logged to /var/log/messages
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.
Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.
Workaround:
Manually edit /etc/pendsect/drives.xml as follows:
1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml
2. Open the file and add the following at the end of the file, before default:
<snip>
<WD1005FBYZ>
<offset firmware="RR07">0</offset>
<offset firmware="default">0</offset>
<family> "wd_Gold"</family>
<wd_name>"Gold"</wd_name>
</WD1005FBYZ>
<DEFAULT>
<firmware version="default">
<offset>0</offset>
</firmware>
<name> "UNKNOWN"</name>
<family> "UNKNOWN"</family>
<wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
3. Save and close the file.
4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
Fixed Versions:
15.1.6.1
758041-1 : LTM Pool Members may not be updated accurately when multiple identical database monitors are configured.
Links to More Info: BT758041
Component: Local Traffic Manager
Symptoms:
When two or more LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different LTM pools (with at least one pool member in each), the monitor status of some LTM pool members may not be updated accurately.
Other parameters of the affected LTM monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while LTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, LTM pool members that should be marked UP or DOWN by the configured LTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected LTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affectedLTM pool members members may be marked with the correct state.
Conditions:
This may occur when multiple LTM database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different LTM pools/members which share the same IP address and Port values.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored LTM pool members using an LTM database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each LTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system now correctly updates LTM pool members when multiple identical LTM database monitors are configured.
Fixed Versions:
16.0.0, 15.1.4.1, 14.1.2.7, 13.1.3.5
757279-3 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Links to More Info: BT757279
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.
Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.
Workaround:
None.
Fix:
Firewall manager can now edit firewall policies.
Fixed Versions:
15.1.0.5, 14.1.2.8, 13.1.1.5
756918-3 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs
Links to More Info: BT756918
Component: TMOS
Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.
Conditions:
This might occur with certain Engineering Hotfix builds.
Impact:
Engineering Hotfixes are unnecessarily large.
Workaround:
None
Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
756830-5 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
Fixed Versions:
17.1.2, 15.1.9
756812-3 : Nitrox 3 instruction/request logger may fail due to SELinux permission error
Links to More Info: BT756812
Component: Local Traffic Manager
Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.
The system posts messages in /var/log/ltm similar to the following:
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.
Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.
Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.
Workaround:
None.
Fix:
Nitrox 3 queue stuck occurrences are now logged as expected.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4.1
756540-1 : End-user may not be able to connect to VPN.
Links to More Info: BT756540
Component: Access Policy Manager
Symptoms:
When a virtual server without a connectivity profile is accessed with the request for a file pre/config.php, an invalid file is cached in the BIG-IP system's HTTP cache.
When the same request is later sent to a virtual server that does contain a connectivity profile, the invalid file from the cache is returned, which results in VPN connection failure.
Conditions:
-- APM is configured.
-- Virtual server without connectivity profile is configured.
-- Another Virtual server with connectivity profile is configured.
-- The first virtual server is accessed with an HTTP request for pre/config.php?version=2.0.
-- Then second virtual server is accessed with same request.
Impact:
End-user may not be able to use the VPN.
Workaround:
When the issue occurs, run the following command on the BIG-IP command line in order to clear the cache:
tmsh delete ltm profile ramcache all
Fix:
The caching functionality has been updated to ignore the caching of invalid files.
Fixed Versions:
16.0.0, 15.1.10
756313-6 : SSL monitor continues to mark pool member down after restoring services
Links to More Info: BT756313
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
-- To restore the state of the member, remove it and add it back to the pool.
-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.
Fixed Versions:
16.1.0, 15.1.9
756139-3 : Inconsistent logging of hostname files when hostname contains periods
Links to More Info: BT756139
Component: TMOS
Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:
-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.
Whereas other log files write the full name:
-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.
Conditions:
BIG-IP hostname contains periods or an FQDN:
[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
hostname bigip1.example.com
}
Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.
Workaround:
None.
Fix:
Hostnames are now written consistently for all log files in /var/log directory.
Behavior Change:
Syslog-ng was using truncated hostname (without FQDN) while logging. This release adds fqdn use_fqdn(yes) in the syslog-ng template, so the system now logs the full hostname (FQDN).
Fixed Versions:
16.0.1.1, 15.1.2, 14.1.3.1
755976-4 : ZebOS might miss kernel routes after mcpd deamon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
755317-3 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure
Links to More Info: BT755317
Component: TMOS
Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:
agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.
Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.
Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).
Workaround:
Manually extend the /var/log logical volume.
For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.
Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5
755197-5 : UCS creation might fail during frequent config save transactions
Links to More Info: BT755197
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
755033-1 : Dynamic Routes stats row does not appear in the UI
Links to More Info: BT755033
Component: Service Provider
Symptoms:
From UI, when navigate to the following path:
Statistics ›› Module Statistics : Local Traffic ›› Profiles Summary : Diameter Router.
The stat for 'Current number of dynamic routes' does not appear.
Conditions:
Any condition
Impact:
Unable to view dynamic routes statistics in the GUI
Workaround:
Look at the statistics from tmsh
Fix:
Dynamic Routes stats row is displayed properly in the UI
Fixed Versions:
16.0.0, 15.1.9
754932-1 : New SNMP MIB, sysVlanIfcStat, for VLAN statistics.
Links to More Info: BT754932
Component: TMOS
Symptoms:
V16.0.0 and v15.1.2 have a new SNMP MIB, sysVlanIfcStat, for VLAN statistics. Previously there were no ways to retrieve PVA statistics for each VLAN.
Conditions:
Viewing VLAN statistics through SNMP queries.
Impact:
PVA stats are not displayed.
Fix:
The new MIB, sysVlanIfcStat, includes several new statistics, including PVA statistics.
Example:
snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanIfcStat
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatNumber.0 = INTEGER: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/HA" = STRING: /Common/HA
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/external" = STRING: /Common/external
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/internal" = STRING: /Common/internal
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/HA" = Gauge32: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/external" = Gauge32: 1
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/internal" = Gauge32: 4
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/HA" = Counter64: 498576
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/external" = Counter64: 4053194
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/internal" = Counter64: 499668
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/HA" = Counter64: 3892
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/external" = Counter64: 56086
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/internal" = Counter64: 3898
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/HA" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/external" = Counter64: 3950
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/internal" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/external" = Counter64: 30
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/internal" = Counter64: 12
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/HA" = Counter64: 250558
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/external" = Counter64: 3792002
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/internal" = Counter64: 252154
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/external" = Counter64: 52115
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/internal" = Counter64: 6
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/HA" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/external" = Counter64: 3944
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/internal" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/HA" = Counter64: 5
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/external" = Counter64: 8
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/internal" = Counter64: 29
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/internal" = Counter64: 0
Fixed Versions:
16.0.0, 15.1.2
754924-1 : New VLAN statistics added.
Links to More Info: BT754924
Component: TMOS
Symptoms:
The tmsh command 'show net vlan' only displays statistics for each VLAN's interface, and not each VLAN's statistics.
Conditions:
This is encountered when running the command 'tmsh show net vlan'.
Impact:
You are unable to view PVA statistics.
Fix:
The tmsh command 'show net vlan' now displays each VLAN's statistics, including PVA statistics.
Behavior Change:
Starting in v16.0.0, the command 'tmsh show net vlan' now outputs each vlan's stats retreived from TMM, including PVA stats, immediately following 'customer-tag' and right before the list of interfaces.
Example:
[root@localhost:Active:Standalone] config # tmsh sho net vlan
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) f4:15:63:52:10:84
MTU 1500
Tag 4094
Customer-Tag
| Incoming Discard Packets 2
| Incoming Error Packets 0
| Incoming Unknown Proto Packets 0
| Outgoing Discard Packets 0
| Outgoing Error Packets 0
| HC Incoming Octets 28.8M
| HC Incoming Unicast Packets 121.2K
| HC Incoming Multicast Packets 121.2K
| HC Incoming Broadcast Packets 0
| HC Outgoing Octets 14.4M
| HC Outgoing Unicast Packets 8
| HC Outgoing Multicast Packets 121.2K
| HC Outgoing Broadcast Packets 45
| PVA Incoming Packets 5
| PVA Incoming Octets 443
| PVA Outgoing Packets 7
| PVA Outgoing Octets 3.2K
-----------------------
| Net::Vlan-Member: 1.1
-----------------------
| Tagged no
| Tag-Mode none
--------------------------------------------------------------------
| Net::Interface
| Name Status Bits Bits Pkts Pkts Drops Errs Media
| In Out In Out
--------------------------------------------------------------------
| 1.1 up 133.5M 31.5K 129.3K 17 36 0 10000SR-FD
-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) f4:15:63:52:10:85
MTU 1500
Tag 4093
Customer-Tag
| Incoming Discard Packets 0
| Incoming Error Packets 0
| Incoming Unknown Proto Packets 0
| Outgoing Discard Packets 0
| Outgoing Error Packets 0
| HC Incoming Octets 28.8M
| HC Incoming Unicast Packets 121.2K
| HC Incoming Multicast Packets 121.2K
| HC Incoming Broadcast Packets 1
| HC Outgoing Octets 14.4M
| HC Outgoing Unicast Packets 15
| HC Outgoing Multicast Packets 121.2K
| HC Outgoing Broadcast Packets 17
| PVA Incoming Packets 7
| PVA Incoming Octets 3.2K
| PVA Outgoing Packets 5
| PVA Outgoing Octets 443
-----------------------
| Net::Vlan-Member: 1.2
-----------------------
| Tagged no
| Tag-Mode none
--------------------------------------------------------------------
| Net::Interface
| Name Status Bits Bits Pkts Pkts Drops Errs Media
| In Out In Out
--------------------------------------------------------------------
| 1.2 up 133.5M 14.0K 129.3K 22 16 0 10000SR-FD
This feature is also available as of v15.1.2 on an 'opt-in' basis; default output is unchanged. A new db variable is available on v15.1.2 for controlling the output format. To change the output of 'tmsh show net vlan' so that it provides the new stats, run the command:
tmsh modify sys db vlan.pva.stats value enable
Output can be changed back to the old format at any time by running:
tmsh modify sys db vlan.pva.stats value disable
Fixed Versions:
16.0.0, 15.1.2
754335-3 : Install ISO does not boot on BIG-IP VE ★
Links to More Info: BT754335
Component: TMOS
Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).
Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.
Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.
Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.
Fix:
Fixed an issue with iso images not booting.
Behavior Change:
The fix introduces a behavioral change in the serial console prompt when compared to the legacy console. During DVD, USB, PXE installations, MOS reboots on hardware platforms:
The login prompt will read 'localhost login:' before changing to the 'switch_root' prompt.
After logging in as root, the prompt changes to 'switch_root'.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
753715-2 : False positive JSON max array length violation
Links to More Info: BT753715
Component: Application Security Manager
Symptoms:
False-positive JSON max array length violation is reported.
Conditions:
-- JSON profile is used.
-- The violation is coming for non-array under certain conditions.
Impact:
The system reports a false-positive violation.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
752077-1 : Kerberos replay cache leaks file descriptors
Links to More Info: BT752077
Component: Access Policy Manager
Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:
-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:
-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.
Impact:
APM end users experience intermittent log on issues.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
751719-2 : UDP::hold/UDP::release does not work correctly
Links to More Info: BT751719
Component: Carrier-Grade NAT
Symptoms:
UDP::hold/UDP::release do not work properly. Connections cannot be deleted and tmm logs an error:
crit tmm14[38818]: 01010289:2: Oops @ 0x2b6b31b:7903: Flow already has peer. Tried to overwrite.
Conditions:
iRule with UDP::hold/UDP::release
Impact:
UDP::hold/UDP::release does not work correctly
Fix:
UDP::hold/UDP::release now works correctly
Fixed Versions:
17.1.0, 15.1.10
751586-3 : Http2 virtual does not honour translate-address disabled
Links to More Info: BT751586
Component: Local Traffic Manager
Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.
Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.
Impact:
The traffic is still translated to the destination address to the pool member.
Workaround:
None.
Fix:
Translate-address disabled is working correctly now.
Fixed Versions:
16.0.0, 15.1.4, 14.1.2.1, 13.1.3.4, 12.1.4.1
751103-2 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
Links to More Info: BT751103
Component: TMOS
Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.
Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config
Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)
Scripts are stopped until the prompt is answered.
Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).
In the case of this script, you can also delete the management route definitions to prevent the question from being asked.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8
751032-5 : TCP receive window may open too slowly after zero-window
Links to More Info: BT751032
Component: Local Traffic Manager
Symptoms:
After a zero-window, TCP reopens its receive window with init-rwnd * mss bytes if sys db tm.tcpinitwinafterxon is enabled, and grows it as data is received. For a TCP connection with a large receive window, reaching the receive window limit might take some RTTs because init-rwnd is limited to 64.
Conditions:
-- A TCP profile with large receive window size.
-- A zero-window is sent.
-- TCP receive window is reopened when data is drained.
Impact:
TCP does not have the functionality to reopen its receive window more aggressively if needed, which might result in longer transfer times.
Workaround:
None
Fix:
A new sys db (tm.tcpinitwinmultiplierafterxon) is introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window.
Behavior Change:
A new sys db (tm.tcpinitwinmultiplierafterxon) has been introduced to provide TCP the functionality to reopen its receive window more aggressively after zero-window. It has a default minimum value of 1 and can be increased to a maximum of 100.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.4
749332-2 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
749007-1 : South Sudan is missing in the GTM region list
Links to More Info: BT749007
Component: TMOS
Symptoms:
South Sudan is missing from the region list.
Conditions:
-- Create a GTM region record.
-- Create a GTM region of Country South Sudan.
Impact:
Cannot select South Sudan county from GTM country list.
Workaround:
None
Fix:
South Sudan is now present in the GTM country list.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
748886-3 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
748561-2 : Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context
Links to More Info: BT748561
Component: Advanced Firewall Manager
Symptoms:
In Security :: Network Firewall :: Active Rules, when selecting any context (Global, Route Domain, Virtual Server, or SelfIP), the policy associated with the Virtual Server is listed, but not the rules within that policy.
Conditions:
Applies to any context policies.
Impact:
You cannot manage rules from the Active Rules page. This is GUI display issue and does not affect functionality.
Workaround:
In Security :: Options :: Network Firewall :: Firewall Options:
Disable Inline Rules.
This reverts to the legacy editor and displays the policy details.
Fix:
Network Firewall : Active Rules page now lists active rule entries for firewall policies associated with any context.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4
748333-5 : DHCP Relay does not retain client source IP address for chained relay mode
Links to More Info: BT748333
Component: Local Traffic Manager
Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.
Conditions:
Using DHCP chained relay mode.
Impact:
The src-address is changed when it should not be.
Workaround:
None.
Fix:
For chained relay mode there is now an option to preserve the src-ip, controllable by 'sys db tmm.dhcp.relay.change.src'.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4
747234-7 : Macro policy does not find corresponding access-profile directly
Links to More Info: BT747234
Component: Access Policy Manager
Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.
Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.
Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.
Workaround:
Apply the Access Policy manually after auto-discovery.
Fix:
Fixed an issue with not automatically applying the access policy after discovery.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
747020-2 : Requests that evaluate to same subsession can be processed concurrently
Links to More Info: BT747020
Component: Access Policy Manager
Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases
Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.
Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1
746861-3 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated ★
Links to More Info: BT746861
Component: TMOS
Symptoms:
The SFP interfaces do not come up, or they flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.
When interface flaps state changes such as those below are logged in ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN
Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.
This is typically observed on boot up after an upgrade to an affected version. And this may occur during normal reboot
Impact:
Traffic cannot be sent/received from these interfaces.
Workaround:
Disconnect and reconnect the cable.
Fix:
The interfaces now come up successfully. Occasional link bounce may be seen on reboot.
Fixed Versions:
16.0.0, 15.1.4, 14.1.2.5
746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Links to More Info: BT746348
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.7, 13.1.3.4, 12.1.5.2
745465-4 : The tcpdump file does not provide the correct extension
Links to More Info: BT745465
Component: TMOS
Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.
Conditions:
Whenever tcpdump is generated and downloaded.
Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.
Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.
Fix:
File name changed to support.tcpdump.tar.gz.
Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
744407-1 : While the client has been closed, iRule function should not try to check on a closed session
Links to More Info: BT744407
Component: Access Policy Manager
Symptoms:
tmm cores. System posts a message:
access::session exists is used during CLIENT_CLOSED iRule event.
Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.
Impact:
tmm may core. Traffic disrupted while tmm restarts.
Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.
Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4
743826-2 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
Links to More Info: BT743826
Component: Application Visibility and Reporting
Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.
Conditions:
Pool member with port any(0)
Impact:
Wrong error message printed to avrd.log
Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.
Fixed Versions:
17.0.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
743253-2 : TSO in software re-segments L3 fragments.
Links to More Info: BT743253
Component: Local Traffic Manager
Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.
Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.
Impact:
Already-fragmented traffic is fragmented again.
Workaround:
None
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4
743234-6 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
Links to More Info: BT743234
Component: TMOS
Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.
Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'
Impact:
The SNMPv3 value does not take effect.
Workaround:
Restart the daemons after changing the EngineID:
restart /sys service snmpd
restart /sys service alertd
Note: The SNMP daemon should be restarted before the Alert daemon.
Fix:
The new EngineID is used after being configured, and no longer requires daemon restart.
Fixed Versions:
16.0.0, 15.1.0.4
742753-5 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
Fix:
CSRF checks based on HTTP headers pre-logon have been improved.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
742628-1 : A tmsh session initiation adds increased control plane pressure
Links to More Info: BT742628
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
-- Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
-- You are running certain versions of BIG-IP software, specifically:
- 12.1.x versions earlier than 12.1.5.3.
- 13.1.x versions earlier than 13.1.3.4.
- Any 14.x version earlier than 14.1.4, except 14.1.2.6.
- 15.0.x versions earlier than 15.0.1.2.
- 15.1.x versions earlier than 15.1.0.4.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
Fix:
This issue is fixed in the following releases:
-- 12.1.5.3 and later
-- 13.1.3.4 and later
-- 14.1.2.6
-- 14.1.4 and later
-- 15.0.1.2 and later
-- 15.1.0.4 and later
-- 16.0.0 and later
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.3
742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST
Links to More Info: BT742549
Component: Application Security Manager
Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.
Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.
Workaround:
Use UTF-8.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.6
741702-2 : TMM crash
Links to More Info: BT741702
Component: TMOS
Symptoms:
TMM crashes during normal operation.
Conditions:
-- This can occur while passing normal traffic.
-- In this instance, APM and LTM are configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.4
740589-4 : MCPD crashes with core after 'tmsh edit /sys syslog all-properties'
Links to More Info: BT740589
Component: TMOS
Symptoms:
The syslog-ng consumes more than 95% of CPU starving other processes of CPU time. This leads to eventual Master Control Program Daemon (MCPD) crash with core.
Conditions:
Configuring non-existent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual MCPD crash with core. Traffic disruption while MCPD restart.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the non-existent local IP addresses with self-IP addresses.
or
-- Configure the remote destination host with a unique parameter in the configuration so that syslog works as expected when there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));
Fix:
Fixed circular loop due to configuration with empty (duplicate) persist-name. The configuration will still fail to load if it is invalid, but it will fail early in the process before consuming excessive CPU.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Links to More Info: BT739618
Component: Application Security Manager
Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
Fix:
Users can now create LTM rule in the BIG-IP Configuration Utility that controls ASM if have AWAF or MSP license.
Fixed Versions:
15.1.0.2, 14.1.2.3, 14.1.0, 13.1.3.2
739570-4 : Unable to install EPSEC package ★
Links to More Info: BT739570
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
739507-3 : Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check
Links to More Info: BT739507
Component: TMOS
Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.
Console shows messages similar to:
Starting System Logger Daemon...
[ OK ] Started System Logger Daemon.
[ 14.943495] System halted.
Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.
Impact:
The device halts and cannot be used.
Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.
If the system still halts, repeat from Step [1] above, until this no longer happens.
Fix:
If your device is running a version where ID 739507 is fixed:
[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.
The machine boots into the partition containing FIPS 140-2-enabled license.
[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If fatal errors persist, do not reboot (otherwise the system foes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.
Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.
[11] Truncate the file /config/f5_public/fipserr:
cat /dev/null > /config/f5_public/fipserr
Fixed Versions:
16.1.0, 15.1.0.5, 14.1.4, 13.1.1.2
739505-3 : Automatic ISO digital signature checking not required when FIPS license active ★
Links to More Info: BT739505
Component: TMOS
Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.
The system logs an error message upon an attempt to install or update the BIG-IP system:
failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)
Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.
Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.
Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.
Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.1.2
738964-4 : Instruction logger debugging enhancement
Component: Local Traffic Manager
Symptoms:
Specific platforms may experience a zip-engine lock-up for various reasons. When it happens, the symptoms follow a report pattern that declares the zip-engine requires reset. When resets persist, the instruction logger is unable to diagnose the value of the instructions sent to the zip-engine.
Conditions:
Invalid or unusual compression source data.
Impact:
Compression device goes off-line and CPU usage spikes as it takes over all compression responsibility. Lack of instruction logging makes it difficult to diagnose what occurred.
Workaround:
Disable hardware compression until issue is fixed.
Fix:
A new tcl variable, nitrox::comp_instr_logger has been added. It has four possible values: off, on, force-restart-tmm and force-reboot-host. This variable is used for diagnosing issues with the Nitrox compression engine.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4.1
738865-6 : MCPD might enter into loop during APM config validation
Links to More Info: BT738865
Component: Access Policy Manager
Symptoms:
Mcpd crashes after a config sync.
Conditions:
This can occur during configuration validation when APM is configured.
Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core
Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.
The Visual Policy Editor does not allow policies to be created if they contain loops.
Fix:
Fixed an mcpd crash related to policy loop detection in APM.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.2
738593-2 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not showed on webtop of native client.
Workaround:
None
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
738032-3 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
Links to More Info: BT738032
Component: Local Traffic Manager
Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.
Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.
Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.
Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
737692-4 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1
737098-1 : ASM Sync does not work when the configsync IP address is an IPv6 address
Links to More Info: BT737098
Component: TMOS
Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.
Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.
Impact:
ASM configuration does not synchronize across the Device Group.
Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
730852-1 : The tmrouted repeatedly crashes and produces core when new peer device is added
Links to More Info: BT730852
Component: TMOS
Symptoms:
There is a tmrouted crash when new peer device is added.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.
Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.4
726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Links to More Info: BT726518
Component: Local Traffic Manager
Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
Fixed Versions:
16.0.0, 15.1.2, 14.1.2.8, 13.1.3.6
724824-1 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Links to More Info: BT724824
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
724653-3 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.
Links to More Info: BT724653
Component: TMOS
Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.
For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan
And reloading the config will return the following error (as the partition has been deleted, including its flat config files):
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/urlcat_base.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.
These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.
Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.
Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.
Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:
0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
723112-8 : LTM policies does not work if a condition has more than 127 matches
Links to More Info: BT723112
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
Fix:
LTM policy now works for a condition with more than 127 matches.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
723109-1 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
722337-2 : Always show violations in request log when post request is large
Links to More Info: BT722337
Component: Application Security Manager
Symptoms:
The system does not always show violations in request log when post request is large.
Conditions:
A large post request with many parameters is sent.
Impact:
Although the violations is handled correctly, it is not reported.
Workaround:
Disable learning mode.
The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.
-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.7, 13.1.3.5
722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Links to More Info: BT722230
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.4, 12.1.5.2
720610-3 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
720440-6 : Radius monitor marks pool members down after 6 seconds
Links to More Info: BT720440
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.6, 12.1.5.2
719555-3 : Interface listed as 'disable' after SFP insertion and enable
Links to More Info: BT719555
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
Fixed Versions:
16.0.0, 15.1.1, 14.1.4, 13.1.5
719338-1 : Concurrent management SSH connections are unlimited
Links to More Info: BT719338
Component: TMOS
Symptoms:
There is no limit to the number of users that can login concurrently onto a BIG-IP system.
Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.
Impact:
System can potentially run out of memory.
Workaround:
Provide a way to limit the number of concurrent user SSH sessions.
Fix:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
+ Enables the feature; feature is functional with default values.
+ Defaults: feature is not enabled for admin/root privileged user.
+ Total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
+ Enables feature for admin/root privileged user.
+ Total session limit for all users is still 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
+ Changes the default global setting limit of 10 to the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
+ Sets the maximum session limit per user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
+ Sets the maximum number of sessions for a particular user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
Behavior Change:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
+ Enables the feature; feature is functional with default values.
+ Defaults: feature is not enabled for admin/root privileged user.
+ Total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
+ Enables feature for admin/root privileged user.
+ Total session limit for all users is still 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
+ Changes the default global setting limit of 10 to the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
+ Sets the maximum session limit per user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
+ Sets the maximum number of sessions for a particular user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
Fixed Versions:
16.1.0, 15.1.1, 14.1.4, 13.1.4
718573-3 : Internal SessionDB invalid state
Links to More Info: BT718573
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
SessionDB is accessed in a specific way that results in an invalid state.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.4
717806-1 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
716746-3 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Links to More Info: BT716746
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.0.7
715748-6 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
715032-1 : iRulesLX Hardening
Links to More Info: K73302459 , BT715032
Component: Local Traffic Manager
Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.
Conditions:
-iRulesLX in use
Impact:
iRulesLX does not follow current best practices.
Workaround:
None.
Fix:
iRulesLX now follows current best practices.
Fixed Versions:
16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3
714642-2 : Ephemeral pool-member state on the standby is down
Links to More Info: BT714642
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6
714502-3 : bigd restarts after loading a UCS for the first time
Links to More Info: BT714502
Component: Local Traffic Manager
Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.
Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check
Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.
Workaround:
System runs as expected after the bigd restart, and the user need not take any action.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
Links to More Info: BT714372
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.
Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.
Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.
Workaround:
Use an iRule to remove the Keep-Alive header:
when HTTP_RESPONSE_RELEASE {
HTTP::header remove keep-alive
}
Alternatively use an LTM Policy where this header is removed from a server's response.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.1, 14.1.4.4
714176-1 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Links to More Info: BT714176
Component: TMOS
Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.
Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.
Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.
Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.
1. Locate the dynad config in /config/bigip_base.conf file:
For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}
2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}
3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config
Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
713754-2 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
713614-7 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Links to More Info: BT713614
Component: TMOS
Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.
Impact:
Virtual Server does not fail over with floating traffic group as expected.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.4.6, 13.1.5
709952-4 : Disallow DHCP relay traffic to traverse between route domains
Links to More Info: BT709952
Component: Local Traffic Manager
Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.
Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.
Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.
Workaround:
There is no workaround at this time.
Fix:
A db key has been introduced, tmm.dhcp.routedomain.strictisolate, which allows enforcement of route domain traversal if desired/configured.
Fixed Versions:
16.0.0, 15.1.10, 13.1.1.5
706782-5 : Inefficient APM processing in large configurations.
Links to More Info: BT706782
Component: Access Policy Manager
Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.
Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.
Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.
Workaround:
None known.
Fixed Versions:
17.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.8
706521-2 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
Links to More Info: K21404407 , BT706521
Component: TMOS
Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.
Conditions:
Configure TACACS+ auditing forwarder.
Impact:
Exposes sensitive information.
Workaround:
None.
Fix:
The sensitive data is not exposed, and this issue is fixed.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
705768-2 : The dynconfd process may core and restart with multiple DNS name servers configured
Links to More Info: BT705768
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.
Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.
Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.
Workaround:
This issue occurs rarely. There is currently no known workaround.
Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
705112-6 : DHCP server flows are not re-established after expiration
Links to More Info: BT705112
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.
Fixed Versions:
16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3, 12.1.4.1, 11.5.9
697331-2 : Some TMOS tools for querying various DBs fail when only a single TMM is running
Links to More Info: BT697331
Component: Service Provider
Symptoms:
Command returns "No route to host" error.
Conditions:
Running diadb, sipdb, genericmsgdb or lsndb when only a single TMM is running.
Impact:
Unable to query SIP, Diameter, Generic-Message and LSN information from its corresponded DB query tool.
Workaround:
N/A
Fix:
Tools for querying various DBs now work regardless of the number of TMMs.
Fixed Versions:
16.0.0, 15.1.1, 14.1.3.1, 14.1.3
696755-5 : HTTP/2 may truncate a response body when served from cache
Links to More Info: BT696755
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
set con_len [string trim [HTTP::header value Content-Length]]
HTTP::header remove Content-Length
HTTP::header insert Content-Length "$con_len"
}
Fix:
With provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.0.6, 13.1.0.8
696348-5 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
Links to More Info: BT696348
Component: Service Provider
Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:
[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]
Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option
Impact:
The commands still be executed during runtime but the warning message may confuse user.
Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4
693473-6 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
692218-1 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Links to More Info: BT692218
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
691499-5 : GTP::ie primitives in iRule to be certified
Links to More Info: BT691499
Component: Service Provider
Symptoms:
The following commands in iRules are created and available but not officially tested and approved:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Conditions:
Using the following iRule commands:
GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove
Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.
Workaround:
None.
Fix:
GTP::ie primitives in iRule are now certified.
Behavior Change:
Certified pre-existing iRules:
-- GTP::ie set instance <ie-path> <instance>
Assigns <instance> to the information element (IE) instance at <ie-path>.
-- GTP::ie set value <ie-path> <value>
Assigns <value> to the IE value at <ie-path>.
-- GTP::ie insert <ie-path> <type> <instance> <value>
Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>
-- GTP::ie append [<ie-path>] <type> <instance> <value>
Appends a new IE of type <type> and instance <instance> with value <value> to the end of embeded IE of grouped-IE specified by <ie-path> or to the end of message if the grouped-IE <ie-path> is absent.
-- GTP::ie remove <ie-path>
Removes IE specified by <ie-path>.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4
686783-2 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
Normalized the URL before putting in the custom database.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
686395-3 : With DTLS version1, when client hello uses version1.2, handshake shall proceed
Links to More Info: BT686395
Component: Local Traffic Manager
Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with error of :unsupported version".
Conditions:
DTLS version1 handshake:
Handshake version 1.0 . (0xfeff)
Client hello version 1.2(0xfefd)
Impact:
DTLS functionalities.
Workaround:
N/A
Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.
Fixed Versions:
15.1.5, 12.1.3.4
685904-1 : Firewall Rule hit counts are not auto-updated after a Reset is done
Links to More Info: BT685904
Component: Advanced Firewall Manager
Symptoms:
When a rule is selected and the 'Reset Count' button is clicked, the command is executed but rule stats are not updated in the GUI.
Conditions:
This occurs when resetting the rule hit count stats in the GUI.
Impact:
Incorrect (stale) statistics are seen.
Workaround:
Refresh the page.
Fix:
Rule stats are now correctly updated in the UI after a 'Reset Count' is initiated.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.2
681010-4 : 'Referer' is not masked when 'Query String' contains sensitive parameter
Links to More Info: K33572148 , BT681010
Component: Application Security Manager
Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.
Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.
-- 'Query String' contains the defined sensitive parameter.
Impact:
"Referer" header contains unmasked value of the sensitive parameter.
Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.
Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
679751-2 : Authorization header can cause a connection reset
Links to More Info: BT679751
Component: Access Policy Manager
Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.
Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.
Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.
Workaround:
iRule workaround:
when HTTP_REQUEST {
if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
}
}
Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.
Fixed Versions:
16.1.0, 15.1.1, 14.1.2.8, 13.1.3.5
675911-12 : Different sections of the GUI can report incorrect CPU utilization
Links to More Info: K13272442 , BT675911
Component: TMOS
Symptoms:
The following sections of the GUI can report incorrect or higher than expected CPU utilization:
-- The 'download history' option found in the Flash dashboard.
-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).
Values such as 33%, 66%, and 99% may appear in these sections despite the system being completely idle.
Conditions:
HT-Split is enabled (default for platforms that support it).
Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.
Workaround:
-- You can obtain CPU history through various other means. One way is to use the sar utility.
- In 12.x and higher versions:
sar -f /var/log/sa6/sa
- or for older data:
sar -f /var/log/sa6/sa.1
- The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
- In 11.x:
sar -f /var/log/sa/sa
- or for older data
sar -f /var/log/sa/sa.1
- The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
-- Live CPU utilization can also be obtained through the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
674026-4 : iSeries AOM web UI update fails to complete. ★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
Fix:
AOM web UI update failures are now automatically corrected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
673272-2 : Search by "Signature ID is" does not return results for some signature IDs
Links to More Info: BT673272
Component: Application Security Manager
Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.
Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.
Impact:
You are unable to filter requests by some signature IDs.
Fix:
Fixed an issue with searching by signature ID.
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4
672963-2 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
669046-5 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.
Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.
You can use tmsh/bash to view audit logs larger than 10,000 lines.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
662301-2 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
648242-6 : Administrator users unable to access all partition via TMSH for AVR reports
Links to More Info: K73521040 , BT648242
Component: Application Visibility and Reporting
Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).
Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.
Impact:
AVR reports via TMSH will fail when using partition based entities.
Workaround:
None.
Fix:
Allowing for administrator users to get all partitions available on query.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 14.0.0.5, 13.1.0.8, 12.1.3.2
644192-2 : Query of "MX" or "any" RR type to a CNAME wide IP results in a NXDOMAIN reply
Links to More Info: K23022557 , BT644192
Component: Global Traffic Manager (DNS)
Symptoms:
Query of "MX" or "any" RR type to a CNAME wide IP results in a NXDOMAIN reply
Conditions:
A 'CNAME' Wide IP, and a DNS Express zone for the parent zone.
For example, CNAME wide IP for "www.siterequest.com" and a DNS Express zone for "siterequest.com"
Impact:
Depending on the configuration of a BIG-IP DNS device and the back end DNS server, an 'NXDOMAIN' response may be provided to the requesting client, despite a wideip partially matching the query (matching with a different RR type)
The DNS "NXDOMAIN" response code (rcode) indicates that the DNS server holds no records of any type for the specified query. For example, a query for type 'A' records for www.example.com will return NXDOMAIN if the back end DNS server is authoritative for example.com, and there are no RRs of any type for www.example.com.
By contrast, the DNS "NODATA" response (NODATA is indicated by a result code of 'NOERROR' and zero ANSWER records) indicates that the DNS server holds some data for that query, but not of the type requested (for example, a 'A' record exists, but the query was for 'TXT')
Cache resolvers will remember a NXDOMAIN for all record types related to DNS query, for example if a query for type 'A' returns NXDOMAIN from the back end DNS sever, DNS express will return NXDOMAIN not only for further type 'A' queries, but also for any other resource record type, such as 'AAAA' or 'MX' or 'TXT' etc.
In a situation where BIG-IP DNS has configuration for a wideip of a different type than was queried, but the back end DNS server holds no records, then the back end DNS server will correctly respond with NXDOMAIN, and the BIG-IP will pass that response to the client, despite the wideip of a different type existing in the config.
This NXDOMAIN response may then be cached further upstream, causing queries for all types of records for that particular query, to return NXDOMAIN, and future queries for the wideip will be answered by the cache, for the negative-cache duration, and not even make it to the BIG-IP DNS listener.
Workaround:
In versions of BIG-IP software that do not have a fix for the issue, the BIG-IP device can be configured to prevent a NXDOMAIN response being sent to the client.
Option 1: Create a dummy "www.siterequest.com" TXT record in ZoneRunner with the same name - this causes the query to be answered by zonerunner (bind).
Option 2: Create a ltm virtual server iRule, which conditionally alters the rcode to be 'NOERROR":
when DNS_RESPONSE {
if { [DNS::question name] eq "www.siterequest.com" } {
if { [DNS::header rcode] eq "NXDOMAIN" } {
DNS::header rcode NOERROR
DNS::authority clear
return
}
}
}
Fix:
In 16.1.0 and later, a 'gtm global-settings general allow-nxdomain-override' configuration setting has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.
In versions below 16.1.0 where this issue is fixed, there is a new DB key, 'gtm.allownxdomainoverride', which enables this configuration.
Note that this feature is not available for wildcard wideips. If DNS requests handledd by wildcard wideips need to return a NOERROR response, an irule will need to be used to make the change to the result code.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3
640842-5 : ASM end user using mobile might be blocked when CSRF is enabled
Links to More Info: BT640842
Component: Application Security Manager
Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.
Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.
Impact:
Client is blocked.
Workaround:
None.
Fix:
Enabling access for specific mobile application.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.2.7
639773-6 : BIG-IP AFM vulnerability CVE-2021-22983
Links to More Info: K76518456
615934-6 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Links to More Info: BT615934
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4, 13.1.3.5
608952-1 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
Links to More Info: BT608952
Component: Local Traffic Manager
Symptoms:
MSSQL health monitor always shows down.
Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.
Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.5, 14.1.2.7, 13.1.3.6, 12.1.5.3
605675-6 : Sync requests can be generated faster than they can be handled
Links to More Info: BT605675
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
Fixed Versions:
16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3, 11.6.5.2
601271-10 : CVE-2016-0723: TTY use-after-free race
Links to More Info: K43650115
594600-1 : No validation when delete iRule that is assigned to ACL policy
Links to More Info: BT594600
Component: Advanced Firewall Manager
Symptoms:
When an iRule is deleted, BIG-IP does not throw error even when it is configured under ACL policy.
Conditions:
-- AFM is provisioned
-- iRule is configured under an ACL Policy.
-- iRule is deleted
Impact:
iRule gets deleted without error. Later, the ACL policy won't be able to access the iRule.
Fix:
Added validation and an error message when an iRule is deleted which is configured under an ACL policy.
"The irule (/Common/iRule1) cannot be deleted because it is in use by a fw_rule (rule1) in Policy (/Common/policy11)."
Fixed Versions:
16.0.0, 15.1.10
593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
Links to More Info: K64445052 , BT593536
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.
Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.
Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.
Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.
Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8
592353-3 : Javascript parser incompatible with ECMA6/7+
Links to More Info: BT592353
Component: Access Policy Manager
Symptoms:
A web application may not work correctly when using Portal Access.
Conditions:
-- APM proxying a web application with Portal Access feature
-- Web-application uses ES6/7 or higher JavaScript syntax
Impact:
Web applications will fail to perform properly when using Portal Access.
Fix:
This is STEP 1 to support Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2 of Modern Javascript support is tracked with ID 957453. This fix is available via EngHF and removes the need for an iRule workaround in most cases.
Please ask support for help with workaround or the EngHF request.
Fixed Versions:
16.1.0, 15.1.9
583084-6 : iControl produces 404 error while creating records successfully
Links to More Info: K15101680 , BT583084
Component: TMOS
Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.
Conditions:
Creating GTM topology record without using full path via iControl.
Impact:
Resulting code/information is not compatible with actual result.
For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.
Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.
Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.
Fixed Versions:
16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
582666-1 : TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0"
Links to More Info: BT582666
Component: Local Traffic Manager
Symptoms:
/var/log/ltm is spammed with below shown logs:
Mar 23 08:21:52 slot2/technetium crit tmm[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Conditions:
One or more blades are administratively disabled on a chassis system.
Impact:
Detrimental to TMM performance.
Fix:
/var/log/ltm should no longer be spammed with these critical logs.
Fixed Versions:
16.0.0, 15.1.10
580715-2 : ASM is not sending 64 KB remote logs over UDP
Links to More Info: BT580715
Component: Application Security Manager
Symptoms:
REmote logs are missing. The following log messages appears in bd.log and asm.log:
ASM configuration error: event code L3350 Failed to write to remote logger vs_name_crc 1119927693 LoggingAccount.cpp:3348`remote log write FAILED res = -3 <Failed to send remote message (remote server not responding)> errno <Message too long>.
Conditions:
-- A remote logger configured for UDP.
-- Max message length of 64 KB.
Impact:
Missing logs in the remote logger.
Workaround:
You can use either of the following workarounds:
-- Change the remote logger to TCP.
-- Reduce the message length to 1 KB.
Fixed Versions:
17.0.0, 15.1.5
579219-5 : Access keys missing from SessionDB after multi-blade reboot.
Links to More Info: BT579219
Component: Access Policy Manager
Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.
Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.
Impact:
Some Access subkeys may be missing after the reboot.
Workaround:
Reboot the primary blade.
Fixed Versions:
16.0.0, 15.1.1, 14.1.2.8, 13.1.5
574762-2 : Forwarding flows leak when a routing update changes the egress vlan
Links to More Info: BT574762
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
Fix:
Fixed a memory leak with forwarding flows.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
569859-7 : Password policy enforcement for root user when mcpd is not available
Links to More Info: BT569859
Component: TMOS
Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.
Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.
Impact:
Root password may be set to a string that does not comply with the current password policy.
Workaround:
None.
Fix:
The system now enforces the password policy for root user, even when mcpd is not available.
Fixed Versions:
16.0.0, 15.1.3, 14.1.4.1
528894-6 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
490138-2 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers
Links to More Info: BT490138
Component: Access Policy Manager
Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently
Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm
Impact:
Kerberos authentication fails, user cannot log in
Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers
Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
489572-5 : Sync fails if file object is created and deleted before sync to peer BIG-IP
Links to More Info: K60934489 , BT489572
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
Fixed Versions:
16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
474797-8 : Nitrox crypto hardware may attempt soft reset while currently resetting
Links to More Info: BT474797
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
Fix:
A crypto soft reset attempt is now allowed to complete before another soft reset attempt can occur.
Fixed Versions:
16.0.0, 15.1.10, 12.1.5, 11.6.2, 11.5.7
470916-3 : Launching resources that are published on an apm webtop from multiple VMWare servers will fail when the Native View client is selected.
Links to More Info: BT470916
Component: Access Policy Manager
Symptoms:
If APM is configured to publish multiple VMware resources (VCS servers) on an APM Webtop, and you select the Native View Client when you launch a resource, you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in error.
Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers) and publish those resources on an APM Webtop.
-- You attempt to launch a desktop or application specifying the native VMware client on Windows
Impact:
Cannot access desktops and applications from multiple VMware back-ends.
Workaround:
Use HTML5 client instead.
Fix:
APM now supports launching of desktops and applications from multiple View resources published on the APM webtop using native View clients.
Note: Linux and Mac are not supported, as VMware has yet to add support for mid-parameter on Linux and Mac native clients.
Fixed Versions:
16.0.0, 15.1.6.1, 14.1.5
470346-3 : Some IPv6 client connections get RST when connecting to APM virtual
Links to More Info: BT470346
Component: Access Policy Manager
Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.
Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.
Impact:
Client connection is reset.
Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.
Fix:
All IPv6 clients can now connect through APM virtual server, regardless of the values of the last 4 bytes of the address.
Fixed Versions:
16.0.0, 15.1.4, 14.1.4.3, 13.1.5
431503-8 : TMSH crashes in rare initial tunnel configurations
Links to More Info: K14838 , BT431503
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
Fix:
TMM no longer crashes on neighbor messages during the initial tunnel config load process.
Fixed Versions:
15.1.1, 14.1.2.8, 13.1.3.5, 11.5.0
427094-2 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.
Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
423519-3 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Links to More Info: K74302282 , BT423519
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
405329-3 : The imish utility cores while checking help strings for OSPF6 vertex-threshold
Component: TMOS
Symptoms:
The imish (vtysh) utility dumps core while checking help strings for the OSPF6 vertex-threshold command from OSPF mode.
Conditions:
-- Routing enabled.
-- Configuring OSPF vertex-threshold for either IPv4 or IPv6.
-- Requesting help for the OSPF6 vertex-threshold command.
Impact:
There is an imish (vtysh) crash.
Workaround:
None.
Fix:
Updated with the proper help strings for the OSPF6 vertex-threshold command.
Fixed Versions:
16.0.0, 15.1.0.5, 14.1.4.6
398683-4 : Use of a # in a TACACS secret causes remote auth to fail
Links to More Info: K12304
Component: TMOS
Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.
Conditions:
TACACS secret contains the '#' character.
Impact:
TACACS remote auth fails.
Workaround:
Do not use the '#' character in the TACACS secret.
Fixed Versions:
16.1.0, 16.0.1.1, 15.1.9
1702565-1 : tmsh configuration save improvements
Component: TMOS
Symptoms:
In some scenarios, saving system configuration does not work properly.
Conditions:
NA
Impact:
NA
Workaround:
Permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users
Fix:
The configuration issue has been resolved.
Fixed Versions:
15.1.10.6
1689953-1 : tmsh configuration save improvements
Component: TMOS
Symptoms:
In some scenarios, saving system configuration does not work properly.
Conditions:
NA
Impact:
NA
Workaround:
Permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users
Fix:
The configuration issue has been resolved.
Fixed Versions:
15.1.10.6
1689781-3 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied.
Fixed Versions:
17.1.2, 15.1.10.6
1615861-3 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied
Fixed Versions:
17.1.1.4, 16.1.5.1, 15.1.10.5
1593681-3 : Monitor validation improvements
Links to More Info: K000140061 , BT1593681
1495217-1 : TMUI hardening
Links to More Info: K000138636 , BT1495217
1494833-4 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898 , BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack signature is passed instead of getting blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4
1492361-3 : TMUI Security Hardening
Links to More Info: K000138894 , BT1492361
1449709-4 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912 , BT1449709
1391357-2 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909 , BT1391357
1381357-3 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365 , BT1381357
1378329-3 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
17.1.1.4, 16.1.5, 15.1.10.5
1366025-3 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106 , BT1366025
1360917-3 : TMUI hardening
Links to More Info: K000138520 , BT1360917
1355117-1 : TMM core due to extensive memory usage ★
Links to More Info: K000137374 , BT1355117
Component: Access Policy Manager
Symptoms:
User observes TMM core due to extensive memory usage.
Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.
Impact:
User observes TMM core and fail over will occur.
Workaround:
None
Fix:
TMM does not core due to successive logoffs.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10.3
1354253-3 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322 , BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3
1324745-3 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689 , BT1324745
1316277 : Large CRL files may only be partially uploaded
Links to More Info: K000137796 , BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3
1314301-3 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334 , BT1314301
1307697 : IPI not working on a new device - 401 invalid device error from BrightCloud
Links to More Info: BT1307697
Component: Advanced Firewall Manager
Symptoms:
IPI update is failing with below error:
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)
Conditions:
Only IPI update will stop working.
Impact:
IPI stop working.
Workaround:
No workaround
Fix:
IPI license will work for all platforms.
Fixed Versions:
17.1.1, 15.1.10
1305865 : Drop in performance with high throughput on BIG-IP 15.1.9 Virtual Edition or tenants on r2000 or r4000 hosts.
Links to More Info: BT1305865
Component: Local Traffic Manager
Symptoms:
Up to 30% drop in performance due to non-optimal DAG algorithm.
Conditions:
BIG-IP version 15.1.9 or 15.1.9.1 BIG-IP Virtual Edition or tenants on r2x00 or r4x00 systems.
Impact:
There is up to a 30% drop in the performance of the traffic.
The impact will be higher on systems where packet throughput is very high and a substantial amount of the CPU use was already used for servicing packet throughput.
Workaround:
None
Fixed Versions:
15.1.10
1304957-5 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450
Links to More Info: K000135040 , BT1304957
1304497 : SIGSEGV core during HUDEVT_EXPIRED
Links to More Info: BT1304497
Component: TMOS
Symptoms:
Tmm crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through tmm.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash.
Fixed Versions:
15.1.10
1303185-2 : Large numbers of URLs in url-db can cause TMM to restart
Links to More Info: BT1303185
Component: SSL Orchestrator
Symptoms:
TMM continuously restarts during startup.
Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".
Impact:
TMM is unusable.
Workaround:
Large numbers of globs that start with the below should be OK:
".*://"
".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302925 : Failed to load detected bots list , when you clicked on Bot Category
Links to More Info: BT1302925
Component: Application Security Manager
Symptoms:
An error occurs while trying to access the bot event logs.
Conditions:
The bot events logs has N/A bot categories, and you clicked on one of them to see details.
Impact:
After clicking on the N/A bot categories, you will get an error when you click on a specific category in the event logs (for example, if you click on “Search Engine Masquerading” in Bot Categories)
Workaround:
"bigstart restart asm" will allow to click again and see details for a specific category.
But if you click again on the 'N/A' bot category in the events log, it will reproduce again the issue.
Fix:
You can see the details for a specific category and for N/A with no errors.
Fixed Versions:
15.1.10
1302689-1 : ASM requests to rechunk payload
Links to More Info: BT1302689
Component: Application Security Manager
Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.
Conditions:
Content-Length header is missing from the HTTP response.
Impact:
Transfer-Encoding: chunked header is added to the response.
Workaround:
None
Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302677-1 : Memory leak in PEM when Policy is queried via TCL
Links to More Info: BT1302677
Component: Policy Enforcement Manager
Symptoms:
Memory leak of struct size ummem_alloc_112.
Conditions:
[PEM::session config policy get [IP::client_addr]]
If above configuration is present in irule/format script
and subscriber has ipv6 address.
Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.
Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.
Remove below configuration:
[PEM::session config policy get [IP::client_addr]]
Fix:
Code fixed to avoid memory leak.
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1301197-4 : Bot Profile screen does not load and display large number of pools/members
Links to More Info: BT1301197
Component: Application Security Manager
Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).
Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.
Impact:
Bot Profile screen cannot be loaded.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1296489-4 : ASM UI hardening
Links to More Info: K000138047 , BT1296489
1295113 : LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00
Links to More Info: BT1295113
Component: F5OS Messaging Agent
Symptoms:
For an LACP interface configured on the platform LACP mode is always shown as ACTIVE even though it is configured as PASSIVE on the platform.
Conditions:
When the LACP interface is configured on the platform and associated with a VLAN and a tenant is launched with the same VLAN.
Impact:
This is more of a show issue, There is no impact on the datapath or functionality as LACP mode is a configuration used when LACP protocol is running. For a tenant on Rx00 platforms, LACP protocol runs on the platform but not in the tenant.
Workaround:
None
Fix:
None
Fixed Versions:
15.1.10
1295017-1 : TMM crash when using MPTCP
Links to More Info: K000138477 , BT1295017
1295009-4 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
Links to More Info: BT1295009
Component: Application Security Manager
Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.
Conditions:
Concurrent HTTP requests contain the same JSON data.
Impact:
JSON schema validation fails.
Workaround:
None
Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1293193-1 : Missing MAC filters for IPv6 multicast
Links to More Info: BT1293193
Component: TMOS
Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.
Conditions:
- BIG-IP VE
- Using TMM's IAVF driver
Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292793-1 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, then
disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1292685-1 : The date-time RegExp pattern through swagger would not cover all valid options
Links to More Info: BT1292685
Component: Application Security Manager
Symptoms:
Some valid hours option would not match the Regular Expression (RegExp).
Conditions:
Creating a policy using swagger file and uploading a swagger file which contains parameter in date time format.
Impact:
Valid hours options 10 and 19 would not match the RegExp.
Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
Fix:
The date-time regular expression for swagger is fixed and now suppose to cover all valid options.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1291993-1 : When using http2-to-http-gateway, tmm can crash in very rare circumstances
Links to More Info: BT1291993
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts
Conditions:
When using http2 http gw, and chunking is present at the serverside, under very rare circumstances tmm can restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash anymore.
Fixed Versions:
15.1.10
1291565-1 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod
Fix:
Cleanup the multicast entries populated on old device name when the name is updated.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1291149-2 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.
Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed, no corruption or cores observed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1290889-3 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792 , BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (i.e. tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1289997-1 : Tenant clustering fails when adding a lower number slot to Tenant
Links to More Info: BT1289997
Component: F5OS Messaging Agent
Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.
Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.
Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.
Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.
Fixed Versions:
17.1.1, 15.1.10
1289549-2 : TCP RST internal error in tcpproxy bad transition during SSL connection closure.
Links to More Info: BT1289549
Component: Local Traffic Manager
Symptoms:
The BIG-IP RSTs connection with Internal error in tcpproxy bad transition.
Conditions:
Issue occurs when following condition is met:
Client - DUT1 - DUT2 - Server
-> Configure https virtual server on both DUT1 and DUT2
-Configure client-ssl profile with 'maximum-record-size' set to 256 and unclean-shutdown to disabled
- Configure tcp profile with nagle enabled
-> On DUT1 configure a default https in-tmm monitor monitoring a DUT2.
-> On Server, make sure the response spans 3 to 4 times the SSL record size.
Impact:
Connection closes abruptly on serverside.
Workaround:
None
Fix:
Connection closes as expected.
Fixed Versions:
15.1.10
1289365-3 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode ★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1289189-2 : In certain traffic patterns, TMM crash
Links to More Info: K000137333 , BT1289189
1288729-1 : Memory corruption due to use-after-free in the TCAM rule management module
Links to More Info: BT1288729
Component: TMOS
Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.
Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Released variable is cleared to avoid use-after-free.
Fixed Versions:
17.1.1, 15.1.10
1287981-1 : Hardware SYN cookie mode may not exit
Links to More Info: BT1287981
Component: TMOS
Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.
Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.
Impact:
-- SYN/ACK responses that include a SYN cookie are generated by HW even after a SYN flood attacked has stopped.
-- SYN pkts are not seen by the virtual server.
Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".
Fix:
Virtual servers properly exit HW SYN cookie mode.
Fixed Versions:
17.1.1, 15.1.10
1287821-1 : Missing Neuron/TCAM rules
Links to More Info: BT1287821
Component: TMOS
Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error :
Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)
Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.
Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.
Workaround:
None
Fix:
Rules are created correctly for all virtual servers.
Fixed Versions:
17.1.1, 15.1.10
1287313-1 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1286433-1 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances
Links to More Info: BT1286433
Component: TMOS
Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0)
Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP
Impact:
Improvement in ASM performance.
Workaround:
None (because this change is an improvement that alleviates performance regression)
Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.
Fixed Versions:
17.1.1, 15.1.9
1286357-1 : Reducing packet loss for BIG-IP instance running on r2k / r4k appliances
Links to More Info: BT1286357
Component: Local Traffic Manager
Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on r2k / 4k appliances. This causes DNS performance to regress.
Conditions:
BIG-IP vCMP instance running on r2k / r4k appliances
DNS traffic (or other UDP traffic as well) flowing through BIG-IP
Impact:
Reduction in packet loss.
Workaround:
None (This change is an improvement that alleviates performance regression)
Fix:
The rx/tx ring buffer sizes of iavf driver have been increased.
Fixed Versions:
17.1.1, 15.1.9
1286101-4 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.
Conditions:
The E notation is without a dot.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a dot or disable schema validation violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1285173-4 : Improper query string handling on undisclosed pages
Links to More Info: K000133474 , BT1285173
1284261-2 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.
Very aggressive lease settings causing constant lease refresh may be a configuration example leading to the problem.
Impact:
Failover/crash.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1283645-2 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282513 : Redirections on the lowest numbered blade in mirroring configuration.
Links to More Info: BT1282513
Component: TMOS
Symptoms:
Incorrect DAG context mirroring causes redirections on the lowest numbered blade.
Conditions:
- B4460 platform.
- Mirroring is enabled.
- Failover is performed.
Impact:
The lowest numbered blade is redirecting packets, which can be checked by executing `tmctl -d blade tmm/flow_redir_stats`.
It can cause traffic disruption/performance loss.
Workaround:
N/A
Fix:
Fixed incorrect DAG context mirroring causing redirections on the lowest numbered blade.
Fixed Versions:
17.1.1, 15.1.9
1282357 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.
Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
set collects 0
TCP::collect
}
when CLIENT_DATA {
if { $collects eq 1 } {
HTTP::disable
HTTP::disable
}
TCP::release
TCP::collect
incr collects
}
when HTTP_REQUEST {
log local0. "Request"
}
when HTTP_DISABLED {
log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow
Fix:
Treat disable via iRule as a NOP when a disable is in progress
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1282281-2 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message in /ts/log/ts_debug.log and WAF enforcement is not complete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Perform an apply policy operation on all policies.
Fix:
Roll forward upgrade is successful.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1281709-2 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1281637 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1280281-2 : SCP allow list may have issues with file paths that have spaces in them
Links to More Info: BT1280281
Component: TMOS
Symptoms:
SCP may error out.
Conditions:
A file path with a space that is allowlisted in /config/ssh/scp.whitelist.
This affects BIG-IP 14.x.x and BIG-IP 15.x.x only if running an EHF with BugID 819429 is included.
Impact:
May not copy files to a path present under allow list.
Workaround:
Remove spaces from any allowlisted file paths.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1272537 : TMM high memory due to ping_access_agent
Links to More Info: BT1272537
Component: Access Policy Manager
Symptoms:
Tmm memory steadily increases, due to ping_access_agent
Conditions:
-- Ping access feature configured;
-- The initial ping agent request receives a response with generic custom status code 477 (which means agent repeats agent request with request body).
Impact:
Connectivity issues with Virtual IP addresses and broken services as memory increases over time which could result in an out-of-memory condition and HA action.
Workaround:
None
Fix:
Fixed an issue with the ping agent.
Fixed Versions:
15.1.10
1271349-2 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098 , BT1271349
1269889-2 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269773-4 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order length is sent as argument instead of host-order length.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
Handshake fails with illegal parameter alert.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1269733-4 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.
The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.
Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.
Impact:
The HTTP GET request causing timeout.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1268521-2 : SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned.
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
The client is unable to authenticate with VMware VDI using SAML when multiple remote desktop (i.e. Windows App) resources are assigned to Webtop.
Conditions:
1. Webtop with VMware View Client access or HTML5 is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration or
4. Password based SSO with different username and password on each remote desktop resource is used.
Impact:
The remote desktop does not open.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1265425-3 : Improper query string handling on undisclosed pages
Links to More Info: K000134535 , BT1265425
1259489-1 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256841-2 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.
Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable
Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1253649 : RPM error log in liveinstall.log and TMM error with failed to load/open library during upgrade ★
Links to More Info: BT1253649
Component: TMOS
Symptoms:
During a BIG-IP upgrade, an RPM error occurs and is logged to /var/log/liveinstall.log. The nature of the error has RPM post nodpdk script failure in one of the packages.
After the RPM post nodpdk script failure occurs, the upgrade status is reported as success.
Upon rebooting to the upgraded BIG-IP version, TMM logs following error, that it cannot open a library:
localhost.localdomain notice ERROR: dlopen(libtcl_xnet.so) failed
Conditions:
- Upgrading BIG-IP 13.x and BIG-IP 14.0.x to BIG-IP 15.1.6/15.1.7/15.1.8.
- This issue impacts platforms other than VE.
Impact:
TMM fails to load a library. This can impact or disrupt traffic.
Workaround:
Upgrade the BIG-IP in the following sequence:
Upgrade BIG-IP 13.1.3.6 to BIG-IP 15.1.5.1 and then to BIG_IP 15.1.6.1.
Fix:
Updated post nodpdk install script for failed RPM package to address the problem.
Fixed Versions:
15.1.10
1253481-2 : Traffic loss observed after reconfiguring Virtual Networks
Links to More Info: BT1253481
Component: Local Traffic Manager
Symptoms:
The traffic exiting from the tenant is being forwarded to an incorrect virtual network.
Conditions:
Reconfigure Virtual-wire by removing the current configured Virtual networks and adding another pair of virtual networks in one step and commit it.
Impact:
NTI Identifier is populated incorrectly causing traffic loss.
Workaround:
Remove the existing Virtual Networks. Commit the changes. Now reconfigure the Virtual networks and commit again.
Fix:
Modify Virtual Networks has been handled to resolve the issue. Add/Remove were handled already.
Fixed Versions:
17.1.1, 15.1.10
1252405 : HTTP Invalid action:0x10a090 serverside
Links to More Info: BT1252405
Component: Local Traffic Manager
Symptoms:
When using HTTP2 GW configuration, and suspending iRule commands and http::collect, under certain circumstances the connection might be interrupted, and invalid action:0x10a090 serverside displays in the logs.
Conditions:
- HTTP2 GW configuration
- Suspending iRule and http::collect.
Impact:
Invalid action:0x10a090 serverside.
Workaround:
Do not use iRule http::collect.
Fix:
The connection is not interrupted.
Fixed Versions:
15.1.10
1252005-2 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop
Impact:
USB device is not available.
Workaround:
None.
Fix:
USB device should be available
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1251157 : Ping Access filter can accumulate connections increasing the memory use
Links to More Info: BT1251157
Component: Access Policy Manager
Symptoms:
The maximum HTTP header count value for ping access is 128. The connection to the backend is aborted if there are more than 128 headers.
Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.
Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.
Workaround:
None
Fix:
Fixed the issue with the ping access filter.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1251105-3 : DoS Overview (non-HTTP) - A null pointer was passed into a function
Links to More Info: BT1251105
Component: Advanced Firewall Manager
Symptoms:
In BIG-IP version all 15.1 builds, when protected object filter is selected in Security > DoS overview page, it displays following error:
Error : DoS Overview (non-HTTP) - A null pointer was passed into a function
Schema changes updated in BIG-IP version 15.1.8 which added context_name and context_type to the mcp_network_attack_data_stat_t structure used to report DoS attack stats.
The MCP code that fills in these fields in the structure when responding to the stats request was not inculded, thus an attempt to get the stats, result in detection of a NULL pointer.
Conditions:
Configure a protection profile.
Create a protected object by attaching the protection profile.
Select protected object filter in DoS Overview (non-HTTP) page.
Impact:
This issue avoids usage of GUI partially.
Workaround:
None
Fix:
Updates are implemented to compile the required fields so that NULL pointer is not returned and selected protected object is returned.
Fixed Versions:
15.1.10
1251033-2 : HA is not established between Active and Standby devices when the vwire configuration is added
Links to More Info: BT1251033
Component: Local Traffic Manager
Symptoms:
Active and Standby shows disconnected since the HA packets are not exchanged resulting in failure to establish HA.
Conditions:
Condition occurs only when the vwire configs are added to the tenant.
Impact:
-- HA fails to establish, Active and Standby shows disconnected.
-- Config sync between the Active and Standby is not established.
Workaround:
HA exchange packets or failover packets mode should be set to default mode.
Fix:
HA fix Optimized
Fixed Versions:
17.1.1, 15.1.10
1251013-3 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF Parser fails if the URIs are not as per RFC.
It is required to not validate against the RFC for proper URI formatting, required message headers, and usage of defined method names.
Conditions:
- SIP URIs are not formatted as per RFC.
Impact:
MRF parser allows URI formats which are not comply with RFC.
Workaround:
None
Fix:
Set allow-unknown-methods to enabled in SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1250077-3 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing process is unable keep pace with the incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time and could crash due to Out of Memory (OOM) issue.
Workaround:
None
Fix:
A new DB variable dnssec.signwaitqueuecap is introduced to configure the limit for the software based crypto operations for DNSSEC.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests on crypto software queue.
tmsh modify sys db dnssec.signwaitqueuecap value <value>
this value sets the capacity per TMM process.
Fixed Versions:
17.1.1, 15.1.10
1240937-2 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1240121-2 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643 , BT1240121
1239901-1 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1238629-3 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521 , BT1238629
1238413-2 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1238321-3 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249-4 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1235813-10 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946 , BT1235813
1235801-3 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941 , BT1235801
1232997 : IPSEC: The tmm process may exit with 'Invalid policy remote index'
Links to More Info: BT1232997
Component: TMOS
Symptoms:
The tmm process restarts after logging the following message to /var/log/tmm*:
notice panic: iked/isakmp.c:2338: Assertion "Invalid policy remote index" failed.
Conditions:
May occur during an SA deletion or an update of IPsec configuration.
Impact:
Unexpected high availability (HA) failover, or interruption to traffic processing on a standalone unit, while the tmm process restarts.
Workaround:
None
Fix:
When the remote index is null, the system gracefully fails the init packet creation. Continuous traffic to the BIG-IP system retriggers the tunnel, and the IPsec config will be updated by then.
Fixed Versions:
16.1.4, 15.1.10
1232521-1 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources will be consumed as these type of lingering connections accumulate
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1230753 : HTTP/2 sends RST_STREAM for completed streams
Links to More Info: BT1230753
Component: Local Traffic Manager
Symptoms:
Unwarranted RST_STREAM frames on server side, on completed streams.
Conditions:
HTTP/2 full proxy configuration.
Impact:
HTTP/2 will erroneously send RST_STREAM, which violates the RFC.
Workaround:
None
Fix:
HTTP/2 should not send RST_STREAM to server after receiving response.
Fixed Versions:
15.1.9
1230709 : Remove unnecessary logging with nsec3_add_nonexist_proof
Links to More Info: BT1230709
Component: Global Traffic Manager (DNS)
Symptoms:
For few DNSSEC queries to non-existent domains, NSEC3 records will be missing.
Following log message is included:
nsec3_add_nonexist_proof: to_prove returns NULL with qname
Conditions:
Receives DNSSEC request to a non-existent query.
Impact:
Missing NSEC3 records.
Workaround:
None
Fixed Versions:
16.1.4, 15.1.10
1229813-3 : The ref schema handling fails with oneOf/anyOf
Links to More Info: BT1229813
Component: Application Security Manager
Symptoms:
In JSON schema validation, it fails in handling of a ref schema that is referenced from multiple places under oneOf/anyOf.
Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.
Impact:
JSON schema validation fails and request gets blocked.
Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1229417-3 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.
Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229369-1 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1226121-3 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connection.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225941-1 : OLH Default Values on Notification and Early Retransmit Settings
Links to More Info: BT1225941
Component: Global Traffic Manager (DNS)
Symptoms:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit, has incorrect default values.
Conditions:
Online Help description of the 2 settings, Explicit Congestion Notification and Early Retransmit setting is disabled by default.
Impact:
NO
Workaround:
None
Fix:
Modified help string so that default is enabled[default, this setting is enabled.]
Fixed Versions:
15.1.10
1225789-3 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1224409-2 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1223369-4 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946 , BT1223369
1220629-4 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675 , BT1220629
1218813-3 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag might not complete properly leaving TMM in an inoperational state. The 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1215613-1 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In var/log/ltm following error log is available:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In High Availability (HA) system ConfigSync-IP is set to IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1215401 : Under Shared Objects, some country names are not available to select in the Address List
Links to More Info: BT1215401
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DOS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone as the list of regions should be known that are configurable in BIG IP.
Fix:
The database query is modified such that the list of countries is ordered first followed by a list of countries with regions.
Fixed Versions:
16.1.4, 15.1.9
1215165 : Support added for Microsoft Azure Managed HSM
Links to More Info: BT1215165
Component: Local Traffic Manager
Symptoms:
Azure Managed HSM integration with BIG-IP is now supported.
Conditions:
Using an Azure Managed HSM as HSM client with BIG-IP.
Impact:
Azure Managed HSM integration with BIG-IP is now supported.
Fix:
BIG-IP now supports using an Azure Managed HSM as an HSM client.
Fixed Versions:
15.1.8.1
1214073-1 : LACP Trunks are not created in TMM on R2800/R4800 platforms.
Links to More Info: BT1214073
Component: Local Traffic Manager
Symptoms:
When a BIG-IP tenant is launched with LACP trunks on R2800/R4800 platforms, LACP Trunk is not being created at the TMM level.
Conditions:
When LACP Trunk is created with a VLAN associated to it and a tenant is launched with VLAN associated to LACP Trunk.
Impact:
LACP Trunks will not be created in TMM level.
Workaround:
Change the distribution hash configuration of the LACP Trunk being attached to the tenant on the platform.
Fixed Versions:
17.1.0, 15.1.9
1214069-1 : Potential data leak inside Ethernet padding field on rseries/VELOS architecture products
Links to More Info: K000139217 , BT1214069
1213305-2 : Improper query string handling on undisclosed pages
Links to More Info: K000132726 , BT1213305
1211985-3 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1211885-1 : Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1
Links to More Info: BT1211885
Component: Advanced Firewall Manager
Symptoms:
If the protected zone feature is enabled and configured, when the BIG-IP is upgraded from 15.1.8 to 15.1.8.1, then the loading of the configuration will fail as the feature is disabled in the 15.1.8.1 build.
Conditions:
Zone based DDoS feature enabled and provisioned on release 15.1.8.
Impact:
Upgrade from 15.1.8 to 15.1.8.1 will fail when the protected-zone object is provisioned in release 15.1.8 and the user upgrades to 15.1.8.1.
Note: The variable dos.protectedzone will be enabled by default in future releases (17.1.0, 16.1.4, and 15.1.9). Upgrading to a future releases will be successful.
Workaround:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.
Fix:
Enable the variable dos.protectedzone manually and reload the configuration. The protected-zone configuration will load successfully.
Fixed Versions:
17.1.0, 15.1.9
1211513-1 : Data payload validation is added to HSB validation loopback packets
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
No impact, this is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.
Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds following two new db variables that can be altered with TMSH modify sys db:
- The variable tmm.hsb.loopbackValidation is enabled by default, change it to disabled to stop the loopback validation packets sent to HSB.
- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
Typically, the log message will then be followed by a reboot.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1211341-3 : Failed to delete custom monitor after dissociating from virtual server
Links to More Info: BT1211341
Component: Global Traffic Manager (DNS)
Symptoms:
When dissociated from virtual server, unable to delete custom monitor.
Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor
Impact:
Unable to delete custom monitor.
Workaround:
None
Fix:
The custom monitor can be deleted after dissociating from virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1211297 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1211021-3 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
Links to More Info: BT1211021
Component: Advanced Firewall Manager
Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.
Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.
Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.
Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.
Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.
Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1210469-5 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1210433-1 : Conversion between virtual-wire VLAN and normal VLAN
Links to More Info: BT1210433
Component: Local Traffic Manager
Symptoms:
In tenant-based platforms, VLAN can be configured on the tenants. On platforms supported with virtual-wire, adding a virtual-wire would cause a conversion of normal VLAN to virtual-wire VLAN and vice-versa. After conversion, the following error message is displayed.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/vlan-11-31.
This issue has been fixed with this.
Conditions:
Virtual-wire enabled tenants to see this issue.
Impact:
The tenant will not become operationally up.
Workaround:
None
Fix:
With the fix, normal VLAN and virtual-wire VLAN can co-exist.
Fixed Versions:
17.1.0, 15.1.9
1209945 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1209709 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209561-2 : License is not operational after reboot and an error is logged in /var/log/ltm
Links to More Info: BT1209561
Component: TMOS
Symptoms:
The below error will be logged on /var/log/ltm during the startup and the "Reboot Required" prompt may appear even after multiple reboots.
mcpd[9528]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Also,
The Database error (13) will be logged in /var/log/ltm during startup:
err mcpd[]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:private_mac_addr_freelist status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- 15.1.4 to 15.1.8.2
Impact:
The license is not operational and the services may not run. Also, it may impact traffic.
Workaround:
Ensure the mcpd daemon is running using the command "bigstart status mcp" in the BIG-IP shell and restart the chmand daemon using the command "bigstart restart chmand".
[root@bigip1:Active:Standalone] config # bigstart status mcpd
mcpd run (pid 16367) 3 days
[root@bigip1:Active:Standalone] config # bigstart restart chmand
[root@bigip1:Active:Standalone] config #
If you enter the above commands, there is a possibility of traffic interruption.
Fix:
A communication issue occurred between the chmand and mcpd daemons while exchanging the platform information. The issue is fixed.
Fixed Versions:
17.1.0, 15.1.9
1208989-5 : Improper value handling in DOS Profile properties page
Links to More Info: K000132726 , BT1208989
1208949-3 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1208529-3 : TMM crash when handling IPSEC traffic
Links to More Info: K000132420 , BT1208529
1208001-6 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415 , BT1208001
1207821-4 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.
Client/Backend is slow in responding to packets from the BIG-IP. Congestion is observed on the network which prompts BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, this will lead to out of memory for TMM and eventual restart. Traffic is disrupted when TMM restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207793-4 : Bracket expression in JSON schema pattern does not work with non basic latin characters
Links to More Info: BT1207793
Component: Application Security Manager
Symptoms:
Pattern matching in JSON schema has an issue of unable to match string in a specific pattern expression.
Conditions:
When all the following conditions are satisfied:
- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression
Following are examples for pattern that has issue:
- /^[€]1/
- /1[€]$/
The bracket would have multiple characters in real scenario.
Following are examples for patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/
Impact:
The JSON content profile fails matching legitimate JSON token with JSON schema, resulting a false positive.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207661-2 : Datasafe UI hardening
Links to More Info: K000132768 , BT1207661
1207381-5 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
From the following example, a PEM policy rule flow filter
matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 81
When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 0
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
- For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
- Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205501 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
The server SSL profiles will now reloaded successfully after changes are made.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1204961-3 : Improper query string handling on undisclosed pages
Links to More Info: K000132726 , BT1204961
1204793-3 : Improper query string handling on undisclosed pages
Links to More Info: K000132726 , BT1204793
1200929-1 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang
Links to More Info: BT1200929
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.
Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".
For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.
Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.
Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.
Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.
Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1199025-1 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
Fix:
Option to see the DNS auto-threshold logs is available in webUI.
Fixed Versions:
17.1.1, 15.1.10
1196537-2 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196477-2 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The below exception can be observed in restnoded log
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js
replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196401-3 : Restarting TMM does not restart APM Daemon
Links to More Info: BT1196401
Component: Access Policy Manager
Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.
Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).
Impact:
Might observe APMD core.
Workaround:
Restart APM, when TMM is restarted.
Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1196053-2 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd file size increasing continuously irrespective of log rotation occurring every hour.
Conditions:
- DOS profiles (at Device/VS) configured with fully automatic, autodosd daemon will calculate the thresholds periodically and updates the log file with relevant logs.
Impact:
Logs are not truncated as expected. The autodosd log file size continue to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
Fix:
The bigstart script of autodosd deamon is updated to open the file in correct mode.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1196033-3 : Improper value handling in DataSafe UI
Links to More Info: K000132726 , BT1196033
1195489-3 : iControl REST input sanitization
Links to More Info: K000137522 , BT1195489
1195177 : TMM may crash during hardware offload on virtual-wire setup
Links to More Info: BT1195177
Component: TMOS
Symptoms:
TMM SIGSEGV may crash.
Conditions:
-- ePVA capable HSB based platform.
-- virtual-wire setup.
Impact:
Failover may occur.
Workaround:
Disable hardware offload of virtual-wire flows by setting the 'pva-acceleration' parameter of the related fastl4 profile to 'none'.
Fix:
None
Fixed Versions:
17.1.0, 15.1.9
1194173-3 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present
in the parameters list.
- Request contains the explicit parameter with URL encoded
base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check runs on normalised parameter value.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1194077-1 : The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000
Links to More Info: BT1194077
Component: Performance
Symptoms:
With BIG-IP vCMP tenants running on r-series R10000 (and higher viz R12000), performance degrades when executing iRules on a virtual server configured with FastHTTP profile.
Conditions:
- Executing iRule
- FastHTTP profile is selected for virtual server
- BIP-IP vCMP tenant running on R10000 or R12000 platforms
Impact:
Performance degradation is observed.
Workaround:
None
Fix:
Performance is improved.
Fixed Versions:
17.1.1
1191137-2 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
In the Chinese BIG-IP, when multicast rate limit field is checked (enabled) and updated, the webUI is crashing.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
Chinese BIG-IP webUI is crashing.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1190365-4 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190353-2 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading BrightCloud database is not working with the proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization disruption as database not getting downloaded.
Workaround:
None
Fix:
Added the proxy settings in wr_urldbd BrightCloud database.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1189881 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading does not work on hardware
Links to More Info: BT1189881
Component: TMOS
Symptoms:
Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading does not work on hardware. It works as expected on software.
Conditions:
Offloading DoS vectors.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
Fix:
The bit image is updated and optimized sPVA rules.
This fix is not applicable for all platforms.
Fixed Versions:
15.1.9
1189865-3 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
-- The violation is blocked due to "Cookie not RFC-compliant" violation
-- Looking at the request log details.
Impact:
The description is empty it is not possible to determine what is the problem with the request.
Workaround:
None
Fix:
After the fix, the description is shown in the request log details in the description field
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189513-3 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.
Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189465-4 : Edge Client allows connections to untrusted APM Virtual Servers
Links to More Info: K000132539 , BT1189465
1189457-4 : Hardening of client connection handling from Edge client.
Links to More Info: K000132522 , BT1189457
1186925-3 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.
Conditions:
When FUA received in in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use iRule to remove FUA in CCA-i.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186401-3 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Commmand:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter
Command :
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1185421-3 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472 , BT1185421
1185257-3 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1185133-3 : ILX streaming plugins limited to MCP OIDs less than 10 million
Links to More Info: BT1185133
Component: Local Traffic Manager
Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"
Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.
Impact:
Unable to run iRules LX streaming plugins.
Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.
bigstart stop
rm -f /var/db/mcpdb*
bigstart start
Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1
Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1184841-3 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1184629-3 : Validate content length with respective to SIP header offset instead of parser offset
Links to More Info: BT1184629
Component: Service Provider
Symptoms:
The SIP parser is validating the content length of the SIP message with respective to the parser offset instead of SIP actual header. Validating the content length with parser offset is inaccurate.
Conditions:
The SIP message should have content length greater than zero and should have content.
Impact:
The SIP parser is calculating the SIP message body size inaccurately.
Workaround:
None
Fix:
Validating the content length with respective to SIP header offset instead of parser offset.
Fixed Versions:
17.1.0, 16.1.5, 15.1.9
1184153-3 : TMM crashes when you use the rateshaper with packetfilter enabled
Links to More Info: BT1184153
Component: Local Traffic Manager
Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.
Conditions:
- packet-filter with packetfilter.established option enabled.
AND
- rate-class is applied via packet-filter rule.
Impact:
TMM crash/failover.
Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1183901-4 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration
Links to More Info: BT1183901
Component: TMOS
Symptoms:
VLAN names 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32
On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.
Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.
Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant
Workaround:
Use shorter VLAN names, with a maximum of 31 characters.
Fixed Versions:
17.1.1, 15.1.10
1183553 : The platform_mgr core dumps on token renewal intermittently
Links to More Info: BT1183553
Component: F5OS Messaging Agent
Symptoms:
The platform_mgr core dumps on token renewal.
Conditions:
On token renewal, gRPC is adding additional characters to token buffer in initial metadata of gRPC channel.
Impact:
The platform_agent core dumped and configuration related to tenant will be re-fetched on platform_agent startup.
Workaround:
None
Fix:
Token renewal handling is changed to read token considering token's length from initial metadata in gRPC channel.
Fixed Versions:
17.1.0, 15.1.8.1
1183453-2 : Local privilege escalation vulnerability (CVE-2022-31676)
Links to More Info: K87046687
1182613 : BIG-IP Version 15.1.8 installed as a tenant on CX410 or rSeries systems see continuous 'Unable to Notify Tenant stats' log in /var/log/ltm
Links to More Info: BT1182613
Component: F5OS Messaging Agent
Symptoms:
A message 'Unable to Notify Tenant Stats' is logged for every 10 seconds in /var/log/ltm on affected BIG-IP tenants.
bigip1 warning platform_agent[5203]: 01d50005:4: Unable to Notify Tenant stats. Retrying...
Conditions:
When installed BIG-IP 15.1.8 as a tenant on CX410 or rSeries platforms, /var/log/ltm is filled with continuous, but benign log messages
Impact:
No functionality impact. But /var/log/ltm gets filled with the message and consumes disk space.
Workaround:
None
Fix:
Unnecessary logging has been removed.
Fixed Versions:
15.1.9
1182353-4 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with rd flag set and cd flag set/unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1181345-1 : Fix for VLAN Group reconfiguration issue when an additional virutal-wire configuration is added on top of deployed tenant
Links to More Info: BT1181345
Component: Local Traffic Manager
Symptoms:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant (reconfiguration issue).
Conditions:
Other virtual-wire configurations are added on top of the deployed tenant.
Impact:
Failed to create VLAN group when adding new virtual-wire config with different VLAN on a deployed tenant.
Workaround:
None
Fix:
With this fix, the VLAN group reconfiguration issue is resolved when an additional virtual-wire configuration is added on top of the deployed tenant.
Fixed Versions:
17.1.0, 15.1.9
1180365-1 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
-- Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
-- Apps/Desktop will not be published.
Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop
Impact:
The cloud connector sends an empty response, and users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Workaround:
None
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1178221-2 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT
Links to More Info: BT1178221
Component: TMOS
Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".
Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.
Impact:
Wrong information logged.
DPD response packet corruption.
Workaround:
None
Fix:
Logs will display correct message.
Packet will not corrupt.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1174873-1 : Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F"
Links to More Info: BT1174873
Component: Access Policy Manager
Symptoms:
In muti-domain Single Sign-On (SSO) or SAML Auth, the location header query string separator is converted from "?" to "%3F" or / to "%2F"
Conditions:
- Create an access policy with a redirect to login page.
Impact:
MultiDomain Auth or SAML Auth will fail
Workaround:
None
Fix:
A function that was used to normalize URLs was corrected.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1174085 : Spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes while passing traffic. Multiple references accessing and trying to modify the same entry
Conditions:
BIG-IP passing certain network traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Delete the entry for every reference
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1174033-3 : The UPDATE EVENT is triggered with faulty session_info and resulting in core
Links to More Info: BT1174033
Component: Policy Enforcement Manager
Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.
Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.
Impact:
Results in a core.
Workaround:
None
Fix:
Triggering UPDATE EVENT is not causing any core.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173669-3 : Unable to reach backend server with Per Request policy and Per Session together
Links to More Info: BT1173669
Component: Access Policy Manager
Symptoms:
It is observed that backend pool is not reachable.
Conditions:
The OAuth case with Per Request policy and Per Session together.
Impact:
Backend Pool is not reachable.
Workaround:
None
Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173493-1 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
Can not verify from when the signature was in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1173441-2 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired
Links to More Info: BT1173441
Component: TMOS
Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.
Workaround:
None
Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1168309-1 : Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms
Links to More Info: BT1168309
Component: Local Traffic Manager
Symptoms:
Traffic does not flow through the virtual-wire trunk. Traffic through the interface is not impacted.
Conditions:
When there is an overlap between the DID values of the interface and trunk, virtual-wire traffic does not pass through the trunk.
Impact:
Traffic outage might occur.
Workaround:
None
Fix:
The conflict between Interface DID values and Trunk DID values are avoided, by marking whether the DID value belongs to a trunk or interface.
Fixed Versions:
17.1.0, 15.1.9
1168137-2 : PEM Classification Auto-Update for month is working as hourly
Links to More Info: BT1168137
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.
If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.
Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.
Impact:
Classification update is not working on monthly basis.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167949 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware
Links to More Info: BT1167949
Component: Advanced Firewall Manager
Symptoms:
Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware. It is working as expected on software.
Conditions:
Offloading vectors.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
Fix:
Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Fixed Versions:
17.1.1, 15.1.9
1167941-2 : CGNAT SIP ALG INVITE loops between BIG-IP and Server
Links to More Info: BT1167941
Component: Service Provider
Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.
Conditions:
It occurs with inbound calls.
Impact:
It could lead to performance issue if the loop continues.
Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.
ltm rule sip_in_rule {
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
SIP::discard
}
}
when SIP_REQUEST {
set localAddr [IP::local_addr]
set from [substr [SIP::header from] 0 ";"]
set to [substr [SIP::header to] 0 ";"]
if {[SIP::method] == "INVITE" && $from equals $to} {
SIP::respond 400 "Bad Request"
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }
2)below Irule would drop all inbound calls.
ltm rule sip_drop_rule {
when MR_INGRESS {
if { [MR::transport] contains "_$" } {
MR::message drop
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }
Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167929-3 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897-5 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167889-3 : PEM classification signature scheduled updates do not complete
Links to More Info: BT1167889
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.
Via tmsh:
ltm classification auto-update settings { }
via GUI:
Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings
In the /var/log/ltm log, the following message may be seen
mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.
Conditions:
Automatic updates for classification signatures is configured and enabled.
Impact:
The classification updates do not occur.
Workaround:
Run the classification update manually.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1166449-3 : APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list
Links to More Info: BT1166449
Component: Access Policy Manager
Symptoms:
NTLM authentication will stop working.
Conditions:
If any of the DC FQDN is not resolvable in the configured NTLM Auth Config DC list during below scenarios:
- Create/Modify NTLM Auth Configuration
- Restart ECA/NTLM service
- Restart, Power cycle or after upgrade
- Active/Stand by switch over.
Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.
Workaround:
User need to remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.
Fix:
Fix will be provided to try FQDN resolution for all entries in the NTLM Auth configuration's DC list, NTLM Auth will proceed if at least one of the DC is resolvable and reachable.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1162221-4 : Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough
Links to More Info: BT1162221
Component: Global Traffic Manager (DNS)
Symptoms:
Resources will be marked timed out.
Conditions:
iQuery connection between local gtmd and big3d is not established before probing decision is made.
Impact:
Resources be marked DOWN unexpectedly.
Workaround:
Modify max-synchronous-monitor-requests to a new value which will trigger probing decision re-evaluation.
Fix:
None
Fixed Versions:
15.1.10
1162081-4 : Upgrade the bind package to fix security vulnerabilities
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Conditions:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Impact:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Workaround:
None
Fix:
Upgraded the bind package to 9.16.33.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161965-4 : File descriptor(fd) and shared memory leak in wr_urldbd
Links to More Info: BT1161965
Component: Traffic Classification Engine
Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.
Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.
Impact:
Updating customdb will not work.
Workaround:
No
Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161733-3 : Enabling client-side TCP Verified Accept can cause excessive memory consumption
Links to More Info: K000134652 , BT1161733
1160805 : The scp-checkfp fail to cat scp.whitelist for remote admin
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.
Impact:
SCP command is not working for the remote admin users.
Workaround:
None
Fix:
Issue is with the Internal Field Separation (IFS) environment variable from /bin/scp-checkfp file. Following is an example for IFS:
IFS=$"\n" -->
This means, it expects a string character.
It should expect a character value to read the paths from the SCP files.
IFS=$'\n' -->
This means, it expects a character.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9
1159569-1 : Persistence cache records may accumulate over time
Links to More Info: BT1159569
Component: Local Traffic Manager
Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.
Conditions:
- Non-cookie, persistence configured.
- Multi TMM box
- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1159397-2 : The high utilization of memory when blade turns offline results in core
Links to More Info: BT1159397
Component: Policy Enforcement Manager
Symptoms:
The TMM memory utilization continue to increase after a blade turns offline.
Conditions:
Blade turns offline.
Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.
Workaround:
None
Fix:
Error code ERR_MEM will be handled successfully.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156889-2 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1156697-2 : Translucent VLAN groups may pass some packets without changing the locally administered bit
Links to More Info: BT1156697
Component: Local Traffic Manager
Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.
Conditions:
The destination mac address of the ingress packet does not match the nexthop.
Impact:
Connections may fail, packet captures show the packets being egressed the VLAN group with the locally administered bit set.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156105-3 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition
Links to More Info: BT1156105
Component: Local Traffic Manager
Symptoms:
Unable to add IP apart from /Common to Proxy Exclusion List.
Conditions:
- Route-Domain is created with default-route-domain in same partition.
#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5
Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }
Workaround:
- The following command is used to create route-domain in /Commom:
#tmsh create net route-domain /part5/rd5 id 5
Modify this command as following:
#tmsh create net route-domain rd5 id 5
- Manually edit the bigip.conf file in partitions and add IP address manually, and then reload the config.
Fix:
IP can be added to Proxy Exclusion List.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155861-1 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration
Links to More Info: BT1155861
Component: TMOS
Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Conditions:
- The primary blade disabled manually using the following TMSH command:
modify sys cluster default members { 1 { disabled } }
Impact:
Failed to load the license on disabled slot from primary slot.
Workaround:
Execute the following command on disabled slot:
rm /var/db/mcpdb.*
bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
or
Execute command "reloadlic" which reloads the license into the current MCPD object.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1155733-2 : NULL bytes are clipped from the end of buffer
Links to More Info: BT1155733
Component: TMOS
Symptoms:
In logs the key length is less then the actual key length.
Conditions:
- Establish IPSec tunnel.
- Check the logs.
Impact:
Incomplete information in the logs.
Workaround:
None
Fix:
Printing all bytes in the buffer irrespective of NULL bytes.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155393-1 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression
Links to More Info: BT1155393
Component: Local Traffic Manager
Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.
The chunk headers are compressed and delivered to the client as part of the payload.
Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression
Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.
Workaround:
One of the following:
- Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
- Remove the compression profile.
- Modify the compression profile to ensure the response in question is no longer eligible for compression.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155297-2 : XAL debug register additions
Component: TMOS
Symptoms:
This is a debug addition. No datapath functionality update.
Conditions:
N/a
Impact:
Impact is to give F5 engineers more visibility into the HSB FPGA datapath. No datapath functionality impact.
Workaround:
Additional FPGA debug visibility. No mitigation or workaround needed.
Fix:
This update is additional HSB debug visibility around the PCIe bus interface.
Fixed Versions:
15.1.10
1154933-3 : Improper permissions handling in REST SNMP endpoint
Component: TMOS
Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.
Conditions:
Not specified
Impact:
Security best practices are not followed
Workaround:
Only allow trusted users to have access to the REST interface.
Fix:
User permissions work as expected.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1154681 : Reconfiguration of virtual-wire VLAN in tenant
Links to More Info: BT1154681
Component: Local Traffic Manager
Symptoms:
When normal VLAN in the controller is reconfigured to virtual-wire VLANs, issue is observed in vWire VLAN creation.
Conditions:
- vWire is configured in the tenant.
Impact:
The command "tmsh list net vlan" throws error.
Workaround:
1. Delete the vlan-groups and vlans in the tenant using "tmsh delete net vlan-group all" followed by "tmsh delete net vlan all".
2. Reconfigure the VLANs in the controller.
3. Execute "tmsh list net vlan-group" and "tmsh list net vlan" in tenant and verify whether all the VLANs are created fine.
Fix:
None
Fixed Versions:
17.1.0, 15.1.9
1154673 : Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants
Links to More Info: BT1154673
Component: TMOS
Symptoms:
Options to enable DHCP for the management interface are available on F5OS BIG-IP tenants.
Conditions:
F5OS BIG-IP tenant
Impact:
The F5OS BIG-IP tenant can be configured with options that are incompatible with BIG-IP operation.
This might result in a loss of management IP in the tenant after a reboot.
Workaround:
Do not attempt DHCP on the management interface of a F5OS BIG-IP tenant.
Fixed Versions:
17.1.0, 15.1.9
1154465-1 : Error attaching QAT devices to TMM on F5OS
Links to More Info: BT1154465
Component: Local Traffic Manager
Symptoms:
Crypto and compression yield low throughput.
Tmm logs contain the following signature
tmm1:<13> localhost notice This QAT device is not compress enabled: 0d:00.0.
tmm1:<13> localhost notice This QAT device is not crypto enabled: 0d:00.0.
Conditions:
-- Deploying tenants with crypto enabled
-- Allocating more than 32 vCPUs
-- F5QAT driver is used
-- Other unknown conditions may contribute to this issue
Impact:
When this happens, some QAT devices are ignored (not used) and a significant drop in performance occurs for the impacted TMM thread.
Workaround:
None
Fix:
Correctly parse the contents of the /sys/kernel/debug/<device>/dev_cfg file.
Fixed Versions:
17.1.0, 15.1.8
1154381-3 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards BIG-IP. Use route-map to suppress incoming update.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1153969-3 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516 , BT1153969
1153865-3 : Restjavad OutOfMemoryError errors and restarts after upgrade ★
Links to More Info: BT1153865
Component: TMOS
Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.
The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
java.lang.OutOfMemoryError: Java heap space
restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-15.1.8.2, 16.1.3.1-16.1.3.5, 17.0.0.1-17.0.0.2
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API, such as SSL Orchestrator, may be very affected.
Impact:
May have problems in the GUI with certain pages or tabs, such as network map with very large config or SSL Orchestrator or iLX related tabs.
Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability
Workaround:
Before upgrade to an affected version - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSL Orchestrator systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Fix:
After upgrade, the system now sets the default value for provision.restjavad.extramb variable to 384MB. This sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower the starting heap size is set at 96MB. For values above 384MB the starting heap size is set to the same value as maximum heap size.
When upgrading from a version that has provision.restjavad.extramb and it is explicitly set to a value*, rather than just takes default value, that value will be preserved and take affect in the new version. This will happen even if restjavad.useextramb had been set to false.
Where sys db restjavad.useextramb was set to value true in the previously used version, and provision.restjavad.extramb doesn't already exist, the value for provision.restjavad.extramb is based on a calculation of the maximum restjavad heap size that could have been used.
Usually this maintains the same or very similar restjavad heap size as used previously with more ability to fine tune it. The default size works in a wider range of settings.
When upgrading from a version that had a smaller starting heap size than maximum heap size, so before 14.1.4 or 15.1.3, and restjavad.useextramb set to true, it's possible that restjavad will use more memory than required. That's because for values above the default size of 384MB for provision.restjavad.extramb starting heap size is set the same as maximum heap size to lower performance issues when large memory sizes are required. You can lower restjavad memory use by lowering the value of provision.restjavad.extramb and restarting it if needed.
Note: This fix also removes the db variable restjavad.useextramb as it is no longer needed.
*Note: The command 'tmsh list sys db X' will return the value for DB key where set, or the default value for X otherwise. printdb can be used to display both value and default.
eg
printdb -n provision.restjavad.extramb
Name: Provision.Restjavad.extraMB
Realm: common
Type: integer
Default: 384
Value: 600
SCF_Config: true
Min: 192
Max: 8192
shows a default of 384 and an explicitly set value of 600 that would override the default. Where the value hadn't been set the 'Value:' line will not be present.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1148009-4 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1147621 : AD query do not change password does not come into effect when RSA Auth agent used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA auth along with AD query is used the Negotiate login page checkbox "Do not change password" is not working as expected.
Even though "Do not change password" is checked the AD query is receiving F5_challenge post parameter with earlier RSA auth agent OTP content, And PSO criteria would not meet.
So when they click on "logon", it states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the fields "New password" and "verify password" again.
Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.
Impact:
User readability/experience even though "Do not change password" is checked it prompts as if user entered the logon credentials.
Workaround:
If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.
Fix:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1146377-3 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1146373 : Basic authentication for REST admin account fails
Links to More Info: BT1146373
Component: TMOS
Symptoms:
Basic authentication may fail for anything other than creating a token. This has most often been seen after a device had several large AS3 declarations sent to it. Most of the scenarios that caused this were fixed in ID877145 but this added on to that fix.
One symptom is you my encounter lots of DNS Null requests:
DNS OUT s1/tmm4 : Standard query 0xc33b A null
DNS OUT s1/tmm4 : Standard query 0xe366 AAAA null
DNS IN s1/tmm4 : Standard query response 0xe366 Server failure AAAA null
DNS IN s1/tmm4 : Standard query response 0xc33b Server failure A null
Conditions:
Large AS3 declarations suddenly encounters a failure (503). This issue seems to be the most frequent trigger but other scenarios may cause this.
If you view the restjavad.audit log you may see a username of local/null logged and showing the 401 for the rest call that was attempted. Also if you capture port 53 during the rest call you may see DNS queries for domain "null".
Impact:
Basic authentication will fail with a 401 code when it previously used to work. The admin account will also fail. Typically it takes 30 seconds to encounter the failure.
Workaround:
Configure the device to resolve to localhost may work around this issue in some cases. If it does not then a fixed version is needed:
To add localhost, run the following commands:
tmsh mod sys global-settings remote-host add { null { hostname null addr 127.0.0.1 } }
tmsh save sys config
Fix:
Basic authentication now works reliably
Fixed Versions:
15.1.9
1146341-3 : TMM crashes while processing traffic on virtual server
Links to More Info: BT1146341
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on virtual server.
Conditions:
- Assigning a per-request policy to virtual server.
or
- Configuring Network Access resource.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
TMM does not crash with APM per-request policy.
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1146241-3 : FastL4 virtual server may egress packets with unexpected and erratic TTL values
Links to More Info: BT1146241
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.
Conditions:
- The BIG-IP system is a Virtual Edition (VE).
- The Large Receive Offload (LRO) is enabled on the system (which it is by default), and is operating in software mode. You can determine whether LRO is enabled on the system by inspecting the tm.tcplargereceiveoffload DB key, and you can determine whether LRO is operating in software mode by trying to query the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO will be operating in software mode.
- The FastL4 profile is configured to decrement the TTL (this is the default mode).
- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).
Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.
This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.
Ultimately, this will lead to retransmissions and possibly application failures.
Workaround:
You can work around this issue by doing either of the following things:
- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.
- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).
Fix:
The TTL decrement mode now works as expected under the conditions specified above.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1146017-2 : WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile
Links to More Info: BT1146017
Component: Access Policy Manager
Symptoms:
WebUI does not show error when parent profile is empty.
Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.
Impact:
No webUI error is seen as parent profile is not assigned to user defined rewrite profile.
Workaround:
Enter details in the parent profile field and click Create.
Fix:
WebUI error is displayed when the parent profile filed is empty and clicked on Create button.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1144817-1 : Traffic processing interrupted by PF reset
Links to More Info: BT1144817
Component: TMOS
Symptoms:
Traffic between client and server is interrupted.
Conditions:
- E810 NICs are used.
- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable ve.ndal.exit_on_ue is used to enable/disable device restart on PF reset. On restart, following error message is recorded in /var/log/tmm:
"Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0, 15.1.9
1144497-3 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144373-3 : BIG-IP SFTP hardening
Links to More Info: BT1144373
Component: TMOS
Symptoms:
Under certain conditions SFTP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SFTP file transfer
Impact:
BIG-IP does not follow current best practices for filesystem protection.
Workaround:
None
Fix:
All filesystem protections now follow best practices.
Behavior Change:
When you are using SFTP to transfer the files from BIG-IP to remote-machine and vice versa,
1. filename should have absolute file paths.
2. un-encrypted files cannot be transferred when fips/cc-mode is enabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1144117-2 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1142389-1 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
Links to More Info: BT1142389
Component: Access Policy Manager
Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"
Conditions:
Checking APM Access Report while accessing VPN.
Impact:
Unable to see correct log messages in APM Access Report.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1141853-1 : SIP MRF ALG can lead to a TMM core
Links to More Info: BT1141853
Component: Service Provider
Symptoms:
SIP MRF ALG can lead to a TMM core
Conditions:
SIP MRF ALG in use
Impact:
TMM core
Workaround:
None
Fix:
TMM does not core anymore when SIP MRF ALG is in use.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141845-3 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.
Links to More Info: BT1141845
Component: Local Traffic Manager
Symptoms:
If a RULE_INIT contains an extra colon character (:)
when RULE_INIT {
catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
It will crash instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, it crashes the process.
Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.
Impact:
The tmm process crashes.
Workaround:
Avoid creating a RULE_INIT containing a third colon character(:).
Fix:
Correctly log an error instead of trying to process it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141665-3 : Significant slowness in policy creation following Threat Campaign LU installation
Links to More Info: BT1141665
Component: Application Security Manager
Symptoms:
Significant and consistent slowness in policy creation in Layered Policies suites in BVT (asmdp).
Conditions:
Slowness was triggered by installing a Threat Campaign LU.
Impact:
Slow policy creation when we have Threat Campaign LU.
Workaround:
None
Fix:
Optimized policy creation following Threat Campaign LU installation.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141597-1 : DOS stats are not updating for IPv4-all and IPv6-all vectors
Links to More Info: BT1141597
Component: Advanced Firewall Manager
Symptoms:
DOS stats are not updating when IPv4-all and IPv4-all flood or sweep types are selected.
Conditions:
When user configures sweep or flood vectors with IPv4-all and IPv6-all, the DOS related functionality for these types is not getting triggered.
Impact:
For IPv4-all and IPv6-all sweep or flood types, the DOS attack-detection and mitigation will not happen as expected.
Workaround:
None
Fix:
Updated the call to identify the IPv4-all and IPv6-all types as expected.
Fixed Versions:
17.1.0, 15.1.9
1137993-3 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1137717-3 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1137677 : GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources
Links to More Info: BT1137677
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent status for resources on multiple GTMs in the same GTM sync group.
Conditions:
The 'require M from N' rule is configured for the monitored resources.
Impact:
Inconsistent resource status.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.9
1137569-2 : Set nShield HSM environment variable.
Links to More Info: BT1137569
Component: Global Traffic Manager (DNS)
Symptoms:
The HSM Management fail to set a makepath.
Conditions:
When nShield HSM is configured .
Impact:
GTM rfs-sync fail.
Workaround:
N/A.
Fix:
Sync issue is fix.
Fixed Versions:
17.1.2, 16.1.5, 15.1.10
1137485-3 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly ★
Links to More Info: K10865360 , BT1137485
Component: Global Traffic Manager (DNS)
Symptoms:
1. --An excessive number log lines are seen in /var/log/gtm, which indicate a state change even though a state change has not occurred (eg, state change blue --> blue, state change green --> green, state change red --> red (No nodes up)), for example:
/var/log/gtm:
alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()
2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.
In /var/log/user.log, many messages similar to the following may be seen
notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it
- For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.
Impact:
- Flood of SNMP trap logs are seen
- gtmd process exits abnormally, bringing down iquery connection and potentially impacting GTM monitoring
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1137133-4 : Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors
Links to More Info: BT1137133
Component: Advanced Firewall Manager
Symptoms:
A tenant side stats_rate is almost double.
Conditions:
-- Appliance has two ATSEs (rSeries 10k and VELOS )
-- AFM is enabled and licensed and broadcast or multicast packets are sent.
Impact:
Stats_rate is shown as double than sent traffic rate.
If vector is configured and traffic is passing with higher rate than mitigation value, stats_rate and int_drops_rate will be shown as double data rate.
Workaround:
None
Fix:
Only one of the ATSE will be configured with broadcast/multicast dos vectors.
Fixed Versions:
17.1.0, 15.1.9
1136921-3 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1136837-3 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of blades experiences failure.
Impact:
Crash or core.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1136429-3 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group
Links to More Info: BT1136429
Component: TMOS
Symptoms:
MCPD can send an unexpected (another request group) result response message to a current processing request group in the middle of a transaction
Conditions:
While MCPD processing multiple request groups.
Impact:
MCPD closes the connection of the current request group and
subscriber of that particular request group never get requested data.
Workaround:
Restart the subscriber daemon.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1136013-4 : The tmrouted generates core with double free or corruption
Links to More Info: BT1136013
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
The tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
15.1.9
1135961-4 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1135313-3 : Pool member current connection counts are incremented and not decremented
Links to More Info: BT1135313
Component: Local Traffic Manager
Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.
Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.
Impact:
The connection counts are inflated.
Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135073-2 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
Links to More Info: BT1135073
Component: Protocol Inspection
Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:
"An active subscription is required to access certain inspections"
Conditions:
If the BIG-IP has AFM and IPS subscription license, then this warning message on webUI should not be displayed.
Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.
Workaround:
None
Fix:
Based on the IPS full subscription flag in the license the warning message is displayed. Earlier, it was verified on the wrong feature flag.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135041 : Performance issue related to crypto and compression
Links to More Info: BT1135041
Component: Local Traffic Manager
Symptoms:
Crypto and compression were yielding low throughput when considered more than 32 vCPUs.
Conditions:
Always, crypto and compression were yielding low throughput when considered more than 32 vCPUs.
Following is the RCA:
- Maximum configuration files were 48, but 36 vCPUs need 54 Virtual Function (VF) and hence 54 VF configuration files.
- A variable was not thread safe and hence not proper, need a fix.
Impact:
Less throughput.
Workaround:
None
Fix:
- By increasing the number of VF configuration files, earlier maximum configuration files were 48, but 36 vCPUs need 54 VFs and hence 54 VF configuration files.
- A variable was not thread safe and hence not proper, it is made thread safe.
Fixed Versions:
17.1.0, 15.1.8
1134509-3 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1134301-2 : IPsec interface mode may stop sending packets over tunnel after configuration update
Links to More Info: BT1134301
Component: TMOS
Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- The sys db ipsec.if.checkpolicy is disabled (by default it is enabled).
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.
Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
Workaround:
There are two similar workaround options for when the issue is observed:
Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.
Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.
Fix:
Traffic can pass over the IPsec tunnel after a configuration update.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1134085-1 : Intermittent TMM core when iRule is configured with SSL persistence
Links to More Info: BT1134085
Component: Local Traffic Manager
Symptoms:
The TMM core file is observed.
Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.
Impact:
TMM core file is observed.
Workaround:
Perform either of the following tasks:
- Disable SSL persistence
- Disable iRule
Fix:
Added fix to handle cases which can lead to the TMM core file generation.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1
1134057-3 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
The BGP routes not advertised after a graceful restart.
Conditions:
The BGP with graceful restart configured.
Impact:
The BGP routes not advertised after graceful restart.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1133881-3 : Errors in attaching port lists to virtual server when TMC is used with same sources
Links to More Info: BT1133881
Component: Local Traffic Manager
Symptoms:
When creating a virtual server that has identical traffic matching criteria with another virtual server, but uses a source address defined same as configured in TMC object, and when we try to attach the port-list it fails, with an error similar to the following:
01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.
Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.
Impact:
Inability to utilize 'port lists' to configure the virtual server.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133869 : Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms
Links to More Info: BT1133869
Component: F5OS Messaging Agent
Symptoms:
For an LACP LAG interface, the distribution hash configuration applied on F5OS is not applied automatically on BIG-IP tenants running on R2800 and R4800 platforms.
Conditions:
When distribution hash is configured for a LACP LAG interface.
Impact:
A BIG-IP tenant running on R2800 and R4800 platforms does not automatically synchronize the distribution hash configuration from the platform.
Workaround:
Manually configure the hash distribution on the BIG-IP tenant to whatever was applied on the platform.
Note: This workaround does not persist after the host/tenant reboot
Fixed Versions:
17.1.0, 15.1.9
1133625-3 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled
Links to More Info: BT1133625
Component: Local Traffic Manager
Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.
Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.
Impact:
Connection will get dropped.
Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.
Fix:
Provided fix to handle this defect.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133557-3 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1132981-1 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added
Impact:
Infinite Session Tracking records being removed from standby ASMs.
Workaround:
Use auto-sync DG (instead of manual sync).
After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.
You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132925-4 : Bot defense does not work with DNS Resolvers configured under non-zero route domains
Links to More Info: BT1132925
Component: Application Security Manager
Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.
Conditions:
DNS Resolver is configured under non-zero route domain.
Impact:
Some bots are not detected by bot defense mechanism.
Workaround:
Configure DNS Resolver under route domain 0.
Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132765-3 : Virtual server matching might fail in rare cases when using virtual server chaining.
Links to More Info: BT1132765
Component: Local Traffic Manager
Symptoms:
When using virtual server chaining (for example iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.
Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.
Impact:
Some packets fail to match a virtual server and get dropped.
Workaround:
- Remove vlan_enabled feature
- OR remove datagramLB/set idle-timoeut > 0 on protocol profile.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132741-4 : Tmm core when html parser scans endless html tag of size more then 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core, clock advanced by X ticks printed
Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
Break from html parser early stage for long html tags
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132697-1 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.
Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132405-1 : TMM does not process BFD echo pkts with src.addr == dst.addr
Links to More Info: BT1132405
Component: Local Traffic Manager
Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Conditions:
- TMM does not process BFD echo pkts with src.addr == dst.addr.
Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Workaround:
None
Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1128977 : When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged
Links to More Info: BT1128977
Component: Advanced Firewall Manager
Symptoms:
On hardware platforms, with the default-internal-rate-limit of a device DoS vector being set to a low number, there is no sampled attack message in the log, even when the attack is being detected.
Conditions:
- Setting the default-internal-rate-limit of the targeted device DoS vector to a low number.
- Detect attack.
Impact:
No visibility of the attack after being detected.
Workaround:
Use a higher number for the default-internal-rate-limit of the targeted device DoS vector.
Fix:
The sampled attack log message is displayed even when a lower number is used for the default-internal-rate-limit value.
Fixed Versions:
17.1.0, 15.1.8
1128721 : L2 wire support on vCMP architecture platform
Links to More Info: BT1128721
Component: Local Traffic Manager
Symptoms:
L2 wire works on BIG-IP, virtual-wire on vCMP architecture platform will be based on Network Tenant Interface (NTI) objects.
Tenant related data path and control plane changes.
Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.
Impact:
The virtual-wire is one of the most important features used under operating in L2 domain. This mode of operation involves very little changes to topology and configuration and thereby can easily plug in a BIG-IP device with virtual-wire configuration.
Workaround:
None
Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1128689-3 : High BD CPU utilization
Links to More Info: BT1128689
Component: Application Security Manager
Symptoms:
The signature engine in BD uses more CPU cycles than it actually needs to complete the task.
Conditions:
ASM provisioned and in use
Impact:
Slower system performance
High CPU utilization with BD
Workaround:
None
Fix:
Some modifications are done to the signature engine to improve performance.
Fixed Versions:
16.1.4, 15.1.9
1128629-2 : Neurond crash observed during live install through test script
Links to More Info: BT1128629
Component: TMOS
Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.
Conditions:
Live install through the test script
Impact:
No functional impact
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127809-4 : Due to incorrect URI parsing, the system does not extract the expected domain name
Links to More Info: BT1127809
Component: Application Security Manager
Symptoms:
The system will fail to send webhook requests to the server.
Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.
Impact:
Webhook requests will fail
Fix:
After the fix, BIG-IP will send webhook requests to the server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127445-2 : Performance degradation after Bug ID 1019853
Links to More Info: BT1127445
Component: Performance
Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.
Conditions:
Versions that have the fix for Bug ID 1019853.
Impact:
Lower TPS performance with BD.
Workaround:
None
Fix:
The part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID1019853.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127117 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes
Links to More Info: BT1127117
Component: Advanced Firewall Manager
Symptoms:
Memory consumption increases with the number of connections.
Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.
OR
1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode
Impact:
Memory keeps increasing and eventually might reach 100% utilization.
Sample Comparison table below:
Connection_Count: 30M
Memory_Usage_on_14.x_Version: ~3GB
Memory_usage_on_15+_Version: ~30GB
Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126841-2 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1126805-2 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition
Links to More Info: BT1126805
Component: TMOS
Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.
Conditions:
Virtual Edition
Impact:
TMM CPU stats may not be accurate.
Fix:
The cpu stats are now accurate.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126409-4 : BD process crash
Links to More Info: BT1126409
Component: Application Security Manager
Symptoms:
BD process restarts with a core file.
Conditions:
Unknown
Impact:
The unit goes offline for a short period of time.
Workaround:
None
Fix:
A sanity check has been added in order to avoid possible crash.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126401 : Variables are not displayed in Debug log messages for MGMT network firewall rules
Links to More Info: BT1126401
Component: Advanced Firewall Manager
Symptoms:
Setting the log level to Debug allows some logging to be displayed, but the log messages are not fully implemented as the variables are not displayed. See an example logging message below:
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: rule %s (act %s) sip %s dip %s sport %d dport %d protocol %d
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: processed %u packets in current iteration. total pkts processed %u
Conditions:
Enable the log level to Debug.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db log.mgmt_acld.level value Debug
Impact:
Unable to see the debug logs for MGMT network firewall rules.
Workaround:
None
Fix:
Variables are displayed.
Fixed Versions:
17.1.1, 15.1.9
1126329-3 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT ★
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1125773-2 : TCP options are disabled while hardware SYN cookie is active
Links to More Info: BT1125773
Component: TMOS
Symptoms:
TCP options are not included in the SYN/ACK packet generated by hardware while hardware SYN cookie mode is active.
Conditions:
- VELOS or rSeries platform
- Hardware SYN cookie is activated on a virtual server
Impact:
Minor performance impact on the connections of the related virtual server.
Workaround:
None
Fix:
The TCP options are enabled in SYN/ACK packets generated by hardware.
Fixed Versions:
17.1.0, 15.1.9
1125733-1 : Wrong server-side window scale used in hardware SYN cookie mode
Links to More Info: BT1125733
Component: TMOS
Symptoms:
Client enables Window Scale in the first SYN packet with a specific factor value, however the BIG-IP system disables Window Scale in its SYN/ACK response.
Instead, disabling the Window Scale TCP option in both peer BIG-IPs, TMM honors the Window Scale presented by the client in the first SYN, whereas client assumes Window Scale is disabled. This will cause BIG-IP to send data payload bytes exceeding the client's Windows Size.
Conditions:
Below conditions must be met in order to match this issue:
- Client and server enables timestamp TCP option.
- Client enables Window Scale TCP option.
- SYN Cookie HW is activated in BIG-IP.
Impact:
This can cause performance issues because some packets could need to be retransmitted.
In rare cases where client TCP stack is configured to abort the connection when it receives a window overflow, the connection will be RST by the client.
Workaround:
The preferred workaround is changing to Software SYN Cookie mode.
Fix:
Correct server-side Window Scale behavior is provided when:
- Client and server enables timestamp TCP option
- Client enables Window Scale TCP option
- SYN Cookie HW is activated in BIG-IP
Fixed Versions:
17.1.0, 16.1.5, 15.1.9
1124865-1 : Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart
Links to More Info: BT1124865
Component: Local Traffic Manager
Symptoms:
Removal of LAG member from an active LACP trunk stops the traffic flow to the tenant launched on R2x00/R4x00 based appliances.
Conditions:
Removal of LAG member from an active LACP trunk on R2x00 and R4x00 appliances.
Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk from where the LAG member was removed.
Workaround:
- Remove the LAG member using the confd CLI
- Restart tmm on all tenants that are associated with the trunk
Fix:
When removing a LAG member from an Active LACP trunk stops traffic flow on an R2x00/R4x00 appliance system, restarting tmm in the tenants resolves the issue.
Fixed Versions:
15.1.9
1124209-2 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1124149 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB
Links to More Info: BT1124149
Component: Advanced Firewall Manager
Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.
Conditions:
PCCD rules provisioning with an AFM license.
Impact:
Provisioning firewall rules. The PCCD blob size was restricted to 4GB.
Workaround:
None
Fix:
With these changes, the user will now be able to provision FW rules with a blob size of 8G.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1124109-1 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS
Component: Access Policy Manager
Symptoms:
The "typ":"JWT" is missing in the JWT header.
Conditions:
The JWT token is generated from OAuth Authorization Server (AS).
Impact:
The "typ":"JWT" is missing.
Workaround:
None
Fix:
The "typ":"JWT" is added in the header, it is available whenever JWT token is generated from OAuth AS.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1123885-3 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123169-3 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event
Links to More Info: BT1123169
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.
Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123153-1 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1122497-1 : Rapid response not functioning after configuration changes
Links to More Info: BT1122497
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.
Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.
Impact:
DNS rapid response remains disabled.
Workaround:
Restarting services will allow rapid-response to begin functioning again.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122473-3 : TMM panic while initializing URL DB
Links to More Info: BT1122473
Component: Access Policy Manager
Symptoms:
TMM panic because of a race condition which prevents the TMM from accessing files related to the URL database.
Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None. Repeated attempts at rebooting may eventually succeed.
Fixed Versions:
17.1.0, 16.1.3.3, 15.1.9
1122377-3 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using iRule
when HTTP_RESPONSE priority 1 {
set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
HTTP::header insert Last-Modified $time
log local0.debug "Inserting Last-Modified header as $time"
}
Fix:
Use date header value when Last-Modified is not present in Response headers
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122313 : VXLAN tunnels fail to pass traffic after TMM restarts
Links to More Info: BT1122313
Component: TMOS
Symptoms:
After TMM restarts (or the tenant reboots), VXLAN tunnels will not pass traffic.
The administrator may see messages such as the following in /var/log/tmm:
notice MCP message handling failed in 0x9ce140 (16977920): May 26 14:07:19 on 1 - MCP Message:
notice create {
notice l2_forward_tunnel {
notice l2_forward_tunnel_vlan_name "/Common/vxlan-tunnel"
Conditions:
-- BIG-IP tenant running on rSeries appliance or VELOS chassis
-- VXLAN tunnels
Impact:
VXLAN tunnels do not function.
Workaround:
After TMM restarts, delete and recreate the FDB entries associated with the tunnel.
To do this manually, run these commands:
TMPFILE=$(mktemp -p /var/tmp)
tmsh list net fdb tunnel all one-line > "$TMPFILE"
tmsh delete net fdb tunnel all all-records
tmsh load sys config merge file "$TMPFILE"
rm -f "$TMPFILE"
Or a one-line command:
TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > "$TMPFILE" && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file "$TMPFILE" && rm -f "$TMPFILE"
To configure the system to automatically apply the workaround after TMM restarts, put the following content into /config/user_alert.conf:
# Delete and re-add tunnel FDBs after TMM starts up to work-around ID1122313
alert tmm_vxlan_workaround "Tmm ready - links up" {
exec command="TMPFILE=$(mktemp -p /var/tmp) && tmsh list net fdb tunnel all one-line > $TMPFILE && tmsh delete net fdb tunnel all all-records && tmsh load sys config merge file $TMPFILE && rm -f $TMPFILE";
}
Fixed Versions:
17.1.0, 15.1.9
1122205 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d). Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e). Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signatures and compliance action values are changed
Following commands output lists affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation in use cases are done then perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1121657 : EAM is down after APM is provisioned
Links to More Info: BT1121657
Component: Access Policy Manager
Symptoms:
After BIG-IP is provisioned with APM, EAM is down.
Conditions:
Error invalid number of channel threads, MAX_CHANNEL_THREADS are greater than the number of threads set while binary is called.
Impact:
EAM is down.
Fix:
Set MAX_CHANNEL_THREADS to highest number possible.
Fixed Versions:
17.1.0, 15.1.7
1121521-1 : Libssh upgrade from v0.7.7 to v0.9.6
Links to More Info: BT1121521
Component: Advanced Firewall Manager
Symptoms:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Conditions:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Impact:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Workaround:
NA
Fix:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Fixed Versions:
16.1.4, 15.1.8
1121517-3 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
Fix:
Interrupts are balanced across all CPUs.
Fixed Versions:
16.1.4, 15.1.10
1121085-2 : Some valid connections may get rejected in hardware SYN cookie mode
Links to More Info: BT1121085
Component: TMOS
Symptoms:
Due to an algorithm mismatch in software and hardware, valid TCP connections may get rejected with "No flow found for ACK' reset-cause when the hardware SYN cookie mode is active.
Conditions:
- BIG-IP iSeries appliances with ePVA support and the B2250 and B44xx VIPRION blades.
- Hardware SYN cookie mode is activated.
Impact:
Service degradation.
Workaround:
- Disable the hardware SYN cookie mode globally.
- After a reboot, restart the TMM for an additional time.
Fix:
The SYN cookie hash algorithm is correctly selected on all TMMs.
Fixed Versions:
17.1.0, 15.1.9
1117673-1 : Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}' ★
Links to More Info: BT1117673
Component: TMOS
Symptoms:
Configuration load fails after an upgrade, with the following error
warning mcpd[6758]: 01071859:4: Warning generated : Configuring DAG Global IPv6 Prefix Length still might require modification of vlans previously created with the old setting.
err mcpd[6758]: 01071e16:3: DAG ipv6 prefix length is not supported on this platform.
err tmsh[9523]: 01420006:3: Loading configuration process failed.
emerg load_config_files[9521]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.5.1
err mcpd[6758]: 01070422:3: Base configuration load failed.
Conditions:
-- Configure a non-default value of 'net dag-global {dag-ipv6-prefix-len}'.
-- Upgrade the BIG-IP software to the affected version.
Impact:
-- Configuration load error
-- The setting of 'net dag-global {dag-ipv6-prefix-len}' is not functioning correctly
Workaround:
None
Fix:
Fixed configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'
Fixed Versions:
17.1.0, 15.1.9
1117637-2 : FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants
Links to More Info: BT1117637
Component: TMOS
Symptoms:
The BIG-IP tenants running on an VELOS or rSeries system may incorrectly attempt to PVA accelerate traffic that goes through a VXLAN tunnel. That is, where the pool members are reachable through a VXLAN tunnel.
Conditions:
- BIG-IP tenant running on VELOS or rSeries.
- Virtual server that processes traffic over a tunnel. For example, VXLAN, GRE, or IP-IP.
Impact:
Connections fail.
A packet capture from the F5OS layer shows packets arriving at the system, but not forwarded through the tunnel.
As a result, packet retransmits are obeserved.
A packet capture in the tenant shows packets arriving at the TMM, but with layer 3 and layer 4 headers rewritten to match the server-side connection information.
Workaround:
FastL4 acceleration is not supposed to work for traffic being load-balanced over a tunnel.
To mitigate this issue, disable PVA acceleration in the FastL4 profile for virtual servers that will load-balance traffic over a tunnel.
Fix:
Packets are successfully forwarded through the tunnel, these flows are not accelerated.
Fixed Versions:
17.1.0, 15.1.8
1117609-3 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117305-1 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.
Workaround:
None
Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1117297 : Wr_urldbd continuously crashes and restarts ★
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
Malloc failed while wr_urldb is started
Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd
Impact:
Wr_urldbd crashes.
Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)
Fix:
After the fix, malloc is properly done and no crash
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1117245-3 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117229-2 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
1116941-3 : Need larger Content-Length value supported for SIP
Links to More Info: BT1116941
Component: Service Provider
Symptoms:
SIP MRF sends error 413 when the content_length value in the SIP message is greater than 65535 (0xff).
Conditions:
The SIP content_length has to be greater than 65535 (0xff) on SIP MRF configuration
Impact:
The SIP messages with content_length greater than 65535 can't be processed by the BIG-IP successfully because of the hard coded constraint on the SIP content_length
Workaround:
None
Fix:
Make the allowable SIP content_length dynamic with respective to the configured max_msg_size in the SIP MRF session profile configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1116845-1 : Interfaces using the xnet driver are not assigned a MAC address
Links to More Info: BT1116845
Component: TMOS
Symptoms:
Interfaces on BIG-IP Virtual Edition that are capable of 100gb are unusable when the default driver of xnet is used.
The following validation error will be present in /var/log/ltm
"01071ab7:3: 'not-supported' is an invalid forward-error-correction setting for Interface"
The interfaces will not report a MAC address in either of:
- tmsh list /net interfaces
- tmsh show /sys mac
Conditions:
BIG-IP Virtual Edition where the interfaces report a 100gb max speed and the xnet driver is used.
Impact:
Interfaces are not assigned a MAC address, therefore are unusable.
Workaround:
Force the interface(s) to use a driver other then xnet.
In order to apply the workaround you will need to get 1) the available drivers and 2) the pci id of the interfaces.
The available drivers are reported using this tmctl command:
# tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- -------------------- -------------
0000:00:03.0 F5DEV_PCI mlxvf5, xnet, sock,
0000:00:05.0 1.1 F5DEV_PCI mlxvf5, xnet, sock, xnet
0000:00:06.0 1.2 F5DEV_PCI mlxvf5, xnet, sock, xnet
The pci id is reported with the lspci -nnvvv command:
In this example: the pci id is 15b3:101a
# lspci -nnvvv | grep -i ethernet
00:03.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:05.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
00:06.0 Ethernet controller [0200]: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function] [15b3:101a]
And to force the use of a different driver you need to modify /config/tmm_init.tcl by adding a line such as:
device driver vendor_dev 15b3:101a mlxvf5
Where the last values of that line are the pci id and driver name.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1116813 : Some of the valid connections may get rejected in HW SYN cookie mode
Links to More Info: BT1116813
Component: TMOS
Symptoms:
Due to algorithm mismatch in software and hardware, valid TCP connections may get rejected with "No flow found for ACK' reset-cause while HW SYN cookie mode is active.
Conditions:
In vCMP environment either the host or the guest is installed with an affected version.
Impact:
Service degradation.
Workaround:
Disable HW SYN cookie globally on the guest.
Fix:
SYN cookie hash algorithm is correctly selected on vCMP guests.
Fixed Versions:
17.1.0, 15.1.9
1115041-3 : BIG-IP does not forward the response received after GOAWAY, to the client.
Links to More Info: BT1115041
Component: Local Traffic Manager
Symptoms:
After receiving a GOAWAY from the server followed by data on the same stream, the BIG-IP system does not forward that data to the client but rather sends RESET_STREAM.
Conditions:
1. Configure an NGINX server to handle two streams per connection
2. Virtual server with http2 profile
3. Send more than two requests on the same connection
Impact:
The client does not get a proper response
Workaround:
None
Fix:
The client should receive proper response.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113961-4 : BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China
Links to More Info: K43391532 , BT1113961
Component: TMOS
Symptoms:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Conditions:
Running BIG-IP 16.1.3 VE with FIPS 140-3 with 16.1.3 in AWS China region
Impact:
BIG-IP 16.1.3 VE with FIPS 140-3 may fail to start in AWS-China
Workaround:
Upgrade to 16.1.3.1 when it is available.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113889 : Classic BIG-IP tenant running on F5OS will not correctly pin in-tenant control plane threads correctly on first deployment
Links to More Info: BT1113889
Component: TMOS
Symptoms:
This may not impact performance in the tenant, but for tenant builds without this fix, upon initial deployment, the control plane will not be pinned correctly (should be pinned to odd-numbered cpus).
Note: This pinning is inside the tenant virtual machine, not in the F5OS host. The datapath (TMM) will still be pinned correctly.
Conditions:
The BIG-IP tenant without this fix is initially deployed.
Impact:
The datapath (TMM) threads run at elevated priority anyway, so would be protected from the control plane threads.
Workaround:
If this is bothersome, redeploy the tenant, and the problem will not reoccur.
Fix:
Tenant platform determination no longer depends on a file that is not there on initial startup. The dmidecode utility is used instead.
Fixed Versions:
17.1.0, 15.1.9
1113881-3 : Headers without a space after the colon, trigger an HTTP RFC violation
Links to More Info: BT1113881
Component: Application Security Manager
Symptoms:
An "Unparsable request content" violation is detected for valid headers that do not have a space after the header's name ':'.
Conditions:
Any header without a space between the colon ':' and the header value will trigger "Unparsable request content".
With v14.1.x, there are no affected versions.
With v15.1.x, this issue was introduced in 15.1.7
With v16.1.x, there are no affected versions.
With v17.0.x, this issue was introduced in 17.0.0.1
With v17.1.x, there are no affected versions.
Impact:
Requests that are suppose to pass are blocked by the ASM enforcer.
Workaround:
The client has to send headers with space after ':'.
Fix:
No "Unparsable request content" violation for headers with space after ':'.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113753-3 : Signatures might not be detected when using truncated multipart requests
Links to More Info: BT1113753
Component: Application Security Manager
Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1113385-3 : Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP
Links to More Info: BT1113385
Component: TMOS
Symptoms:
REST tokens which are present in /var/run/pamcache on BIG-IP are not deleted after token expiration when there are a large number of tokens.
Conditions:
When a large number of tokens are generated.
Impact:
More memory will be used as /run/pamcache is an in memory filesystem
Workaround:
Try to remove token files from /run/pamcache manually.
You can check what would be deleted by the command below by using -print in place of -delete
# find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete
Restart httpd processes:
bigstart restart httpd
Fix:
Expired token are removed from /run/pamcache by the BIG-IP system.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1113333-2 : Change ArcSight Threat Campaign key names to be camelCase
Links to More Info: BT1113333
Component: Application Security Manager
Symptoms:
The threat_campagin_names and staged_threat_campaign_names do not follow other key name format. Changing these key names to be camelCase (threatCampaignNames and stagedThreatCampaignNames).
Conditions:
ArcSight is in use with ASM remote logging.
Impact:
Inconsistent key name formatting.
Workaround:
None
Fix:
Changed name format to be camelCase (threatCampaignNames and stagedThreatCampaignNames).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1113181-3 : Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom".
Links to More Info: BT1113181
Component: Local Traffic Manager
Symptoms:
Although a Self-IP address appears configured correctly (for example, when this is inspected using the WebUI or the tmsh utility), the Self-IP address does not allow through any traffic. Effectively, the Self-IP address behaves as if it was set to "Allow None".
Conditions:
The port-lockdown setting of the Self-IP address was recently modified from "Allow Custom (Include Default)" to "Allow Custom".
Impact:
The Self-IP does not allow through any traffic, whereas it should allow through the traffic in your custom list of ports and protocols.
Workaround:
You can work around this issue by temporarily setting the affected Self-IP to "Allow None" and then again to "Allow Custom", specifying your desired custom list of ports and protocols.
Fix:
Self-IP port-lockdown modifications from "Allow Custom (Include Default)" to "Allow Custom" are now handled correctly.
Fixed Versions:
16.1.4, 15.1.9
1113161-4 : After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets ★
Links to More Info: BT1113161
Component: Application Security Manager
Symptoms:
Learning and Blocking Settings page is not loading
Conditions:
Some policies are using factory sets which were deleted in later versions, and an upgrade was performed.
Impact:
When trying to open "Security ›› Application Security : Policy Building : Learning and Blocking Settings" page, GUI is stuck on 'loading' status
Workaround:
Run this mysql in the BIG-IP in order to fix the database, it will remove all unreferenced policy sets from the system:
mysql -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -e "delete from PLC. PL_POLICY_NEGSIG_SETS where set_id not in (SELECT set_id from PLC.NEGSIG_SETS);"
Fix:
After the fix, the 'Learning and Blocking Settings' page will be loaded with no error.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112805-1 : ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4
Links to More Info: BT1112805
Component: Application Security Manager
Symptoms:
The key used for the ip_address_intelligence field is mapped to an IPv6 Address in the latest CEF standard.
Conditions:
-- IP Intelligence is enabled.
-- An ArcSight remote logger is configured.
-- A HTTP transaction is carried out with a malicious Source IP Address
Impact:
The ip_address_intelligence field value is not populated in the ArcSight remote log
Workaround:
None
Fix:
A new key for ip_address_intelligence is implemented specific to IPv4
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112781-1 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.
Links to More Info: BT1112781
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048.
Conditions:
When the DNS server sends a response larger than 2048 bytes.
Impact:
The BIG-IP system drops the packet and does not respond to the client.
Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1112745 : System CPU Usage detailed graph is not accessible on Cerebrus+
Links to More Info: BT1112745
Component: Local Traffic Manager
Symptoms:
When accessing performance reports of CPU usage detailed graph, error "Error trying to access the database." is displayed since the CPU graph name is getting truncated.
Conditions:
When on a single blade, if we have more than 17 TMMs this error will be seen.
Impact:
Detailed graph for system CPU usage will not be accessible.
Workaround:
No workaround
Fix:
Increased the size of the detail string to support more than 32 TMMs.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1112537-3 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
Fix:
Unused monitors can now be deleted correctly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1112385-2 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1112349-3 : FIPS Card Cannot Initialize
Links to More Info: BT1112349
Component: Local Traffic Manager
Symptoms:
Initializing the FIPS card for the first time which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02 may cause the below error and will not be able to initialize the card:
Enter new Security Officer password (min. 0, max. 0 characters):
ERROR: Too long input (max.: 0 characters)
ERROR: Failed to read password
ERROR: INITIALIZATION FAILED!
Conditions:
First time initialization of new device with "tmsh run util fips-util -f init" command which contains the FIPS firmware CNN35XX-NFBE-FW-1.1-02
Impact:
FIPS card cannot be used for the FIPS key traffic and will not be able to re-initialize.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1112205-2 : HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire
Links to More Info: BT1112205
Component: Local Traffic Manager
Symptoms:
If the client-side stream aborts while response headers are on the wire, the subsequent requests may receive a garbled response.
Conditions:
- HTTP2 profile is used on both client and server side.
- The client terminates the stream while the response has not yet reached the BIG-IP system.
Impact:
The client will receive an obscure response
Workaround:
None
Fix:
Even if the client terminates a stream (while the response has yet not reached BIG-IP), the subsequent requests will receive a correct response.
Fixed Versions:
17.1.0, 15.1.9
1112109-3 : Unable to retrieve SCP files using WinSCP or relative path name
Links to More Info: K000134769 , BT1112109
Component: TMOS
Symptoms:
When you attempt to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from the remote side failed."
If you attempt to transfer a file by the relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with a fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with the command line SCP utility.
Impact:
Cannot use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
You may use WinSCP in SFTP mode if the user ID is permitted to do so.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111993-1 : HSB tool utility does not display PHY settings for HiGig interfaces
Links to More Info: BT1111993
Component: TMOS
Symptoms:
When running the hsb_tool utility, PHY settings for HiGig interfaces are not displayed.
Conditions:
Run hsb_tool on a BIG-IP system with HSB functionality.
Impact:
None
Workaround:
None
Fix:
The HSB tool now displays PHY settings for HiGig interfaces.
Following is an example:
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool
no nde found
no anti-nde found
HSB Debug Tool:
hsb_tool <-m module > [-o option] [-n dev_idx] [-p multi_params]
module: lbb
option: info # show bus info for hsb and pde
option: memory
option: phy # show phy settings for higig interfaces
module: pde
option: memory
module: edag or edagv2 # edagv2 refers to edag version 2
option: default
src_clst # show source cluster tables
dst_clst # show dest cluster tables
dst_assn # show dest assignment tables
vcmp_dsag # show VCMP disaggregation table
hash_cfg # show edag hash config
module: epva
option: mac_src # show epva mac src table
module: nde
option: memory
module: ande
option: memory
device idx params:
device indexes seperated by comma: e.g. -n 1,3,5
-p params:
option memory
3 params seperated by comma [offset, size, mode], e.g. -p 0x300,64,0
mode = 1 means binary mode, display in bytes
mode = 0 means register mode, display in 4 bytes
option mac_src
2 params [start, size], e.g. -p 1,10
Device index convention:
The device index is assigned in the pci device enumeration order
For example: hsb0 on bus 20:0:0, and hsb1 on 21:0:0
Note: the device index assigned in this tool might not be the same as BIG-IP software.
Please refer to the bus.dev.func for discrepancy.
Examples:
display edag info on all HSBs
hsb_tool -m edag
display edag source cluster table for hsb1
hsb_tool -m edag -o src_clst -n 1
display memory for pde 0 & pde 1 with offset 0x200, size 64, register mode
hsb_tool -m pde -o memory -p 0x300,64,0 -n 0,1
display first 10 entries in the epva mac src table
hsb_tool -m epva -o mac_src -p 0,10
[root@localhost:/S1-green-P::LICENSE EXPIRED:Standalone] config # hsb_tool -m lbb -o phy
no nde found
no anti-nde found
lbb0 on bus 1:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
lbb1 on bus 82:0:0 phy dump
hsb version 0x03100100
PHY dump for [HGM1] started.
channel:00 drive:00000020
channel:00 pre:00000000
channel:00 post1:00000000
channel:00 post2:00000011
channel:00 rxdcgain:00000004
channel:00 rxeq:0000000c
channel:01 drive:00000020
channel:01 pre:00000000
channel:01 post1:00000000
channel:01 post2:00000011
channel:01 rxdcgain:00000004
channel:01 rxeq:0000000c
channel:02 drive:00000020
channel:02 pre:00000000
channel:02 post1:00000000
channel:02 post2:00000011
channel:02 rxdcgain:00000004
channel:02 rxeq:0000000c
channel:03 drive:00000020
channel:03 pre:00000000
channel:03 post1:00000000
channel:03 post2:00000011
channel:03 rxdcgain:00000004
channel:03 rxeq:0000000c
PHY dump for [HGM1] completed.
PHY dump for [HGM2] started.
channel:08 drive:00000020
channel:08 pre:00000000
channel:08 post1:00000000
channel:08 post2:00000011
channel:08 rxdcgain:00000004
channel:08 rxeq:0000000c
channel:09 drive:00000020
channel:09 pre:00000000
channel:09 post1:00000000
channel:09 post2:00000011
channel:09 rxdcgain:00000004
channel:09 rxeq:0000000c
channel:0a drive:00000020
channel:0a pre:00000000
channel:0a post1:00000000
channel:0a post2:00000011
channel:0a rxdcgain:00000004
channel:0a rxeq:0000000c
channel:0b drive:00000020
channel:0b pre:00000000
channel:0b post1:00000000
channel:0b post2:00000011
channel:0b rxdcgain:00000004
channel:0b rxeq:0000000c
PHY dump for [HGM2] completed.
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1111981-2 : Decrement in MQTT current connections even if the connection was never active
Links to More Info: BT1111981
Component: Local Traffic Manager
Symptoms:
Current connections statistics display unrealistic values.
Conditions:
When MQTT Over Websockets setup is in passthrough mode.
Impact:
The correct count of the current connections is lost.
Fix:
Added a new field called 'activated' in pcb, to verify if the connection was activated at least once.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111793-3 : New HTTP RFC Compliance check for incorrect newline separators between request line and first header
Links to More Info: BT1111793
Component: Application Security Manager
Symptoms:
ASM does not enforce incoming HTTP requests where the request line and the first header are separated with a line feed ('\n').
Conditions:
Any HTTP request with a line feed only at the end of the request line will not be enforced.
Impact:
Invalid requests might pass through ASM enforcement.
Workaround:
None
Fix:
HTTP requests with LF('\n') as the only separator between the request line and the first header are enforced, and "Unparsable request content" is reported.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1111629-3 : Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors
Links to More Info: BT1111629
Component: TMOS
Symptoms:
After logging in to the GUI you may observe these logs under /var/log/httpd/httpd_errors
warning httpd[7698]: [auth_pam:warn] [pid 7698] [client 10.6.4.2:61221] AUTHCACHE Error processing cookie AFQ6MCL2VWASB6NZTAWGQLFFWY - Failed Read: User, referer:
Conditions:
- Using token authentication for rest calls
- Login to the GUI
Impact:
- Increased disk space usage under /var/log
- Increased memory size of httpd processes
Workaround:
Growth in httpd memory use can be mitigated by restarting httpd:
bigstart restart httpd
Fix:
These messages are no longer logged when not needed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111473-3 : The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes
Links to More Info: BT1111473
Component: Local Traffic Manager
Symptoms:
Log messages similar to the following may be observed in /var/log/ltm:
bigip1 err mcpd[4783]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 29.
This may also result in a few unresponsive monitors in checking state.
If this occurs on a VIPRION system or a multi-slot tenant on a VELOS system, one or more secondary blades may reboot repeatedly while logging messages similar to the following:
err mcpd[####]: 01020036:3: The requested monitor instance (/Common/?????? ##.##.##.## ### ?????????) was not found.
err mcpd[####]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/?????? ##.##.##.## ### ?????????) was not found.... failed validation with error 16908342.
Conditions:
The initial "requested monitor instance ... was not found" message may occur when:
-- FQDN nodes exist on the configuration.
-- A full config sync occurs.
-- Device contains a fix for Bug ID 1017513.
-- May happen regardless of bigd or in-tmm monitoring.
In addition, the message "Configuration error: Configuration from primary failed validation" and secondary blade/slot reboot loop may occur on VIPRION or VELOS systems.
Impact:
-- A few monitor statuses may not be correctly reported.
-- A few monitors may be unresponsive in checking state.
-- On VIPRION or VELOS systems, one or more secondary blades may be unresponsive in a reboot loop.
Workaround:
Force the MCPD process to reload the BIG-IP configuration. For more information refer K13030.
Fix:
The monitors are responsive, no errors are recorded.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1111397 : [APM][UI] Wizard should also allow same patterns as the direct GUI
Links to More Info: BT1111397
Component: Access Policy Manager
Symptoms:
Device wizard fails if a certain string is used in the access policy name:
- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz
An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]
Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).
Impact:
The wizard fails and throws errors.
Workaround:
None
Fix:
Fixed the naming mismatch by removing function to concat strings with extra _x.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111149-1 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111097-4 : gzip arbitrary-file-write vulnerability CVE-2022-1271
Links to More Info: K000130546 , BT1111097
1110893-3 : Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy
Links to More Info: BT1110893
Component: TMOS
Symptoms:
Some sections of the BIG-IP GUI fail to load properly, and may report "An error occurred:" Additionally, iControl REST calls may fail with a 401 unauthorized error.
Conditions:
-- BIG-IP GUI or iControl REST is accessed behind a proxy that that includes an X-Forwarded-For header
-- The "httpd.matchclient" BigDB key is set to true (this is the default).
Impact:
Some portions of the GUI are broken as well as iControl REST calls may fail.
Workaround:
Disable the "httpd.matchclient" DB key:
tmsh modify sys db httpd.matchclient value false
bigstart restart httpd
Fix:
REST Auth token client ip address and mod_auth_pam client ip address should match
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110813-2 : Improve MPTCP retransmission handling while aborting
Links to More Info: BT1110813
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is aborting.
- TMM cores.
Conditions:
- MPTCP is enabled.
- MPTCP enabled TCP connection is aborting.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
Improved MPTCP retransmission handling while aborting.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110489-1 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule is applied to a virtual Server containing a ACCESS_ACL_ALLOWED iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110281-4 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Application Security Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110241-3 : in-tmm http(s) monitor accumulates unchecked memory
Links to More Info: BT1110241
Component: In-tmm monitors
Symptoms:
Connflows growing larger than expected/desired.
Conditions:
-- in-TMM monitors are enabled
-- http(s) monitors are configured
-- Pool members continue spooling chunked data
Impact:
If an http(s) server does not close its connection to BIG-IP and continues spooling chunked data, the connflow remains and can eventually cause similar issues.
Workaround:
Three possible:
1. Fix the server.
2. Periodically reboot the server.
3. Use BigD LTM monitors.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1110205-1 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
Links to More Info: BT1110205
Component: Local Traffic Manager
Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.
Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA
when CLIENTSSL_DATA {
log local0. "."
SSL::release
SSL::collect
}
Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1109953-3 : TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry
Links to More Info: BT1109953
Component: Local Traffic Manager
Symptoms:
A very long entry (exceeding the maximum length allowed by internet stndards) in a data-group used for SSL Forward Proxy Bypass/Intercept hostname list may cause TMM to crash.
Conditions:
All of the below conditions have to be met:
-- A virtual server uses SSL profile
-- This SSL profile has Forward Proxy enabled.
-- The SSL profile has Forward Proxy Bypass enabled.
-- The SSL profile uses Hostname Bypass and/or Hostname Intercept data-group.
-- Anny to the data-groups contains entries which are longer than 255 characters.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure all entries in the data-group used for intercept/bypass hostnanme list do not exceed 255 characters. According to RFC 1035 section 2.3.4, longer hostnames are not valid.
Fix:
TMM no longer crashes when hostname data-group entries are too long. Instead there is an error message logged: 01260000:2: Profile <affected SSL profile name>: could not load hostname bypass/intercept list
However, incorrect entries need to be fixed as they are not valid anyway and make the data-group to be ignored.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1108681-1 : PEM queries with filters return error message when a blade is offline
Links to More Info: BT1108681
Component: Policy Enforcement Manager
Symptoms:
Attempting to retrieve subscriber session data for a specific subscriber returns the following error: "Data Input Error: ERROR: 'query_view' query reply did not contain a result object."
Conditions:
One of the blades is disabled, and the pem sessiondb query contains a filter, for example subscriber-id or session-ip.
Impact:
Cosmetic error, no impact.
Workaround:
Enable the disabled blades, or send a pem sessiondb query without filters.
Fix:
No error is returned when sending a pem session query with filters when one of the blades is disabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1108181-1 : iControl REST call with token fails with 401 Unauthorized
Links to More Info: BT1108181
Component: TMOS
Symptoms:
For a short period after creating or refreshing a token, the iControl REST calls may fail with a 401 Unauthorized error and an HTML body content, or a 401 F5 Authorization Required error and a JSON body content.
When using F5 Ansible modules for BIG-IP, the modules may fail with an error "Expecting value: line 1 column 1 (char 0)".
The AS3 may return an error "AS3 API code: 401".
Conditions:
- REST call using valid token.
- Can commonly occur on the call after a token has been refreshed or a Token list has been requested.
Impact:
The iControl REST calls may temporarily fail (typically less than 1 second) after the creation or refresh of an iControl REST token.
Workaround:
After being issued a token or refreshing a token, wait a second before attempting to use it.
If this does not work, request a new token.
No workaround exists for AS3 or F5 Ansible BIG-IP modules.
Fix:
A race condition on a PAM file update has been resolved. Tokens should remain valid.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108109-1 : APM policy sync fails when access policy contains customization images ★
Links to More Info: BT1108109
Component: Access Policy Manager
Symptoms:
APM policy sync fails after an upgrade. Mcpd logs an error
err mcpd[6405]: 01b70117:3: local_path (/tmp/psync_local_file) starts with invalid directory. Valid directories are /var/config/rest/, /var/tmp/, /shared/tmp/.
Conditions:
APM access policy contains a custom image file
Impact:
APM policy sync fails.
Workaround:
None
Fix:
Customization image file is allowed to be created from /tmp local_path.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1107689 : IPI is not dropping traffic from IPREP database malicious IPs
Links to More Info: BT1107689
Component: TMOS
Symptoms:
IPI is unable to drop traffic when you send an attack using IPs from the IPREP list of IPs.
Conditions:
-- IPI Subscription License installed
Impact:
The packet is not dropped and mysql logs or network-ipi logs are not seen for such.
Workaround:
No
Fix:
IPI is now able to drop traffic from IPREP IPs, and the traffic drops are logged.
Fixed Versions:
15.1.6.1
1107549-3 : In-TMM TCP monitor memory leak
Links to More Info: BT1107549
Component: In-tmm monitors
Symptoms:
TMM memory use grows unbounded; aggressive sweeper is engaged
Conditions:
-- In-TMM TCP monitors are enabled
Impact:
TCP peer ingress accumulates over time. Over an extended period of time the aggressive sweeper begins freeing memory.
Workaround:
1. Rebooting the BIG-IP system after the change is made is one potential remedy.
2. Use regular LTM monitors.
Fix:
Fixed a memory leak with in-tmm TCP monitors.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1106937-1 : ASM may skip signature matching
Links to More Info: BT1106937
Component: Application Security Manager
Symptoms:
Under certain conditions ASM skips signature matching.
Conditions:
Authorization header type is Bearer.
- When input contains less than or more than 3 parts of JWT token values.
- When base64 decode fails while decoding JWT token.
Impact:
Signature matching gets skipped.
Workaround:
None
Fix:
ASM checks for signature matching.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106757-2 : Horizon VDI clients are intermittently disconnected
Links to More Info: BT1106757
Component: Access Policy Manager
Symptoms:
VMware Horizon Clients experience intermittent freezes and disconnects as the mapping between blast UUID and session id in CLIENT_CLOSED function is maintained only for 20 seconds.
Conditions:
-- VMware VDI is configured via an iApp
-- The connection to the virtual server is lost for more than 20 seconds
Impact:
VMware Horizon Clients experience freezes and disconnects intermittently.
Workaround:
None
Fix:
VMware Horizon Clients are not being disconnected intermittently.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106489-3 : GRO/LRO is disabled in environments using the TMM raw socket "sock" driver.
Links to More Info: BT1106489
Component: TMOS
Symptoms:
GRO/LRO packets are not received: "tmctl -d blade tmm/ndal_rx_stats" shows "0" in "lro". The linux host has GRO disabled: "ethtool -k eth1 | grep generic-receive-offload" shows "off".
Conditions:
-- BIG-IP is deployed in a Hyper-V environment.
-- Any environment such that "tmctl -d blade tmm/device_probed" displays "sock" in "driver_in_use".
Impact:
Performance is degraded.
Workaround:
Manually enable GRO on the device: ethtool -K eth1 gro on
Check that it's enabled with: ethtool -k eth1 | grep generic-receive-offload
Fix:
When sending large payload, "tmctl -d blade tmm/ndal_rx_stats" shows "1" in "lro". "tmctl -d blade tmm/ndal_dev_status" shows "y:y" (available:enabled) in "lro". The linux host indicates the device has GRO enabled: "ethtool -k eth1 | grep generic-receive-offload" shows "on".
Fixed Versions:
16.1.4, 15.1.10
1106353-3 : [Zebos] Expand zebos/bgp commands in a qkview
Links to More Info: BT1106353
Component: TMOS
Symptoms:
Improvement to add the following commands to a qkview:
show ip route
show ipv6 route
show ip bgp neighbors
show bgp
show ip bgp attribute-info
show ip bgp scan
show ip pim neighbor
show route-map
show process
Conditions:
None
Impact:
None
Workaround:
None
Fix:
The following commands are added to a qkview:
Show ip route
show ipv6 route
show ip bgp neighbors
show bgp
show ip bgp attribute-info
show ip bgp scan
show ip pim neighbor
show route-map
show process
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1106341 : /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition
Links to More Info: BT1106341
Component: Advanced Firewall Manager
Symptoms:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Conditions:
Create a firewall rule or policy.
Impact:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Workaround:
None
Fix:
Creating a firewall rule or policy no longer causes the /var/tmp/pccd.out file size to increase rapidly.
Fixed Versions:
17.1.1, 15.1.7
1106273-1 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Data is able to flow through tunnel and no crash
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1105901-3 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1105341-3 : Decode_application_payload can break exponent notation in JSON
Links to More Info: BT1105341
Component: Application Security Manager
Symptoms:
With decode_application_payload set to 1, the single pass of decoding prior to JSON parsing will convert positive exponents to ascii characters ie "+" to " ". This results in Malformed numeric value violations
Conditions:
Positive exponents with decode_application_payload set to 1.
Impact:
Malformed JSON violations
Workaround:
Disable decode_application_payload
decode_application_payload set to 0.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1104741-1 : ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone
Links to More Info: BT1104741
Component: Advanced Firewall Manager
Symptoms:
Hardware drops are not seen for the vectors ICMP flood or ICMP/IP/IPv6 fragment when configured on zone.
Conditions:
A zone is configured with ICMP flood or ICMP/IP/IPv6 fragment vectors.
Impact:
Hardware mitigation is not happening when ICMP flood and ICMP/IP/IPv6 fragment vectors configured on a zone.
Workaround:
None
Fix:
This was due to know limitation in one of the hardware module. Added the required changes to use SPVA for these vectors to fix the issue.
In order to mitigate these vectors on Zone, you can update the dos.allvlans sys DB variable to 'false'.
root@(localhost)(cfg-sync Standalone)# modify sys db dos.allvlans { value false }
root@(localhost)(cfg-sync Standalone)# list sys db dos.allvlans
sys db dos.allvlans {
value "false"
}"
Fixed Versions:
17.1.0, 15.1.9
1104553 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
Fix:
This defect has been resolved and stale connections are being cleaned up as expected.
Fixed Versions:
17.1.1, 15.1.7
1104517 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
Links to More Info: BT1104517
Component: Access Policy Manager
Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.
Conditions:
SWG explicit proxy is configured.
Impact:
Some clients are unable to access a service.
Workaround:
Disable sessionDB mirroring on both active and standby
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config
Restart tmm on standby
# bigstart restart tmm
Fix:
Fixed an issue causing a TCP reset with certain clients.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1104409-2 : Added Rewrite Control Lists builder to Admin UI
Links to More Info: BT1104409
Component: Access Policy Manager
Symptoms:
Poor usability for admins in Rewrite Control Lists (RCL) functionality
Conditions:
You wish to edit Rewrite Control Lists
Impact:
Previously there was no RCL builder. The RCL strings where added as is.
Now Admin UI has an RCL builder which creates the RCL string.
Workaround:
None
Fix:
RCL Builder added to Admin UI
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1104073-3 : Use of iRules command whereis with "isp" or "org" options may cause TCL object leak.
Links to More Info: BT1104073
Component: Local Traffic Manager
Symptoms:
When iRules command whereis is being used with "isp" or "org" options and underlying GEOIP database(s) have not been loaded,
cur_allocs for tcl memory increases over time and does not return to the prior level.
Conditions:
- iRules command whereis is used with "isp" or "org" options
- The underlying GEOIP database(s) have not been loaded
Impact:
Cur_allocs for tcl memory increases over time and does not return to the prior level.
Workaround:
Load the underlying GEOIP database(s) before using "isp" or "org" options of the iRules command whereis.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1104037-3 : Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire
Links to More Info: BT1104037
Component: SSL Orchestrator
Symptoms:
Tmm crashes.
Conditions:
Changing "connection.vlankeyed" from enabled to disabled on a system configured for L2 wire
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Keep "connection.vlankeyed" enabled
Fix:
The crash was eliminated
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1103617-3 : 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile.
Links to More Info: BT1103617
Component: Local Traffic Manager
Symptoms:
'Reset on Timeout' setting might be ignored when Fastl4 profile is configured along with some other profile.
Conditions:
Fastl4 profile is configured along with some other profile (for example IPS).
Impact:
Traffic might be reset unexpectedly.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1103477-1 : Refreshing pool member statistics results in error while processing requests
Links to More Info: BT1103477
Component: Global Traffic Manager (DNS)
Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.
Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.
Impact:
Refresh does not work as expected.
Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.
Fix:
The page refreshes correctly on clicking the button or on setting the timer.
Fixed Versions:
17.1.1, 15.1.10
1103369-3 : DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant
Links to More Info: K000133368 , BT1103369
Component: TMOS
Symptoms:
The REST tokens are not deleted from cache /var/run/pamcache when the tokens are expired or deleted.
Conditions:
- A large number of REST Auth tokens are created in multi-slot VIPRION, multi-slot vCMP Guest, or multi-slot VELOS tenant.
Impact:
The deleted token continue to be available in the cache.
Memory is consumed as cache is stored in an in-memory filesystem.
Workaround:
First take immediate action to recover memory by removing stale tokens and restarting affected processes. This should be done to free memory, even if planning to update software to prevent reoccurrence.
Remove token files from /run/pamcache manually. This may have minor impact to REST API use causing a REST user to need to reauthenticate.
Execute the following command by using -print instead of -delete to verify the tokens to be deleted (recommended to not use clsh):
# clsh "find /run/pamcache -regextype posix-extended -type f -regex '/run/pamcache/[A-Z0-9]{26}' -delete"
httpd processes can be affected - restart them. This has an impact to REST API and GUI for the few seconds until httpd restarts:
# clsh bigstart restart httpd
Restart csyncd - this is expected to have no adverse impact.
# clsh bigstart restart csyncd
Alternatively clear any stale content and restart processes simply by rebooting the chassis (ie all blades together).
Next, it is possible to prevent the issue reoccurring by the following steps, if not quickly updating software to a fixed version.
Execute the following commands in bash to remove the pamcache directory from the set being acted upon by "csyncd":
# clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
# clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
# clsh "bigstart restart csyncd"
Fix:
Auth tokens in /run/pamcache are deleted as required.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103233-4 : Diameter in-tmm monitor is logging disconnect events unnecessarily
Links to More Info: BT1103233
Component: Service Provider
Symptoms:
Errors are logged to /var/log/ltm:
err tmm[20104]: 01cc0006:3: Peer (<peer>) connection state has changed: disconnected
Conditions:
A diameter in-tmm monitor is configured
Impact:
Debug logs are logged at the error level.
Workaround:
None
Fix:
Log level has been changed to the debug level for the peer disconnected log.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1102849-2 : Less-privileged users (guest, operator, etc) are unable to run top level commands
Links to More Info: BT1102849
Component: TMOS
Symptoms:
Less privileged users are no longer able to run top-level commands such as "show running-config recursive". Executing this command from TMOS results in an error:
Unexpected Error: Can't display all items, can't get object count from mcpd
and mcpd throws error:
result_message "01070823:3: Read Access Denied: user (test) type (Abort Ending Agent)"
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1102837-3 : Use native driver for e810 instead of sock
Links to More Info: BT1102837
Component: TMOS
Symptoms:
Default driver sock cannot provide good performance.
Conditions:
Running BIG-IP Virtual Edition (sock is the default virtual function network driver for VE until 15.1.6 release)
Impact:
Default driver sock cannot provide good performance.
Workaround:
No mitigation when native drivers are not yet available for e810 NIC (for example, 15.1.6 and earlier). Default driver sock are used and that is unable to provide good performance.
Fix:
This release provides a native driver.
Fixed Versions:
17.1.0, 16.1.5, 15.1.7
1102429-3 : iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.
Links to More Info: BT1102429
Component: Local Traffic Manager
Symptoms:
Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).
Conditions:
The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.
Impact:
The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, the lack of a reject packet could make the client retransmit its initial packet or insist in opening more connections.
Fix:
iRule 'reject' command under 'FLOW_INIT' event now works correctly even when autolasthop should be employed to deliver the reject packet back to the client.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1102425-2 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.
Following are the symptoms:
- Following log message is logged in /var/log/ltm:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.' for the secondary slots.
- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
Fixed Versions:
17.1.1, 15.1.10
1101697-1 : TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR).
Links to More Info: BT1101697
Component: Local Traffic Manager
Symptoms:
Connection failure.
Conditions:
This condition can occur when:
- The 0-RTT is enabled.
- When TLS1.3 session goes for Hello Retry Request (HRR).
Impact:
Connection failure.
Workaround:
Disable the 0-RTT.
Fix:
Added changes which handle this defects.
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1101653-1 : Query Type Filter in DNS Security Profile blocks allowed query types
Links to More Info: BT1101653
Component: Advanced Firewall Manager
Symptoms:
When NXDomain is moved to active/enabled, a query response does not work in the GUI.
Conditions:
NXDomain field is in enable state in filtered-query-type in GUI.
Impact:
The query response fails.
Workaround:
NXDomain field should not be enabled using the GUI.
NXDomain is always response type.
Fixed Versions:
17.1.1, 15.1.10
1101453-3 : MCPD SIGABRT and core happened while deleting GTM pool member
Links to More Info: BT1101453
Component: TMOS
Symptoms:
Mcpd crashes while deleting a pool member.
Conditions:
-- Huge GTM configuration
-- One pool members is referenced by 1000 wide IPs
Impact:
Traffic disrupted while mcpd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101369-2 : MQTT connection stats are not updated properly
Links to More Info: BT1101369
Component: Local Traffic Manager
Symptoms:
Negative values can be seen in current connections.
Conditions:
This issue can be seen when the 'CONNECT' message is dropped by iRule or when the first message received is not 'CONNECT.'
Impact:
MQTT profile stats are not incremented correctly with CONNECT message.
Workaround:
None
Fix:
MQTT profile stats are incremented correctly with CONNECT message.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101321 : APM log files are flooded after a client connection fails.
Links to More Info: BT1101321
Component: Access Policy Manager
Symptoms:
Once a client connection fails, the var/log/apm log files get flooded with repeat error messages like "queue.cpp func: "printx()" line: 359 Msg: Queued fd"
Conditions:
When the client connection fails, for example, when the client connection is no longer valid, the log files are flooded with all queued connections which are available at that point of time.
Impact:
The continuous error messages in the log files may cause high CPU issues.
Workaround:
None
Fix:
Log level changed so that these logs are only printed in debug log-level.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1101181-1 : HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1101181
Component: Local Traffic Manager
Symptoms:
The BIG-IP forwards HTTP request headers to pool member, but does not forward the request body. This results in a connection stall, and the connection eventually timing out and failing.
Conditions:
-- Virtual server with HTTP/2 full proxy configured (HTTP MRF router is enabled, and HTTP/2 profile present on virtual server).
-- Virtual server has request-logging profile assigned.
-- Serverside connection uses HTTP/2.
-- Client sends a request that includes a payload body (e.g. a POST).
Impact:
HTTP transaction fails; traffic does not pass.
Workaround:
Remove the request-logging profile.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100721-3 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
A IPv6 link-local floating self-IP breaks IPv6 query to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.
Impact:
DNS requests will get timed out.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1100669-1 : Brute force captcha loop
Links to More Info: BT1100669
Component: Application Security Manager
Symptoms:
Captchas for a user that failed to login after several attempts will continue after a successful login.
Conditions:
-- A user fails to log in after several attempts.
-- The mitigation is captcha mitigation.
Impact:
If the user eventually provides the correct password, the user will be able to log in.
Workaround:
None
Fix:
Issue with captcha loop was fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100549-1 : "Resource Administrator" role cannot change ACL order
Links to More Info: BT1100549
Component: Access Policy Manager
Symptoms:
You encounter a 'No Access' error when trying to change ACL order
Conditions:
You are logged in with a Resource Administrator role.
Impact:
You are unable to change the ACL order
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100409-3 : Valid connections may fail while a virtual server is in SYN cookie mode.
Links to More Info: BT1100409
Component: TMOS
Symptoms:
Some of the valid connections to a TCP virtual server may fail while the virtual server is in SYN cookie mode due to an attack.
Conditions:
-- BIG-IP i4x00 platform.
-- TCP virtual server under SYN flood attack.
Impact:
Failed connections, service degradation.
Workaround:
Disabling SYN cookie in the TCP or fastL4 profile is a possible workaround, but that would leave the virtual server open to SYN flood attacks.
Fix:
The ePVA module is now correctly initialized on the i4x00 platform.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1100321-1 : MCPD memory leak
Links to More Info: BT1100321
Component: TMOS
Symptoms:
Viewing virtual server firewall policy rules leaks some memory in MCPD.
Conditions:
- BIG-IP AFM is provisioned
- Virtual server firewall policy rules are viewed, e.g. by running one of the following commands:
tmsh show ltm virtual fw-enforced-policy-rules
tmsh show ltm virtual fw-staged-policy-rules
Impact:
A memory leak occurs when the command is run.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1100125-1 : Per virtual SYN cookie may not be activated on all HSB modules
Links to More Info: BT1100125
Component: TMOS
Symptoms:
The virtual reports Hardware SYN cookie mode, but some of the SYNs are still processed in software.
Conditions:
On platforms where one TMM instance attached to multiple HSB modules.
Impact:
A portion of an SYN flood is processed in Software instead of Hardware.
Workaround:
-
Fix:
SYN cookie processing is correctly offloaded to all HSB modules.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1099765-4 : Inconsistent behavior in violation detection with maximum parameter enforcement
Links to More Info: BT1099765
Component: Application Security Manager
Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.
Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format
Impact:
No violation for passing maximum parameters given in event log, although the maximum number of allowed parameters was exceeded.
Workaround:
None
Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1099545-3 : Tmm may core when PEM virtual with a simple policy and iRule is being used
Links to More Info: BT1099545
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGSEGV.
Conditions:
-- PEM virtual with a simple policy and iRule attached.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1099341-3 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs
1099305-1 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1099305
Component: Access Policy Manager
Symptoms:
The following symptoms are observed in /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1099229-3 : SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present
Links to More Info: BT1099229
Component: Local Traffic Manager
Symptoms:
-- A connection to the virtual server hangs from the client device.
-- A memory leak occurs in tmm
Conditions:
-- Virtual server has an L7 policy configured.
-- Virtual server has iRules configured.
Impact:
-- Clients are unable to connect to the virtual server.
-- A memory leak occurs.
Workaround:
Remove the L7 policy or the iRules from the virtual server configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1099193-3 : Incorrect configuration for "Auto detect" parameter is shown after switching from other data types
Links to More Info: BT1099193
Component: Application Security Manager
Symptoms:
The Configuration shown in the GUI for the "Auto detect" Parameter value type is incorrect after certain steps are performed.
Conditions:
1. Create a default policy
2. Create new a Parameter with "User-input value" as a Parameter Value Type, and "File Upload" as the Data Type.
3. Save the settings above, and go back to the newly created Parameters settings.
4. Change its Parameter Value Type to "Auto detect".
Impact:
You either see unrelated fields, e.g. "Disallow File Upload of Executables" or missing tabs, like Value Meta Characters.
Workaround:
You can save a configuration with "User-input value" as a Parameter Value type, and "Alpha-Numeric" as Data Type, and then set "Auto detect" as Parameter Value Type.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1098837 : Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables
Links to More Info: BT1098837
Component: Protocol Inspection
Symptoms:
During the upgrade/reboot, configuration error with reason DB validation exception occurs and unique constraint violation in the tables ips_inspection_sig and ips_inspection_compl.
Conditions:
During the upgrade/reboot of the device, there should not be a configuration error with a DB exception message.
Impact:
Some of the signatures and compliances will not load into the MCPD database tables ips_inspection_sig and ips_inspection_compl respectively.
Workaround:
Store the details of the signatures and compliances into the file and run the following command:
"tmsh load sys config merge filename"
Fix:
No DB exception on the tables ips_inspection_sig and ips_inspection_compl.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1098829-5 : Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8
1098609-5 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criterias that happens while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1098009 : DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms
Links to More Info: BT1098009
Component: TMOS
Symptoms:
There might be problems in DAG context synchronization in high availability (HA) mirroring on VELOS platform.
The problem can be observed as a long sequence of logs similar to:
notice SDAG CDP: Selected DAG state from primary PG 0 for CMP state 07 with clock 4622
Conditions:
-- An high availability (HA) pair is setup
-- The problem is currently known to manifest itself particularly for tenants with 3 blades.
Impact:
Traffic is disrupted when failover occurs.
Workaround:
-- The system should eventually heal itself after up to a few minutes
-- Force a high availability (HA) reconnect, for example by modifying sys db statemirror.clustermirroring to "within" then back to "between".
Fix:
Fixed DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms.
Fixed Versions:
17.1.0, 15.1.8
1097821-3 : Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified
Links to More Info: BT1097821
Component: Access Policy Manager
Symptoms:
Creating an APM policy image file with source_path attribute fails.
Conditions:
APM provisioned
Impact:
You are unable to use the source_path attribute for creating APM customization image files.
Workaround:
Copy the image file to one of the directories of /var/config/rest/, /var/tmp/, /shared/tmp/ and use local_path instead of source_path.
E.g. create apm policy image-file test.jpg local-path /var/tmp/<file name>
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1097193-1 : Unable to SCP files using WinSCP or relative path name
Links to More Info: K000134769 , BT1097193
Component: TMOS
Symptoms:
When attempting to retrieve a file with WinSCP, you receive an error dialog and the session will be terminated:
"SCP Protocol error: Invalid control record (r; elative addresses not allowed)
Copying files from remote side failed."
If attempting to transfer a file by relative path with a command line utility the transfer will fail with the message:
"relative addresses not allowed"
Conditions:
-- Running BIG-IP version with fix for ID 915981
-- Using WinSCP set to use SCP protocol to retrieve files from a BIG-IP system.
-- Using a relative remote path to transfer a file with command line scp utility.
Impact:
No longer able to use WinSCP to retrieve files such as packet captures, log archives, or other diagnostic data from the BIG-IP system.
Workaround:
Use a command line SCP tool that allows specifying an absolute path for the source and/or destination file (a path that starts with a forward slash /), when the source and/or destination locations are a BIG-IP device.
If the user ID is permitted to do so, you may use WinSCP in SFTP mode.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1096893-2 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096373-3 : Unexpected parameter handling in BIG3d
Links to More Info: K000132972 , BT1096373
1096317-3 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.
Conditions:
SIPGmsg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
Fix:
Flows are now properly expired.
Fixed Versions:
17.1.1, 15.1.10
1095217-3 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1095217
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Conditions:
This is encountered if 2 or more configurations are specified for an already configured pool on the peer device when using the "tmsh load sys config merge from-terminal" command.
For example:
Existing pool:
ltm pool http_pool {
members {
member1:http {
address 10.82.243.131
monitor http
}
}
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
members none
}
ltm pool http_pool {
members replace-all-with {
member1:http {
address 10.82.243.131
monitor http
}
}
}
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking".
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1095185-3 : Failed Configuration Load on Secondary Slot After Device Group Sync
Links to More Info: BT1095185
Component: Application Security Manager
Symptoms:
Configuration synchronization fails on secondary slots after the primary slot receives a full sync from a peer in a device group.
Conditions:
Bladed chassis devices are configured in an ASM enabled device group
Impact:
Incorrect enforcement on secondary slots.
Workaround:
None
Fix:
Synchronization to secondary slots is successful.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1095041-3 : ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list.
Links to More Info: BT1095041
Component: Application Security Manager
Symptoms:
HTTP requests are truncated at the cookie and raise a violation.
Conditions:
-- Cookie list contains TS cookie
-- A cookie contains a space in the name
-- TS cookie stripping is enabled (db asm.strip_asm_cookies is set as true)
Impact:
Backend server does not receive a complete cookie.
Workaround:
Sys db asm.strip_asm_cookies is set as false.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1094177-3 : Analytics iApp installation fails
Links to More Info: BT1094177
Component: iApp Technology
Symptoms:
By default restjavad.disablerpmtasks value is true. This causes iApp RPM installation to be blocked.
Conditions:
Analytics iApp RPM installation
Impact:
The RPM installation fails with an error "403, Protocol Exception".
Workaround:
Change the restjavad.disablerpmtasks sys db variable to false, and then restart restjavad:
tmsh modify sys db restjavad.disablerpmtasks value false
To restart restjavad on a VIPRION or multi-bladed vCMP guest or multi-bladed F5OS tenant:
clsh tmsh restart sys service restjavad
To restart restjavad on an appliance or single-slot vCMP guest or F5OS tenant:
tmsh restart sys service restjavad
NOTE: This will require a cluster sync for any device groups configured for manual config sync. All updated systems will require a restart of restjavad for the change to take affect.
After restjavad restarts on all affected devices, you can perform the iApp installation.
Fix:
By default, the sys db variable restjavad.disablerpmtasks should be "false". When appliance mode is enabled, this DB key is forced to "true".
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1093933-2 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1093621-1 : Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP
Links to More Info: K10347453
1093357-1 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1093253-5 : CVE-2021-3999 Glibc Vulnerability
Links to More Info: K24207649
1092965-3 : Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value
Links to More Info: BT1092965
Component: Application Security Manager
Symptoms:
An "Illegal Base64 value" violation will be reported for a staged parameter even though Alarm/Blocking/Learning is disabled for this violation.
Conditions:
- A parameter has to be set to staging mode with base64 decoding.
- The Alarm/Blocking/Learning flags has to be disabled for the violation "Illegal Base64 value".
- The incoming request has to have the defined parameter in QS with an attack signature that is not base64 encoded in the parameter value.
Impact:
The violation "Illegal Base64 value" is reported.
Workaround:
None
Fix:
The violation "Illegal Base64 value" is not reported if Alarm/Blocking/Learning flags are disabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1091969-2 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9
1091761-2 : Mqtt_message memory leaks when iRules are used
Links to More Info: BT1091761
Component: Local Traffic Manager
Symptoms:
Mqtt_message memory leaks when iRules like insert_after, insert_before, and respond are used.
Conditions:
Basic mqtt virtual server with any of the below rules ->insert_after
>insert_before
>respond
Impact:
Memory leak occurs and TMM may crash
Workaround:
NA
Fix:
There is no longer a memory leak with iRules usage
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1091725-3 : Memory leak in IPsec
Links to More Info: BT1091725
Component: TMOS
Symptoms:
Slow memory growth of tmm over time.
This leak affects both the active and standby BIG-IPs.
Conditions:
IPsec is in use.
Security associations are being created or recreated.
Impact:
Over time, tmm may exhaust its memory causing a tmm crash.
Fix:
A leak in IPsec security association handling has been fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1091565 : Gy CCR AVP:Requested-Service-Unit is misformatted/NULL
Links to More Info: BT1091565
Component: Policy Enforcement Manager
Symptoms:
Observed diameter protocol warning when Requested Service Unit(RSU) is empty for CCR-I and CCR-U requests.
Conditions:
If the 'Initial Quota' is EMPTY in policy under Policy Enforcement ›› Rating Groups, the BIG-IP system reports empty data in AVP: Requested-Service-Unit.
Impact:
In Wireshark, a protocol warning occurs.
Workaround:
None
Fix:
If the Initial PEM Quota values are EMPTY/0 We are updating the RSU values to Zero.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
1091345-3 : The /root/.bash_history file is not carried forward by default during installations.
Links to More Info: BT1091345
Component: TMOS
Symptoms:
By default, the /root/.bash_history file is not included in the UCS archives. As such, this file is not rolled forward during a software installation.
Conditions:
Performing a BIG-IP software installation.
Impact:
This issue may hinder the efforts of F5 Support should the need to determine what was done prior to a software installation arise.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091249-3 : BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address.
Links to More Info: BT1091249
Component: Global Traffic Manager (DNS)
Symptoms:
As BIG-IP DNS and Link Controller systems connect with one another (or with monitored BIG-IP systems) over iQuery, you may notice:
-- Log messages that specify IPv6 translation addresses non-existent in your configuration and often meaningless (as in not pertaining to some of the more common IPv6 address spaces). For example:
debug gtmd[24229]: 011ae01e:7: Creating new socket to connect to 2001::1 (a06d:3d70:fd7f:0:109c:7000::)
-- If you restart the gtmd daemon, the IPv6 translation address mentioned above between parenthesis changes to a new, random meaningless value.
-- The GTM portion of the configuration fails to synchronize.
Conditions:
IPv6 translation addresses are in use in relevant objects.
Impact:
The logs are misleading and the GTM portion of the configuration may fail to synchronize.
Workaround:
If possible, do not use IPv6 translation addresses.
Fix:
IPv6 translation addresses now function as designed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091185-3 : Issue with input normalization
Links to More Info: K000135944 , BT1091185
Component: Application Security Manager
Symptoms:
Signatures may not be matched correctly with input normalization
Conditions:
N/A
Impact:
Signature is not matched.
Fix:
After fix - signature is correctly detected.
Fixed Versions:
17.1.0, 15.1.9
1090649 : PEM errors when configuring IPv6 flow filter via GUI
Links to More Info: BT1090649
Component: Policy Enforcement Manager
Symptoms:
An error occurs while configuring an IPv6 flow filter using the GUI:
0107174e:3: The source address (::) and source netmask (0.0.0.0) addresses for pem flow info filter (filter0) must be be the same type (IPv4 or IPv6).
Conditions:
Configuring an IPv6 flow filter using the GUI
Impact:
You are unable to configure the IPv6 flow filter via the GUI
Workaround:
The error does not occur when using tmsh.
Fix:
Modified the IPv6 Validation. Able to create IPV6 flow filter after the fix
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1090569 : After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV
Links to More Info: BT1090569
Component: TMOS
Symptoms:
Some SSL handshakes are fail when using the CRL certificate validator and tmm crashes.
Conditions:
-- TLS virtual server
-- The virtual server passes network traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to the CRL certificate validator.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1089829 : PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers
Links to More Info: BT1089829
Component: Policy Enforcement Manager
Symptoms:
SIGSEGV tmm cores with back trace in PEM area.
"pem_sessiondump --list" command will show session with custom attribute name as empty/NULL.
Conditions:
Setting pem session custom attribute value with length more than (1024- attribute name length).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In the iRule, make sure the custom attribute value size + custom attribute name length is not more than 1024.
Fix:
Adding restriction, allowed custom attribute value size + custom attribute name length should be less than 1024.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1089233-3 : CVE-2022-0492 Linux kernel vulnerability
Links to More Info: K54724312
1089101-1 : Apply Access Policy notification in UI after auto discovery
Links to More Info: BT1089101
Component: Access Policy Manager
Symptoms:
"apply access policy notification" pops up in GUI
Conditions:
1. OAuth auto discovery is enabled for OAuth provider
2. The relevant access policy has macros in it.
Impact:
Traffic may fail until "apply access policy" is clicked manually
Workaround:
Access policy can be modified to not have macros in it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1088849-3 : Inconsistent behavior while sending malformed request to /TSbd URLs
Links to More Info: BT1088849
Component: Application Security Manager
Symptoms:
When the BIG-IP system receives crafted/malformed requests to fictive /TSbd URLs, the BIG-IP system behaves in three different ways:
-- Displaying a default response page with Support ID
-- Reset the connection
-- Displaying an alternative response page, e.g. 'Leaked Credentials Detected' OR 'Login Failed').
Conditions:
Use malformed /TSbd URLs.
Impact:
Inconsistent behavior for malformed /TSbd fictive URLs.
Fixed Versions:
15.1.9
1088597-3 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1088445-5 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1088429-3 : Kernel slab memory leak
Links to More Info: BT1088429
Component: TMOS
Symptoms:
The Linux kernel unreclaimable slab leaks kmalloc-64 (64 byte) allocations due to an issue with ext4 filesystem code.
The kmalloc-64 leaks occur when specific operations are executed on ext4 filesystems, such as copy of file with extended attribute preservation.
Red Hat have documented the issue, refer to the links below.
Note: Red Hat account with appropriate access are required to view these pages.
Posix ACL object is leaked in setattr and fsetxattr syscalls
https://access.redhat.com/solutions/4967981.
This issue is tracked by Red Hat as bug 1543020
https://bugzilla.redhat.com/show_bug.cgi?id=1543020.
Conditions:
This usually happens a small amount, such as 100MB over a year on most systems.
On some systems memory use can grow much faster and the precise file manipulations that might do this are not known at this time.
Impact:
Kernel unreclaimable slab memory grows over time. This will be growth of what F5 term host memory, and will appear as increased other and/or swap memory on memory graphs.
Usually the amount leaked is quite small and has no impact.
If large enough this may leave system with too little host memory and trigger typical out of memory symptoms such as:
- sluggish management by TMUI (GUI) and CLI shell
- possible invocation of oom-killer by kernel leading to termination of a process
- if severe, the system may thrash and become unstable, leading to cores and possibly reboot.
The amount of slab usage can be tracked with the following commands executed from the advanced shell (bash).
# cat /proc/meminfo | grep ^SUnreclaim
SUnreclaim: 46364 kB
The precise use of slab memory by component can be viewed using:
/bin/slabtop --once
Note: This includes both reclaimable and unreclaimable slab use. High reclaimable slab is usually not a concern because as host memory gets filled it can be freed (reclaimed).
Look for the amount of memory in use by kmalloc-64. There will be some use even without the leak documented here. The amount can be compared with free or easily freeable host memory, a good estimate of which is given by the following command:
# cat /proc/meminfo | grep ^MemAvailable
MemAvailable: 970852 kB
Workaround:
None
Fix:
Linux kernel ext4 filesystem module memory leak fixed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1088389 : Admin to define the AD Query/LDAP Query page-size globally
Links to More Info: BT1088389
Component: Access Policy Manager
Symptoms:
The page-size is a fixed value in LDAP and AD query.
Earlier the value was 1000 and later increased to 2048, after the increase in the value the session failed as the AD servers are configured with lesser value.
Require a configurable page-size.
Conditions:
As the latest page-size value is 2048 the AD Query/LDAP Query with the same may have problem with the AD server whose configured/supported value is 1000 which is lower than 2048.
Impact:
AD/LDAP may fail due to the page-size issue.
Workaround:
None
Fix:
A global setting for the page-size for AD/LDAP Query is available:
sys db apm.ldap.cache.pagesize {
value ""2048""
}"
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1088173 : With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile
Links to More Info: BT1088173
Component: Local Traffic Manager
Symptoms:
Log files indicate that the client certificate is retained when it should not be.
Conditions:
Enable TLS 1.3 and disable retain-certificate parameter in SSL profile
Impact:
Storage of client certificates will increase memory utilization.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1088049 : The fix for ID841469 became broken in the 15.1.x branch for some platforms.
Links to More Info: BT1088049
Component: Local Traffic Manager
Symptoms:
The feature/enhancement introduced by and discussed in https://cdn.f5.com/product/bugtracker/ID841469.html became broken in some BIG-IP 15.1.x versions.
The fix works correctly in BIG-IP versions 15.1.2.1, 15.1.3, and 15.1.3.1. However, the fix is broken in BIG-IP versions 15.1.4, 15.1.4.1, 15.1.5, and 15.1.5.1.
Conditions:
All VIPRION chassis are affected. VELOS chassis are not affected.
Impact:
An upstream load-balancer monitoring and directing traffic to a group of standalone VIPRION chassis may not stop sending traffic to a particular VIPRION system after this suffers an internal interface failure. As a result, some application traffic may fail.
For more information, refer to the bugtracker link in the Symptoms section.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.6.1
1088037 : VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers
Links to More Info: BT1088037
Component: TMOS
Symptoms:
The VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers.
Use `tmsh list/modify net vlan vlan-XYZ dag-adjustment` to view or change the settings.
The recommended and default setting is xor-5mid-xor-5low.
Conditions:
- only even port numbers are used (usually by a Linux client)
Impact:
- only even TMM threads are processing traffic
Workaround:
None
Fix:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Behavior Change:
VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers. Traffic should be distributed evenly between all TMM threads.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1087621-2 : IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload
Links to More Info: BT1087621
Component: TMOS
Symptoms:
The tunnel stops working after initially starting with no problem.
The BIG-IP will send a bad KE (Key Exchange) Payload when rekeying the IKE SA with ECP.
Conditions:
-- IKEv2
-- ECP PFS
-- Peer attempts to re-key IKE SA (CREATE_CHILD SA) over existing IKE SA.
Impact:
IPsec tunnels stop working for periods of time.
Workaround:
Do not use ECP for PFS.
Fix:
ECP will work correctly when rekeying.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1087469-1 : iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate.
Links to More Info: BT1087469
Component: Local Traffic Manager
Symptoms:
When an SSL client connects to BIG-IP system and sends an empty certificate, the CLIENTSSL_CLIENTCERT is not triggered for iRules.
Conditions:
- Virtual server configured on BIG-IP with a clientssl profile
- Client authentication on the virtual server is set to "request"
- iRule relying on CLIENTSSL_CLIENTCERT
- A client connects to BIG-IP using an empty certificate
Impact:
CLIENTSSL_CLIENTCERT irules aren't triggered.
Workaround:
None
Fix:
CLIENTSSL_CLIENTCERT irules are now triggered when receiving empty certificates.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1
1086677-3 : TMM Crashes in xvprintf() because of NULL Flow Key
Links to More Info: BT1086677
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing traffic
Conditions:
This was observed during internal testing and occurred while making configuration changes while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1086517-1 : TMM may not properly exit hardware SYN cookie mode
Links to More Info: BT1086517
Component: TMOS
Symptoms:
Due to a race condition, when one TMM exits SYN cookie mode, another may immediately re-enter hardware SYN cookie mode, keeping the virtual server in SYN cookie mode and the mitigation offloaded to hardware. The SYN cookie status of the virtual server is not properly updated and will show 'not-activated'.
Conditions:
Hardware SYN cookie protection is enabled and SYN cookie mode is triggered.
Impact:
A virtual server that once entered hardware SYN cookie mode may remain in that state indefinitely. The reduced MSS size may affect performance of that virtual server.
Workaround:
Disable hardware SYN cookie either locally via the TCP or FastL4 profile, or globally by the PvaSynCookies.Enabled BigDB variable. Software SYN cookie mode is unaffected.
Fix:
The race condition is eliminated, virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 16.1.4, 15.1.6.1
1086389-3 : BIG-IP r4k and r2k series based systems shows has_pva flag true though they cannot support
Links to More Info: BT1086389
Component: TMOS
Symptoms:
The BIG-IP r4k and r2k series-based systems cannot support ePVA feature by design. But there are flags related to ePVA, like `has_pva` and `pva_version` which are wrongly shown when ran query with `guishell` app for `platform`.
Issue:
=======
# guishell -c 'select has_pva,pva_version from platform'
-------------------------
| HAS_PVA | PVA_VERSION |
-------------------------
| true | 0 |
-------------------------
1 row 0.115s (mcpd: 0.003s, mcpj: 0.006s, hsql: 0.091s, conn: 0.005s, format: 0.007s)
(rcv: 0Kb, 0.003s, snd: 38b, 0.000s)
[root@localhost:NO LICENSE:Standalone] config #
Conditions:
The ePVA feature flags, `has_pva` and `pva_version` in guishell are not correct on BIG-IP r4k and r2k systems as they cannot support this feature with this release.
Impact:
Though the values for these ePVA fields are misleading it has no impact on the functionality as the underlying NIC Card used is Intel NIC card which cannot support ePVA feature on BIG-IP r4k and r2k systems.
So, there is no impact on the functionality as ePVA not possible on r4k and r2k.
Workaround:
None
Fix:
The ePVA feature cannot be possible on BIG-IP r4k and r2k systems. So, no probable fix can be provided.
Fixed Versions:
17.1.0, 15.1.9
1086309 : Legitimate traffic gets blocked on detecting Bad Destination IP of virtual server subnet
Links to More Info: BT1086309
Component: Advanced Firewall Manager
Symptoms:
-- All traffic destined for IPs of the same virtual subnet gets blocked.
-- Other legitimate users of the same subnet can't access resources.
Conditions:
1. Neurond process configured and running.
2. Should have virtual server subnet.
3. Enabling Attacked Destination Detection of any DOS vector.
4. A DOS vector is triggered and mitigation occurs.
Impact:
Other legitimate users of the same subnet can't access resources.
Workaround:
Until the respective BD entry evicts, the problem persists.
Fixed Versions:
15.1.9
1085837-1 : Virtual server may not exit from hardware SYN cookie mode
Links to More Info: BT1085837
Component: TMOS
Symptoms:
Once a virtual server enters hardware SYN cookie mode it may not exit until a TMM restart.
Conditions:
-- On B2250 and B4450 platforms.
-- A condition triggers SYN cookie mode and then goes back to normal.
Impact:
-- Virtual servers in hardware SYN cookie mode do not receive TCP SYN packets.
-- The limited number of possible TCP MSS values may have a light performance impact.
Workaround:
Disable hardware SYN cookie mode on the affected objects.
Fix:
Virtual servers properly exit hardware SYN cookie mode.
Fixed Versions:
17.1.0, 16.1.4, 15.1.6.1
1085661-3 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.
Conditions:
Create an ASM policy and let the system determining language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084993-4 : [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching
Links to More Info: BT1084993
Component: Policy Enforcement Manager
Symptoms:
E2e id and h2h id in Re-Authorisation Answer from PEM to OCS is not matching with Re-Authorisation Request from OCS to PEM.
Conditions:
Diameter-endpoint configuration. PCEF(PEM) communicating over gy interface with OCS for quota information.
Impact:
OCS will not be able to determine for which RAR it got RAA. This is catastrophic for billing.
Workaround:
None
Fix:
There was conversion issue in PEM, fixed it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1084953 : CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition
Links to More Info: BT1084953
Component: Local Traffic Manager
Symptoms:
Increase in CPU usage by 7.3% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP Virtual Edition
- VMWARE 40G NIC SR-IOV with 8 vCPUs unpacked 16GB
- 16KB file size with 1 Request Per Connection
- 16KB file size with 100 Requests Per Connection
- 512KB file size with 1 Request Per Connection
- 512KB file size with 100 Requests Per Connection
Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Response delay or failure in connectivity on client side especially during peak traffic flow due to increased CPU usage.
Workaround:
None.
Fix:
The Virtual Edition network driver now processes traffic more efficiently as expected.
Fixed Versions:
17.1.0, 15.1.6
1084929 : Performance drop observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition
Links to More Info: BT1084929
Component: Local Traffic Manager
Symptoms:
Drop in TPS of around 6.6% observed for Ramcache::HTTP tests.
Conditions:
- BIG-IP Virtual Edition
- VMWARE 40G NIC SR-IOV with 8 vCPUs unpacked 16GB
- 128B file size with 100 Requests Per Connection
Virtual server with the following profiles -
1. http
2. tcp profile with nagle disabled
3. web acceleration profile with following attributes -
- cache-max-age 36000
- cache-object-max-size 1500001
- cache-object-min-size 1
Impact:
Response delay or failure in connectivity on client side especially during peak traffic flow due to increased CPU usage.
Workaround:
None.
Fix:
The Virtual Edition network driver now processes traffic more efficiently as expected.
Fixed Versions:
15.1.6
1084873 : Packets are dropped when a masquerade MAC is on a shared VLAN
Links to More Info: BT1084873
Component: TMOS
Symptoms:
Packets are dropped when a masquerade MAC is on a shared VLAN.
Conditions:
- A masquerade MAC is on a shared VLAN.
- Traffic is initiated, i.e. ping a self-ip.
- Packets are lost.
Impact:
Connectivity issues.
Workaround:
Configure a static fdb entry.
Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.
Fixed Versions:
17.1.0, 15.1.6.1
1084857-3 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084781-5 : Resource Admin permission modification
Component: TMOS
Symptoms:
A user with the Resource Admin role may have incorrect permissions.
Conditions:
A user with Resource Admin role.
Impact:
Undisclosed
Workaround:
None
Fix:
Resource Admin permissions are matched to expected behavior.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1084673-3 : GTM Monitor "require M from N" status change log message does not print pool name
Links to More Info: BT1084673
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned
- A "require M from N" monitor rule is assigned to a gtm pool or an individual gtm pool member.
Impact:
The log written to provide information on the changing number of successful probes does not contain information about the pool member.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084257-4 : New HTTP RFC Compliance check in headers
Links to More Info: K11342432 , BT1084257
Component: Application Security Manager
Symptoms:
ASM is not enforcing certain HTTP request header formatting.
Conditions:
HTTP request with certain header formatting.
Impact:
Invalid requests according to HTTP RFC might pass through ASM enforcement.
Workaround:
None
Fix:
"Unparsable request content" violation is reported when an HTTP request matching the condition is received.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.4, 15.1.7
1084213 : [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant
Links to More Info: BT1084213
Component: TMOS
Symptoms:
On a BIG-IP tenant running on a rSeries (r4x00 or r2x00) platform, VLAN members are not restored when the default configuration is restored.
Conditions:
--- One ore more tenants running on a rSeries (r4x00 or r2x00) platforms.
--- Loading default configuration removes the VLAN member.
Impact:
Loading the default configuration removes VLAN members which blocks traffic.
Workaround:
Below steps are to restore the VLAN members after loading the default configuration.
1. Login to confd on the platform.
2. Detach the VLANs from the interfaces.
3. Re-attach the VLANs to interfaces.
4. VLAN members shall be created in the BIG-IP tenant.
Fixed Versions:
17.1.0, 15.1.6.1
1084173-2 : Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup).
Links to More Info: BT1084173
Component: Global Traffic Manager (DNS)
Symptoms:
Each time the iRule command RESOLV::lookup is invoked with a different target IP address or internal virtual server, a unique resolver context is created.
However, for performance and memory preservation reasons, all ephemeral resolvers are backed by the same set of DNS caches.
This means that repeated identical queries to different ephemeral resolvers will always return the answer from the cache that was retrieved by the first ephemeral resolver (until the TTL of the record expires).
While this is fine in the traditional use of DNS, this may be problematic in certain specific use-cases. For example, this does not allow for per-user DNS servers to return different results for the same query. This technique could be used by an iRule to retrieve user-specific information to then spin up user-unique virtual environments.
Conditions:
Sending repeated queries for the same FQDN to different ephemeral resolvers (before the TTL expires) and expecting different results back.
Impact:
Inability to support specific use-cases in a BIG-IP iRule.
Fix:
Versions with the fix include a new DB key called dnscache.ephemeralsnocache, which defaults to "disable".
When set to "disable", the system behaves exactly as in previous releases.
When set to "enable", ephemeral resolvers spawned in an iRule by the RESOLV::lookup command no longer cache anything, thus allowing for use-cases similar to the example mentioned under Symptoms.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1
1083989-2 : TMM may restart if abort arrives during MBLB iRule execution
Links to More Info: BT1083989
Component: Local Traffic Manager
Symptoms:
"Unallocated flow while polling for rule work. Skipping." is logged in /var/log/ltm.
*or*
"flow in use" assert fails causing TMM to restart.
Conditions:
- Virtual using MBLB proxy.
- iRule with LB_SELECTED, CLIENT_CLOSED, and SERVER_CLOSED events.
- client connection is aborted while LB_SELECTED is queued for execution.
Impact:
TMM may restart unexpectedly.
Workaround:
Remove LB_SELECTED event from the iRule, if feasible.
Fix:
The MBLB proxy now correctly handles being aborted when it has iRule events queued for execution.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1083913-1 : Missing error check in ICAP handling
Links to More Info: BT1083913
Component: Application Security Manager
Symptoms:
Bd crashes.
Conditions:
Asm policy is configured for ICAP integration
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083621-4 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1083513-2 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
Fix:
BD now initialize the db key internally, not depending on mcpd, that ensures the default db key value is "enable".
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1082941-3 : System account hardening
Component: TMOS
Symptoms:
System accounts are used by various processes to access resources on the BIG-IP. In some cases, they did not follow security best practices.
Conditions:
N/A
Impact:
Security best practices are not followed.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1082885-2 : MR::message route virtual asserts when configuration changes during ongoing traffic
Links to More Info: BT1082885
Component: Service Provider
Symptoms:
MR::message route virtual causes TMM to crash / panic when the configuration changes during ongoing traffic. This is due to
an invalid validation of the TYPEIDs when mis-matched virtual servers / proxies are identified because of the configuration change.
Conditions:
A BIG-IP configuration change is made while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
With the fix, proper validation of the Proxy TYPEIDs will make the server to gracefully close the connection when PROXIES TYPEIDs mismatch is detected and a relevant error log is printed in the ltm logs as well.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6, 14.1.5
1082581-1 : Apmd sees large memory growth due to CRLDP Cache handling
Links to More Info: BT1082581
Component: Access Policy Manager
Symptoms:
Apmd memory keeps growing slowly over time and finally oom killer kills apmd.
Conditions:
Access policy has the crldp auth agent configured.
Impact:
Apmd killed by oom-killer thereby impacting traffic
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9, 14.1.5.3
1082461-3 : The enforcer cores during a call to 'ASM::raise' from an active iRule
Links to More Info: BT1082461
Component: Application Security Manager
Symptoms:
In the case of 'ASM::raise' call execution from an iRule that contains a list length greater than 100, the enforcer (bd) will core.
Conditions:
A call to 'ASM::raise' with a list length greater than 100 from an iRule.
Impact:
Traffic disrupted while bd restarts.
Workaround:
While constructing the iRule, make sure that the list passed into 'ASM::raise' contains fewer than 100 elements.
Fix:
Fixed an enforcer core.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1082453 : Dwbld stops working after adding an IP address to IPI category manually
Links to More Info: BT1082453
Component: Advanced Firewall Manager
Symptoms:
While adding IP addresses to IPI Category, dwbld can hang without giving a warning, and the IP addresses will not be added.
Conditions:
Adding and/or deleting multiple shun entries in parallel
Impact:
Dwbld will go in infinite loop and hang
Workaround:
bigstart restart dwbld
Fix:
Fixed all possible race and expectation condition
Fixed Versions:
17.1.1, 15.1.9
1082225-3 : Tmm may core while Adding/modifying traffic-class attached to a virtual server.
Links to More Info: BT1082225
Component: Local Traffic Manager
Symptoms:
Tmm may core with 'tmm SIGSEGV' while performing addition/updating of traffic class attached to a virtual server.
Conditions:
-- Some Traffic classes have been removed from the virtual server.
-- A new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
The traffic class might not be applied as expected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1081649-1 : Remove the "F5 iApps and Resources" link from the iApps->Package Management
Links to More Info: BT1081649
Component: TMOS
Symptoms:
The "F5 iApps and Resources" is being removed.
Conditions:
NA
Impact:
iApp page shows "F5"
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1081641 : Remove Hyperlink to Legal Statement from Login Page
Links to More Info: BT1081641
Component: TMOS
Symptoms:
The hyperlink to the legal statement should be removed from the login page.
Conditions:
This appears on the login page of OEM-branded BIG-IP systems.
Impact:
The OEM GUI shows the F5 logo/info.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1081085 : MQTT with slow reading server cores on larger payload
Links to More Info: BT1081085
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing MQTT large payloads.
Conditions:
-- Basic MQTT virtual server configuration.
-- Modify serverside tcp buffer values to lower numbers:
proxy-buffer-high 8
proxy-buffer-low 8
receive-window-size 536
send-buffer-size 536
Impact:
Traffic was disrupted when TMM restarted.
Workaround:
None
Fix:
This issue no longer occurs.
Fixed Versions:
15.1.9
1080957 : TMM Seg fault while Offloading virtual server DOS attack to HW
Links to More Info: BT1080957
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during virtual server DOS attack scenarios.
Conditions:
-- HSB-equipped hardware platforms.
-- The attack is detected on configured virtual server Dos Vector and trying to offload to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Added fix to correctly Identify hardware node to offload/program the DOS entry.
Fixed Versions:
17.1.1, 15.1.10
1080613-2 : LU configurations revert to default and installations roll back to genesis files ★
Links to More Info: BT1080613
Component: Application Security Manager
Symptoms:
The LiveUpdate configurations, such as 'Installation of Automatically Downloaded Updates', and the update installation history disappears and reverts to default, and the installations roll back to genesis files.
Conditions:
This occurs during the first tomcat restart, after upgrading to the versions that have the fix for ID907025.
Impact:
The LiveUpdate configuration and the installation history are reverted to the default.
Workaround:
Https://support.f5.com/csp/article/K53970412
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1080581-3 : Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles. ★
Links to More Info: BT1080581
Component: Local Traffic Manager
Symptoms:
During the upgrade, the configuration load fails with an error:
err mcpd[6381]: 01070734:3: Configuration error: A virtual server (/Common/my_virtual) is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.
Conditions:
-- Upgrading from an earlier version that contains a QUIC profile in a virtual server having tcp, UDP, and HTTP together
-- Upgrading to version 15.1.5 or 16.1.2.2
Impact:
BIG-IP will remain in inoperative state after upgrade
Fix:
QUIC protocol is allowed to use tcp and udp protocol in combination
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.5.1
1080569-1 : BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server
Links to More Info: BT1080569
Component: Local Traffic Manager
Symptoms:
When clientside is using HTTP1.1, serverside is using HTTP2 and two HTTP GET requests are sent by the client, BIG-IP completes the first HTTP transaction and sends a FIN, even though HTTP keepalive should be enabled.
Conditions:
-- HTTP2 full proxy is configured i.e. http profile, http2 profile and MRF router is enabled. As per https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-http2-full-proxy-configuration-14-1-0/http2-full-proxy-configuring.html
-- clientside uses HTTP1.1.
-- serverside uses HTTP2.
-- Two subsequent GET requests are sent by the client.
Impact:
Premature TCP connection termination on the clientside.
Workaround:
Disable the MRF router (httprouter).
The drawback is that serverside will always use HTTP1.1 in this case and it might be undesirable if you want to leverage HTTP2.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1080341-3 : Changing an L2-forward virtual to any other virtual type might not update the configuration.
Links to More Info: BT1080341
Component: Local Traffic Manager
Symptoms:
Changing an L2-forward virtual-server to any other virtual-server type might not update the saved configuration.
Conditions:
Changing an L2-forward virtual-server to any other virtual-server type.
Impact:
Traffic still behaves as if L2-forward virtual-server is configured.
Workaround:
Remove and re-create the affected virtual-server.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1080317-2 : Hostname is getting truncated on some logs that are sourced from TMM
Links to More Info: BT1080317
Component: TMOS
Symptoms:
Hostnames in the APM, IPSEC, SAAS, FW_LOG logs that are sourced from TMM are truncated.
Conditions:
The truncation occurs when the hostname contains a period (for example "my.hostname").
Impact:
Some logs contain truncated hostnames and some contain full hostnames. The inconsistent hostnames degrade the readability and therefore the usefulness of the logs.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1080297-2 : ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration
Links to More Info: BT1080297
Component: TMOS
Symptoms:
ZebOS does not show the 'log syslog' or 'no log syslog' in the running configuration, nor is it saved to the startup configuration.
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Conditions:
-- Under Configure log syslog.
-- Check the show running-config.
Impact:
There is no way to verify if the 'log syslog' is configured or not by checking the configuration.
Workaround:
If logging to syslog is not desired, it must be re-disabled every time the ZebOS daemons are started, using 'no log syslog'.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1079909-2 : The bd generates a core file
Links to More Info: K82724554 , BT1079909
Component: Application Security Manager
Symptoms:
The bd generates a core file and restarts.
Conditions:
- ASM running on BIG-IP version 15.1.5.1 or 15.1.6. Other versions are not affected.
- Content profile is configured to check attack signatures.
Impact:
Traffic is disrupted while bd restarts.
Workaround:
Set the internal parameter disable_second_extra_normalization to 1 and restart ASM by executing:
/usr/share/ts/bin/add_del_internal add disable_second_extra_normalization 1
bigstart restart asm
Note: This relaxes matching of attack signatures for some cases.
Fix:
Fixed a bd crash. As mentioned in Conditions field, there are only two official software versions, version 15.1.5.1 and version 15.1.6, that are affected by this bug. This bug was fixed on other major release branches (17.0.x, 16.1.x, 14.1.x, and 13.1.x) before publishing any affected versions to the field, thus this bug appears as fixed with those major releases, but there are actually no affected official versions.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1079817-2 : Java null pointer exception when saving UCS with iAppsLX installed ★
Links to More Info: BT1079817
Component: TMOS
Symptoms:
When saving a UCS the resulting archive does not contain iAppLX packages. This is because the POST to /shared/iapp/build-package gets a 400 error from restjavad.
The restjavad log files will show a null pointer exception when this occurs.
Conditions:
Saving UCS file when iAppLX packages are installed.
Impact:
When saving a UCS the resulting archive does not contain iAppLX packages.
Workaround:
None
Fix:
The RPM build completes successfully.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1079769-4 : Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers
Links to More Info: BT1079769
Component: Local Traffic Manager
Symptoms:
Tmm crash
There might be entries similar to the following in the tmm log:
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - deleted
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - added
Conditions:
-- The tmm is utilizing the virtio driver for network communications.
-- Many changes, of the order of at least 1900, are made to IPv6 listeners.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A work-around would be to utilize the sock driver. However, that will not perform as well.
Fix:
A defect was fixed in the virtio driver that might trigger a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1079637 : Incorrect Neuron rule order
Links to More Info: BT1079637
Component: Advanced Firewall Manager
Symptoms:
The order of Neuron rules created for the virtual servers may be incorrect.
Conditions:
- Platforms with Neuron support (BIG-IP iSeries and Viprion B4450 blade) configured with a Turboflex profile other than turboflex-base.
Impact:
There are several features that rely on the Neuron rules.
In case of hardware SYN Cookie a TCP virtual server may not receive the TCP SYN packets even if the virtual server is not in SYN Cookie mode.
Some sPVA feature may behave unexpectedly.
Fix:
The order of the Neuron rules is now correct.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1
1079441-1 : APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries
Links to More Info: BT1079441
Component: Access Policy Manager
Symptoms:
APMD memory can grow over a period of time
Conditions:
-- A BIG-IP system with the patched cyrus-sasl/krb5 libraries
Impact:
APMD memory can grow over a period of time
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1078829-2 : Login as current user fails in VMware
Links to More Info: BT1078829
Component: Access Policy Manager
Symptoms:
In VMware if user selects login as current user option, Http 500 error is being displayed.
Conditions:
1. Create vmware login as current user with kerberous AD keytab
2. Select VMware login as current user option on native client
3. Http 500 error is displayed.
Impact:
Login as current user fails in VMware
Workaround:
None
Fix:
VMware Login as current user should not provide any error.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1078821-2 : Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Links to More Info: BT1078821
Component: TMOS
Symptoms:
TMUI (the GUI) needs to be upgraded with OpenJDK 1.8 to support TLS 1.2 AES GCM ciphers for OAuth Provider Discovery
Conditions:
BIG-IP systems using the GUI
Impact:
Deployments which use Microsoft Azure AD as OAuth IDP, will start facing issues with OAuth Provider discovery after 31st Jan 2022. Microsoft is deprecating TLS1.0/1.1 and supporting TLS1.2 AES GCM ciphers only.
Fix:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
Behavior Change:
Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1078765-2 : Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer.
Links to More Info: BT1078765
Component: Application Security Manager
Symptoms:
A BD core may occur due to enforcement of 200004390 200004389 signatures with the combination of Arcsight remote logger enabled.
Conditions:
The request must contain 200004390 200004389 signatures with the combination of Arcsight remote logger attached to the virtual server.
Impact:
The enforcer may crash.
Workaround:
Disable 200004390 200004389 signatures.
Fix:
200004390 200004389 are now signatures enforced successfully.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1078669-4 : iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set.
Links to More Info: BT1078669
Component: Global Traffic Manager (DNS)
Symptoms:
“RESOLVER::name_lookup” returns null for TCP resolver with TC set.
Conditions:
Backend server returns very large DNS response.
Impact:
iRule command does not give any response but with TC set.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1078065-3 : The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA.
Links to More Info: BT1078065
Component: Application Security Manager
Symptoms:
The login page shows a blocking page instead of CAPTCHA or shows the blocking page after resolving a CAPTCHA.
Make five (configured in brute force configuration) failed login attempts and you will receive a blocking page.
Blocking Reason: Resource not qualified for injection.
In one instance, bd crashed.
Conditions:
HTML response message has an html page with a length greater than 32000 bytes.
For crashes: the problem arises when the system incorrectly handles the character encoding of HTML documents, leading to a failure during encoding transitions.
Impact:
Users are blocked after failed login attempts.
bd crash that cause BIG-IP failover in HA setup or temporarily offline in standalone setup.
Workaround:
Run tmsh modify sys db asm.cs_qualified_urls value <url value>.
For 'bd' crashes: No direct application-level changes are required. A fix needs to be implemented to address the system’s encoding handling.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1077701-2 : GTM "require M from N" monitor rules do not report when the number of "up" responses change
Links to More Info: BT1077701
Component: Global Traffic Manager (DNS)
Symptoms:
The number of probes that are succeeding is changing in between different windows in which the "N" number of probes were sent.
Conditions:
- GTM/DNS is provisioned.
- A "require M from N" monitor rule is assigned to a gtm resource.
Impact:
The change in the number of successful monitor probes isn't available which is useful for troubleshooting.
Workaround:
None
Fix:
A logline is written to show the change in the number of successful probes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1077553-2 : Traffic matches the wrong virtual server after modifying the port matching configuration
Links to More Info: BT1077553
Component: Local Traffic Manager
Symptoms:
Traffic matches the wrong virtual server.
Conditions:
A virtual server configured to match any port is modified to matching a specific port. Alternatively, a virtual server matching a specific port is modified to match any port.
Impact:
Traffic may be directed to the wrong backend server.
Workaround:
Restart the TMM after the config change.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1077533 : Status is showing INOPERATIVE after an upgrade and reboot ★
Links to More Info: BT1077533
Component: TMOS
Symptoms:
Very occasionally, after mprov runs after a reboot the BIG-IP may fail to start with logs similar to the following:
bigip1 info mprov:7459:[7459]: 'admd failed to stop.'
bigip1 err mprov:7459:[7459]: 'admd failed to stop, provisioning may fail.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
bigip1 info mprov:7459:[7459]: 'avrd failed to stop.'
...
bigip1 err mcpd[5584]: 01071392:3: Background command '/usr/bin/mprov.pl --quiet --commit asm avr host tmos ui ' failed. The command was signaled.
Conditions:
Occurs rarely after a reboot.
Impact:
The BIG-IP is unable to finish booting.
Workaround:
Reboot the BIG-IP again.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1077405-3 : Ephemeral pool members may not be created with autopopulate enabled.
Links to More Info: BT1077405
Component: TMOS
Symptoms:
Ephemeral pool members might not be added to a pool with an FQDN pool member "autopopulate enabled".
When this issue occurs:
-- Some or all of the expected Ephemeral Pool Members will not be created for the affected pool.
-- A message will be logged in the LTM log similar to the following:
err mcpd[####]: 01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/_auto_<IP address>) has autopopulate set to disabled.
(Note that the node name here is an Ephemeral Node.)
Also note that if you attempt to create an FQDN Pool Member with autopopulate enabled while the corresponding FQDN Node has autopopulate disabled, you will see a similar error message:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (/Common/fred) has autopopulate set to disabled.
Conditions:
This issue can occur under the following conditions:
-- Two or more FQDN Nodes have FQDN names that resolve to the same IP address(es).
-- That is, some Ephemeral Nodes have addresses resolved by more than one FQDN name defined in FQDN Nodes.
-- At least one of these FQDN Nodes has "autopopulate enabled."
-- At least one of these FQDN Nodes does not have "autopopulate enabled."
-- That is, autopopulate is disabled for one or more of these FQDN Nodes.
-- The FQDN Pool Member(s) in the affected pool(s) has "autopopulate enabled."
Impact:
The affected LTM pool(s) are not populated with expected (or any) ephemeral pool members.
Workaround:
To allow some LTM pools to use FQDN pool members with autopopulate enabled (allowing multiple ephemeral pool members to be created) while other LTM pools use FQDN pool members with autopopulate (allowing only one ephemeral pool member to be created), configure the following:
-- Create all FQDN Nodes with FQDN names that might resolve to a common/overlapping set of IP addresses with "autopopulate enabled".
-- Create FQDN Pool Members with autopopulate enabled or disabled depending on the desired membership for each pool.
Fix:
Ephemeral pool members can now be successfully added to LTM pools regardless of the autopopulate configuration of the respective FQDN pool member.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1077281-4 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
Links to More Info: BT1077281
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.
Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format
Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.
Workaround:
This occurs when using XML format only, so you can use binary export/import
Fix:
XML export/import now will work also if policy contains an individual login page in session tracking
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1076921-2 : The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated.
Links to More Info: BT1076921
Component: TMOS
Symptoms:
1. Host names were truncated in BootMarker logs across all log files.
2. Host names were truncated in LTM logs sourced from TMM.
Conditions:
-- Hostname contains a period.
-- Check Hostname in BootMarker logs and /var/log/ltm in which the logs sourced from TMM get truncated.
Impact:
The hostname does not appear consistently in affected logs. Some logs contain truncated hostnames, while others contain full hostnames.
Workaround:
None
Fix:
Log files now consistently contain full hostnames.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1076909-3 : Syslog-ng truncates the hostname at the first period.
Links to More Info: BT1076909
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period.
-- Viewing log files emitted from journald and from syslog-ng.
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1076897-3 : OSPF default-information originate command options not working properly
Links to More Info: BT1076897
Component: TMOS
Symptoms:
OSPF default-information originate command options are not working properly.
Conditions:
Using OSPF default-information originate with metric/metric-type options.
Impact:
Incorrect route advertisement.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1076805 : Tmm crash SIGSEGV
Links to More Info: BT1076805
Component: Local Traffic Manager
Symptoms:
Tmm crash with SIGSEGV
Conditions:
Unknown
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.1.0, 15.1.8
1076785 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1076785
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
Selected HSB platforms where TMM is attached to multiple HSB modules. This depends on platform, BIG-IP version and selected Turboflex profile where applicable.
Impact:
The affected virtual server would not receive the TCP SYN packets until a TMM restart. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable hardware SYN Cookie mode on all virtual servers.
Fix:
Virtual server is now fully exits hardware SYN Cookie mode once a SYN flood attack stops.
Fixed Versions:
17.1.0, 16.1.4, 15.1.5.1
1076729-4 : TMM restarts when SSL Orchestrator processes traffic
Links to More Info: BT1076729
Component: SSL Orchestrator
Symptoms:
TMM crashes and restarts when SSL Orchestrator processes traffic.
Conditions:
SSL Orchestrator running TMOS v15.1.6, installed on rSeries devices, processes traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Upgrade to TMOS v15.1.6.1.
Fix:
N/A
Fixed Versions:
15.1.6.1
1076577-2 : iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg'
Links to More Info: BT1076577
Component: Local Traffic Manager
Symptoms:
The 'connect' iRule command fails to resume, causing processing of traffic to halt due to 'irule_scope_msg', which causes iRule processing to proceed in a way that 'connect' does not expect.
Conditions:
- iRule using 'connect' command
- Diameter/Generic-message 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.1.0, 16.1.4, 15.1.7
1076573-1 : MQTT profile addition is different in GUI and TMSH
Links to More Info: BT1076573
Component: Local Traffic Manager
Symptoms:
MQTT profile selection is not supported through GUI when HTTP is enabled. In tmsh, the MQTT profile can be added in the same virtual server and contradicting the GUI configuration.
Conditions:
Simple virtual server with HTTP profile.
Impact:
Contradictory configuration validation between the GUI and tmsh.
Workaround:
None
Fix:
Validation to make sure the GUI and tmsh behave the same way for MQTT and HTTP profile in same virtual server.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1076401-3 : Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec.
Links to More Info: BT1076401
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak leading to TMM running out of free memory.
Conditions:
-- Dnssec.maxnsec3persec set to non-default value (default 0 - unlimited).
-- Number of DNS requests leading to NSEC3 responses goes above the limit of dnssec.maxnsec3persec.
Impact:
TMM runs out of memory.
Workaround:
Set dnssec.maxnsec3persec to 0.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1076377-2 : OSPF path calculation for IA and E routes is incorrect.
Links to More Info: BT1076377
Component: TMOS
Symptoms:
--OSPF path calculation for IA and E routes is incorrect.
--E2 route might be preferred over E1 route.
--Cost calculation for IA routes is incorrect.
Conditions:
Mixing E2/E1 routes and IA routes with different cost.
Impact:
Wrong route is installed.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.9
1076253-3 : IKE library memory leak
Links to More Info: BT1076253
Component: TMOS
Symptoms:
After the tunnel is established, continuous increase in memory observed in "IKE LIB" (memory_usage_stat).
Conditions:
-- IPSEC tunnels are established.
-- DPD delay is 30 seconds.
Impact:
Continuous memory increase on the BIG-IP system.
Workaround:
None
Fix:
Fixed the IKE library memory leak.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1075905-1 : TCP connections may fail when hardware SYN Cookie is active
Links to More Info: BT1075905
Component: TMOS
Symptoms:
When an object is in hardware SYN Cookie mode, some of the valid connections are also rejected with a "No flow found for ACK" reset cause.
Conditions:
VELOS and rSeries platforms.
Impact:
Service degradation.
Workaround:
Disable hardware SYN Cookie on all objects (virtual server, VLAN, and so on).
Fix:
Valid connections are now accepted in hardware SYN Cookie mode.
New DB variable PvaSynCookies.HashMode added; which only takes effect on rSeries and VELOS platforms.
This DB variable sets the syn cookie encoding algorithm to default, xor, or bsd. If a different encoding algorithm would otherwise be automatically selected, this setting overrides that selection.
F5 recommends setting the value to "default".
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5
1075849-6 : APM client hardening
Component: Access Policy Manager
Symptoms:
In certain scenarios, APM clients may not follow best security practices.
Conditions:
N/A
Impact:
N/A
Fix:
Note, the APM server will need to include a fix for 1103481 for hardening to take effect.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8.2
1075729-1 : Virtual server may not properly exit from hardware SYN Cookie mode
Links to More Info: BT1075729
Component: TMOS
Symptoms:
Virtual servers do not exit hardware SYN Cookie mode even after the SYN flood attack stops. The TMSH 'show ltm virtual' output shows 'full hardware' mode.
Conditions:
-- VELOS and rSeries platforms.
-- SYN cookie mode is triggered.
Impact:
The affected virtual server will not receive TCP SYN packets until TMM is restarted. The limited range of MSS values in SYN Cookie mode may slightly affect performance.
Workaround:
Disable HW SYN Cookie mode on all virtual servers.
Fix:
Virtual server is now fully exits hardware SYN Cookie mode once a SYN flood attack stops.
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5.1
1075677-3 : Multiple GnuTLS Mend findings
Component: TMOS
Symptoms:
WS-2017-3774 - GnuTLS in versions 3_2_7 to 3_5_19 is vulnerable to heap-use-after-free in gnutls_pkcs12_simple_parse.
WS-2020-0372 - GnuTLS before 3.6.13 is vulnerable to use-of-uninitialized-value in print_crl.
Conditions:
WS-2017-3774 - when using the GnuTLS in versions 3_2_7 to 3_5_19.
WS-2020-0372 - when using the GnuTLS before 3.6.13 versions.
Impact:
WS-2017-3774 - It can lead to Heap-based buffer overflow.
WS-2020-0372 - It can lead to use of uninitialized variable
Workaround:
None.
Fix:
Upstream patches have been applied to resolve Mend findings WS-2017-3774, and WS-2020-0372.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1075321 : AFM never exits attack_detected state after attack has stopped for global/per-virtual HW syncookies
Links to More Info: BT1075321
Component: Advanced Firewall Manager
Symptoms:
When TCP_HALF_OPEN vector is configured and when both good and bad traffic are received, HW Syncookie status will remain full-hardware even after attack stops.
Conditions:
1. AFM is enabled
2. TCP_HALF_OPEN vector is configured on Device and virtual server.
3. Traffic received has both good packets(client traffic) and bad packets(attack traffic).
4. Issue is seen on HW platforms.
5. More than 1 TMM is configured.
Impact:
AFM does not exit attack_detected and syncookie is generated for good traffic also after attack subsides.
Workaround:
None
Fix:
This behavior is observed while good traffic is actively running, HW per-vip syncookies is triggered by a SYN attack, and some arbitrary time later, the SYN attack stops. The expectation is HW should no longer be doing syncookies after the attack has stopped, however, since the good traffic is still running, the SYN cookie entry will remain in the flow cache until it is evicted by an eviction snoop. This eviction process never gets initiated until the TCP_HALF_OPEN attack is no longer detected by AFM.
The root cause is due to the stats->int_drops not being appropriately decremented by the right value upon receiving a syncookie valid ACK. stats->int_drops should be decremented by the total number of active TMMs, not by 1. Allowing for a better badsyn rate calculation so AFM can appropriately exit the "attack_detected" state for the TCP_HALF_OPEN vector
Fixed Versions:
17.1.0, 16.1.5, 15.1.6.1
1075229 : Jumbo frames not supported
Links to More Info: BT1075229
Component: TMOS
Symptoms:
MTU size higher than 1500 is not allowed.
Conditions:
If a client is configured for PMTU, it will discover MTU as a maximum of 1500 and the client will not be able to send packets larger than 1500 bytes.
Packets greater than 1500 bytes will be dropped if don't fragment is set, and they will be fragmented if it is not set.
Impact:
End-End MTU will be limited to 1500.
You are unable to set the MTU size beyond 1500
Workaround:
None
Fixed Versions:
17.1.0, 15.1.6
1075073-1 : TMM Crash observed with Websocket and MQTT profile enabled
Links to More Info: BT1075073
Component: Local Traffic Manager
Symptoms:
A tmm crash occurs while passing Websockets traffic
Conditions:
Virtual server with http, Websockets, MQTT profiles
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Delete the MQTT profile.
Fix:
MQTT validation to ignore non-MQTT messages.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1074517-2 : Tmm may core while adding/modifying traffic-class attached to a virtual server
Links to More Info: BT1074517
Component: Local Traffic Manager
Symptoms:
Tmm may core while adding/modifying traffic-class attached to a virtual server
Conditions:
-- Traffic class is attached to a virtual server.
-- Add an existing traffic class to a virtual server.
-- Afterwards, a new traffic class is attached to the virtual server, or modification of the existing traffic class is triggered.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1074505-2 : Traffic classes are not attached to virtual server at TMM start
Links to More Info: BT1074505
Component: Local Traffic Manager
Symptoms:
When tmm starts, an error message is logged in the TMM log:
"MCP message handling failed in 0xXXXX (XXXXXXXX)"
Conditions:
Virtual server with traffic class attached is being used.
Impact:
A traffic class is not being attached to the virtual server so traffic matching the traffic classes does not work.
Fix:
Traffic matching the traffic classes does match.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1
1073677-4 : Add a db variable to enable answering DNS requests before reqInitState Ready
Links to More Info: BT1073677
Component: Global Traffic Manager (DNS)
Symptoms:
When a new GTM is added to the Sync group, it takes a significant amount of time, and the newly added GTM won't become ready.
Conditions:
-- GTMs in a cluster with a large number of persist records
-- A new GTM device is added
Impact:
Clients of the BIG-IP GTM do not receive an answer, and application failures may occur.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1073625-3 : Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled.
Links to More Info: BT1073625
Component: Application Security Manager
Symptoms:
ASM policy import is successful on Active unit and it syncs to standby device, but "Apply changes" is displayed on the standby device policies page.
Conditions:
1. XML policy with learning enabled imported via TMSH.
2. Autosync with incremental sync enabled on device-group with ASM sync enabled.
Impact:
The peer (standby) unit needs to have the policies applied manually even though everything is set to auto-sync
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073609-1 : Tmm may core while using reject iRule command in LB_SELECTED event.
Links to More Info: BT1073609
Component: Local Traffic Manager
Symptoms:
Tmm cores with SIGFPE "packet is locked by a driver"
Conditions:
-- Fastl4 virtual server
-- iRule attached that uses reject iRule command in LB_SELECTED event
Impact:
Traffic disrupted while tmm restarts.
Fix:
Tmm does not core while using iRules attached that uses reject iRule command in LB_SELECTED event.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073165 : Add IPv6 prefix length
Links to More Info: BT1073165
Component: TMOS
Symptoms:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Conditions:
DAG IPv6 prefix length is used.
Impact:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Workaround:
None
Fix:
The per-VLAN control of DAG IPv6 prefix length is implemented.
Fixed Versions:
17.1.0, 15.1.6
1072953-3 : Memory leak in traffic management interface.
Links to More Info: BT1072953
Component: Local Traffic Manager
Symptoms:
When configuration objects that use a traffic management interface are modified, they leave behind orphaned objects. The memory leak can become significant over time if there are frequent config changes.
Conditions:
Request logging profile attached to a VIP.
Impact:
TMM uses more memory than it should.
Workaround:
Restart tmm to free the memory, avoid making frequent configuration changes to virtual servers that contain request logging profiles.
Fix:
Traffic management interface no longer leaks memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072733-3 : Protocol Inspection IM package hardening
Component: Protocol Inspection
Symptoms:
Protocol Inspection IM packages do not follow current best practices.
Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP
Impact:
Protocol Inspection IM packages do not follow current best practices.
Workaround:
N/A
Fix:
Protocol Inspection IM packages now follows current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072377-1 : TMM crash in rare circumstances during route changes
Links to More Info: BT1072377
Component: Local Traffic Manager
Symptoms:
TMM might crash in rare circumstances when static/dynamic route changes.
Conditions:
Dynamic/static route changes.
Impact:
TMM can crash or core. Traffic processing stops during process restart.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.5, 15.1.10
1072237-2 : Retrieval of policy action stats causes memory leak
Links to More Info: BT1072237
Component: TMOS
Symptoms:
When a virtual server with an L7 policy is present, the tmsh show ltm policy command triggers a memory leak.
Conditions:
The tmsh show ltm policy command is executed when a virtual server with an L7 policy attached is present.
one more condition -
Retrieving the ltm policy statistics will cause the umem_alloc_16 memory leak
Impact:
Memory leak for umem_alloc_16 cur_allocs for each request for
each request of tmsh show ltm policy
Workaround:
None
Fix:
Umem_alloc_16 cur_allocs no longer leaking memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072197-2 : Issue with input normalization in WebSocket.
Links to More Info: K94142349 , BT1072197
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations might not be triggered in WebSocket scenario.
Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.
Impact:
Attack detection is not triggered as expected.
Workaround:
N/A
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1072165-1 : Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Links to More Info: BT1072165
Component: Application Security Manager
Symptoms:
Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format
Conditions:
ASM remote logging in ArcSight format
Impact:
Due to the missing fields, the remote message does not tell name of threat campaign name(s) that was detected.
Workaround:
Use other message format.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1072057-2 : "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy.
Links to More Info: BT1072057
Component: Advanced Firewall Manager
Symptoms:
The GUI incorrectly displays the sources address in certain conditions.
1. If the source address of a firewall policy is not empty (that is, some specific IP addresses available to the rule), the word "Any" is displayed.
2. If the source address is empty (that is, no specific IP addresses exist), nothing (empty) is displayed.
Conditions:
Viewing a firewall policy in the GUI via Security > Firewall > policy.
Impact:
No functional impact
Workaround:
N/A
Fix:
Fixed a display issue with the source address field.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1071701 : VE rate limit should not count packet that does not have a matched vlan or matched MAC address
Links to More Info: BT1071701
Component: Local Traffic Manager
Symptoms:
Virtual Edition (VE) Rate limit counts packets that are not intended for BIG-IP.
Conditions:
-- Rate-limited license in BIG-IP Virtual Edition (VE)
-- Promiscuous mode is enabled
Impact:
If you do not have an unlimited license for a Virtual Edition device, you cannot use VLAN tags or MAC Masquerading without a greatly increased risk of running out of licensed bandwidth. Even if you are not using any service, BIG-IP counts all traffic seen on the interface against the license. Due to VMWare's switch design you have to expose the device to all of the traffic to use those two features.
Fixed Versions:
15.1.6.1
1071621-3 : Increase the number of supported traffic selectors
Links to More Info: BT1071621
Component: TMOS
Symptoms:
There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.
Conditions:
-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.
Impact:
No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.
Workaround:
None
Fix:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Behavior Change:
The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.
Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1071609-1 : IPsec IKEv1: Log Key Exchange payload in racoon.log.
Links to More Info: BT1071609
Component: TMOS
Symptoms:
The key exchange payload is not logged to the IPsec logs.
Conditions:
The issue is observed during IKEv1 tunnel establishment.
Impact:
If you are investigating the IKEv1 key calculation, the key exchange payload information will not be available.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1071485-1 : For IP based bypass, Response Analytics sends RST.
Links to More Info: BT1071485
Component: Access Policy Manager
Symptoms:
When SSL takes a dynamic bypass action (IP based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early due to no data because of the early bypass. The same check is not present in Response Analytics and URL Filter agents so that they don't take the error path due to not seeing Category Lookup data.
Conditions:
IP based bypass (in client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.
Impact:
Category Lookup skips execution due to IP based bypass and thus Response Analytics and URL Filtering do not have the necessary data, so they take an internal error path. This will cause an RST.
Workaround:
Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.
Fix:
When the SSL level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending a RST on error.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.10
1071449-3 : The statsd memory leak on platforms with license disabled processors.
Links to More Info: BT1071449
Component: Local Traffic Manager
Symptoms:
Memory usage in statsd will continue to grow until the control-plane is out of memory.
Conditions:
This issue occurs when the license on the BIG-IP disables some of the processors.
Following are the affected platforms:
C123 = iSeries i11000 - Discovery Extreme
C124 = iSeries i11000-DS - Discovery Extreme Turbo
Impact:
The statsd may consume excessive memory causing OOM killer activity.
Workaround:
Restart statsd periodically.
Fix:
The statsd no longer leaks memory.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1071301-2 : GTM server does not get updated even when the virtual server status changes.
Links to More Info: BT1071301
Component: Global Traffic Manager (DNS)
Symptoms:
GTM Server is in an Unknown state even though the single virtual server is green.
Conditions:
-- Three-member sync group.
-- Create a large number of virtual servers.
-- Virtual servers are disabled and enabled.
Impact:
The server status does not reflect the virtual server status, and there is no obvious way to recover.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071233-2 : GTM Pool Members may not be updated accurately when multiple identical database monitors are configured
Links to More Info: BT1071233
Component: Global Traffic Manager (DNS)
Symptoms:
When two or more GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) with identical 'send' and 'recv' strings are configured and applied to different GTM pools (with at least one pool member in each), the monitor status of some GTM pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause GTM pool members using one of the affected monitors to connect to the same database to be marked UP, while GTM pool members using another affected monitor may be marked DOWN.
As a result of this issue, GTM pool members that should be marked UP or DOWN by the configured GTM monitor may instead be marked according to another affected monitor's configuration, resulting in the affected GTM pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected GTM pool members members may be marked with the correct state.
Conditions:
This may occur when multiple GTM database monitors (MSSQL, MySQL, PostgreSQL, and Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members which share the same IP address and Port values.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored GTM pool members using a database monitor (MSSQL, MySQL, PostgreSQL, and Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each GTM database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
gtm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
gtm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system updates GTM pool members correctly when multiple identical database monitors are configured.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071181-1 : Improving Signature Detection Accuracy
Links to More Info: BT1071181
Component: Anomaly Detection Services
Symptoms:
BADOS generates signatures have up to 20% false positive if the signature covers 100% of bad traffic.
Conditions:
The attack signature generated covers all bad traffic.
Impact:
BADOS generates false positives
Workaround:
None
Fix:
This feature has been removed.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
1070833-1 : False positives on FileUpload parameters due to default signature scanning
Links to More Info: BT1070833
Component: Application Security Manager
Symptoms:
False positives on FileUpload parameters due to signature scanning by default
Conditions:
A request containing binary content is sent in "FileUpload" type parameters
Impact:
False positives and ineffective resource utilization
Workaround:
Disable signature scanning on "FileUpload" parameters manually using GUI/REST.
Fix:
Default signature scanning is disabled for FileUpload parameters created using OpenAPI to reduce false positives on binary content.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1
1070677 : Learning phase does not take traffic into account - dropping all.
Links to More Info: BT1070677
Component: Protocol Inspection
Symptoms:
Suggestions are generated every suggestion interval and every suggestion interval suggestions are overriding, so the last suggestion is considered after the staging period is completed.
Conditions:
Once the start of staging period, suggestions will override every time until the staging period completes.
Impact:
IPS learning phase, which lasts the default 7 days, sees a ton of traffic from websites hitting against signatures, but at the end of the 7 days it blocks all signatures and causes an outage.
Workaround:
N/A
Fix:
We now make the decision based on the overall suggestions that are generated during the staging period instead of the last suggestion.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1070389-3 : Tightening HTTP RFC enforcement
Links to More Info: K000132430 , BT1070389
Component: Local Traffic Manager
Symptoms:
BIG-IP allows non RFC-compliant http requests to the backend which may cause backend misbehavior
Conditions:
Basic Virtual Server with http profile
Impact:
Backend server may receive unexpectedly formatted http requests
Fix:
BIG-IP more strictly enforces HTTP RFC compliance.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1070273-2 : OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly.
Links to More Info: BT1070273
Component: Application Security Manager
Symptoms:
On OWASP dashboard, both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly on the xml-profile allowDTD field.
Conditions:
Open the OWASP page for any non-parent/child security policy, (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under A4 category, and for 2021 under A5 category.
Impact:
Actual OWASP compliance for this protection can be different from the one shown by the GUI.
Workaround:
The actual conditions that satisfy the Disallow DTDs in XML content profile protection are:
1. 'XML data does not comply with format settings' violation should be set to alarm+block.
2. 'Malformed XML data' violation should be set to alarm + block.
3. No XML content profile in the policy is set so that allowDTDs to true.
Fix:
Scoring calculation was changed: Now score will be given only if no XML content profile in the policy has allowDTDs field set as true.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1070073 : ASM Signature Set accuracy filter is wrong on GUI.
Links to More Info: BT1070073
Component: Application Security Manager
Symptoms:
For High/Medium Accuracy Signatures (These are Signatures Sets), The GUI shows signatures with an Accuracy Level that is different from the Signature Set.
Conditions:
1. Go to Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets.
2. Choose High Accuracy Signatures (a "built-in" signature set).
3. You will see Non-High accuracy signatures included in the set such as Zimbra Collaboration ProxyServlet SSRF.
Impact:
Unintended Signatures could be included in the poliy.
Workaround:
Create a custom filter-based Signature Set with setting their accuracy to High Accuracy signatures.
Fix:
N/A
Fixed Versions:
15.1.6.1, 14.1.5
1070029 : GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service
Links to More Info: BT1070029
Component: Access Policy Manager
Symptoms:
Active Directory queries may fail.
Conditions:
-- Users/Services are configured in Synology Directory Service (Non Microsoft based Active Directory Service)
-- Active Directory Query Configuration on BIG-IP
Impact:
User authentication based on AD Query agent will be impacted.
Workaround:
None
Fix:
No fix identified yet. The comprehensive fix would be in the open source cyrus-sasl library.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1069809-1 : AFM rules with ipi-category src do not match traffic after failover.
Links to More Info: BT1069809
Component: Advanced Firewall Manager
Symptoms:
BIG-IP drops all traffic after a reboot or failover.
Conditions:
-- Create firewall rules with IPI deny-list category as source and default action as drop.
-- After reboot, the rule with IPI category as source will overlap all rules and with default action as drop, traffic will be dropped.
Impact:
Site is down, no traffic passes through the BIG-IP.
Workaround:
Workaround is to restart the pccd, as it compiles the blob again with all IPI category initialized:
tmsh restart sys service pccd
Fix:
PCCD waits for the first deny list IPI category initialized before the firewall rules are compiled.
Fixed Versions:
16.1.4, 15.1.9
1069729-2 : TMM might crash after a configuration change.
Links to More Info: BT1069729
Component: Application Security Manager
Symptoms:
After modifying a dosl7 profile, on rare cases TMM might crash.
Conditions:
Modifying DoSl7 profile attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1069501-2 : ASM may not match certain signatures
Links to More Info: K22251611 , BT1069501
Component: Application Security Manager
Symptoms:
Under certain condition, ASM may not match signatures as expected.
Conditions:
- base64 violations not configured for blocking
Impact:
Signatures not matched as expected.
Workaround:
Illegal base64 value violation should be set to blocking.
This way if Base64 decoding fails the requests gets blocked.
Fix:
ASM now processes signature as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069449-2 : ASM attack signatures may not match cookies as expected
Links to More Info: K39002226 , BT1069449
Component: Application Security Manager
Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.
Conditions:
- Specially crafted cookies
Impact:
Attack signatures are not detected as expected.
Workaround:
N/A
Fix:
ASM attack signatures now match cookies as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1069441-1 : Cookie without '=' sign does not generate rfc violation
Links to More Info: BT1069441
Component: Application Security Manager
Symptoms:
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.
Conditions:
-Set Cookie not RFC-compliant to 'Block'
-Request with Cookie header with name only, for example 'Cookie:a'
Impact:
The request is not blocked.
Workaround:
None
Fix:
The request is blocked and reported with "Cookie not RFC-compliant violation"
Behavior Change:
Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation.
Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1069337-3 : CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument
Component: TMOS
Symptoms:
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Impact:
Denial of service (memory corruption) via a crafted web site
Fix:
Fix use-after-free in xsltDocumentFunctionLoadDocument
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1069321-1 : High iowait and pgstat wait every hour on the hour, due to excessive logging in autodosd.out
Links to More Info: BT1069321
Component: Advanced Firewall Manager
Symptoms:
Undesirable log messages are logged to /shared/tmp/autodosd.out
Dec 06 15:48:04|mcp_process_aggregate_period|2607| Before sorting ctx[device-global]:dosid[62] tmmid[9] agg[11] proto[0] top1[1451] top2[1634] top3[1449] top4[1652] mean[1393] bump[16] ba_max[0] bd_max[0]
Dec 06 15:48:04|mcp_process_aggregate_period|2615| After sorting ctx[device-global]:dosid[62] tmmid[9] agg[11] proto[0] top1[1652] top2[1634] top3[1451] top4[1449] mean[1393] bump[16] ba_max[0] bd_max[0]
F55 coming to inside query stress
F55 coming to inside query stress
Conditions:
AFM provisioned
Impact:
The BIG-IP system may hang, or have high disk, memory, or cpu utilization. This can lead to a variety of issues, such as a sluggish management interface, or external ltm monitors failing to fire at regular intervals.
Workaround:
None.
Fix:
Removed unwanted logs
Fixed Versions:
15.1.9
1069265-1 : New connections or packets from the same source IP and source port can cause unnecessary port block allocations.
Links to More Info: BT1069265
Component: Advanced Firewall Manager
Symptoms:
A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.
Conditions:
All of the following conditions must be met:
- AFM NAT or CGNAT configured with port block allocation.
- In the port-block-allocation settings, a block-lifetime value different from zero.
- A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port.
- A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.
Impact:
After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks.
The new blocks keep piling up until the original zombie block timeout expires.
Workaround:
Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.
Fix:
A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1069133-3 : ASMConfig memory leak
Links to More Info: BT1069133
Component: Application Security Manager
Symptoms:
A slow leak exists for long-lived asm_config_handler processes that handle configuration updates.
Conditions:
Configuration updates are being regularly made.
Impact:
Processes slowly grow in size until they reach a limit and restart themselves.
Workaround:
N/A
Fix:
The slow leak has been fixed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1068673-2 : SSL forward Proxy triggers CLIENTSSL_DATA event on bypass.
Links to More Info: BT1068673
Component: Local Traffic Manager
Symptoms:
The CLIENTSSL_DATA iRule event is triggered unexpectedly during SSL forward proxy bypass.
Conditions:
This issue is seen when SSL forward proxy with bypass is enabled on client & server SSL profiles.
Impact:
This can cause unexpected failure of existing iRules which only expect CLIENTSSL_DATA on intercepted (and decrypted) data.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1068561 : Can't create key on the second netHSM partition.
Links to More Info: BT1068561
Component: Local Traffic Manager
Symptoms:
While trying to create a key pair in a second partition, the key creation fails.
Conditions:
-- Multiple partitions are used
-- Attempt to create a key with the second partition
Impact:
Unable to use multiple netHSM partitions.
Workaround:
N/A
Fix:
Corrected session handle able to create keys in second partition.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1068445-2 : TCP duplicate acks are observed in speed tests for larger requests
Links to More Info: BT1068445
Component: Local Traffic Manager
Symptoms:
- A lot of TCP duplicate acks are observed in speed tests for larger requests
Conditions:
Below conditions are met
- Large request
- fastL4 profile with PVA acceleration set
- Below sys db variables are enabled
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
- Softpva is used
Impact:
- Reduced throughput because of duplicate ACKs and retransmissions
Workaround:
Either one of the conditions
- fastL4 profile with PVA acceleration set to NONE
- Disable below sys db variables
tm.tcpsegmentationoffload
tm.tcplargereceiveoffload
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1068237-2 : Some attack signatures added to policies are not used.
Links to More Info: BT1068237
Component: Application Security Manager
Symptoms:
Some attack signatures added to an existing signature set may not be utilized by Policies associated with the signature set, despite the attack signatures being reported as now present in the Policies.
Conditions:
1. Have one or more policies utilizing a manual attack signature set.
2. Update the attack signature database by installing an ASU or creating a custom attack signature.
3. Update the previously created manual attack signature set with one or more attack signatures which were not updated by the ASU (if ASU installed) or are not the newly created custom attack signature (if new custom signature created).
Impact:
The additional attack signatures added to the attack signature set will show up in the Policies utilizing the signature set however the Policies will not actually use those additional attack signatures.
Workaround:
There are two workarounds:
1. When adding additional attack signatures to a Policy, place them in a new attack signature set rather than re-using an existing signature set.
2. If adding signatures to an existing set, afterwards create a new custom attack signature, add it to a new manual attack signature set, add the set to any active policy and then remove the set from the policy (the set and signature can then be deleted if desired).
Both workarounds will result in all attack signatures listed as present in all Policies being fully and properly utilized by the Policies.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067669-2 : TCP/UDP virtual servers drop all incoming traffic.
Links to More Info: BT1067669
Component: Local Traffic Manager
Symptoms:
-- Incoming TCP/UDP traffic is not processed by virtual servers on the BIG-IP system. Instead, legitimate traffic appears to be dropped by the BIG-IP system.
-- A tcpdump taken on the BIG-IP system shows the traffic arriving on VLAN 0 instead of the actual VLAN.
-- Inspection of the dns_rapid_response_global tmstat table shows many entries in the failed_ifc column.
Conditions:
-- Using a BIG-IP 2000, 4000, or VE device.
-- Using a trunk with an untagged VLAN.
-- Using a virtual server with a dns profile configured for rapid-response.
Impact:
All TCP/UDP virtual servers fail to process incoming traffic.
Workaround:
You can work around this issue by performing any one of the following actions:
-- Avoid using an untagged VLAN with your trunks.
-- Avoid using a trunk if you cannot avoid using untagged VLANs.
-- Disable rapid-response in all dns profiles (this option is disabled by default).
Fix:
TCP/UDP traffic is no longer dropped under the conditions described in this article.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1067617-3 : BGP default route not advertised after mid-session OPEN.
Links to More Info: BT1067617
Component: TMOS
Symptoms:
After BGP peer opens a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP does not send default route NLRI to the peer when the new session is established.
Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).
Impact:
Default route is missing on a BGP peer.
Workaround:
Clear the BGP session manually.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1067609-3 : Static keys were used while generating UUIDs under OAuth module
Component: Access Policy Manager
Symptoms:
UUIDs generated by the OAuth module are incorrectly obfuscated.
Conditions:
N/A
Impact:
Only static keys are used during generation of UUIDs.
Workaround:
N/A
Fix:
Static keys were removed now and replaced with dynamic generation of keys for the OAuth module during UUID generation.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1067589-2 : Memory leak in nsyncd
Links to More Info: BT1067589
Component: Application Security Manager
Symptoms:
The memory usage for nsyncd increases over time, forcing the device into OOM (out of memory).
Conditions:
-- High availability (HA) environment with ASM sync failover device group.
-- ASU files are being installed by Live Update.
Impact:
OOM activity causes random process restarts and disruption.
Workaround:
Restart the nsyncd daemon.
Fix:
Added a new parameter 'maxMemory' to the nsyncd configuration file:
/usr/share/nsyncd/config/config.properties
# 450 MB
maxMemory=450000000
Nsyncd daemon will limit its memory usage to the configured value, and restart if the value is exceeded.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1067557-3 : Value masking under XML and JSON content profiles does not follow policy case sensitivity
Links to More Info: BT1067557
Component: Application Security Manager
Symptoms:
Value masking is always case sensitive regardless of policy case sensitivity.
Conditions:
- Parse Parameters is unchecked under JSON content profile.
- Value masking section contains element/attribute names under
XML and JSON content profiles.
Impact:
- Value is not masked in a case insensitive manner even when the policy is case insensitive.
Workaround:
None
Fix:
The value masking under JSON and XML content profiles is handled according to policy case sensitivity.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1067405-1 : TMM crash while offloading / programming bad actor connections to hardware.
Links to More Info: BT1067405
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while passing traffic. From the core analysis, this issue looks specific to some platforms that enabled bad actor detection.
Conditions:
This might occur when bad actor detection is enabled in BIG-IP platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue is platform specific and seen only when BA actor detection is enabled.
Fix:
Fixed a tmm crash occurring on BIG-IP platforms that enabled bad actor detection.
Fixed Versions:
17.0.0, 15.1.9
1067397 : TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN.
Links to More Info: BT1067397
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing HTTP/2 traffic.
A panic may be logged in /var/log/tmm logs:
panic: ../modules/hudproxy/mr/http/http_mr.c:1329: Assertion "Final state" failed.
Conditions:
-- Virtual Server with HTTP2 profile
-- Receipt of GOAWAY from the server after BIG-IP has sent the GOAWAY and TCP FIN
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
Fix:
Fixed a TMM crash with HTTP/2 traffic.
Fixed Versions:
15.1.5.1
1067393-1 : MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool. ★
Links to More Info: BT1067393
Component: Advanced Firewall Manager
Symptoms:
Upgrade failure, which may lead to a rollback and delayed upgrade.
Conditions:
AFM NAT rule referencing a Next Hop pool.
Impact:
Upgrade failure, which may lead to a rollback and delayed upgrade.
Workaround:
Once in the failed state, the system can be recovered by running 'tmsh load sys config'; the config will load successfully. No changes to the configuration are needed.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.5, 15.1.5.1
1067285-2 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'
Links to More Info: BT1067285
Component: Application Security Manager
Symptoms:
F5 Networks, Inc.
F5 Networks Inc.
F5 Networks appear as F5, Inc.
Conditions:
NA
Impact:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Workaround:
NA
Fix:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1067105-1 : Racoon logging shows incorrect SA length.
Links to More Info: BT1067105
Component: TMOS
Symptoms:
Debug2 logs incorrect "total SA" length in racoon.log.
Conditions:
-- IKEv1 tunnels in use
-- ikedaemon in debug2 mode
Impact:
Troubleshooting is confused by misleading information about the SA payload length.
Workaround:
None. This is a cosmetic / logging issue.
Fix:
Clarified the log message to indicate what the logged length actually covers.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1066829-2 : Memory leak for xml/json auto-detected parameter with signature patterns.
Links to More Info: BT1066829
Component: Application Security Manager
Symptoms:
A memory leak is observed in ASM when specific traffic arrives.
Conditions:
A request contains a JSON parameter value with the signature pattern.
Impact:
Memory leak in the system.
Workaround:
N/A
Fix:
No memory leak observed after the fix.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1066673-2 : BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions
1066285-3 : Master Key decrypt failure - decrypt failure.
Links to More Info: BT1066285
Component: TMOS
Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:
err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.
-- the system may be reporting this error:
load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
This may occur during a system upgrade.
Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed.
Impact:
MCPD will continuously restart, and the system will remain inoperative.
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1065789-2 : TMM may send duplicated alerts while processing SSL connections
Links to More Info: K000133132 , BT1065789
1065501-3 : [API Protection]Per request policy is getting timed out
Links to More Info: BT1065501
Component: Access Policy Manager
Symptoms:
You may see below log in /var/log/apm
notice tmm11[24761]: 01870055:5: /Common/<AP name>:Common:<SID>:Per-Request policy execution timeout (x) reached.
Conditions:
-- Per-request policy
-- Concurrent connections with same JWT
Impact:
Policy execution has timed out
Workaround:
None
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1064753-3 : OSPF LSAs are dropped/rate limited incorrectly.
Links to More Info: BT1064753
Component: TMOS
Symptoms:
Some LSAs are dropped on BIG-IP with a log similar to:
"LSA is received recently".
Conditions:
Tuning OSPF min LSA arrival has no effect on some LSA handling.
Impact:
OSPF LSAs are dropped/rate limited incorrectly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.5, 15.1.10
1064669-2 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash.
Links to More Info: BT1064669
Component: Local Traffic Manager
Symptoms:
TMM crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.
Conditions:
iRule that uses HTTP:enable command in RULE_INIT event, for example:
ltm rule example_rule {
when RULE_INIT {
# Don't do this!
HTTP::enable
}
}
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1064649-1 : Tmm crash after upgrade. ★
Links to More Info: BT1064649
Component: Local Traffic Manager
Symptoms:
After upgrading and provisioning the ASM module, TMM starts to crash and core.
Conditions:
-- BIG-IP system is upgraded to version 15.1.4.1.
-- The ARL table is empty (transparent VLAN group) and traffic is passed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 15.1.5
1064617-2 : DBDaemon process may write to monitor log file indefinitely
Links to More Info: BT1064617
Component: Local Traffic Manager
Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.
Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"
Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.
Workaround:
To work around this issue, restart the DBDaemon process.
To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'
To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'
To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')
NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1064461-3 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used.
Links to More Info: BT1064461
Component: TMOS
Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.
BIG-IP never completes registration successfully.
Conditions:
RP registration over tunnel interface when floating IP address is used.
Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064357-2 : execute_post_install: EPSEC: Installation of EPSEC package failed
Links to More Info: BT1064357
Component: TMOS
Symptoms:
APM EPSEC installation fails and an error message is logged in /var/log/ltm: "execute_post_install: EPSEC: Installation of EPSEC package failed"
Conditions:
APM EPSEC package installation
Impact:
Installation fails with an error message
Fixed Versions:
17.0.0, 16.1.3, 15.1.7
1064217-2 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Links to More Info: BT1064217
Component: Carrier-Grade NAT
Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Conditions:
This occurs in a MAP-T configuration.
Impact:
MAP-T port translation does not work as expected.
Workaround:
N/A
Fix:
Fixed an issue with the port bit not being set correctly.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064157-2 : Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows
Links to More Info: BT1064157
Component: Local Traffic Manager
Symptoms:
In a VIP-on-VIP (looped) situation, HTTP on one virtual server uses/reuses an existing 'http_proxy_opaque' whilst still in use by another virtual server that causes unexpected state changes in the opaque which may cause tmm to core.
Conditions:
-- Explicit Forward Proxy SSL Orchestrator, in other words an L3 Explicit Proxy which is usually deployed in a VIP on VIP configuration
-- Hostname resolution using explicit 'RESOLV::lookup' iRule in HTTP_PROXY_REQUEST on the explicit/client-facing VIP
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1064001-2 : POST request to a virtual server with stream profile and a access policy is aborted.
Links to More Info: BT1064001
Component: Access Policy Manager
Symptoms:
POST request to virtual server fails with reset cause "Incomplete chunked response".
Conditions:
Virtual server is configured with both stream profile and access policy.
Impact:
User will be unable to send POST request to backend servers
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1063681-1 : PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn.
Links to More Info: BT1063681
Component: Advanced Firewall Manager
Symptoms:
Pccd (Packet Correlation Classification Daemon) generates a core while adding a fqdn during testing.
Conditions:
Conditions to trigger the core are unknown.
Impact:
Pccd crashes and creates a core file.
Workaround:
Restart PCCD
Fix:
N/A
Fixed Versions:
17.0.0, 15.1.5.1
1063473-2 : While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly
Links to More Info: BT1063473
Component: TMOS
Symptoms:
Even though the platform is distributing packets to the TMM's SEPs evenly, virtual server connections are balanced unevenly.
Conditions:
Migrate vCMP guests to the VELOS chassis.
Impact:
Traffic is not distributed evenly across TMMs. LTM log shows a lot of RST packets and pool members go down and up continuously.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.5.1, 14.1.5
1063453-2 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.
Links to More Info: BT1063453
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.
Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured including: asynchronous irules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.
Impact:
All traffic is disrupted while the TMM restarts.
Workaround:
Configure the FastL4 profile to always reassemble fragments.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1063345-3 : Urldbmgrd may crash while downloading the database.
Links to More Info: BT1063345
Component: Access Policy Manager
Symptoms:
Urldbmgrd may crash while downloading the database.
Conditions:
SWG or URLDB is provisioned.
Impact:
User traffic will be impacted when urldbmgrd is down.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1063261-1 : TMM crash is seen due to sso_config objects.
Links to More Info: BT1063261
Component: Access Policy Manager
Symptoms:
Observed a TMM crash once which is due to unfreed sso_config objects in SAML.
Conditions:
Conditions are unknown, this was only seen once.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Freeing the sso_config objects during sso cleanup will avoid this situation.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1063237-3 : Stats are incorrect when the management interface is not eth0
Links to More Info: BT1063237
Component: TMOS
Symptoms:
The provision.managementeth db variable can be used to change which interface the management interface is bridged to:
https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic_google.html
If this is changed to something other than eth0, the management interface stats will continue to be read from eth0 and thus be incorrect.
Conditions:
When provision.managementeth is changed to something other than eth0.
Impact:
Management interface stats are incorrect.
Workaround:
Reconfigure the management interface to use eth0
Fixed Versions:
16.1.4, 15.1.9
1063173-1 : Blob size consistency after changes to pktclass.
Links to More Info: BT1063173
Component: Performance
Symptoms:
Blob size grows after making changes to pktclass that should reduce the size.
Conditions:
Making changes to pktclass.
Impact:
The BIG-IP system premature hits blob size limits while making changes which can result in validation issues preventing the pktclass from loading.
Workaround:
Change sys db key "pccd.alwaysfromscratch" to true.
Fix:
N/A
Fixed Versions:
15.1.6
1062605 : Support for MQTT functionality over websockets
Links to More Info: BT1062605
Component: Local Traffic Manager
Symptoms:
MQTT did publish and receive messages for data through websockets.
Conditions:
-- Websockets virtual server configuration.
-- Websockets profile configured with payload-processing-mode as end-to-end or Websocket-termination and payload-protocol-profile as MQTT.
Impact:
None
Workaround:
None
Fix:
BIG-IP virtual servers now support MQTT configuration over websockets.
Fixed Versions:
15.1.9
1062513-3 : GUI returns 'no access' error message when modifying a GTM pool property.
Links to More Info: BT1062513
Component: Global Traffic Manager (DNS)
Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."
When you modify GTM pool properties using the GUI, the properties do not update or display.
Conditions:
This occurs when you modify a GTM pool property using the GUI.
Impact:
You cannot change a GTM pool property using the GUI.
Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1062493-2 : BD crash close to it's startup
Links to More Info: BT1062493
Component: Application Security Manager
Symptoms:
BD crashes shortly after startup.
Conditions:
FTP or SMTP are in use. Other causes are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
No workaround except removal of the FTP/SMTP protection.
Fix:
Crashes close to startup coming from SMTP or FTP were fixed.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062385-3 : BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Links to More Info: BT1062385
Component: TMOS
Symptoms:
BIG-IP has an incorrect limit on the number of monitored HA-group entries.
Conditions:
Large amount of traffic groups (over 50) with high availability (HA) Group monitoring attached.
Impact:
Not all traffic groups are properly monitored. Some traffic groups might not fail-over properly.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1062333-2 : Linux kernel vulnerability: CVE-2019-19523
Component: TMOS
Symptoms:
A flaw was found in the Linux kernel’s implementation for ADU devices from Ontrak Control Systems, where an attacker with administrative privileges and access to a local account could pre-groom the memory and physically disconnect or unload a module.
Conditions:
The attacker must be able to access either of these two events to trigger the use-after-free, and then race the access to the use-after-free, to create a situation where key USB structs can be manipulated into corrupting memory.
Impact:
An attacker could pre-groom the memory and physically disconnect or unload a module.
Workaround:
N/A
Fix:
Kernel patched to mitigate CVE-2019-19523
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061977-2 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
1061929 : Unable to perform IPI update (through proxy) after upgrade to 15.1.4. ★
Links to More Info: BT1061929
Component: Advanced Firewall Manager
Symptoms:
After upgrading, the IPI database fails to update. During system start, iprepd logs an error:
"Cannot connect to host api.bcti.brightcloud.com: No route to host".
Conditions:
IPI update occurs through a proxy server.
Impact:
IPI update fails.
Workaround:
N/A
Fix:
IPI updates now work through a proxy after an upgrade.
Fixed Versions:
17.0.0, 15.1.5.1
1061797-2 : Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2
Links to More Info: BT1061797
Component: TMOS
Symptoms:
For AWS's CloudFormation to work with IMDSv2, the Helper Script module had to be upgraded.
Conditions:
Using AWS CloudFormation for IMDSv2-only instances
Impact:
The Helper scripts throw a "No Handler found" error when used to launch IMDSv2 instances
Fix:
With the latest version of BIG-IP VE, you can now launch IMDSv2 instances using AWS's CloudFormation templates.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1061617-3 : Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters".
Links to More Info: BT1061617
Component: Application Security Manager
Symptoms:
The following Attack Signatures are not identified if "Handle Path Parameters" = "As Parameters".
200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Conditions:
- Configure "Handle Path Parameters" = "As Parameters"
- Enable URL attack signatures 200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Impact:
Some URL attack signatures are not detected by ASM.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1060933-2 : Issue with input normalization.
Links to More Info: K49237345
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations may not be triggered.
Conditions:
- ASM provisioned with XML content profile
- Request contains XML body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060833-1 : After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash.
Links to More Info: BT1060833
Component: Advanced Firewall Manager
Symptoms:
TMM crashes.
The 'virt_cnt' column in the tmctl 'string_cache_stat' table continues to grow over time, and diverges significantly from the 'phys_cnt' column.
Conditions:
-- Enforced AFM firewall policies configured in multiple contexts (global, route domain, virtual server)
-- Large number of connections that matches rules in multiple contexts
-- AFM configured in at least one of the following ways:
--+ Stats collection enabled and collecting server-side stats enabled. Stats collection is enabled by default. Collecting server-side statistics ("security analytics settings acl-rules { collect-server-side-stats }") is not enabled by default.
--+ ACL logging enabled, and the logging of translation fields enabled.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable logging and reporting of server-side information in AFM firewall ACLs.
After making these changes, it may be necessary to restart TMM once.
Fix:
N/A
Fixed Versions:
17.0.0, 15.1.10
1060477 : iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]".
Links to More Info: BT1060477
Component: Access Policy Manager
Symptoms:
Apmd crashes after setting the userName field via an iRule.
Conditions:
1.Setting the userName field:
set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]
2.Getting the sid feild
[ACCESS::session data get session.user.sessionid]
Impact:
APM traffic disrupted while apmd restarts.
Workaround:
Check the username before setting it from iRule.
Fix:
APM no longer crashes when setting the username from an iRule
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1060409-3 : Behavioral DoS enable checkbox is wrong.
Links to More Info: BT1060409
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060181 : SSL handshakes fail when using CRL certificate validator.
Links to More Info: BT1060181
Component: TMOS
Symptoms:
Some SSL handshakes are reset with "SSL Handshake timeout exceeded" reset.
Conditions:
Client SSL profile with CRL certificate validator.
Client SSL certificate authentication enabled.
Impact:
SSL handshakes fail.
Workaround:
None
Fix:
SSL handshakes are now successful.
Fixed Versions:
17.0.0, 15.1.5.1
1060149-1 : BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.
Links to More Info: BT1060149
Component: TMOS
Symptoms:
-- Interfaces in the vCMP guest may remain uninitialized.
-- 'Invalid VCMP PDE state version' log in /var/log/tmm*.
Conditions:
-- BIG-IP i5xxx/i7xxx/i10xxx/i11xxx platform.
-- vCMP provisioned.
-- turboflex-adc profile selected.
Impact:
Affected guest is non-functional.
Workaround:
Use the turboflex-base profile.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1060145-2 : Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2.
Links to More Info: BT1060145
Component: Global Traffic Manager (DNS)
Symptoms:
When secondary slot reboots and it gets the configuration from the primary blade, the secondary throws a validation error and enters into a restart loop.
The following error is logged:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bbt-generic-bigip 10.1.10.12 80 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
-- Change the virtual server address on the LTM (manual edit of bigip.conf and load).
-- Reboot the secondary slot.
Impact:
Mcpd enters a restart loop on the secondary slot.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1060093 : Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues. ★
Links to More Info: BT1060093
Component: Local Traffic Manager
Symptoms:
When upgrading from 14.1.x to 15.1.5.x, the 8th slot in a VELOS chassis does not cluster.
Conditions:
Issue 'tmsh show sys cluster' shows 8th slot not active in the cluster.
Impact:
8th slot in a cluster is not active.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.0, 15.1.5
1060057-1 : Enable or Disable APM dynamically with Bados generates APM error
Links to More Info: BT1060057
Component: Anomaly Detection Services
Symptoms:
When APM & Bados are configured together while APM is being enabled or disabled externally (i.e. via an iRule), an APM error occurs.
Conditions:
APM & Bados configured together while APM is being enabled/disabled externally (which is an iRule)
Impact:
Unable to apply Application DoS profile to an existing APM Network Access setup.
Workaround:
No workaround. Do not enable or disable APM with iRules if Bados configured.
Fix:
No APM errors when PM & Bados configured together and APM is being enabled or disabled externally (which is an IRule).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1060021-2 : Using OneConnect profile with RESOLVER::name_lookup iRule might result in core.
Links to More Info: BT1060021
Component: Local Traffic Manager
Symptoms:
Tmm might core while using a OneConnect profile with iRule command RESOLVER::name_lookup.
Conditions:
1. One connect profile attached.
2. iRules with RESOLVER::name_lookup command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use RESOLVER::name_lookup iRule on virtual that uses the oneconnect profile.
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1060009 : Platform Agent may run out of file descriptors
Links to More Info: BT1060009
Component: TMOS
Symptoms:
Platform Agent may run out of file descriptors.
The log is full of entries similar to:
err platform_agent[7704]: 01d50004:3: setup_new_connection: accept() failed
err platform_agent[7704]: 01d50004:3: wait_for_data: Failed to setup new connection
Conditions:
-- A number of tmm restarts is performed, for example by issuing a `bigstart restart tmm` command
-- `ss -nt` shows a large number of connections to port 5678.
Impact:
The system may fail to function correctly, especially with regards to updating platform settings.
Workaround:
Reboot the affected blades.
Fix:
Fixed platform agent running out of file descriptors.
Fixed Versions:
17.1.0, 15.1.6.1, 14.1.5
1059573-3 : Variation in a case insensitive value of an operand in LTM policy may fail in some rules.
Links to More Info: BT1059573
Component: Local Traffic Manager
Symptoms:
LTM policy engine compiles a policy into a state machine. If there is a variation of the same case insensitive value for an operand, the state machine may fail to properly build all rules, using this value. An example of a variation is a list of words like "Myself", "myself", "MYself", "mySElf", "MYSELF".
Conditions:
-- LTM policy is configured and attached to a virtual server.
-- The policy has variation in a case insensitive value of an operand.
Impact:
An expected rule does not apply: either a wrong rule is applied, or no rule is applied, causing incorrect traffic processing.
Workaround:
Eliminate variation in any case insensitive value of any operand. For example, replace all variations in the mentioned list with "myself".
Fix:
When there is a variation in a case insensitive value of an operand, BIG-IP will correctly handle it and compiles the policy so the rules with the variations are correctly applied to processing traffic.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1059513-4 : Virtual servers may appear as detached from security policy when they are not.
Links to More Info: BT1059513
Component: Application Security Manager
Symptoms:
When browsing Security >> Overview: Summary page, the virtual servers may appear as detached. The larger the number of virtual servers are, the more likely you are to see all the virtual servers as detached from the security policy.
Conditions:
From a certain amount of virtual servers (20) that are attached to a security policy, the virtual servers may appear as detached from any security policy.
Impact:
Virtual servers are displayed as detached from any security policy, but this is not the case.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1059337 : Potential data leak inside Ethernet padding field on VELOS architecture products
Links to More Info: BT1059337
Component: Local Traffic Manager
Symptoms:
Padding bytes added by TMM to bring packets up to the minimum Ethernet frame length of 64 bytes may contain contents of TMM's CPU memory.
Conditions:
Issue can occur whenever TMM creates a packet that is shorter than the 64 byte Ethernet minimum transmitted on a VELOS architecture platform.
Impact:
Unintentional leak of TMM memory contents in Ethernet padding on VELOS architecture platforms.
Workaround:
Upgrade to latest BIG-IP version.
Fix:
Ethernet minimum frame padding explicitly zeroed by TMM's data path driver used on VELOS architecture products.
Fixed Versions:
17.1.0, 15.1.9
1059053-1 : Tmm crash when passing traffic over some configurations with L2 virtual wire
Links to More Info: BT1059053
Component: Local Traffic Manager
Symptoms:
In very rare cases, tmm crashes while passing traffic over some configurations with L2 virtual wire.
Conditions:
-- L2 wire setup
-- A routing error occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified code to prevent such crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1058677-1 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled.
Links to More Info: BT1058677
Component: TMOS
Symptoms:
When auto-init is enabled, Not all SCTP connections are mirrored to the standby device.
Conditions:
-- SCTP Profile and Mirroring.
-- Auto initialization is enabled.
Impact:
Only half of the connections are mirrored to the standby device.
Workaround:
Disable auto initialization:
tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }
Fix:
SCTP connections are mirrored successfully to standby device.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1058645-1 : ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup.
Links to More Info: BT1058645
Component: Advanced Firewall Manager
Symptoms:
Sophos IPsec clients cannot connect to a Sophos firewall when ipsecalg is configured on the forwarding virtual server.
The Sophos client initially attempts to start the tunnel using aggressive mode. The Sophos firewall does not support remote users attempting aggressive mode and responds with Notify Message Type INVALID-PAYLOAD-TYPE. The tunnel setup cannot proceed correctly after that point.
Conditions:
-- Sophos client is installed on remote user devices.
-- Sophos firewall is the remote endpoint in the IPsec tunnel.
Note: The Sophos client and firewall combination is the only known failing use-case.
Impact:
Sophos clients cannot start an IPsec tunnel.
Workaround:
The Sophos client cannot be configured to use main mode instead of starting with aggressive mode. The Sophos firewall does not support aggressive mode for remote user IPsec tunnels.
Therefore, create an iRule and add the iRule to the ipsecalg virtual server. The iRule simply contains this:
when SERVER_DATA {
# Only execute on first server side packet of conflow.
event disable
if { [UDP::payload length] < 40 } { return; }
binary scan [UDP::payload] x8x8cH2cx9x10S payload_type ver exch_type noti_type
# Depending on throughput, the amount of logging here may be problematic
#log local0. "payload_type : $payload_type"
#log local0. "ver : $ver"
#log local0. "exch_type : $exch_type"
#log local0. "noti_type : $noti_type"
if { $payload_type == 11 && $ver == 10 && $exch_type == 5 && $noti_type == 1 } {
log local0. "Closing ipsecalg connection"
after 1 { reject }
}
}
Fix:
Sophos clients can now bring up an IPsec tunnel with a Sophos firewall.
Fixed Versions:
17.0.0, 15.1.5.1, 14.1.4.6
1058597-3 : Bd crash on first request after system recovery.
Links to More Info: BT1058597
Component: Application Security Manager
Symptoms:
Bd crashes on the first request.
Conditions:
The system is out of disk space while creating the ASM policy.
Impact:
The security configuration is incomplete with missing data.
Workaround:
-- Remove the ASM policy from the virtual server to avoid the bd crash.
-- Go to the cookie protection screen and reconfigure the secure and fast algorithm.
-- Re-attach the security policy to the virtual server.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1058509 : Platform_agent crash on tenant token renewal
Links to More Info: BT1058509
Component: TMOS
Symptoms:
When the tenant token id is renewed after 24 hours, the platform agent process crashes due to a race condition in updating token id
Conditions:
This can occur every 24 hours during normal system operation.
Impact:
Platform_agent process crashes and restarts
Workaround:
None
Fix:
Fixed code to avoid crash on token renewal
Fixed Versions:
17.1.0, 15.1.6
1058469-2 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.
Links to More Info: BT1058469
Component: Local Traffic Manager
Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.
Upon inspecting the log, entries similar to the following examples may be noticed:
==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0
==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN
Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.
Impact:
Traffic outage as the affected virtual server(s) no longer passes any traffic.
Workaround:
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service.
To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).
Fix:
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1058297-3 : Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade ★
Links to More Info: BT1058297
Component: Application Security Manager
Symptoms:
The values for "minRetainedFilesInDir" and "maxSizeOfSavedVersions" in /etc/ts/tools/policy_history.cfg
are set back to default after an upgrade.
Conditions:
-- Non-default values for "minRetainedFilesInDir" and for "maxSizeOfSavedVersions"
-- An upgrade occurs
Impact:
After upgrade, the values in the configuration file are set back to default.
Workaround:
Update the values after the upgrade is complete.
Fix:
The usage of the configuration file /etc/ts/tools/policy_history.cfg is deprecated.
New internal config items have been added:
"policy_history_min_retained_versions" and "policy_history_max_total_size"
The internal variables are preserved during the upgrade.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1058229-2 : CVE-2019-17546 - heap-based buffer overflow via a crafted RGBA image
Component: TMOS
Symptoms:
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
The library has been updated to a fixed version.
Fixed Versions:
15.1.10
1057457-2 : CVE-2015-9019: libxslt vulnerability: math.random()
Component: TMOS
Symptoms:
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Conditions:
where the EXSLT math.random function was called by applications.
Impact:
It could cause usage of this function to produce predictable outputs
Workaround:
Applications using libxslt that rely on non-repeatable randomness should be seeding the system PRNG (srand()) themselves, as they would if calling rand() directly.
Fix:
libxslt patched to resolve CVE-2015-9019
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057449-2 : CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS
Component: TMOS
Symptoms:
A type confusion vulnerability was discovered in the xsltStylePreCompute() function of libxslt. A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash by tricking the application into processing a specially crafted XSLT document.
Conditions:
By tricking the application into processing a specially crafted XSLT document.
Impact:
A remote attacker could possibly exploit this flaw to cause an application using libxslt to crash.
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2015-7995
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057441-2 : An out-of-bounds access flawb in the libxslt component
Component: TMOS
Symptoms:
If the libxslt library fails to handle namespace nodes properly, it may cause TMM to crash or expose private data.
Conditions:
In default conditions
Impact:
TMM may crash or reveal private data due to out-of-bounds access.
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2016-1683
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057437-2 : CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers
1057433-2 : Integer overflow in libxslt component
Component: TMOS
Symptoms:
If the libxslt library handles harmful xsl data, TMM might crash
Conditions:
Under default conditions
Impact:
TMM may crash due to integer overflow or excessive resource consumption, leading to traffic interruption and a failover event
Workaround:
N/A
Fix:
libxslt patched to mitigate CVE-2016-1684
Fixed Versions:
17.0.0, 16.1.4, 15.1.8
1057061-1 : BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields.
Links to More Info: BT1057061
Component: Advanced Firewall Manager
Symptoms:
When using a security log profile that has Log Translation Fields enabled, CPU usage is unusually high.
Conditions:
-- AFM provisioned
-- One or more security log profiles has “Log Translation Fields” enabled
Impact:
Excessive CPU utilization when compared to the same configuration with Log Translation Fields disabled.
Workaround:
N/A
Fix:
Fixed a performance issue with the Log Translation Fields setting.
Fixed Versions:
17.0.0, 15.1.10
1056993-1 : 404 error is raised on GUI when clicking "App IQ."
Links to More Info: BT1056993
Component: TMOS
Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."
Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.
Impact:
Not able to access App IQ page.
Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):
https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056741 : ECDSA certificates signed by RSA CA are not selected based by SNI.
Links to More Info: BT1056741
Component: TMOS
Symptoms:
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.
Conditions:
-- ECDSA certificate signed by RSA CA.
-- Client SSL profile does not have "server name" option configured.
Impact:
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.
Workaround:
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1056401-3 : Valid clients connecting under active syncookie mode might experience latency.
Links to More Info: BT1056401
Component: Local Traffic Manager
Symptoms:
Valid clients that connect using active syncookie mode might experience latency.
Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- FastL4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.
Impact:
Random connections might be disrupted.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1056365-3 : Bot Defense injection does not follow best SOP practice.
Links to More Info: BT1056365
Component: Application Security Manager
Symptoms:
In specific cases, Bot Defense challenge does not follow Same Origin Policy.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
In some cases, Bot Defense Injection does not follow Same Origin Policy.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1056213 : TMM core due to freeing of connflow, assuming it as http data.
Links to More Info: BT1056213
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing traffic.
Conditions:
-- HTTP virtual server with httprouter
-- irule with HTTP::disable followed by Header replace on
HTTP_REQUEST
-- curl the virtual IP address until the core
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
15.1.5
1055785 : SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard.
Links to More Info: BT1055785
Component: TMOS
Symptoms:
When using a fastl4 acceleration profile on a virtual server, throughput on the dashboard shows a much lower number of packets than the same traffic with a non-accelerated profile.
Conditions:
A fastl4 profile is used on a virtual server when only using 1 virtual server.
Impact:
Smartnic 2.0 stats throughput data is incorrect.
Workaround:
None
Fix:
Set the snoop's TMM number to the correct TMID instead of the pde number.
Fixed Versions:
15.1.5
1055361-2 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash.
Links to More Info: BT1055361
Component: SSL Orchestrator
Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a TMM crash.
Conditions:
Suspending iRule command in L7CHECK_CLIENT_DATA
Example:
ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
after 10000
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Suspending iRule command in L7CHECK_CLIENT_DATA.
Fix:
Fixed a TMM crash.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1053809 : TMM crashes while running L4 Max concurrent connections
Links to More Info: BT1053809
Component: Local Traffic Manager
Symptoms:
TMM crash is detected while executing L4 Max concurrent connection test.
Conditions:
- Execute L4 Max concurrent connection test.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash while executing L4 Max concurrent connection test.
Fixed Versions:
17.1.0, 15.1.5
1053741-3 : Bigd may exit and restart abnormally without logging a reason
Links to More Info: BT1053741
Component: Local Traffic Manager
Symptoms:
Certain fatal errors may cause the bigd daemon to exit abnormally and restart to recover.
For many such fatal errors, bigd logs a message in the LTM log (/var/log/ltm) indicating the fatal error that occurred.
For some causes, no message is logged to indicate what error occurred to cause big to exit abnormally and restart
Conditions:
This may occur when bigd encounters a fatal error when monitoring LTM pool members, particularly (although not exclusively) when using In-TMM monitor functionality (sys db bigd.tmm = enable).
Impact:
It may be difficult to diagnose the reason that caused bigd to exit abnormally and restart.
Workaround:
To enable logging of all fatal errors that cause bigd to exit abnormally and restart, enable bigd debug logging:
tmsh modify sys db bigd.debug value enable
With bigd debug logging enabled, bigd messages (including such fatal errors) will be logged to /var/log/bigdlog
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1053589 : DDoS functionality cannot be configured at a Zone level
Links to More Info: BT1053589
Component: Advanced Firewall Manager
Symptoms:
DDoS functionality is supported at the global and virtual server level.
Conditions:
DDoS functionality configured on the BIG-IP system.
Impact:
Cannot enable DDoS at the Zone level.
Workaround:
N/A
Fix:
DDoS functionality is now enabled at the Zone level.
Behavior Change:
Limited DDoS functionality is supported at the scope of a Zone, which is group of VLANs. Thus, DDoS functionality is now supported at the global, Zone, and virtual server levels.
Fixed Versions:
16.1.4, 15.1.8
1053557-3 : Support for Mellanox CX-6
Links to More Info: BT1053557
Component: TMOS
Symptoms:
The Mellanox CX-6 is not fully supported.
Conditions:
-- CX-6 network interface card is used with BIG-IP Virtual Edition.
Impact:
The BIG-IP system is unable to pass traffic through CX-6 interfaces.
Workaround:
None
Fix:
Traffic can be passed through CX-6 interfaces.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1053309-2 : Localdbmgr leaks memory while syncing data to sessiondb and mysql.
Links to More Info: BT1053309
Component: Access Policy Manager
Symptoms:
Top output shows that localdbmgr memory increases steadily.
Conditions:
Localdb auth is enabled or localdb is used for storing APM-related information like for MDM intune.
Impact:
Localdbmgr is killed by oom killer and is restarted, thereby affecting the execution of access policies.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1053149-2 : A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received.
Links to More Info: BT1053149
Component: Local Traffic Manager
Symptoms:
Depending on the software version running on the BIG-IP system, this issue can manifest in one of two ways:
- Versions with the fix for ID1008077 will fail to forward the client's final ACK (from the TCP 3-way handshake) to the server. Eventually, once the TCP handshake timeout expires, the BIG-IP system will reset both sides of the connection.
- Versions without the fix for ID1008077 will forward the traffic correctly, but will not advance the internal FastL4 state for the connection. Given enough traffic for the same 4-tuple, the connection may never expire. Traffic for subsequent connections will appear to be forwarded correctly, but no load-balancing will occur due to the original connection not having expired yet.
Conditions:
A FastL4 TCP connection not completing the TCP handshake correctly, and the client retrying with a new (different SEQ number) SYN.
Impact:
Traffic failures (intended as either connections failing to establish, or improper load-balancing occurring).
Fix:
A FastL4 TCP connection which is yet to fully establish now correctly updates its internal SEQ space when a new SYN is received. This means the connection advances as it should through internal FastL4 states, and is removed from the connection table when the connection closes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1052929-3 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.
Links to More Info: BT1052929
Component: Local Traffic Manager
Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and an be ignored.
Depending on the hardware platform, the message may be one of the following:
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..
Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".
Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.
Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1052153 : Signature downloads for traffic classification updates via proxy fail
Links to More Info: BT1052153
Component: Traffic Classification Engine
Symptoms:
Downloading IM package via proxy fails.
Conditions:
Downloading the IM file through a proxy.
Impact:
Auto-download IM package from f5.com will fail
Workaround:
Disable the proxy and trigger the IM package download from the management interface.
Fix:
Fixed an issue with downloading updates through a proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1051213-2 : Increase default value for violation 'Check maximum number of headers'.
Links to More Info: BT1051213
Component: Application Security Manager
Symptoms:
Due to recent change in browsers, up to 7 headers are newly inserted in the request.
In ASM, there is default limit of 20 headers. So, when legitimate requests have more than 20 headers, they're blocked with violation "Maximum Number of Headers exceeded".
Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.
Impact:
Legitimate requests are blocked with violation "Maximum Number of Headers exceeded" when number of header is greater than the value set for the policy (default 20).
Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.
Fix:
Increased default value of maximum number of headers to 30.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051209-2 : BD may not process certain HTTP payloads as expected
Links to More Info: K53593534 , BT1051209
Component: Application Security Manager
Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.
Conditions:
- HTTP request
Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.
Workaround:
N/A
Fix:
BD now processes HTTP payloads as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050969-2 : After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid
Links to More Info: BT1050969
Component: SSL Orchestrator
Symptoms:
Running clear-rest-storage removes all the available tokens as well as cookie files from /var/run/pamchache.
Conditions:
Run the clear-rest-storage command.
Impact:
All users are logged out of the GUI.
Workaround:
Re-login.
Fix:
Clear-rest-storage should only remove tokens not cookies.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1050697-5 : Traffic learning page counts Disabled signatures when they are ready to be enforced
Links to More Info: BT1050697
Component: Application Security Manager
Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.
Conditions:
Policy has a disabled signature.
Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050537-2 : GTM pool member with none monitor will be part of load balancing decisions.
Links to More Info: BT1050537
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.
Conditions:
GTM pool member the monitor value set to none.
Impact:
GTM does not load balance to this pool member.
Workaround:
N/A
Fix:
Handled GTM pool with "none" monitor
Behavior Change:
GTM pool members with "none" monitor are now part of load balancing decisions
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1050413-3 : Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml
Links to More Info: BT1050413
Component: TMOS
Symptoms:
When using the hard drive model HGST HUS722T1TALA604, the pendsect does not recognize the hard drive and skips during sector checks.
Conditions:
The issue occurs under the following conditions:
-- Using a HGST HUS722T1TALA604 hard drive on a BIG-IP system.
-- Pendsect runs a sector check.
Impact:
Warning messages like the following will be logged to /var/log/messages:
-- warning pendsect[31898]: skipping drive -- Model: HDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Pendsect can't properly check the hard drive.
Workaround:
Give write permissions to modify files:
chmod u+w /etc/pendsect/drives.xml
Open the file and add the following at the end of the file, before default:
<snip>
<HUS722T1TA>
<offset firmware="RAGNWA09">0</offset>
<offset firmware="default">0</offset>
<family> "HA210"</family>
<wd_name>"Ultrastar"</wd_name>
</HUS722T1TA>
<DEFAULT>
<firmware version="default">
<offset>0</offset>
</firmware>
<name> "UNKNOWN"</name>
<family> "UNKNOWN"</family>
<wd_name>"UNKNOWN"</wd_name>
</DEFAULT>
</model>
</drives>
Save and close the file.
Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
Fix:
None
Fixed Versions:
17.0.0, 15.1.10
1050273-2 : ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator.
Links to More Info: BT1050273
Component: SSL Orchestrator
Symptoms:
The following similar error log messages repeated many times:
err tmm[13905]: 01c80017:3: CONNECTOR: Listener=/Common/sslo_intercept.app/sslo_intercept-in-t-4, Profile=/Common/ssloS_httpEpxy.app/ssloS_httpEpxy-t-4-connector: Error forwarding egress to return virtual server (null) - ERR_BOUNDS
err tmm8[13905]: 01c50003:3: Service : encountered error: ERR_BOUNDS File: ../modules/hudfilter/service/service_common.c Function: service_cmp_send_data, Line: 477
Conditions:
1. SSL Orchestrator with an HTTP service.
2. System is sending a large file.
Impact:
SSL Orchestrator throughput is degraded.
Workaround:
None
Fix:
After the fix, no such errors are observed and the throughput is back to normal.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.5
1050165-1 : APM SSO is disabled in the session of users and requires support of administrator for resolving
Links to More Info: BT1050165
Component: Access Policy Manager
Symptoms:
The SSO process is disabled for the user session when the webtop resource with APM Single Sign-On (SSO) configuration fails due to unknown reasons.
Conditions:
-- Configure Kerberos SSO
-- Configure a network resource (the mailbox of a user is configured on an exchange server or an IIS-based web service)
Impact:
The BIG-IP Administrator is required to manually release the affected session.
Workaround:
None
Fix:
SSO is no longer disabled for the entire APM session if Kerberos SSO fails.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1050009-1 : Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs
Links to More Info: BT1050009
Component: Access Policy Manager
Symptoms:
In /var/log/apm
<Date> <time> <bigip> err tmm1[12598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: <file name>, Function: acs_cmp_acp_req_handler, Line: 576
Conditions:
While evaluating Access Policy created by irule
ACCESS::session create -timeout <timeout> -lifetime <lifetime>
ACCESS::policy evaluate -sid <session ID> -profile <profile name>
Impact:
/var/log/apm gets filled with many 'Access encountered error:ERR_NOT_FOUND' error logs and there is no functional imapct.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1049237 : Restjavad may fail to cleanup ucs file handles even with ID767613 fix
Links to More Info: BT1049237
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client (such as a BIG-IQ which is out of disk space) does not complete the download.
Since these files remain open, you may see low disk space even after deleting the associated files, and you may see items listed with '(deleted)' in lsof output.
Additionally, on a software version with ID767613 fix, you may see restjavad NullPointerException errors on /var/log/restjavad.*.log.
[SEVERE][1837][23 Sep 2021 10:18:16 UTC][RestServer] java.lang.NullPointerException
at com.f5.rest.workers.FileTransferWorker$3.run(FileTransferWorker.java:230)
at com.f5.rest.common.ScheduleTaskManager$1$1.run(ScheduleTaskManager.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:473)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
# tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1049229-2 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
Links to More Info: BT1049229
Component: Advanced Firewall Manager
Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.
Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that include the fixes for BIG-IP bugs ID1032405 and ID941649.
Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1049213-1 : A new disaggregation (DAG) mode based on TEID field in GTP-U header is introduced
Links to More Info: BT1049213
Component: Protocol Inspection
Symptoms:
The default DAG mode uses the source and destination ports for hash calculation to distribute the traffic across TMMs. This does not scale well for GTP-U traffic since the source and destination port are unchanged (default well known port 2152).
This results in a single TMM (CPU) processing all the GTP-U packets results in high load on a single CPU whilst the other CPUs are underutilized.
Conditions:
GTP-U traffic uses the same source and destination well known port 2152.
Impact:
One CPU being overloaded where as other CPUs are under utilized.
Fix:
A new disaggregation (DAG) mode for GTP-U traffic is introduced to effectively distribute the traffic across different TMM's and thereby proper utilization of CPU resources.
This can be enabled/disabled by configuring sys db variable "iptunnel.gtp.teid_hash". This sys db variable is set to disabled by default. When enabled, this behavior is applied to only GTP-U traffic when it matches the below criteria:
- GTP-U version needs to be 1 (GTP-U v1)
- Source and destination ports need to be 2152.
Behavior Change:
When the new disaggregation (DAG) mode is enabled for GTP-U traffic by configuring "iptunnel.gtp.teid_hash", the TEID field in the GTP-U header is used to calculate the hash to disaggregate the packets to TMMs.
NOTE: The source-address translation is not supported for GTP-U traffic processing virtual when this mode is enabled. The source-port is preserved, and no ephemeral port is used to create connections on the BIG-IP.
Fixed Versions:
17.0.0, 15.1.8
1048977 : IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled
Links to More Info: BT1048977
Component: TMOS
Symptoms:
With an IPsec tunnel configured on the BIG-IP system, when tmm is restarted it fails to establish the IPsec tunnel.
Conditions:
-- VELOS platform
-- Tmm is restarted after a successful IPsec establishment with an appropriate IPSEC configuration.
Impact:
When tmm is restarted, it fails to setup the IPsec tunnel and IPSec traffic is disrupted.
Workaround:
After device reboot, re-apply the ipsec configuration to establish the tunnel again.
Fix:
IPSec tunnels are now re-established following a tmm restart.
Fixed Versions:
17.1.0, 15.1.6
1048949-3 : TMM xdata leak on websocket connection with asm policy without websocket profile
Links to More Info: BT1048949
Component: Application Security Manager
Symptoms:
Excessive memory consumption, tmm core.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Websocket profile isn't attached to the virtual server
- Long lived websocket connection with messages
Impact:
Excessive memory consumption, tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Attach the websocket profile to the virtual server
Fix:
Fix asm code to avoid buffering websocket message without websocket profile
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1048917 : Image2disk does not work on F5OS BIG-IP tenant. ★
Links to More Info: BT1048917
Component: TMOS
Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.
Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.
Impact:
Installation fails.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
15.1.5
1048853-2 : TMM memory leak of "IKE VBUF"
Links to More Info: BT1048853
Component: TMOS
Symptoms:
The "IKE VBUF" memory increase is seen through tmctl memory_usage_stat when ipsec-sa are deleted and new ipsec-sa are created.
Conditions:
A tunnel connection exists between the BIG-IP initiator and responder.
Impact:
Memory consumption increases after every ipsec-sa delete operation when the new ipsec-sa is created.
Workaround:
N/A
Fix:
Fixed a memory leak related to ipsec-sa.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1048709-1 : FCS errors between the switch and HSB
Links to More Info: BT1048709
Component: TMOS
Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table, following is an example:
name fcs_errors
---- ----------
10.1 19729052
Conditions:
This requires a BIG-IP platform that has a switch and HSB.
Impact:
Networking traffic can be impacted when this condition occurs.
Workaround:
The device needs to be rebooted in order to clear the FCS errors.
Fix:
The improvement adds the ability to trigger an High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on the B4450 platform.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1048685-2 : Rare TMM crash when using Bot Defense Challenge
Links to More Info: BT1048685
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile on Blocking mode, TMM could crash on rare cases with a core dump.
Conditions:
Using the Bot Defense profile on blocking mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM will no longer crash on rare conditions when using the Bot Defense Challenge
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1048541-2 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.
Links to More Info: BT1048541
Component: TMOS
Symptoms:
A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Conditions:
Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Impact:
The renew requests fail.
Fix:
The renew requests now succeed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1048445-3 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The accept button is clickable when it should not. Accept Request button should be disabled for this violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
Request will not be accepted even though you have elected to accept the illegal request.
Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1048433 : Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation. ★
Links to More Info: BT1048433
Component: Local Traffic Manager
Symptoms:
The thales-sync.sh script tries to install on the second blade eventually The packages provided by formerly Thales now nShield/Entrust are increasing version to version, The extract logic is not compatible with to latest versions.
Conditions:
While upgrading lower versions to 12.60.
Impact:
The installation script will fail to find to extract packages.
Workaround:
N/A
Fix:
Extract all the tarballs in the target directory to resolve the issue.
Fixed Versions:
16.1.2.1, 15.1.5.1
1048141-2 : Sorting pool members by 'Member' causes 'General database error'
Links to More Info: BT1048141
Component: TMOS
Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.
Conditions:
Sorting the pool member list by member.
Impact:
A pool's pool member page cannot be displayed.
Workaround:
Clear site and cached data on browser and do not sort by pool member.
Fix:
Pool members can be sorted by member.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1048137-3 : IPsec IKEv1 intermittent but consistent tunnel setup failures
Links to More Info: BT1048137
Component: TMOS
Symptoms:
IKEv1 tunnels fail to start or re-key after an upgrade.
In the racoon.log file a clear sign of this issue is the combination of an IPsec SA being established and a buffer space error immediately after:
INFO: IPsec-SA established: ESP/Tunnel 172.16.1.6[0]->172.16.12.6[0] spi=2956426629(0xb0377d85)
ERROR: pfkey UPDATE failed: No buffer space available
Conditions:
-- IPsec IKEv1 tunnels
Impact:
IPsec tunnels will stop working after being up for an initial period of time.
Workaround:
The only workaround is to switch to IKEv2.
Fix:
Internal message handling related to IKEv2 high availability (HA) has changed, unintentionally breaking IKEv1's ability to keep tunnel states up-to-date. IKEv1 can now track tunnel state correctly.
Note: IKEv1 high availability (HA) / mirroring is still not supported and there is no plan to support it.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1047581-2 : Ramcache can crash when serving files from the hot cache
Links to More Info: BT1047581
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.
Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1047389-2 : Bot Defense challenge hardening
Links to More Info: BT1047389
Component: Application Security Manager
Symptoms:
Under certain conditions, the Bot Defense profile does not follow current best practices.
Conditions:
Bot Defense profile used
Impact:
The Bot Defense profile does not follow current best practices.
Workaround:
None
Fix:
The Bot Defense profile now follows current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047169-2 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
Links to More Info: BT1047169
Component: TMOS
Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.
An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:
err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"
Note the error message incorrectly reports the pool as type A (it should report type AAAA).
Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).
-- The pool name is referenced in an iRule by the 'pool' command.
-- The iRule is in use by an AAAA wideip.
-- A BIG-IP Administrator attempts to delete the AAAA pool.
Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.
Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.
Additionally, traffic which relied on the pool being present in the configuration will fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046917-3 : In-TMM monitors do not work after TMM crashes
Links to More Info: BT1046917
Component: In-tmm monitors
Symptoms:
After TMM crashes and restarts, in-TMM monitors do not run. Monitored pool members are down.
Conditions:
-- In-TMM monitors are enabled.
-- TMM exits abnormally, as a result of one of the following:
+ TMM crashing and restarting
+ TMM being sent a termination signal (i.e. using 'pkill' to kill TMM)
Note: This issue does not occur if TMM is restarted using 'bigstart' or 'tmsh sys service'.
Impact:
Monitored pool members are offline.
Workaround:
One of the following:
1. Do not use in-TMM monitors.
2. After TMM restarts, manually restart bigd:
tmsh restart sys service bigd
3. Add an entry to /config/user_alert.conf such as the following, so that the system restarts bigd when TMM starts up.
On an appliance or single-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="bigstart restart bigd"
}
On a VIPRION or multi-slot vCMP guest/tenant:
alert id1046917 "Tmm ready - links up." {
exec command="clsh --color=all bigstart restart bigd"
}
Note: This change must be made separately on each device in a ConfigSync device group.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1046785-3 : Missing GTM probes when max synchronous probes are exceeded.
Links to More Info: BT1046785
Component: Global Traffic Manager (DNS)
Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.
In the /var/log/gtm file, the following message may be seen:
011ae116:4: The list processing time (x seconds) exceeded the interval value. There may be too many monitor instances configured with a y second interval
Note that this message is only logged once when gtmd is restarted, or when monitors are added or removed in the gtm configuration.
In 14.1.x and earlier the message will be slightly different:
011ae106:5: The monitor probing frequency has been adjusted because more than 130 synchronous monitors were detected
Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.
Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group, with some showing 'big3d: timed out' and others potentially showing a stale up or down status for the same targets.
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.
Workaround:
Increase the value of Max Synchronous Monitor Requests:
tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>
Fix:
All monitors are now allowed to probe without triggering a failure.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5
1046717 : Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes.
Links to More Info: BT1046717
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts.
Conditions:
A virtual server that utilizes one-connect and a pool with an inband monitor and the pool members are reachable via a route. If the route changes back and forth between a gateway route and an ECMP or pool route, tmm could crash.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
15.1.9
1046693-3 : TMM with BFD confgured might crash under significant memory pressure
Links to More Info: BT1046693
Component: TMOS
Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.
Conditions:
- BFD in use.
- TMM under high memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046669-2 : The audit forwarders may prematurely time out waiting for TACACS responses
Links to More Info: BT1046669
Component: TMOS
Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.
Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.
Impact:
Misleading log messages.
Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046633-2 : Rare tmm crash when sending packets to apmd fails
Links to More Info: BT1046633
Component: Access Policy Manager
Symptoms:
Tmm crashes while passing APM traffic
Conditions:
iRules involving ACCESS::session evaluate, or presence of access per-request policies that involves apmd like ldap/saml authentication.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1046401-1 : APM logs shows truncated OCSP URL path while performing OCSP Authentication.
Links to More Info: BT1046401
Component: Access Policy Manager
Symptoms:
While performing OCSP authentication, the APM log file (/var/log/apm) shows the incomplete path of the OCSP URL.
Conditions:
-- Configure OCSP Server object
-- Configure OCSP Agent in the VPE
-- Perform OCSP Authentication
Impact:
Incomplete path of the OCSP URL causes ambiguity and gives the impression that APM is not parsing the URL correctly, while LTM parses correctly at the same time.
Workaround:
N/A
Fix:
The APM deamon parses the given OCSP URL correctly but while printing it in the logs the apmd is reading it partially due to limited log buffer size.
The log buffer size is increased to print the complete OCSP URL paths.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1046317-1 : Violation details are not populated with staged URLs for some violation types
Links to More Info: BT1046317
Component: Application Security Manager
Symptoms:
The "Triggered Violations" field in the event log screen and corresponding data in remote logging is not populated.
Conditions:
- The URL is in staging
- The triggered violation is one of the following violations
VIOL_MANDATORY_REQUEST_BODY
VIOL_URL_CONTENT_TYPE
VIOL_METHOD
Impact:
Lack of details in the request log event.
Workaround:
None
Fix:
This defect is closely related to ID1036305 and both defects are fixed together
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
1045913-3 : COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression
Links to More Info: BT1045913
Component: Local Traffic Manager
Symptoms:
When using selective compression, COMPRESS::disable after a compressed response on the same connection will remove the Accept-Encoding header on the subsequent request and then correctly not compress the response. The Accept-Encoding header should be left in place to allow the server to compress the response, if able.
Conditions:
1. Virtual server with HTTP profile and selective compression using conditional COMPRESS::disable/COMPRESS::enable iRules with a server capable of responding with compressed content.
2. A client requests compressed documents over a persistent connection
Impact:
Client may receive some uncompressed responses in cases where compression was expected.
Workaround:
An iRule that can insert an Accept-Encoding header at HTTP_REQUEST_RELEASE time which would allow the server to compress, if capable.
Fixed Versions:
15.1.5.1, 14.1.4.5
1045549-3 : BFD sessions remain DOWN after graceful TMM restart
Links to More Info: BT1045549
Component: TMOS
Symptoms:
BFD sessions remain DOWN after graceful TMM restart
Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.
Impact:
BFD sessions remain DOWN after graceful TMM restart
Workaround:
After restarting TMM, restart tmrouted.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045421-2 : No Access error when performing various actions in the TMOS GUI
Links to More Info: K16107301 , BT1045421
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
---- System / Software Management : APM Clients / Import
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download
Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
Cannot perform various actions in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1045229-2 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557
Links to More Info: BT1045229
Component: Access Policy Manager
Symptoms:
APMD memory grows over time causing OOM killer to kill apmd
Conditions:
Access policy has resource assignment agents/variable assignments
Impact:
APMD memory grows over time and OOM killer may terminate apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.
If APMD is not killed by OOM killer the system may start thrashing and become unstable, generally resulting in cores from innocent processes that are no longer scheduled correctly - keymgmtd, bigd, mcpd are typical victims.
Ultimately system may restart automatically as watchdogs fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044893-3 : Kernel warnings from NIC driver Realtek 8139
Links to More Info: BT1044893
Component: TMOS
Symptoms:
Excessive kernel logs occur from the NIC driver Realtek 8139
Conditions:
-- Realtek 8139 driver is used
-- Packets with partial checksum and protocol IPPROTO_TCP/IPPROTO_UDP arrives
Impact:
The Realtek 8139 driver logs excessive kernel warnings.
Fix:
Updated in Realtek 8139 driver, for such a scenario the kernel logs would be triggered only at once.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044457-2 : APM webtop VPN is no longer working for some users when CodeIntegrity is enabled.
Links to More Info: BT1044457
Component: Access Policy Manager
Symptoms:
Users are unable to use the BIG-IP VPN in Edge, Internet Explorer, Firefox, and Chrome.
Microsoft believes the issue is because the Network Access webtop is using MSXML 2.0a which is blocked by their desktop policy
Conditions:
-- Attempting to connect to Network Access VPN using Edge, Internet Explorer, Chrome and Firefox.
-- CodeIntegrity is enabled
Impact:
Users are not able to connect to F5 VPN through APM Browser.
Workaround:
Workaround is to use the BIG-IP Edge client.
Fix:
Users should be able to access Network Access VPN through APM Browser.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1044425-3 : NSEC3 record improvements for NXDOMAIN
Links to More Info: K85021277 , BT1044425
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.
Conditions:
- DNSSEC zone configured
Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.
Workaround:
N/A
Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1044121-2 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false
Links to More Info: BT1044121
Component: Access Policy Manager
Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.
Conditions:
Db variable "ipv6.enabled" is set to false
Impact:
Users will not be able to access the virtual server and associated resources behind it.
Workaround:
Keep the value of db variable "ipv6.enabled" set to true.
# setdb "ipv6.enabled" true
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044089-1 : ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI.
Links to More Info: BT1044089
Component: TMOS
Symptoms:
Virtual address is reachable even when the virtual server is offline.
Conditions:
The virtual server status is updated to offline by modifying the virtual server and adding an iRule via the GUI.
Impact:
ICMP echo requests are still handled by the virtual address even though the virtual server is marked offline.
Workaround:
Use tmsh to attach the iRule to the virtual server:
tmsh modify ltm virtual <virtual_server_name> rules {<rule_name> }
Fix:
Virtual address is no longer reachable when virtual server is offline.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1043805-2 : ICMP traffic over NAT does not work properly.
Links to More Info: BT1043805
Component: Local Traffic Manager
Symptoms:
ICMP traffic hitting a NAT translation address is dropped and not sent further to the originating address.
Conditions:
-- An LTM NAT is configured.
-- ICMP traffic arrives.
Impact:
ICMP traffic fails to be forwarded over the NAT.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
1043533-1 : Unable to pick up the properties of the parameters from audit reports.
Links to More Info: BT1043533
Component: Application Security Manager
Symptoms:
In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error:
" Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Conditions:
1) Create a new parameter.
2) Customize or overwrite an existing ASM signature for the parameter in question.
3) Save and apply to the policy the new changes
4) Go to:
Security ›› Application Security : Audit : Reports
Report Type : User-input parameters with overridden attacks signatures (this also happens for other "User-input parameters...")
Select the parameter to audit
Error: "Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Impact:
A page error occurs.
Workaround:
1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List
2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting.
3. On the blank part (before "Go" button) type the name of the required parameter.
4. You will get the desired page with the desired parameter properties.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1043385-3 : No Signature detected If Authorization header is missing padding.
Links to More Info: BT1043385
Component: Application Security Manager
Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.
Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding.
Impact:
Attack signature not detected.
Workaround:
N/A
Fix:
Base64 values with extra/missing padding has been handled to detect attack signature
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1043357-3 : SSL handshake may fail when using remote crypto client
Links to More Info: BT1043357
Component: Local Traffic Manager
Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.
Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.
Impact:
The virtual server is unable to connect to the backend server.
Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.
Fix:
Fix remote crypto client.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043277-3 : 'No access' error page displays for APM policy export and apply options.
Links to More Info: BT1043277
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while exporting/applying an APM policy in the TMOS GUI.
Conditions:
This issue can occur when exporting/applying an APM policy in the TMOS GUI while running a BIG-IP Engineering Hotfix that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html.
Impact:
Cannot export/apply an APM policy in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when exporting/applying an APM policy in the TMOS GUI under these conditions.
In BIG-IP 16.1.2, this was fixed as a result of fixes made for ID1045421 and ID1049229 (i.e., both fixes).
Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
1043217-2 : NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform
Links to More Info: BT1043217
Component: Access Policy Manager
Symptoms:
NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform
Conditions:
Windows Server configured as a back-end and BIG-IP is acting as an RDP gateway. After recent upgrade of MacOS Client (iOS 14.0.1), the Remote desktop starts failing.
Latest Microsoft RDP clients mandate below three flags as part of NTLM CHALLENGE message which will sent from NTLM Auth Server/Proxy
1.NTLMSSP_NEGOTIATE_KEY_EXCH
2.NTLMSSP_NEGOTIATE_VERSION
3.NTLMSSP_REQUEST_TARGET
Due to this, RDP client rejecting the NTLM challenge, and authentication is failing.
Impact:
Users won't be able to establish RDP sessions to the backend Windows Server
Fix:
Updated the ECA (NTLM frontend auth service) to include these flags as part of NTLM Challenge.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1043017-3 : Virtual-wire with standard-virtual fragmentation
Links to More Info: BT1043017
Component: Local Traffic Manager
Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.
Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.
Impact:
- Fragments missing on egress.
- Packet duplication on egress.
Workaround:
Use fastl4 virtual-server instead.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1043009-3 : TMM dump capture for compression engine hang
Links to More Info: BT1043009
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
The system detects a Nitrox hang and attempts to reset it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set Nitrox3.Compression.HangReset db variable to reset
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1042993-2 : Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'
Links to More Info: K19272127 , BT1042993
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'NO ACCESS' error page while running the high availability (HA) setup wizard.
Conditions:
This may occur when running the high availability (HA) setup wizard in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
You are unable to run/finish the Config Sync/HA setup wizard to completion.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'NO ACCESS' error pages no longer appear while running the high availability (HA) setup wizard in the TMOS GUI under these conditions.
In v16.1.2, ID1045421 and ID1049229 resolved the issue.
Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
1042913 : Pkcs11d CPU utilization jumps to 100%
Links to More Info: BT1042913
Component: Local Traffic Manager
Symptoms:
CPU utilization of pkcs11d increases to 100%.
Conditions:
This occurs when pkcs11d is disconnected from the external HSM.
Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.
Workaround:
None.
Fix:
Pkcs11d no longer consumes 100% CPU when it is disconnected from the external HSM.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1042737-3 : BGP sending malformed update missing Tot-attr-len of '0.
Links to More Info: BT1042737
Component: TMOS
Symptoms:
BIG-IP might send a malformed BGP update missing Tot-attr-len of '0 when performing a soft reset out.
Conditions:
-- Multiple traffic groups configured.
-- A BGP soft reset occurs.
Impact:
BGP peering resets.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1042605-3 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above ★
Links to More Info: BT1042605
Component: Application Security Manager
Symptoms:
Following an upgrade, an error occurs:
ERROR: Failed during loading ASM configuration.
An "ASM critical warning" banner is displayed in the ASM GUI.
Conditions:
-- ASM is upgraded to v15.1.0 or above
-- The following query returns results prior to upgrading:
SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES)
Impact:
ASM upgrade is aborted due to an exception:
Can't call method "clear_traffic_data" on unblessed reference
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1042589-2 : Wrong trunk_id is associated in bcm56xxd.
Links to More Info: BT1042589
Component: TMOS
Symptoms:
When a set of interfaces are moved from one trunk to another, the now empty trunk is left with a valid association in bcm56xxd, and deleting that trunk can cause a valid trunk to be removed in the BCM hardware.
'tmsh show net trunk MY_TRUNK' shows the trunk is UP, but in fact the trunk is unconfigured in hardware.
Conditions:
Moving the interfaces across trunks.
i.e.
tmsh modify net trunk MY_OLD_TRUNK interfaces none
tmsh modify net trunk MY_NEW_TRUNK interfaces add { 1.1 1.2 }
tmsh delete net trunk MY_OLD_TRUNK
Impact:
May cause an L2 traffic loop.
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
1042505-2 : Session variable "session.user.agent" does not get populated for edge clients
Links to More Info: BT1042505
Component: Access Policy Manager
Symptoms:
Access policy agents and iRules that depend on "session.user.agent" session variable fail to execute properly.
Conditions:
Access polices have agents that depend on the value of session variable "session.user.agent" for its execution.
Impact:
Any access policy agents that depend on this session variable will not be able to follow the rules.
Workaround:
An iRule can be used to generate a session variable. For example:
# This event fires once per session
when ACCESS_SESSION_STARTED {
log local0. "Setting User-Agent based on HTTP data - [HTTP::header User-Agent]"
ACCESS::session data set session.custom.client.useragent [HTTP::header User-Agent]
#Use this variable in the VPE to make some decision
}
Fix:
Fix now sets the session variable properly.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1042153-1 : AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.
Links to More Info: BT1042153
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when TS cookie enabled on either of the VLANS (client/server), when the TS cookie enabled on both the VLAN no issues are seen.
Conditions:
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.
Impact:
The TS cookie will not be restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK will be handled by the hardware in BIG-IP. As s result, end-hosts (client/server) RTT calculation is incorrect and causes various issues (ex : blocks the Internet access from hosts in the backend infrastructure).
Workaround:
Use fastL4 profile with EST mode i.e. change the 'pva-offload-state to EST'
Fix:
Restoring the Timestamp is fine.
Fixed Versions:
17.1.1, 17.0.0, 16.1.5, 15.1.10
1042069-2 : Some signatures are not matched under specific conditions.
Component: Application Security Manager
Symptoms:
Some signatures are not matched and attack traffic can pass through.
Conditions:
There are more than 20 signatures that have a common keyword with a signature that does not match (and has a common keyword and a new keyword).
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5
1041985-3 : TMM memory utilization increases after upgrade ★
Links to More Info: BT1041985
Component: Access Policy Manager
Symptoms:
TMM memory utilization increases after upgrading.
The keep-alive interval of the _tmm_apm_portal_tcp default profile is set to a value that is less than the Idle Timeout setting.
Conditions:
-- APM enabled and passing traffic
-- The configuration has a profile that uses or is derived from _tmm_apm_portal_tcp where the keep-alive interval was reduced to 60
Note that this can be encountered any time a tcp profile contains a keep-alive interval setting that is less than the idle timeout.
For more information about the relationship between keep-alive and idle time out, see K13004262: Understanding Idle Timeout and Keep Alive Interval settings in the TCP profile, available at https://support.f5.com/csp/article/K13004262
Impact:
TMM memory may increase while passing traffic.
Workaround:
Change the tcp keep alive interval to the default setting of 1800 seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1041865-3 : Correctable machine check errors [mce] should be suppressed
Links to More Info: K16392416 , BT1041865
Component: TMOS
Symptoms:
Log emerg in kern.log similar to:
emerg kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 10: cc003009000800c1
Conditions:
Correctable errors can be identified by analyzing the 16‐bit value shown in bits [31:16] of the 64‐bit error from the /var/log/kern.log message. There are many types of correctable errors that are not service impacting. Correctable errors are part of the ECC DIMM technology. The following is an example of a correctable error.
An example is shown below.
Log error matches this pattern:
Machine Check: 0 [bank number]: [cc003009][0008][00c1]
bits [31:16] = 0008
Impact:
Correctable errors are logged in kern.log and to the console. There is no functional impact.
Workaround:
If the error message matches the signature in the example above, an RMA is not needed.
If the error message does not match that signature, check the system's traffic condition and confirm there is no negative performance impact. If no performance impact is observed then it means the error is a correctable error and an RMA is not required.
F5 recommends that you upgrade to a fixed TMOS version, then check that the error message is eliminated. For more information, see K16392416: Memory errors and MCE errors
Fix:
Fixed “correctable MCE error suppressed” errors.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
1041765-1 : Racoon may crash in rare cases
Links to More Info: BT1041765
Component: TMOS
Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.
Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.
Impact:
Racoon will crash and any IKEv1 tunnels will restart
Workaround:
Use IKEv2 only.
Fix:
This racoon crash has been stopped.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.10
1041149-2 : Staging of URL does not affect apply value signatures
Links to More Info: BT1041149
Component: Application Security Manager
Symptoms:
When a URL is staged and a value content signature is detected, the matched request is blocked.
Conditions:
-- URL is set to staging;
-- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted);
-- Request matches attack signature
Impact:
The request for staged URL is blocked
Workaround:
Configure relevant content profiles or leave the default content profiles configuration.
Fix:
Fixed to correctly handle URL staging in case of only "Any" content profile.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1040929 : Change F5OS BIG-IP tenant name from VELOS to F5OS.
Links to More Info: BT1040929
Component: TMOS
Symptoms:
Bundle images used to create F5OS tenants contain the name VELOS.
Conditions:
Prior to 15.1.4, Bundled images used to create F5OS tenants contain the name VELOS.
Impact:
15.1.5 bundle images for F5OS and future releases now contain F5OS instead of VELOS
Workaround:
N/A
Fix:
In 15.1.5, bundle images now contain the word F5OS instead of VELOS
Fixed Versions:
15.1.5
1040829-3 : Errno=(Invalid cross-device link) after SCF merge
Links to More Info: BT1040829
Component: Access Policy Manager
Symptoms:
A single config file (SCF) merge fails with the following error:
01070712:3: failed in syscall link(/var/system/tmp/tmsh/IHxlie/files_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1, /config/filestore/.trash_bin_d/.current_d/Common_d/customization_group_d/:Common:otters-connectivity_1_secure_access_client_customization_62552_1) errno=(Invalid cross-device link)
Conditions:
A customization group with the same name is present in both the SCF file and the BIG-IP device.
Impact:
SCF merge fails
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1040821-3 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
Links to More Info: BT1040821
Component: TMOS
Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.
Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.
Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.
Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1040685-3 : Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier)
Links to More Info: BT1040685
Component: Advanced Firewall Manager
Symptoms:
Tmm crashes after reboot.
Conditions:
This is encountered intermittently after rebooting a blade.
Impact:
Slot usable until manual intervention. Traffic disrupted while tmm restarts.
Note: this issue happened only once and no further occurrence was reported.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1040609-3 : RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server.
Links to More Info: K21800102 , BT1040609
Component: Local Traffic Manager
Symptoms:
Specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Conditions:
RFC enforcement enabled from the HTTP profile or tmm.http.rfc.enforcement db variable.
HTTP redirect irule applied to virtual server.
Running a BIG-IP version that contains the fix for the issue described in K50375550: A specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a backend server
Impact:
Specifically crafted HTTP request might lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server.
Workaround:
N/A
Fix:
The issue is fixed with content-length header stripped off when both Content-Length and Transfer-Encoding present in the header.
Behavior Change:
The content-length header is removed when both content-length and Transfer-Encoding are present in the header.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1040573-2 : REST operation takes a long time when two different users perform tasks in parallel
Links to More Info: BT1040573
Component: TMOS
Symptoms:
A considerable delay is observed when different users attempt to execute multiple iControl Rest (iCR) requests in parallel.
The below restjavad error log will be observed as async context's state expired before icrd times out during delay in processing requests. This error can be observed when there is considerable delay in request processing irrespective of single user or different users.
[WARNING][7777][25 Jan 2024 16:09:47 UTC][RestOperation]
Exception in POST http://localhost:8100/mgmt/shared/appsvcs/declare failed. t: java.lang.IllegalStateException: AsyncContext completed and/or Request lifecycle recycled
Conditions:
Multiple iControl REST operations are performed by different users in parallel.
When attempting multiple requests by single or multiple users with and without bulk config, the following behaviors are observed:
5 ICRD children getting spawned successfully and same are being observed in logs and noticed that these children are serving multiple rest requests fired by multiple users
Observed expected results for all below scenarios, except the last scenario which has a caveat:
1. Verify multiple rest requests fired with single user
2. Verify multiple rest requests fired with multiple users(5 users )
3. Verify single rest request fired with multiple users (5 users)
4. Verify multiple rest requests fired from multiple users with Bulk config(5 users)
5. Verify single rest request fired from multiple users with Bulk Config(5 users)
Scenario 5 has a Caveat with the current fix, since this fix limits up to 4 concurrent requests, the connection may be refused for some of the requests if the concurrent requests are more than 4.
Impact:
BIG-IP system performance is impacted.
Workaround:
Use only one user to process the multiple requests.
OR
Send multiple requests in a single iControl Rest transaction.
Fix:
Create icrd child per user to avoid context switching. If maxNumChild threshold is reached then allocate users in round robin fashion to all available children to process the requests.
Increase the timeout values to the following:
# tmsh modify sys db icrd.timeout value 30
# tmsh modify sys db restjavad.timeout value 300
# tmsh modify sys db restnoded.timeout value 300
Save changes and restart related services:
# tmsh save sys config
# tmsh restart sys service restjavad
# tmsh restart sys service restnoded
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1040513-1 : The counter for "FTP commands" is always 0.
Links to More Info: BT1040513
Component: Application Security Manager
Symptoms:
On the FTP Statistics page, the "FTP Commands" value is always zero.
Conditions:
FTP security is applied and "FTP commands violations" is enforced.
Impact:
The FTP security does not show violations statistics regarding the FTP commands.
Workaround:
None
Fix:
"FTP commands statistics" now shows an accurate value in the UI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1040361-2 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server.
Links to More Info: BT1040361
Component: Local Traffic Manager
Symptoms:
-- Log message written to TMM log file:
panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.
-- Config changes to virtual server with traffic-matching criteria can cause memory corruption which can lead to delayed TMM crashes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Traffic Matching Criteria with destination port lists.
TMM restart is required in case the virtual server is modified with traffic-matching-criteria related config.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5
1040117-1 : BIG-IP Virtual Edition drops UDP packets
Links to More Info: BT1040117
Component: TMOS
Symptoms:
BIG-IP Virtual Edition drops padded UDP packets when the hardware will accept and forward these same packets.
Conditions:
-- BIG-IP Virtual Edition
-- Padded UDP packets are sent
Impact:
UDP packets are dropped, potentially disrupted traffic
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1040017-3 : Final ACK validation during flow accept might fail with hardware SYN Cookie
Links to More Info: BT1040017
Component: Local Traffic Manager
Symptoms:
With hardware SYN cookie mode enabled, final ACK validation during flow accept fails and ACK packets are dropped. Such error messages are being logged in LTM logs :
"An Enforced Device DOS attack start was detected for vector TCP half-open"
Conditions:
-- Hardware SYN Cookie is enabled
-- BIG-IP is under TCP half-open attack and packet hits a CMP forwarding flow
Impact:
ACK packets are wrongly dropped, causing traffic interruption.
Workaround:
Disable hardware SYN Cookie
Fixed Versions:
17.0.0, 16.1.4, 15.1.7
1039993-2 : AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE"
Links to More Info: BT1039993
Component: Advanced Firewall Manager
Symptoms:
Although Subscriber ID is not changed, "Port Block Updated","10.10.10.29","0","10.20.20.64","0","1025","1275","","unknown" is being written in the log
Conditions:
If "Log subscriber ID" field is selected in the log profile, this log will be printed.
Impact:
Excessive log messages occur.
Workaround:
If you deselect "Log subscriber ID" field in log profile, this message will not be written. Note that this workaround may impact other messages related to subscriber ID.
Fixed Versions:
15.1.9
1039941-2 : The webtop offers to download F5 VPN when it is already installed
Links to More Info: BT1039941
Component: Access Policy Manager
Symptoms:
A pop-up window shows up and requests to download the client component.
Conditions:
Either of these conditions can trigger this issue:
-- Network Access configured and webtop type to "Network Access"
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
or
-- Network Access (auto-launch) and webtop configured
-- VPE configured
[Machine Info (or Anti Virus Check)] -- [Resource Assignment (NA + Webtop)]
Impact:
End users are unable to use the browser-based VPN.
Workaround:
Any one of these following workarounds will work:
-- Use Internet Explorer.
-- Do not configure Network Access auto launch or "Network Access" for the webtop type.
-- Insert the message box between Client Inspection (Machine info, etc.) and "Resource Assignment" on the VPE.
-- Ignore the message (click "Click here"), and it allows you to move on to the next step.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1039805 : Save button in Response and Blocking Pages section is enabled when there are no changes to save.
Links to More Info: BT1039805
Component: Application Security Manager
Symptoms:
Save button remains enabled even though previous changes were already saved.
Conditions:
1. Create Parent Security Policy in the following screen
Security ›› Application Security : Security Policies :
Policies List ›› Create New Policy.
2. Click on "Response and Blocking Pages" tab.
3. Change any Blocking Response Page setting (e.g. XML, Blocking Page Default, etc.).
4. Click Save button.
5. Button remains enabled, thus falsely indicating changes are not being saved.
Impact:
No actual impact as the changed configuration is actually being saved once the Save button was clicked.
Workaround:
Ignore the enabled button, just refresh the page and you will see the changes were actually being saved if you already have clicked the Save button.
Fix:
N/A
Fixed Versions:
15.1.4.1
1039725-2 : Reverse proxy traffic fails when a per-request policy is attached to a virtual server.
Links to More Info: BT1039725
Component: Access Policy Manager
Symptoms:
Reverse proxy or inbound traffic fails during SSL renegotiation when a per-request policy is attached to the virtual server.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to virtual server.
-- Client or backend server initiates SSL renegotiation.
Impact:
Reverse proxy traffic fails during SSL renegotiation.
Workaround:
If renegotiation is not required then it can be disabled on BIG-IP. The client SSL and server SSL profiles have 'Renegotiation' settings. If it is set to disabled, BIG-IP or SSL Orchestrator does not do SSL renegotiation.
Fix:
Reverse proxy or inbound traffic no longer fails during SSL renegotiation when per-req policy is attached to the virtual server.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1039553-2 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors
Links to More Info: BT1039553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The monitor tries to match an HTTP status code other than 200 (for example, 301).
-- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9).
Impact:
The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue in any of the following ways:
-- Use HTTP version 0.9 for the monitor requests.
-- Match on the 200 HTTP status code.
-- Do not use HTTP status matching altogether.
Fix:
GTM HTTP(S) monitors using HTTP version 1.0 or 1.1 can now successfully match status codes other than 200 in the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1039329-1 : MRF per peer mode is not working in vCMP guest.
Links to More Info: BT1039329
Component: Service Provider
Symptoms:
MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur.
When the mode is switched to "per tmm" or "per blade", connections are established.
Conditions:
The peer connection mode in the peer profile is set to "per peer".
Impact:
The "per peer" setting does not work.
Workaround:
Switch the connection mode to "per tmm" or "per blade"
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1039205 : DNSSEC key stored on netHSM fails to generate if the key name length is > 24
Links to More Info: BT1039205
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys are not generated successfully.
Errors in logs similar to:
gtm1 err tmsh[4633]: 01420006:3: Key management library returned bad status: -20, Domain names must be 63 characters or less.
Conditions:
Create DNSSEC key with a name longer than 24:
# tmsh create ltm dns dnssec key DNSSEC_with_long_name_21_ key-type zsk use-fips external
Impact:
DNSSEC keys are not generated successfully.
Fixed Versions:
15.1.5.1, 14.1.4.6
1039145-3 : Tenant mirroring channel disconnects with peer and never reconnects after failover.
Links to More Info: BT1039145
Component: Local Traffic Manager
Symptoms:
`tmctl -d blade ha_stat` shows missing mirroring connections.
Conditions:
This occurs with high availability (HA) pair. This is a VELOS hardware-specific issue.
Impact:
High availability (HA) mirroring does not function correctly.
Workaround:
N/A
Fix:
Fixed high availability (HA) mirroring connections
Fixed Versions:
17.0.0, 15.1.4
1039069-2 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. ★
Links to More Info: BT1039069
Component: Global Traffic Manager (DNS)
Symptoms:
For more information on the specific issues fixed, please refer to:
https://cdn.f5.com/product/bugtracker/ID1010697.html
https://cdn.f5.com/product/bugtracker/ID1037005.html
https://cdn.f5.com/product/bugtracker/ID1038921.html
Please note the only versions 15.1.3.1 and 16.1.0 are affected.
Conditions:
-- Running BIG-IP version 15.1.3.1 or 16.1.0
-- RESOLV::lookup iRule is used
Impact:
Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received.
Workaround:
None
Fix:
-
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1039049 : Installing EHF on particular platforms fails with error "RPM transaction failure"
Links to More Info: BT1039049
Component: TMOS
Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"
-- Errors similar to the following are seen in the liveinstall.log file:
info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2
Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
+ BIG-IP i4600 / i4800
+ BIG-IP i2600 / i2800
+ BIG-IP i850
Impact:
EHF installation fails.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1038913-3 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
Links to More Info: BT1038913
Component: Application Visibility and Reporting
Symptoms:
In GUI "Security ›› Reporting : Application : Charts" filtering "View By" as IP Intelligence "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".
Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000
Impact:
Inaccurate Last Week IPI reporting
Fixed Versions:
16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038753-3 : OAuth Bearer with SSO does not process headers as expected
Links to More Info: K75431121 , BT1038753
Component: Access Policy Manager
Symptoms:
Under certain conditions, OAuth Bearer SSO may forward HTTP headers as-is without the expected processing.
Conditions:
- APM Bearer SSO Configuration
- API Protection Profile
- OAuth token failure
Impact:
HTTP headers are forwarded without the expected processing, potentially leading to passthrough disclosure of request headers.
Workaround:
N/A
Fix:
HTTP headers are now processes as expected.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1038741-3 : NTLM type-1 message triggers "Unparsable request content" violation.
Links to More Info: BT1038741
Component: Application Security Manager
Symptoms:
When internal parameter for "authorization header decode failure" is disabled, Valid NTLM type-1 message will be blocked with "Unparsable request content" violation.
Conditions:
Disable internal parameter ignore_authorization_header_decode_failure
Impact:
Valid NTLM Type-1 message will be blocked by ASM.
Workaround:
Enable internal parameter ignore_authorization_header_decode_failure, ASM will not block the NTLM type-1 message request
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038733-3 : Attack signature not detected for unsupported authorization types.
Links to More Info: BT1038733
Component: Application Security Manager
Symptoms:
ASM does not detect an Unsupported Bearer authorization type that contains header value in base64 format.
Conditions:
HTTP Request containing Bearer Authorization header which
contain a matching signature in base64 encoded format.
Impact:
ASM does not raise a violation and does not block the request.
Workaround:
N/A
Fix:
ASM decodes base64 value in Bearer Authorization header and perform attack signature matching, raises violation and block request if it contains attack.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038669-2 : Antserver keeps restarting.
Links to More Info: BT1038669
Component: SSL Orchestrator
Symptoms:
Antserver keeps restarting, as indicated in /var/log/ecm:
notice ant_server.sh[5898]: starting ant_server on 057caae1e95a11d7ecd1118861fb49f30ce1c22d
notice ant_server.sh[6311]: no ant_server process
notice ant_server.sh[6312]: check: no running ant_server
Conditions:
The Secure Web Gateway is provisioned on i15800 or i15820 platform.
Impact:
User connection will be reset if request or response analytics agent is deployed with per-request policy.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.5
1038629 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
Links to More Info: BT1038629
Component: Local Traffic Manager
Symptoms:
With the DTLS virtual server, when client sends the CLOSE_NOTIFY alert, BIG-IP is simply closing the connection without sending the CLOSE_NOTIFY back to client as well as the backend server. This causes the backend server to not close/shutdown the connection completely.
Conditions:
This issue occurs with all DTLS virtual servers which has associated client-ssl and server-ssl profiles.
Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1038117 : TMM SIGSEGV with BDoS attack signature
Links to More Info: BT1038117
Component: Advanced Firewall Manager
Symptoms:
TMM core dumped with segmentation fault showing the below stack. Sometimes the crash stack might be different possibly due to memory corruption caused by the stale BDoS entries in sPVA temp table.
#0 0x00007fbb0f05fa01 in __pthread_kill (threadid=?, signo=signo@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1 0x0000000001587e86 in signal_handler (signum=11, info=0x400a254018f0, ctx=0x400a254017c0) at ../kern/sys.c:3837
#2 <signal handler called>
#3 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#4 0x000000000156319b in spva_search_temp_table (p_arg=<synthetic pointer>, spva=0x400a25401e70) at ../base/tmm_spva.c:1827
#5 spva_dyentries_ack_nack_response (status=SPVA_STATUS_SUCCESS, spva=0x400a25401e70) at ../base/tmm_spva.c:1872
#6 spva_read (status=SPVA_STATUS_SUCCESS, spva=...) at ../base/tmm_spva.c:1560
Conditions:
BDoS enabled. The Dynamic BDoS signature created, attack detected, and signature is offloaded to hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable BDoS.
Fixed Versions:
17.1.0, 15.1.4
1038057-1 : Unable to add a serverssl profile into a virtual server containing a FIX profile
Links to More Info: BT1038057
Component: Service Provider
Symptoms:
You are unable to configure a virtual server to use server SSL encryption with FIX protocol messages.
Conditions:
This is encountered when serverssl needs to be configured for FIX profiles
Impact:
You are unable to assign a server-ssl profile to the virtual server.
Workaround:
None
Fix:
A serverssl profile can now be combined with a FIX profile.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1037877-2 : OAuth Claim display order incorrect in VPE
Links to More Info: BT1037877
Component: Access Policy Manager
Symptoms:
In the visual policy editor (VPE), it is difficult to re-order custom previously created Claims in the oAuth Authorization agent.
The following error is thrown in the developer tools screen of the client browser:
common.js?m=st&ver=15.1.2.1-0.0.10.0:902 Uncaught TypeError: Cannot read property 'row' of undefined
at Object.common_class.swap (common.js?m=st&ver=15.1.2.1-0.0.10.0:902)
at multipleObjectsSelectionCBDialogue_class.swapEntries (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263)
at HTMLAnchorElement.<anonymous> (multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185)
common_class.swap @ common.js?m=st&ver=15.1.2.1-0.0.10.0:902
multipleObjectsSelectionCBDialogue_class.swapEntries @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:263
(anonymous) @ multipleObjectsSelectionCBDialogue.js?m=st&ver=15.1.2.1-0.0.10.0:185
Conditions:
-- There are at least two claims in Access :: Federation : OAuth Authorization Server : Claim
-- You are attempting to reorder the claims in the visual policy editor
Impact:
It is not possible to re-order the claims
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1037645-1 : TMM may crash under memory pressure when using iRule 'AES::key' command
Links to More Info: BT1037645
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates core file.
Conditions:
-- TMM is under memory pressure
-- iRule using 'AES::key' command
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The system no longer crashes under these conditions.
Fixed Versions:
17.0.0, 15.1.9
1037457-2 : High CPU during specific dos mitigation
Links to More Info: BT1037457
Component: Application Security Manager
Symptoms:
CPU is high.
Conditions:
A dos attack with specific characteristic is active and the policy is configured in a specific way.
Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.
Workaround:
N/A
Fix:
A specific high CPU scenario during dos attacks was fixed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1037265-1 : Improper handling of multiple cookies with the same name.
Links to More Info: K11453402 , BT1037265
Component: Local Traffic Manager
Symptoms:
Multiple cookies with the same name are not handled as expected
Conditions:
Create a Virtual server with an HTTP profile and cookie encryption.
Impact:
BIG-IP will not process multiple cookies with the same name as expected, possibly impacting back-end servers.
Fix:
Multiple cookies with the same name are processed as expected
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1037257 : SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check
Links to More Info: BT1037257
Component: Local Traffic Manager
Symptoms:
In logs the result of Dynamic CRL validation using SSL::verify_result is appearing as 0, which is not correct.
Conditions:
1. Use Dynamic CRL
2. Use a REVOKED certificate
Impact:
Incorrect information that certification validation is successful for a revoked certificate is logged.
Workaround:
Static CRL method of certificate validation can be used.
Fix:
iRule was configured to get certificate validation result.
But it was getting called before validation.
So with fix iRule deferred till validation result is available.
Fixed Versions:
17.1.1, 15.1.10
1036613-1 : Client flow might not get offloaded to PVA in embryonic state
Links to More Info: BT1036613
Component: TMOS
Symptoms:
The client flow is not offloaded in embryonic state, but only is only offloaded once the flow transitions to an established state.
Conditions:
-- FastL4 profile configured to offload TCP connections in embryonic state (this is the default)
-- Clientside and serverside ingress traffic is handled by different TMMs
-- Running on a platform with multiple HSB modules per TMM, i.e.:
--+ BIG-IP i11600 Series
--+ BIG-IP i15600 Series
Impact:
- minor performance degradation;
- PVA traffic counters show unexpectedly high values;
Fix:
Client flow is now offloaded in embryonic state (unless configured otherwise).
Fixed Versions:
17.1.0, 15.1.5.1
1036521-3 : TMM crash in certain cases
Links to More Info: BT1036521
Component: Application Security Manager
Symptoms:
TMM crash in certain case when dosl7 is attached
Conditions:
TMM is configured with dosl7
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1036305-4 : "Mandatory request body is missing" violation in staging but request is unexpectedly blocked
Links to More Info: BT1036305
Component: Application Security Manager
Symptoms:
Request is blocked on a staged URL for the violation "Mandatory request body is missing".
Conditions:
- "Mandatory request body is missing" violation is set for blocking
- The URL is in staging
- "Mandatory request body is missing" is enabled on the URL
Impact:
Requests are blocked unexpectedly
Workaround:
None
Fix:
This defect is closely related to ID1036305 and both defects are fixed together
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
1036169-3 : VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500".
Links to More Info: BT1036169
Component: Local Traffic Manager
Symptoms:
Guestagentd will log the message "Exit flags for PID <PID>:0x500" in guest ltm log, if vcmp host rsync server current active connection is more than 4.
Conditions:
-- vCMP guest.
-- Rsync transfer frequency is 10 seconds between vCMP guest to vCMP host.
-- more than 4 vCMP guests.
Impact:
Guest LTM logs fill with "Exit flags for PID <PID>: 0x500".
Workaround:
N/A
Fix:
A software version that conmtains this fix needs to be installed and running on the vCMP host. The vCMP guest software version doesn't matter in the context of this issue.
The changes below will need to be carried out on vCMP host only, and the final step is service affecting, restarting the vCMP guests.
To set the rsync connection limit to highest number of guests that blade supports, and so avoid issue of this bug:
tmsh modify sys db vcmp.dynamic_rsync_conn_allowed value true
(from bash shell)
To change back to original default rsync connection limit of four:
tmsh modify sys db vcmp.dynamic_rsync_conn_allowed value false
The next step is service affecting, and will restart the vCMP guests. If possible failover guests to peers on another vCMP host before carrying out this step. clsh should be used on multi-blade chassis.
Restart vcmpd by running 'clsh bigstart restart vcmpd'
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1036057-2 : Add support for line folding in multipart parser.
Links to More Info: BT1036057
Component: Application Security Manager
Symptoms:
RFC 2616 allowed HTTP header field values to be extended over multiple lines by preceding each extra line with at least one space or horizontal tab. This was then deprecated by RFC 7230.
The multipart parser of ASM does not support the multiple line header, so these requests cause false positives.
Conditions:
Multiline header in multipart request
Impact:
False positives.
Workaround:
None
Fix:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Behavior Change:
Introduced a new ASM internal parameter: multipart_allow_multiline_header
Note: default value is 0 (disabled)
Note: enabling/disabling the feature requires asm restart that triggers the unit going offline for a short time period. If the unit is a part of a high availability (HA) cluster, failover to the other unit will occur. If it is a standalone unit, traffic disruption until the unit comes back to online.
- Enable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 1
# bigstart restart asm
- Disable multiline header support
# /usr/share/ts/bin/add_del_internal add multipart_allow_multiline_header 0
# bigstart restart asm
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1035853-3 : Transparent DNS Cache can consume excessive resources.
Links to More Info: K41415626 , BT1035853
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.
Conditions:
- The BIG-IP system is licensed for DNS Services
- Transparent DNS Cache is configured on a virtual server
Impact:
Excessive resource consumption, which can lead to increased server-side load.
Workaround:
N/A
Fix:
The Transparent DNS Cache now consumes resources as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1035361-2 : Illegal cross-origin after successful CAPTCHA
Links to More Info: BT1035361
Component: Application Security Manager
Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
Fix:
Fixing origin header offset in reconstruct challenge request.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1035133-3 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
Links to More Info: BT1035133
Component: Application Visibility and Reporting
Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.
Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log
Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high
Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information
Workaround:
None
Fix:
Fixed an issue with missing statistics.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1035121-3 : Configsync syncs the node's monitor status
Links to More Info: K94850939 , BT1035121
Component: TMOS
Symptoms:
After config sync, nodes may be marked marked down when they are up, even if the monitor determines that the node is up.
The logs will show something similar to :
notice mcpd[8091]: 010714a0:5: Sync of device group /Common/device_trust_group to commit id 1 6986973310536375596 /Common/xxxxxxxx 1 from device /Common/yyyyyyyy
notice mcpd[8091]: 01070640:5: Node /Common/node1 address 10.10.100.1 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
notice mcpd[8091]: 01070640:5: Node /Common/node2 address 10.10.100.2 monitor status down. [ /Common/icmp: up ] [ was up for 0hr:3mins:15sec ]
The node/pool member/pool/virtual server will be marked down.
Checking the actual monitor it will be up, tcpdump will show successful monitor transactions.
Conditions:
1. Two or more devices in a sync/failover device group
2. The config sync from-device has marked nodes down
3. A config sync occurs
This can occur on both incremental and full config sync.
Impact:
The node's monitor status is synced to the peer device. If the from-device's monitor was unable to reach the nodes and was marking the nodes as DOWN, then the node status will be set to DOWN on the other device, even if the monitor is successfully connecting to the node. This can cause a traffic disruption.
Note: the opposite can occur, where a "node up" status is sent to a device whose monitor is failing to connect to the nodes due to a network issue.
Workaround:
If a device is in this state, you can work around this issue by doing one of the following:
-- Save and reload the configuration on the device with the bad state
tmsh save sys config && tmsh load sys config
-- Perform a full-load sync from the peer device to the affected device:
(On the peer) tmsh run cm config-sync force-full-load-push to-group group-name
Fix:
Node monitor statuses are not synced between devices.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1034941-2 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly
Links to More Info: BT1034941
Component: Application Security Manager
Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.
Conditions:
Corner case, when the second import_url value is null
Impact:
The import_url field is set as N/A for all files, except for the first one
Workaround:
None
Fix:
Fixed incorrect XML export when we've multiple import_url in content-profile
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034589-2 : No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.
Links to More Info: BT1034589
Component: TMOS
Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.
As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).
The lack of warning about this automatic change could lead to confusion.
Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.
Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.
Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034365-2 : DTLS handshake fails with DTLS1.2 client version
Links to More Info: BT1034365
Component: Local Traffic Manager
Symptoms:
DTLS handshake will be unsuccessful when client initiates a handshake with BIG-IP with DTLS1.2 version
Conditions:
When there is a DTLS client which supports both DTLS 1.0 and DTLS 1.2, then this problem could occur.
Impact:
DTLS handshakes can fail.
Workaround:
If possible, force the client to use only DTLS 1.0 in the client hello negotiation.
Fixed Versions:
15.1.5, 14.1.4.5, 13.1.5
1034329-2 : SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com
Links to More Info: BT1034329
Component: TMOS
Symptoms:
SHA-512 checksums for BIG-IP Virtual Edition images are not available on downloads.f5.com.
Conditions:
You wish to perform a SHA-512 validation of the BIG-IP Virtual Edition images.
Impact:
Cannot download the SHA-512 checksum for checksums for BIG-IP Virtual Edition images.
Workaround:
None
Fix:
Added SHA-512 checksum for ISOs and BIG-IP Virtual Edition images to downloads.f5.com.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1034217-1 : Quic_update_rtt can leave ack_delay uninitialized.
Links to More Info: BT1034217
Component: Local Traffic Manager
Symptoms:
Retransmission times become very long if there is packet loss near the beginning of the connection.
Conditions:
-- Basic QUIC configuration.
-- The first couple of packets in the connection reaches an uninitialized variable path before the connection reaches the ESTABLISHED state.
Impact:
Uninitialized ack_delay variable could be any value and cause RTT measurements to be unusually large. That could cause retransmission times to be very long if there is packet loss near the beginning of the connection.
Workaround:
N/A
Fix:
Reusing existing ack-delay variable fixes the issue.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1034041-1 : Microsoft Intune Azure AD Graph cannot cannot migrate to Microsoft Graph.
Links to More Info: BT1034041
Component: Access Policy Manager
Symptoms:
APM cannot connect to Intune if Microsoft Graph permissions are not set on the Intune Server.
Conditions:
1. Microsoft Intune is configured.
2. Azure AD Graph permission set in Intune.
Impact:
APM cannot connect to Intune thus fails with Connection error.
Workaround:
N/A
Fix:
APM can now connect to Intune when Microsoft Graph permissions are updated in the Intune server.
Fixed Versions:
17.0.0, 15.1.7
1033837-2 : REST authentication tokens persist on reboot ★
Links to More Info: K23605346 , BT1033837
Component: TMOS
Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.
Conditions:
-- REST authentication token in use
-- BIG-IP restarts
Impact:
REST authentication tokens are not invalidated at boot.
Workaround:
None
Fix:
REST authentication tokens are invalidated at boot. Additionally, a new db variable is introduced: httpd.matchclient which is used to validate that the IP address of the creator of the token is the only valid user of that token.
Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033829-1 : Unable to load Traffic Classification package
Links to More Info: BT1033829
Component: Traffic Classification Engine
Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.
Conditions:
This type of behavior is observed when the system is configured as follows,
1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade
Impact:
The latest Traffic Classification IM package fails to load.
Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.
Fix:
The traffic classification package now loads successfully.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1033017-4 : Policy changes learning mode to automatic after upload and sync
Links to More Info: BT1033017
Component: Application Security Manager
Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.
Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.
Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.
Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.
Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.
Fix:
The sync operation no longer attempts to keep the learning flags enabled on the receiving device.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1032949 : Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate.
Links to More Info: BT1032949
Component: TMOS
Symptoms:
When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.
Conditions:
Clientssl profile configured with the following:
1. Dynamic CRL
2. Client Authentication enabled with "Request" option
Impact:
SSL handshake fails
Workaround:
Workaround 1:
Use Static CRL
Workaround2:
Use Client authentication with either "Require" or "Ignore"
Workaround3:
Disable TLS1.2 and below versions in the Client SSL profile.
Which means allow only TLS1.3 traffic.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1032821-5 : Syslog: invalid level/facility from /usr/libexec/smart_parse.pl
Links to More Info: BT1032821
Component: TMOS
Symptoms:
When the smart_parse.pl script is run and finds a disk error, it attempts to log an error with an incorrect syslog level.
Conditions:
Run smart_parse.pl on a BIG-IP platform with a disk error.
Impact:
When this script is run (usually as a cron job) the following message occurs:
syslog: invalid level/facility: error at /etc/cron.daily/pendsect line 194.
Workaround:
None.
Fix:
Smart_parse.pl now logs errors at the correct level 'err'.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1032797-2 : Tmm continuously cores when parsing custom category URLs
Links to More Info: BT1032797
Component: SSL Orchestrator
Symptoms:
Tmm crashes when trying to parse more than 256 custom category URLs.
Conditions:
-- More than 256 URLs defined in custom url-category.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes and it can parse more than 256 custom category URLs.
Fixed Versions:
17.0.0, 16.1.2, 15.1.5
1032761 : HA mirroring may not function correctly.
Links to More Info: BT1032761
Component: TMOS
Symptoms:
-- High availability (HA) mirroring might not function correctly.
-- Health monitors might fail intermittently (though this symptom is not always seen).
-- Application response latency might increase slightly.
-- Running 'tmctl -d blade tmm/sdaglib_hash_table' on the BIG-IP tenant shows a different sequence of values in the hash table when compared to the output of "show dag-states" in the F5OS Partition CLI. (Though the former renders the values using zero-based indexing, while the latter uses one-based indexing.)
Conditions:
-- VELOS chassis in use.
-- High availability (HA) pair is formed using BIG-IP tenants.
-- 'tmsh list cm device mirror-ip' shows a mirror-ip set for each BIG-IP.
-- sys db statemirror.clustermirroring is set to 'between'.
Impact:
High availability (HA) mirroring might not function correctly.
Degraded application traffic.
Workaround:
None.
To recover, set sys db statemirror.clustermirroring to 'within' and restart tmm on all slots of the affected tenant.
Fix:
Fixed high availability (HA) mirroring.
Fixed Versions:
17.1.0, 15.1.4
1032737-1 : IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate
Links to More Info: BT1032737
Component: TMOS
Symptoms:
Tmm crashes while passing IPsec traffic
Conditions:
Wildcard selectors are used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Avoid the core dump by adding checks.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1032689-3 : UlrCat Custom db feedlist does not work for some URLs
Links to More Info: BT1032689
Component: Traffic Classification Engine
Symptoms:
The first URL getting normalized is not classified.
Conditions:
The URL contains caps or 'www' is not getting categorized in few cases.
Impact:
The 'custom' category is not displayed for all the apps available in the feedlist file.
Workaround:
None
Fix:
Starting normalized lines with \n.
Fixed Versions:
16.1.2, 15.1.4.1, 14.1.4.5
1032329 : A user with low privileges cannot open the Rule List editor.
Links to More Info: BT1032329
Component: Advanced Firewall Manager
Symptoms:
When a low privilege user attempts to access the Rule List editor page, they receive the error message "General database error retrieving information."
Conditions:
Attempting to access the Rule List editor as a user with a lower privilege, for example Firewall Manager.
Impact:
You cannot see the details of the Rule List via UI/tmsh
Workaround:
Use TMSH to view Rule List details
Fixed Versions:
16.1.5, 15.1.4.1
1032257-2 : Forwarded PVA offload requests fail on platforms with multiple PDE/TMM
Links to More Info: BT1032257
Component: TMOS
Symptoms:
Forwarded PVA requests use a static bigip_connection that does not have its pva_pde_info initialized, which results in offload failure on platforms that have multiple PDEs per TMM.
Conditions:
Pva_pde_info is not initialized and Forwarded PVA requests occur.
Impact:
Hardware offload does not occur.
Fixed Versions:
17.1.0, 15.1.5.1
1032077-2 : TACACS authentication fails with tac_author_read: short author body
Links to More Info: BT1032077
Component: TMOS
Symptoms:
If a TACACS user is part of a group with 10s of attribute value pairs (AVPs) were the length of all the avp's combined is such that the authorization reply message from the TACACS server is segmented, the login will fail.
The error message that is logged when the login fails is
"tac_author_read: short author body, 4468 of 6920: Operation now in progress" Where the numbers 4468 and 6920 will vary.
Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater then the largest TCP segment the TACACS server is able to send.
Impact:
User is unable to login.
Workaround:
If possible, reduce the number of attributes of the TACACS group or user.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032001-1 : Statemirror address can be configured on management network or clusterd restarting
Links to More Info: BT1032001
Component: TMOS
Symptoms:
- Able to create statemirror address on the same network as management or cluster network.
- Validation issues when attempting to remove a management address.
- Clusterd process restarts constantly.
Conditions:
- Management/cluster address set up with IPv6 and statemirror address is configured with IPv4.
Impact:
- Unable to make configuration changes to the management or cluster address until the statemirror address is removed.
- Clusterd process restarts constantly causing the blade or cluster to report as offline.
Fixed Versions:
15.1.3.1
1031909-1 : NAT policies page unusable due to the page load time
Links to More Info: BT1031909
Component: Advanced Firewall Manager
Symptoms:
You cannot work with the NAT polices page because the page takes too long to load.
Conditions:
-- The device has a large number of VLANs and virtual servers
-- The device has a large number of NAT policies and partitions
-- From GUI navigate to the NAT policies page
Impact:
NAT policies page takes a long time to load.
Fix:
With given sescenario page is loading and showing up policies
Fixed Versions:
15.1.4.1
1031901-1 : In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked
Links to More Info: BT1031901
Component: Local Traffic Manager
Symptoms:
When request from client is forwarded to server which is in CLOSING state due to server sent GOAWAY but not yet close the connection, request will be failed to be forwarded to server and RST_STREAM will be sent to client
Conditions:
-- Virtual Server with HTTP2 profile
-- There is an open connection from BIG-IP to the server.
-- The server sends a GOAWAY message to the BIG-IP and the connection is kept open.
-- The client sends a request to BIG-IP, BIG-IP picks the connection mentioned above to forward the request to
Impact:
Traffic from the specific client is interrupted
Workaround:
N/A
Fix:
In HTTP2 deployment, RST_STREAM is no longer sent to client if server in CLOSING state is picked
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1031609 : Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package. ★
Links to More Info: BT1031609
Component: Local Traffic Manager
Symptoms:
Formerly Thales now nShield/Entrust has changed the directory structure of their client package and also added new libraries. Due to this change, install script will be incompatible with v12.60.10 onwards.
Conditions:
Upgrading to PKCS11 client package v12.60.10.
Impact:
The installation script will fail while extracting the package.
Workaround:
N/A
Fix:
Extracted all the tarballs in the target directory to resolve the issue.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1031425-2 : Provide a configuration flag to disable BGP peer-id check.
Links to More Info: BT1031425
Component: TMOS
Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.
Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.
Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID
Workaround:
Change peer-ids to be unique on eBGP peers.
Fix:
New, neighbor-specific, af-specific configuration option is provided to allow routes to be passed to external peers sharing the same router-id. The check is done on egress, so the configuration should be changed towards the peer that is supposed to receive a route.
router bgp 100
bgp graceful-restart restart-time 120
neighbor as200 peer-group
neighbor as200 remote-as 200
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 peer-group as200
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 peer-group as200
neighbor 172.20.10.18 disable-peerid-check
!
address-family ipv6
neighbor as200 activate
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 activate
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 activate
neighbor 172.20.10.18 disable-peerid-check
exit-address-family
When configured on a single neighbor it will cause session to be re-established.
When configured on a peer-group a manual session restart is required for changes to take effect.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030853-2 : Route domain IP exception is being treated as trusted (for learning) after being deleted
Links to More Info: BT1030853
Component: Application Security Manager
Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.
Conditions:
Creating and deleting a route domain-specific IP exception
Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.
Workaround:
Stop and restart learning for the relevant policy
Fix:
When a route domain IP Exception configured for trusted learning is deleted, the upcoming suggestions scores will be calculated correctly without considering the deleted IP trusted.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1030845-2 : Time change from TMSH not logged in /var/log/audit.
Links to More Info: BT1030845
Component: TMOS
Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit.
Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.
Impact:
The time change is not logged to the audit log.
Workaround:
N/A
Fix:
Time changes are now logged to the audit log.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1030645-3 : BGP session resets during traffic-group failover
Links to More Info: BT1030645
Component: TMOS
Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:
BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change
Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.
Impact:
BGP session goes down during traffic-group failover.
Fix:
Soft clear is performed instead.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030533-2 : The BIG-IP system may reject valid HTTP responses from OCSP servers.
Links to More Info: BT1030533
Component: Local Traffic Manager
Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).
If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:
Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.
Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).
Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.
Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.
Otherwise, no workaround exists.
Fix:
Valid HTTP responses from OCSP servers are not longer rejected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1030185-3 : TMM may crash when looking up a persistence record using "persist lookup" iRule commands
Links to More Info: BT1030185
Component: Local Traffic Manager
Symptoms:
Tmm may crash with a SIGSEGV when looking up a persistence record in an iRule when using the "any" flag
Conditions:
-- The persistence entry exists on a virtual server other than the virtual server the iRule is configured on.
-- The iRule contains [persist lookup source_addr "[IP::client_addr] any"]
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Discontinue the use of the "any" flag in the persist lookup iRule.
Fix:
TMM no longer crashes
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1030133-3 : BD core on XML out of memory
Links to More Info: BT1030133
Component: Application Security Manager
Symptoms:
Missing error handling in lib xml parser.
Conditions:
XML parser going out of memory.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029989-2 : CORS : default port of origin header is set 80, even when the protocol in the header is https
Links to More Info: BT1029989
Component: Application Security Manager
Symptoms:
Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field.
This causes unexpected "Illegal cross-origin request" violation.
Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the schema
- The Origin header value does not specify non default port number
Impact:
Unexpected "Illegal cross-origin request" violation.
Workaround:
Allow port 80 or use 'any' for the given origin name.
Fix:
When schema in the header is https, considers port 443 instead of 80.
Fixed Versions:
16.1.4, 15.1.10
1029897-2 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.
Links to More Info: K63312282 , BT1029897
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.
Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)
Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, This could result in unauthorized data injection in HTTP requests. When the affected virtual server is configured with the OneConnect profile, a malicious actor might be able to impact the responses sent to a different client.
Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.
Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1029869-3 : Use of ha-sync script may cause gossip communications to fail
Links to More Info: BT1029869
Component: SSL Orchestrator
Symptoms:
Using the ha-sync script on platforms in a sync-failover device group may cause gossip communications to fail.
Conditions:
This issue occurs after using the ha-sync script on devices that are in a sync-failover device-group.
Impact:
When the gossip communications fail, SSL Orchestrator will be unable to communicate iAppLX configuration from one device to the other. This can lead to deployment failures upon redeployment of SSL Orchestrator topologies.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1029689-3 : Incosnsitent username "SYSTEM" in Audit Log
Links to More Info: BT1029689
Component: Application Security Manager
Symptoms:
The Security Policy Auto Log in ASM displays the system component that triggered the event. The component name is sometimes shown as 'SYSTEM', other times shown as 'System'
Conditions:
The value is "SYSTEM" when Apply Policy was initiated locally.
The value is "System" when Apply Policy was initiated by the peer unit
Impact:
Component name inconsistency causing confusion
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1029585-3 : Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync
Links to More Info: BT1029585
Component: SSL Orchestrator
Symptoms:
Following the use of the ha-sync script on platforms in a sync-failover device group to become out of sync.
Conditions:
This can occur following the use of the ha-sync script.
Impact:
Both platforms in the sync-failover device group to fall out of sync. Forcing the admin to perform a device-group sync operation.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1029397-1 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1029397
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.
Conditions:
--- SIP-ALG is deployed
--- Processing of SIP REGISTER message at server side
--- lsn DB entry is mapped to a different tmm
Impact:
Traffic disrupted while tmm restarts
Workaround:
NA
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1029357 : Performance drop during traffic test on VIPRION (B2250, C2400) platforms
Links to More Info: BT1029357
Component: Local Traffic Manager
Symptoms:
Huge TPS performance drop in Compression, L4, L7, Ramcache, SSL
Conditions:
TPS performance drop observed in VIPRION (B2250, C2400) with each of the following individual profiles with various file size(transactions):
1) httpcompression profile
2) FastL4
3) FastHTTP
4) HTTP with OneConnect, Web acceleration
5) TLS1.2 AES128-SHA
Impact:
Slowness in user response due to low TPS
Workaround:
None
Fix:
Make tmm's Daglib wrapper correctly handle hsb's edag versions
Fixed Versions:
15.1.4
1029105 : Hardware SYN cookie mode state change logs bogus virtual server address
Links to More Info: BT1029105
Component: TMOS
Symptoms:
When a virtual server enters or exits hardware SYN cookie mode, a bogus IP address is logged in /var/log/ltm. For example:
Syncookie HW mode activated, server name = /Common/vs server IP = 0.0.0.3:0
Conditions:
A virtual server enters or exits hardware SYN cookie mode.
Impact:
Only the logging information is wrong, the hardware SYN cookie mode functions correctly.
Workaround:
None
Fix:
TMM now logs the correct IP address of the virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4
1028473-2 : URL sent with trailing slash might not be matched in ASM policy
Links to More Info: BT1028473
Component: Application Security Manager
Symptoms:
Request sent to a specific URL with added trailing slash may not be handled according to expected policy.
Conditions:
-- Request is sent with URL containing trailing slash.
-- Security policy contains the same URL, but without slash.
Impact:
URL enforcement is not done according to expected rules.
Workaround:
Add configuration for same URL with added trailing slash.
Fix:
URL with trailing slash is now handled as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1028269-1 : Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id.
Links to More Info: BT1028269
Component: Carrier-Grade NAT
Symptoms:
On a BIG-IP device configured with CGNAT + subscriber discovery license, the LSN log shows "unknown" for the pem_subscriber-id field.
Conditions:
-- PEM and CGNAT enabled
-- RADIUS and CGNAT traffic are in different route domains
Impact:
LSN log shows "unknown" for the pem_subscriber-id field.
Workaround:
N/A
Fix:
Subscriber-id now shows correctly in the LSN log after it is added with CGNAT provisioned check in subscriber-discovery.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1028081 : [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page
Links to More Info: BT1028081
Component: Access Policy Manager
Symptoms:
1. Users connecting with F5 Access from an Android device see string "function () {[native code]}" in the Logon Page Form 'Username' field.
2. This issue only affects the F5 Access embedded browser. It works fine when connecting from the same Android device using Chrome. F5 Access from iOS is also working fine.
Conditions:
Configure an access policy with modern customization that includes a Logon Page.
Impact:
The string "function () {[native code]}" appears in the Logon Page Form 'Username' field.
Workaround:
This solution is temporal as changes are lost after an upgrade.
steps:
1) create a copy of the original "main.js" file
# cp /var/sam/www/webtop/public/include/js/modern/main.js /var/sam/www/webtop/public/include/js/modern/main.js.origin
2) edit the file using an editor (e.g., vi).
# vi /var/sam/www/webtop/public/include/js/modern/main.js
modify
window.externalAndroidWebHost.getWebLogonUserName to window.externalAndroidWebHost.getWebLogonUserName()
and
window.externalAndroidWebHost.getWebLogonPassword to window.externalAndroidWebHost.getWebLogonPassword()
3) Restart BIG-IP
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1027805-3 : DHCP flows crossing route-domain boundaries might fail.
Links to More Info: BT1027805
Component: Local Traffic Manager
Symptoms:
DHCP flows crossing route-domain boundaries might fail.
Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1
Impact:
The second and subsequent DHCP clients requests will not be forwarded to the DHCP pool members.
Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1027713 : SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment.
Links to More Info: BT1027713
Component: TMOS
Symptoms:
SELinux violations occur on vCMP guest during its deployment.
Conditions:
This occurs during vCMP guest deployment.
Impact:
An SELinux error is logged. If it occurs during vCMP guest deployment, it can be safely ignored.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
15.1.4.1
1027657-3 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
Links to More Info: BT1027657
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent monitor intervals for resource monitoring.
Conditions:
"require M from N" monitor rules configured.
Impact:
Monitor status flapping.
Workaround:
Do not use "require M from N" monitor rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1027637 : System controller failover may cause dropped requests
Links to More Info: BT1027637
Component: TMOS
Symptoms:
A system controller failover may cause dropped requests to a change in the CMP hash algorithm.
Conditions:
1. The system controller fails over
2. The CMP hash algorithm changes
Impact:
Incorrect CMP hash settings
Workaround:
Change the CMP hash to another setting and back
Fix:
Fixed dropped requests to change CMP hash algorithm after a system controller failover
Fixed Versions:
17.1.0, 15.1.4
1027217 : Script errors in Network Access window using browser.
Links to More Info: BT1027217
Component: Access Policy Manager
Symptoms:
1. Users may receive JavaScript errors in their browser when starting Network Access resources.
2. User resources may fail to display when accessing a Full webtop.
3. When logging out, users may be redirected to https://apm-virtual-server/vdesk/undefined and get a blank page
4. Logon Page from SWG Policies may fail to display inside a browser.
Conditions:
The issue can be observed with at least one of these conditions.
1. Accessing APM virtual server using a browser.
2. Accessing APM resources via a Full webtop.
3. Starting APM resources via a Full webtop.
4. Accessing Logon Page in SWG deployment.
Impact:
1. Users cannot start Network Access resources.
2. Users are unable to logout properly from full webtop.
3. Logon page is not rendered and users will not be able to access resources.
Workaround:
1. Log into BIG-IP.
2. mount -o remount,rw /usr/.
3. Add "response_chunking 2" to _tmm_apm_portal_http in "/usr/lib/tmm/tmm_base.tcl" Example:
profile http _tmm_apm_portal_http {
max_header_size 32768
max_header_count 64
known_methods "CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK"
response_chunking 2
}
4. Restart tmm once the above param is added.
5. Garbage values in JavaScript aren't inserted after this change.
6. Remount the /usr directory as read-only.
mount -o remount,ro /usr/
-------------------------
Note: If you have configured your device to add this file to a UCS and you upgrade to a version where this bug is fixed then tmm may fail to start.
Fix:
The logon page now renders correctly, resources are properly displayed on the webtop, you can start resources without JavaScript errors, and you no longer receive blank pages when logging out.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1026873-5 : CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets
1026605-4 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Links to More Info: BT1026605
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain
Fix:
The Bigd interface index is now calculated properly
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1026549-3 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
Links to More Info: BT1026549
Component: TMOS
Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.
Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.
Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.
There may be other as-yet unknown impacts for this issue.
Workaround:
Use a different VE driver than one of the ones listed above.
Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1026005-2 : BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms.
Links to More Info: BT1026005
Component: Local Traffic Manager
Symptoms:
The ordering of NICs 5-10 in VMware ESXi is based on PCI coordinates for the first boot and the order is ensured based on the /etc/ethmap script written by the kernel during initialization. BIG-IP VE does not follow/maintain the NIC order defined in the VMware ESXi hypervisor.
Conditions:
Using 5-10 interfaces, swap/remove/add an interface at the hypervisor level.
Impact:
When using 5-10 NICs in VMware ESXi and NSXT platforms, automation is prohibited due to BIG-IP VE not maintaining the NIC order defined in the hypervisor.
Workaround:
None
Fix:
Enabled BIG-IP VE scripts to honor the NIC order defined by the user in the VMware ESXi hypervisor and NSXT platforms.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1025529-1 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent
Links to More Info: BT1025529
Component: Service Provider
Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.
Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.
Fix:
iRule creation does not cause any TMM core.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
1025497-2 : BIG-IP may accept and forward invalid DNS responses
Links to More Info: BT1025497
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP may forward invalid DNS responses to a client if the DNS server provides an invalid response.
Conditions:
BIG-IP configured as a proxy for a misbehaving backend DNS server.
Impact:
Invalid DNS responses are forwarded to client.
Fix:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.
When the DB variable 'dns.responsematching' is enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
Behavior Change:
The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses.
When the DB variable 'dns.responsematching' is set to enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1025261-2 : Restjavad uses more resident memory in control plane after software upgrade
Links to More Info: BT1025261
Component: TMOS
Symptoms:
The restjavad process immediately reserves more memory and the process size (as shown by RSS) increases as the starting heap size has been made to be the same as maximum heap size for performance reasons.
(Note the process name displays as 'java', but there are multiple independent Java processes on the system. The parent process of restjavad is 'runsv restjavad', and the command line arguments may have 'logging' in them.)
For restjavad with the default size, the increase is usually 200 MB-300 MB.
The increase is particularly apparent where restjavad.useextramb is set to the value 'true' and provision.extramb is set to a high value but restjavad had not required that much extra memory previously.
Conditions:
After upgrading to a BIG-IP software version with the fix for ID 776393 ( https://cdn.f5.com/product/bugtracker/ID776393.html ), where more memory has been allocated for restjavad.
Impact:
The memory Resident Set Size (RSS) of the restjavad process will be larger than needed, possibly constricting other processes in the control plane.
Workaround:
If restjavad.useextramb is set to value true you may find that if only a small amount of extra restjavad memory was required (~192 MB or less extra) that it can be set to false.
This is because the default size of restjavad has increased by 192 MB to 384MB.
Restart restjavad after the change.
Fix:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
It takes effect only if sys db restjavad.useextramb is true. It can be used to set restjavad heap size both above and below the default heap size of 384 MB.
Note: Since the introduction of ID 1153865 (from v15.1.9, v16.1.4, v17.1.0) restjavad.useextramb is removed and provision.restjavad.extramb is set automatically on upgrade based on existing settings to a value that should be sensible. Now, only provision.restjavad.extramb is used to set restjavad heap size within constraints set by provision.extramb.
Behavior Change:
A new sys DB variable, provision.restjavad.extramb has been introduced to allow finer-grained control of restjavad memory.
The variable is particularly useful when you need restjavad to be slightly bigger and also need a much larger provision.extramb without most of that being taken by restjavad.
Since the introduction of ID 1153865 (from v15.1.9, v16.1.4, v17.1.0) restjavad.useextramb is removed and provision.restjavad.extramb is set automatically on upgrade based on existing settings to a value that should be sensible. The information below is for upgrades to the few interim versions where current behaviour didn't apply.
For the variable to take effect, sys db restjavad.useextramb must be set to 'true'; otherwise, default memory values are used.
The variable sets the heap size, and defaults to and has a minimum value of 192 MB.
If the value of provision.restjavad.extramb is set above a certain cap value, the heap size will be set to the cap value. In this release, the cap value 384 MB + 80% of provision.extramb.
So with restjavad.useextramb set to 'true', you can set the restjavad heap size from 192 MB to 384 MB + 80% of provision.extramb using the provision.restjavad.extramb variable.
After changing value of provision.restjavad.extramb, restart restjavad to enable the change in memory size:
bigstart restart restjavad
Or on multi-blade systems:
clsh bigstart restart restjavad
If using a sys db restjavad.useextramb value of true and needing to restore your previous restjavad memory setting ( based on maximum heap size) please look at advice below.
Before upgrade - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSLO systems would typically need a higher amount towards the maximum.
Example 1: If provision.restjavad was 1000 MB on previous version, the possible range of restjavad heap size would have been between (20% of 1000 + 192) = 392 MB and (80% of 1000 + 192) = 992 MB.
Example 2: If provision.extramb was 4000 MB, the possible range would be between (20 % of 2500 + 192) = 692 MB and (80% of 2500 + 192) = 2192 MB.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
Example 3: If provision.extramb was 500 MB, the restjavad heap size on the previous version would have been 80% of 500 + 384 = 784 MB.
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Example 4: If provision.extramb was 2000 MB, the restjavad heap size on the previous version would have been 90% of 2000 + 384 = 2184 MB.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1024877-2 : Systemd[]: systemd-ask-password-serial.service failed.
Links to More Info: BT1024877
Component: TMOS
Symptoms:
After doing PXE installation with BIG-IP iso, you encounter an error in the dmesg log:
systemd-ask-password-serial.service failed
Conditions:
This occurs after performing a PXE install.
Impact:
This log message is cosmetic and can be safely ignored.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
1024853 : Platform Agent logs to ERROR severity on success
Links to More Info: BT1024853
Component: TMOS
Symptoms:
Platform Agent logs all messages at the ERROR level during tenant key processing.
Conditions:
This occurs during normal startup of the BIG-IP tenant.
Impact:
Logs that should be logged at the NOTICE or INFO level are actually logged at the ERROR level.
Workaround:
None
Fix:
Fixed the Platform Agent log levels.
Fixed Versions:
15.1.4
1024841-1 : SSL connection mirroring with ocsp connection failure on standby
Links to More Info: BT1024841
Component: Local Traffic Manager
Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.
Conditions:
SSL connection mirroring with ocsp stapling
Impact:
Handshake delay on active
Workaround:
Disable ocsp stapling or ssl connection mirroring
Fix:
SSL connection mirroring handshake with ocsp stapling completes normally.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1024761-3 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body
Links to More Info: BT1024761
Component: Local Traffic Manager
Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.
Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.
Impact:
HTTP clients are unable to connect.
Workaround:
Remove the rewrite profile.
Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1024661-2 : SCTP forwarding flows based on VTAG for bigproto
Links to More Info: BT1024661
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flow creation on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024621-3 : Re-establishing BFD session might take longer than expected.
Links to More Info: BT1024621
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.
Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1024553-2 : GTM Pool member set to monitor type "none" results in big3d: timed out
Links to More Info: BT1024553
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member is marked down with a 'none' type monitor attached.
Conditions:
-- GTM pool member with a 'none' monitor configured
Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.
Workaround:
NA.
Fixed Versions:
15.1.5, 14.1.4.5, 13.1.5
1024437-3 : Urldb index building fails to open index temp file
Links to More Info: BT1024437
Component: Access Policy Manager
Symptoms:
The following error message shows up in /var/log/urldbmgr-trace.log:
THREAD: 2CDD4700; ERROR; WsFileOpen: Could not open file /var/urldb/staging/current/host.6417.byte.dat.003
THREAD: 2CDD4700; ERROR; WsIndexBuilderOpenFile: Failed to open index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7OpenFile: Failed to open Host index file /var/urldb/staging/current/host.6417.byte.dat.003.
THREAD: 2CDD4700; ERROR; WsHostIndexV7BuildProcessTempFiles: Failed to open host index temp file
As a result of this error, some requested URL category lookups return "Uncategorized".
Conditions:
The error can happen during index building after a new primary URLDB is downloaded.
Impact:
Some websites are categorized as "Uncategorized"
Workaround:
1) Stop urldbmgrd:
bigstart stop urldb urldbmgrd
2) Delete databases:
rm -rf /var/urldb/master/
rm -rf /var/urldb/rtu/
3) Start urldbmgrd:
bigstart start urldb urldbmgrd
4) Force database download:
- tmsh command: "modify sys url-db download-schedule urldb download-now true", or
- Admin GUI: Access >> Secure Web Gateway >> Database Settings >> Database Download >> Download Now
Databases will re-download and index.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.9
1024421-1 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Links to More Info: BT1024421
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
Fix:
Modified the "Pva.Standby.Flush" DB key to take two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.
The values of this DB key are now:
-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)
Behavior Change:
The DB variable Pva.Standby.Flush accepts two new values ("2" and "3"). This DB key defines actions that the system takes when a traffic-group goes standby.
The values of this DB key are now:
-- 0: do nothing (the default)
-- 1: evict all ePVA accelerated flows for all traffic-groups
-- 2: inform the ePVA to stop processing traffic destined for the MAC masquerade address for this traffic-group
-- 3: perform both of the above actions (evict all ePVA accelerated flows, and inform the ePVA to stop processing traffic for the MAC masquerade address)
Fixed Versions:
17.1.0, 15.1.3.1
1024241-2 : Empty TLS records from client to BIG-IP results in SSL session termination
Links to More Info: BT1024241
Component: Local Traffic Manager
Symptoms:
After client completes TLS handshake with BIG-IP, when it sends an empty TLS record (zero-length cleartext), the client BIG-IP SSL connection is terminated.
Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled.
Impact:
SSL connection termination is seen in TLS clients.
Workaround:
Disable hardware crypto acceleration.
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1024225 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
Links to More Info: BT1024225
Component: Local Traffic Manager
Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.
Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.
Impact:
Http2 connection is reset
Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1023993-3 : Brute Force is not blocking requests, even when auth failure happens multiple times
Links to More Info: BT1023993
Component: Application Security Manager
Symptoms:
Send traffic with multiple Authorization headers in the request after configuring the brute force. The traffic will not be blocked, when it is supposed to be.
Conditions:
When there is more than one Authorization header present in the requests.
Impact:
Brute force is possible with specially crafted requests having multiple Authorization headers and will be able to bypass brute force checks.
Workaround:
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.
Fix:
ASM detects the brute force attempt with multiple Authorization headers in the request.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1023889-2 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Links to More Info: BT1023889
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
Remote log server receives unexpected messages
Workaround:
None
Fix:
Protocol filter suppresses WS server->client message.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1023829 : Security->Policies in Virtual Server web page spins mcpd 100%, which later cores
Links to More Info: BT1023829
Component: TMOS
Symptoms:
With a large number of VLANs (3000+) and virtual servers (2000+), the virtual server list page consumes excessive resources, eventually leading to a mcpd crash.
Conditions:
-- A huge number of VLANs and virtual servers exist.
-- The virtual server list page is displayed
Impact:
Page becomes inaccessible. Mcpd may crash. Traffic and control plane disrupted while mcpd restarts.
Fix:
Listing of virtual servers on the webpage will work as expected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1023817-1 : Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning
Links to More Info: BT1023817
Component: TMOS
Symptoms:
While loading the configuration or specifying that NAT64 should be disabled on a virtual server, a warning is displayed or logged:
"Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required."
This warning should only be displayed when a virtual server has both NAT64 enabled and a security NAT policy present, but may occur incorrectly even when NAT64 is disabled.
Conditions:
This warning may be incorrectly generated when all of these conditions are met:
-- a multi-bladed VIPRION
-- virtual servers in the configuration security NAT policies
-- receiving a ConfigSync from a peer, or running "tmsh load sys config" on the primary blade
Impact:
An erroneous warning is logged. It can be safely ignored.
Fix:
The warning message is now only generated when both NAT64 and a security NAT policy are present on a virtual server.
Fixed Versions:
17.0.0, 15.1.5.1
1023461 : Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created
Links to More Info: BT1023461
Component: Carrier-Grade NAT
Symptoms:
Two pools are configured, for example:
A: any destination
B: destination 8.8.8.8
1. Making connections and utilizing port block allocation (PBA) pool A works as expected; pools are correctly allocated and released as needed.
2. When a client has active PBA pool A allocated and requests pool B (because of connectivity to specific destination IP), then each subsequent connection request from that client results in new PBA pool B allocation.
Conditions:
Multiple rules are defined to configure PBA.
Impact:
If a request does not belong to the first pool then it will not belong any other, so the system creates a new pool.
Workaround:
None
Fix:
BIG-IP checks all allocated pools first before creating a new pool.
Fixed Versions:
17.0.0, 15.1.9
1023437-3 : Buffer overflow during attack with large HTTP Headers
Component: Anomaly Detection Services
Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after 1024, a buffer overflow might occur.
Conditions:
HTTP or TLS Signature protection is activated and during attack anomalous request arrives.
Impact:
Most of the time results in bad characters in the signature name, more rarely results in Memory Access Violation which could be exploited as buffer overflow attack.
Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1023365-1 : SSL server response could be dropped on immediate client shutdown.
Links to More Info: BT1023365
Component: Local Traffic Manager
Symptoms:
SSL server response might be dropped if peer shutdown arrives before the server response.
Conditions:
-- the virtual server is using a Server SSL profile
-- the client sends FIN/ACK before the server responds
Impact:
The response from the pool member may be dropped.
Workaround:
N/A.
Fix:
Serverssl response now received after peer shutdown
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1023341-2 : HSM hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.
Conditions:
- HSM in use
Impact:
Certain HSM interactions do not follow current best practices.
Workaround:
N/A
Fix:
HSM interactions now follow current best practices.
Fixed Versions:
17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5
1022757-3 : Tmm core due to corrupt list of ike-sa instances for a connection
Links to More Info: BT1022757
Component: TMOS
Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.
Conditions:
Deletion of an expired ike-sa.
Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The internal list data structure has been reorganized to use fewer entities in less-complex relationships. This makes it less likely for a corrupted list to occur, so this issue is less likely to occur.
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1022637-2 : A partition other than /Common may fail to save the configuration to disk
Links to More Info: BT1022637
Component: TMOS
Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
Fix:
Non /Common partitions now get saved to disk as intended.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1022493-2 : Slow file descriptor leak in urldbmgrd (sockets open over time)
Links to More Info: BT1022493
Component: Access Policy Manager
Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.
Conditions:
SWG or URLDB is provisioned.
Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a momentary instant where URL categorization is not available.
Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.
"bigstart restart urldbmgrd" will restart the daemon.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.10
1022453-2 : IPv6 fragments are dropped when packet filtering is enabled.
Links to More Info: BT1022453
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1022417-2 : Ike stops with error ikev2_send_request: [WINDOW] full window
Links to More Info: BT1022417
Component: TMOS
Symptoms:
IKE SAs will be lost.
Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.
Multiple failovers can increase the likelihood that this occurs.
Impact:
IKE SAs may be deleted and there will be traffic loss.
Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.
Fix:
Fixed an issue where IKE SAs were being lost during failover events.
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1022269-2 : False positive RFC compliant violation
Links to More Info: BT1022269
Component: Application Security Manager
Symptoms:
False positive RFC compliant violation.
Conditions:
Authorization header with specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
Added tolerance to the authorization headers parser.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5
1021773-3 : Mcpd core.
Links to More Info: BT1021773
Component: TMOS
Symptoms:
Mcpd crashes and leaves a core file.
Conditions:
This issue can occur if BIG-IP fails to allocate huge pages, which can occur during module provisioning.
Impact:
Mcpd crashes and the system goes into an inoperative state.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.7
1021637-2 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.6.1
1021485-2 : VDI desktops and apps freeze with Vmware and Citrix intermittently
Links to More Info: BT1021485
Component: Access Policy Manager
Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.
Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.
Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout
Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.
Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"
Workaround:
No
Fix:
Users should not experience any intermittent desktop freeze.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021417-3 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Links to More Info: BT1021417
Component: Global Traffic Manager (DNS)
Symptoms:
GTMpool has multiple members with order 0.
Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1021061-3 : Config fails to load for large config on platform with Platform FIPS license enabled
Links to More Info: BT1021061
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1021005 : IPI IPV6 traffic Reputation.
Links to More Info: BT1021005
Component: Advanced Firewall Manager
Symptoms:
The IPI module in BIG-IP is responsible for the reputation of IP addresses. IPI only works on IPv4 traffic.
Conditions:
-- IP Intelligence License installed
-- The environment has a mix of IPv4 and IPv6
Impact:
The BIG-IP Intelligence features cannot do IPV6 traffic reputation.
Workaround:
N/A
Fix:
The BIG-IP Intelligence features can now do both IPv4 and IPV6 traffic Reputation
Behavior Change:
The BIG-IP Intelligence features can do both IPv4 and IPV6 traffic Reputation
Fixed Versions:
17.0.0, 15.1.6
1020941-2 : HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags
Links to More Info: BT1020941
Component: Local Traffic Manager
Symptoms:
HTTP/2 request fails with COMPRESSION_ERROR.
Conditions:
HTTP/2 header frames are received in multiple xfrags in such a way that the first 2 bytes of 'encoded' header-field 'value-length' are the last 2 bytes of the xfrag, and the remaining bytes are in the next xfrag.
Impact:
The header value length is incorrectly updated, and the HTTP/2 request fails.
Workaround:
None
Fix:
HTTP/2 now parses the request, regardless of its xfrags distribution.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.5
1020789-3 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.
Links to More Info: BT1020789
Component: TMOS
Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:
err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources
--------------------------------------------------
one more similar issue has raised for 8 guests allocation failure
When trying to deploy a eight core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:
0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources
Conditions:
-- VCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.
This is more likely to occur with vCMP guests that use four or more cores.
Impact:
All of the available cores cannot be used.
Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.
There is currently no other fix.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1020717-3 : Policy versions cleanup process sometimes removes newer versions
Links to More Info: BT1020717
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020705-1 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name
Links to More Info: BT1020705
Component: Application Visibility and Reporting
Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"
Conditions:
AFM is provisioned
Impact:
This change might cause scripts to fail if they use the name of the field.
Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :
[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...
2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:
[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65
3) restart the BIG-IP system: bigstart restart
After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"
Fix:
Workaround applied as fix.
Fixed Versions:
17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4
1020645-1 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Links to More Info: BT1020645
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
Fix:
When HTTP CONNECT is sent, the iRule event HTTP_RESPONSE_RELEASE is now triggered.
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.4.1
1020561-1 : Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case
Links to More Info: BT1020561
Component: Access Policy Manager
Symptoms:
Session memory is growing over time. memory_usage_stat indicates 'session' is growing.
Conditions:
Db_access_set_accessinfo is hitting the error case
Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.
Workaround:
Restart the tmms periodically when the memory grows
Fixed Versions:
17.0.0, 15.1.5
1020349-2 : APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL
Links to More Info: BT1020349
Component: Access Policy Manager
Symptoms:
APM daemon (apmd) crashes and a coredump is created at '/var/core/'
Conditions:
-- Configure On-Demand Cert Auth with any Auth Mode
-- 'Request/Require'
-- Configure AAA CRLDP
Impact:
All CRLDP based authentications fail.
Workaround:
None
Fix:
The system now handles this condition.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.4.4
1020337-1 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator
Links to More Info: BT1020337
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1020129-1 : Turboflex page in GUI reports 'profile.Features is undefined' error ★
Links to More Info: BT1020129
Component: TMOS
Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:
An error occurred: profile.Features is undefined.
Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to:
--- v15.1.3 or later within v15.1.x
--- v16.0.1.2 or later within v16.0.x
--- v16.1.0 or later
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI
Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.
Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1020061-1 : Nested address lists can increase configuration load time
Links to More Info: BT1020061
Component: Advanced Firewall Manager
Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.
Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.
Impact:
Upgrading (load sys config) takes a lot of time of time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.
If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.
Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.
Workaround:
None
Fix:
Fixed an issue with config load time when nested address lists are used.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1020041-2 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Links to More Info: BT1020041
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (eg, through an irule using 'PEM::subscriber config policy referential set xxxx'
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1019853-2 : Some signatures are not matched under specific conditions
Links to More Info: K30911244 , BT1019853
Component: Application Security Manager
Symptoms:
Some signatures are not matched, attacking traffic may pass through.
Conditions:
- Undisclosed signature conditions
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Signatures are now matched as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1019793 : Image2disk does not work on F5OS BIG-IP tenant. ★
Links to More Info: BT1019793
Component: TMOS
Symptoms:
Image2disk fails to recognize the correct disk to install and installation fails.
Conditions:
This occurs with BIG-IP tenants that are running in F5OS partitions.
Impact:
Installation fails.
Workaround:
None
Fixed Versions:
17.1.0, 15.1.5
1019613-3 : Unknown subscriber in PBA deployment may cause CPU spike
Links to More Info: BT1019613
Component: Carrier-Grade NAT
Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.
Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber
Impact:
Overall system capacity reduces.
Workaround:
Disable subscriber-id logging.
Fix:
Unknown subscriber in PBA deployment no longer causes a CPU spike.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1019609 : No Error logging when BIG-IP device's IP address is not added in client list on netHSM. ★
Links to More Info: BT1019609
Component: Local Traffic Manager
Symptoms:
"Ensure BIG-IP's IP address is added to the client list"
error log is not displayed, despite the BIG-IP not being added to the client list in Thales/nShield/Entrust HSM.
Conditions:
BIG-IP is not added to the client list in Thales/nShield/Entrust HSM.
Impact:
Difficult to debug the error condition to due lack of error message
Workaround:
None
Fix:
Grep error text information on stderror stream now works.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
1019481 : Unable to provision PEM on VELOS platform
Links to More Info: BT1019481
Component: Policy Enforcement Manager
Symptoms:
Unable to provision PEM on VELOS platform
Conditions:
When trying to provision PEM
Impact:
PEM functionality cannot be achieved
Workaround:
Change sys db provision.enforce value to false and load sys config
Fix:
Added VELOS platform to PEM provision list
Fixed Versions:
17.1.0, 15.1.4
1019453-3 : Core generated for autodosd daemon when synchronization process is terminated
Links to More Info: BT1019453
Component: Advanced Firewall Manager
Symptoms:
Autodosd cores on SIGSEGV.
Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown
Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.
Workaround:
None
Fix:
Fixed an autodosd crash.
Fixed Versions:
17.0.0, 15.1.3.1
1019429-3 : CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated
Links to More Info: BT1019429
Component: TMOS
Symptoms:
Virtuals with CMP forwarded flows and PVA acceleration may see a higher than expected syncache counter which can lead to permanent syncookie activation.
Also, under certain conditions the internal listeners used for config-sync may have syncookies activated. Logs will show the syncookie counter increasing after every activation.
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9830 exceeded vip threshold 2496 for virtual = 192.168.1.1:4353
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9834 exceeded vip threshold 2497 for virtual = 192.168.1.1:4353
Conditions:
-- Virtual servers with CMP forwarded flows - commonly occurring when the FTP profile is in use.
-- A platform with PVA acceleration enabled.
-- Only the server-side flow of a connection is offloaded to hardware.
Impact:
Elevated syncache_curr, epva_connstat.embryonic_hw_conns, epva_connstat, embryonic_hw_tcp_conns stas. Improper syncooke activation. Syncookie activation on the config-sync listener may cause config-sync to fail.
Workaround:
Remove the ftp profile or disable PVA acceleration:
modify sys db pva.acceleration value none
Fix:
Counters are now correctly decremented.
Fixed Versions:
17.0.0, 16.1.5, 15.1.4.1
1019357-1 : Active fails to resend ipsec ikev2_message_id_sync if no response received
Links to More Info: BT1019357
Component: TMOS
Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.
If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.
After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs
Impact:
Traffic loss.
Workaround:
None
Fix:
Fetch latest connection flow during retransmission of IKE/IPSEC packet.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1019161-4 : Windows installer(VPN through browser components installer) as administrator user uses temporary folder to create files ★
1019085-1 : Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. ★
Links to More Info: BT1019085
Component: TMOS
Symptoms:
Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required.
Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".
Conditions:
- One or more network virtual-addresses configured with "icmp-echo enabled".
- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).
Impact:
Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.
Workaround:
Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.
Fix:
Network virtual-addresses no longer lose the "icmp-echo enabled" property.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
1019081-3 : HTTP/2 hardening
Links to More Info: K97045220 , BT1019081
Component: Local Traffic Manager
Symptoms:
Under certain condition, the HTTP/2 profile does not follow current best practices
Conditions:
- HTTP/2 profile enabled
Impact:
The HTTP/2 profile does not follow current best practices.
Workaround:
N/A
Fix:
TMM now processes HTTP/2 traffic as expected
Fixed Versions:
16.1.0, 15.1.3.1, 14.1.4.5, 13.1.5
1018877-1 : Subsession variable values mixing between sessions
Links to More Info: BT1018877
Component: Access Policy Manager
Symptoms:
Subsession variable lookup internally assumes that a complete session DB lookup name (Session ID + Subsession key) is used. However, when using the lookup table, only the subsession key is passed in.
Conditions:
Subsession variables are referenced in the Per-Request Policy outside of the Subsession without the Session ID.
Impact:
A Per-Request Policy execution may get the value of the subsession variable from a different APM session.
Workaround:
Add the session ID to the reference to the subsession variables used in Per-Request Policies.
Fix:
Fixed an issue with subsession variable lookup.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1018613-3 : Modify wideip pools with replace-all-with results pools with same order 0
Links to More Info: BT1018613
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wideip pools have the order 0.
Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wideip and then use replace-all-with.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1018577-3 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Links to More Info: BT1018577
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
members {
sasp_1:80 {
address 10.10.10.1
}
sasp_1:8080 {
address 10.10.10.1
}
sasp_2:80 {
address 10.10.10.2
}
sasp_2:8080 {
address 10.10.10.2
}
}
monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1018493-2 : Response code 304 from TMM Cache always closes TCP connection.
Links to More Info: BT1018493
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.
Fix:
TMM correctly serves a response with "304 Not Modified" code, allowing to correctly handle TCP connection status.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1018309-3 : Loading config file with imish removes the last character
Links to More Info: BT1018309
Component: TMOS
Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.
printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Configuration commands cannot be created properly.
Workaround:
For CLI, use extra control char at the end or \n.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
1018285-1 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction
Links to More Info: BT1018285
Component: Service Provider
Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.
Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
set cc_req_type [DIAMETER::avp data get 416 integer32]
if {[DIAMETER::is_response] && $cc_req_type == 3 } {
log local0. "Persistence record delete-on-any"
DIAMETER::persist delete-on-any
}
}
}
Impact:
iRule script is required.
Fix:
DIAMETER::persist irule are supported to remove a persistence entry based on the result status of a answer message.
below irule commands are supported.
DIAMETER::persist delete-on-any
DIAMETER::persist delete-on-success
DIAMETER::persist delete-on-failure
DIAMETER::persist delete-none
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1018145-1 : Firewall Manager user role is not allowed to configure/view protocol inspection profiles
Links to More Info: BT1018145
Component: Protocol Inspection
Symptoms:
A user account with the "firewall-manager" role that is assigned permissions only to custom partitions will not be able to configure protocol inspection profiles.
Conditions:
-- A user account is created with the role firewall-manager.
-- A custom partition is created.
-- The newly created user is given access to the newly created partition.
Impact:
Any user account without access to "/Common" partition is not allowed to configure protocol inspection profiles.
Workaround:
- If the user account is provided access to "/Common" partition as well, the user should be able to configure protocol-inspection profiles in the newly created custom partitions.
Fix:
The permissions are granted for any non-admin user to configure protocol inspection profiles in a custom partition as long as they have access to "/Common" partition as well.
Fixed Versions:
16.1.1, 15.1.4
1017841 : High tmm memory use when transferring large documents to slow clients
Links to More Info: BT1017841
Component: Local Traffic Manager
Symptoms:
Excessive buffering in tmm memory
Conditions:
- HTTP virtual server with HTTP compression
- NTLM profile
- large documents
- slow clients
Impact:
- Higher than expected tmm memory use
Fixed Versions:
15.1.10
1017721-3 : WebSocket does not close cleanly when SSL enabled.
Links to More Info: BT1017721
Component: Local Traffic Manager
Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.
Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)
and connection closure is initiated by the client.
Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.
Workaround:
Avoid using SSL on WebSocket server context.
Fix:
WebSocket connections close without any error.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1
1017645-2 : False positive HTTP compliance violation
Links to More Info: BT1017645
Component: Application Security Manager
Symptoms:
False-positive HTTP compliance violation.
Conditions:
Authorization header with bearer token and/or some other authorization headers types.
Impact:
False-positive traffic blocking.
Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Then restart ASM for this to take effect:
bigstart restart asm
Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
1017557-3 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Links to More Info: BT1017557
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied.
-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
Fix:
Fix ASM to properly handle bad chunked response followed by FIN
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1017533-2 : Using TMC might cause virtual server vlans-enabled configuration to be ignored
Links to More Info: BT1017533
Component: Local Traffic Manager
Symptoms:
When switching between traffic-matching-criteria (TMC) and regular virtual-server configuration, the vlans-enabled option might be ignored, causing unexpected traffic handling.
Conditions:
Changing virtual-server configuration when using traffic-matching-criteria.
Impact:
Unexpected traffic handling and disruption
Workaround:
Avoid using TMC (port lists and address lists). When in a 'faulty' state you can try changing vlan-enabled on and changing it back on the virtual server, you might need to clear existing connections afterwards.
Follow below articles.
K53851362: Displaying and deleting BIG-IP connection table entries from the command line
K52091701: Handling Connections that have been matched to the wrong Virtual Server.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1017513-3 : Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking
Links to More Info: BT1017513
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
This error can occur on FQDN nodes or regular nodes. It's the use of fqdn nodes that allows this issue to occur.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command:
run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
You might experience the following:
-- Sync to the peer devices fails.
-- Monitors may be stuck in an unexpected state such as down (even with a good reply) or checking even though an up or down response is received.
Workaround:
Use incremental-sync.
If incremental sync fails to correct the issue it can sometimes be recovered by running the following command:
bigstart restart mcpd
Note: Traffic disrupted while the system restarts.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
1017233-1 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption
Links to More Info: BT1017233
Component: Access Policy Manager
Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned
Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running
Impact:
User Authentication is failed by the backed server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1017153-2 : Asmlogd suddenly deletes all request log protobuf files and records from the database.
Links to More Info: BT1017153
Component: Application Security Manager
Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.
Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.
Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.
Impact:
Sudden loss of request logs.
Workaround:
Delete all empty partitions and restart asmlogd.
1) View all the partitions:
# perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'
Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.
2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:
# perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'
3) restart asmlogd if and after done all deletes:
# pkill -f asmlogd
NOTE: this workaround is temporary. Meaning, that the number of empty partitions will again accumulate and the same issue will happen again. The MAX number of partitions is - 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.
Optionally, if you are having TMUI issue with newly generated event logs, perform the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.
# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'
Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom away. The fix will prevent ASM from accumulating partitions unnecessarily in the scenarios.
If your ASM system is experiencing this and partitions are accumulated, perform the workaround to clear the symptom. Using a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1017053-1 : [SSL Orchestrator] Policy fails to complete when URL branching is configured
Links to More Info: BT1017053
Component: SSL Orchestrator
Symptoms:
SessionDB returns ERR_NOT_FOUND when Allow Agent attempts to update URL info in the session entry.
Conditions:
SSL Orchestrator session does not have a session entry in the SessionDB corresponding to the URL info.
Impact:
This causes policy execution failure and connection aborts.
Workaround:
Setting perflow.branching.url with no value, then the Allow Agent will not update the session entry. This will avoid the ERR_NOT_FOUND error message.
Fix:
Ensure the session is an APM session before setting the URL info for the session entry.
Fixed Versions:
17.0.0, 15.1.9
1016633 : iprep.protocol with auto-detect fails when DNS takes time to resolve
Links to More Info: BT1016633
Component: TMOS
Symptoms:
On some hardware platforms, after a reboot, DNS takes a significant amount of time to come up.
Conditions:
This is encountered on either a fresh installation, or upon a reboot of a BIG-IP system.
Impact:
DNS takes time to come up (after a reboot) and till then DNS resolution fails. During this, iprepd with auto-detect fails
Workaround:
None
Fix:
Fixed connectivity issues in case of auto-detect protocol mode.
Fixed Versions:
15.1.4
1016449-2 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.
Links to More Info: BT1016449
Component: Local Traffic Manager
Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).
On the contrary, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.
- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:
tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to_group ...
- Performing specific tmsh CLI transactions involving Self IP modifications.
Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
Fix:
TMM now correctly handles supported Self IP address modifications.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016441-3 : RFC Enforcement Hardening
Links to More Info: K11342432 , BT1016441
Component: Local Traffic Manager
Symptoms:
When the HTTP profile RFC Enforcement Flag is enabled, certain non-RFC compliant headers are still allowed.
Conditions:
- Virtual Server with HTTP profile.
- RFC Enforcement Flag enabled.
- HTTP request with non-RFC compliant headers.
Impact:
Non-RFC compliant headers passed to server.
Workaround:
N/A
Fix:
BIG-IP will drop non-RFC compliant HTTP requests when the RFC compliance flag is ON.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016309-1 : When two policies with the same properties are configured with geo property, the geo for the second policy is ignored.
Links to More Info: BT1016309
Component: Advanced Firewall Manager
Symptoms:
If two policies are configured with rule lists of same type of properties (1 allow and 1 deny) with the geo property used, the geo settings of the first rule will be used in the second rule.
Conditions:
-- Two policies having the same type of rule lists (1 allow rule and 1 deny rule)
-- The same geo is configured in a rule in each of the rule lists.
-- One rule is configured to allow, one is configured to deny
Impact:
Connection requests for the second virtual server that uses the second policy will use the geo settings from the first policy.
Workaround:
None
Fix:
Connection request for second virtual server will be dropped and allowed as configured in the policy that is attached.
Fixed Versions:
17.0.0, 15.1.4
1016113-3 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.
Links to More Info: BT1016113
Component: Local Traffic Manager
Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.
Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.
Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.
Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.
Fix:
The BIG-IP response is chunked appropriately when a Web Acceleration profile is used.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
1016049-4 : EDNS query with CSUBNET dropped by protocol inspection
Links to More Info: BT1016049
Component: Local Traffic Manager
Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:
info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed
Conditions:
Query containing CSUBNET option.
Impact:
Some queries might fail.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016045-3 : OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows.
Links to More Info: BT1016045
Component: Carrier-Grade NAT
Symptoms:
OOPS logging may appear in /var/log/ltm and /var/log/tmm
Conditions:
1. Active ftp connection.
2. Sending the port command immediately followed by a quit.
Impact:
Log pollution and potential for performance degradation.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.4, 15.1.9
1016033-2 : Remote logging of WS/WSS shows date_time equal to Unix epoch start time
Links to More Info: BT1016033
Component: Application Security Manager
Symptoms:
Enable the BD_MISC log and notice the REMOTE_LOG buffer printed in the bd logs. The date_time field will be set as closer to epoch time, for eg: "1969-12-31 16:27:00", instead of the current date. The same will be reflected in the remote logs as well.
Conditions:
Remote logging is enabled and the WS/WSS requests are sent to the BIG-IP
Impact:
The date_time information in WS traffic logged to a remote destination is incorrect. This makes correlating data difficult or impossible depending on the traffic.
Fixed Versions:
17.0.0, 16.1.5, 15.1.5
1015881-3 : TMM might crash after configuration failure
Links to More Info: BT1015881
Component: Application Security Manager
Symptoms:
TMM crashes after DoSL7 application configuration failure
Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.7
1015201 : HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted.
Links to More Info: BT1015201
Component: Local Traffic Manager
Symptoms:
The HTTP unchunking satellite leaks ERR_MORE_DATA when processing payload - this error code is then returned to other filters which will abort the connection due to this unexpected error (like PLUGIN).
Conditions:
Virtual server with HTTP, compression and NTLM profiles.
Impact:
Connection is aborted
Fix:
HTTP unchunking satellite no longer leaks ERR_MORE_DATA.
Connection is not aborted and response is received by the client.
Fixed Versions:
15.1.5, 14.1.4.4
1015161-2 : Ephemeral pool member may not be created when FQDN resolves to address that matches static node
Links to More Info: BT1015161
Component: Local Traffic Manager
Symptoms:
An ephemeral pool member may not created if the FQDN name resolves to a new IP address that matches an existing statically-configured node.
When this occurs, a message like the following appears in the LTM log:
err mcpd[4498]: 01070734:3: Configuration error: node (/Common/_auto_10.10.120.12) not found.
Note that the node name in the message is the expected name of an ephemeral node created for this address, not the actual name of the statically-configured node with that IP address.
Conditions:
This may occur if:
-- The FQDN node and pool member are created with the "autopopulate enabled" option.
-- The FQDN name resolves to more than one IP address.
-- One of these IP addresses was not included in the previous DNS query result.
-- There is a statically-configured node with the same IP address.
Impact:
An ephemeral pool member is not created for the IP address newly included in the DNS query result. This results in traffic not being load-balanced to all of the expected pool members.
Workaround:
Use one of the following methods to prevent this issue from occurring:
-- Avoid creating statically-configured nodes using the same IP addresses returned by resolution of configured node/pool member FQDN names.
-- Configure the FQDN pool member with "autopopulate disabled" (default), which creates only a single ephemeral pool member.
Perform this sequence of actions to recover from an occurrence of this issue:
1. Remove any pool members referencing the conflicting IP address(es) from their respective pool(s).
2. Delete the statically-configured node(s) using the conflicting IP address(es).
3. Add any pool members referencing the conflicting IP address(es) back to their respective pool(s).
Fix:
Ephemeral pool members are successfully created when the corresponding FQDN name resolves to one or more new IP addresses that conflict with statically-configured nodes.
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5
1015133-3 : Tail loss can cause TCP TLP to retransmit slowly.
Links to More Info: BT1015133
Component: Local Traffic Manager
Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.
Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.
Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.
Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.
Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1015093-3 : The "iq" column is missing from the ndal_tx_stats table
Links to More Info: BT1015093
Component: TMOS
Symptoms:
When viewing the ndal_tx_stats statistics table, the "iq" column is not present.
Conditions:
-- BIG-IP Virtual Edition.
-- Viewing statistics tables.
Impact:
Missing statistic; less information available.
Fixed Versions:
15.1.4.1, 14.1.4.5
1014973-3 : ASM changed cookie value.
Links to More Info: BT1014973
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.
Workaround:
Change the following db variable:
tmsh modify sys db asm.strip_asm_cookies (https://support.f5.com/csp/article/K30023210) value false.
There is no need to restart asm.
Add an iRule without the use of strip_asm_cookies:
https://support.f5.com/csp/article/K13693.
Fix:
Original cookies not being deleted/modified after the removing of TS cookies in ASM.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1014609 : Tunnel_src_ip support for dslite event log for type field list
Links to More Info: BT1014609
Component: Advanced Firewall Manager
Symptoms:
When storage-format is set to None the dslite_dst_ip and dslite_src_ip fields are displayed; however, the field list only displays dslite_dst_ip and you are unable to configure dslite_src_ip.
Conditions:
-- AFM configured
-- You are configuring a logging profile and are choosing fields from the field list
Impact:
The dslite_src_ip field cannot be selected in the logging profile when choosing fields from the field list.
Workaround:
Do not choose fields from the field list and dslite_src_ip will be logged.
Fix:
For NAPT mode dslite tunnel_src_ip is now supported for field list for all 6 event type (inbound start/stop, outbound start/stop, error and quota exceeded).
Fixed Versions:
17.1.2, 15.1.4
1014573-2 : Several large arrays/objects in JSON payload may core the enforcer
Links to More Info: BT1014573
Component: Application Security Manager
Symptoms:
Requests with JSON payload that consists of more than one object with elements, such as a couple of large arrays, may cause the enforcer to crash.
Conditions:
Each of the objects/arrays in JSON payload has to consist lesser amount of elements than defined in the "Maximum Array Length" JSON profile attribute.
Impact:
Large enough arrays may cause performance decrease, in addition, the enforcer may crash.
Workaround:
Set "Maximum Array Length" to a lower value than the requests array length.
Fix:
Added internal param "count_overall_child_elements_in_json" to control "Maximum Array/Object Elements" behaviour:
0 (default) - retain current behaviour (check max elements in each array/object separately);
1 - count overall elements in all arrays/objects.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1014433 : Time stamp format is not the same for all LTM logs
Links to More Info: BT1014433
Component: TMOS
Symptoms:
After the device reboots, the LTM logs time stamp provided for "boot_marker" and "Shutdown cleanly" are of two different formats.
Conditions:
This may occur when ISO date format is disabled (tmsh modify sys syslog iso-date disable).
The "boot_marker" log entries cannot be configured with regards to ISO date format, and so are always written in ISO date format to ensure ICSA compliance.
When ISO date format is enabled (tmsh modify sys syslog iso-date enable), all log entries use ISO date format and thus match the "boot_marker" log entries.
Impact:
The time stamp format of some log entries may appear in ISO date format and thus not be consistent with other log entries when ISO date format is disabled.
Workaround:
The time stamp format of "boot_marker" log entries is expected to always appear in ISO date format.
Fix:
The boot marker log entry now uses a non-ISO time stamp format with this fix in place.
Behavior Change:
The boot marker log entry now uses a consistent time stamp when ISO date format is disabled, but no longer complies with ISO date format when ISO date format is enabled, breaking ICSA compliance.
Fixed Versions:
15.1.4
1013729-3 : Changing User login password using VMware View Horizon client results in “HTTP error 500”
Links to More Info: BT1013729
Component: Access Policy Manager
Symptoms:
“HTTP error 500" is shown when user changes the password using VMware view horizon client.
Conditions:
User tries to change user password using the VMware native client.
Impact:
Users can't login to the VMware VDI.
Workaround:
None
Fix:
Users can now modify their password via the VMware native client and are able to login to VMware vdi.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
1013649-4 : Leftover files in /var/run/key_mgmt after key export
Links to More Info: BT1013649
Component: TMOS
Symptoms:
Files accumulate in /var/run/key_mgmt
qkview grows too large to be processed by iHealth
Conditions:
iControl SOAP used for key export
Impact:
Thousands of files can eventually accumulate in /var/run/key_mgmt, impacting ability to process qkviews
it takes long time to process.
Workaround:
Delete files in /var/run/key_mgmt manually
Fix:
Earlier f5km_shutdown is called with DONT_DELETE argument, now it is called with DELETE_ENTIRE_KEYMGMT_DIR so it will clean up temp files in /var/run/key_mgmt properly.
Fixed Versions:
16.1.0, 15.1.4
1013629-3 : URLCAT: Scan finds many Group/User Read/Write (666/664/662) files
Links to More Info: BT1013629
Component: Traffic Classification Engine
Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).
Conditions:
Policy Enforcement Manager is provisioned
Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.
Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.
Fix:
Shared Memory file permissions are now set to (-rw-rw-r--).
Fixed Versions:
17.0.0, 16.1.2, 15.1.9
1013181-2 : TMM may produce core when dynamic CRL check is enabled on the client SSL profile
Links to More Info: BT1013181
Component: Local Traffic Manager
Symptoms:
Possible tmm crash during ssl handshake with client SSL virtual server when dynamic CRL check is used.
Conditions:
All these 3 conditions need to be met.
- Client Certificate is set to "request" on the client SSL profile or using APM "On-Demand Cert Auth" agent set to "request".
- Dynamic CRL check is configured on the client SSL profile.
- Client does not submit its client certificate to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Configure Client Certificate "require" on the client SSL profile or, if using APM "On-Demand Cert Auth" agent, configure it to "require".
or
- Disable Dynamic CRL check. You can use static CRL file on the client SSL profile instead.
Fixed Versions:
16.1.0, 15.1.5
1012721-1 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1012721
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5
1012581-3 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
Links to More Info: BT1012581
Component: Advanced Firewall Manager
Symptoms:
As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.
Workaround:
Restart tmm
Fix:
Now, global syncookie state changing from full-hardware to non-activated when attack ends.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1012533-1 : `HTTP2::disable serverside` can cause cores
Links to More Info: BT1012533
Component: Service Provider
Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow (this is ID1013597).
Because of the timing of this RST, tmm may crash.
Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.
Or
Some internal timing conditions without an iRule involved.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't call `HTTP2::disable serverside` (the iRule condition) if there is no HTTP2 on server-side.
Fixed Versions:
15.1.4.1
1012521-2 : BIG-IP UI file permissions
Links to More Info: BT1012521
Component: Advanced Firewall Manager
Symptoms:
Some GUI files have incorrect permission settings.
Conditions:
Files installed by the security-ui rpm.
Impact:
File permissions are incorrect.
Fix:
Installation script updated to set permissions to remove write privileges for the Group and User level
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
1012413-3 : Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled
Links to More Info: BT1012413
Component: Advanced Firewall Manager
Symptoms:
When a DoS profile is attached to a virtual server, the mitigation limit is set to the system limit and not the HSB limit. This causes more packets to be handled by software. Depending on attack size, it could pass up to 200% of the set mitigation limit. This can impact tmm performance.
Conditions:
-- Dos profile is configured on virtual server.
-- Hardware platform that has HSB
-- Hardware mitigation is enabled
Impact:
Tmm performance may be degraded.
Workaround:
None
Fix:
The HSB limit is set to (vector configured mitigation limit) / (number of hsbs on BIG-IP)
Fixed Versions:
17.0.0, 15.1.4
1012221-2 : The childInheritanceStatus is not compatible with parentInheritanceStatus ★
Links to More Info: BT1012221
Component: Application Security Manager
Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:
Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.
Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than BIG-IP 14.0.0.
-- The BIG-IP system is upgraded to BIG-IP 14.0.0 or later.
Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.
Workaround:
After upgrading to BIG-IP 14.0.0 or later, perform the following:
1. Log in to the BIG-IP Configuration Utility.
2. Go to Security :: Application Security :: Security Policies :: Policies List.
3. Select the first Parent Policy.
4. Go to Inheritance settings and change Threat Campaigns from None to Optional.
5. Click Save Changes.
6. Change Threat Campaigns from Optional back to None.
7. Click Save Changes.
8. Click Apply.
9. Repeat steps 3 to 8 for each additional Parent Policy.
Fix:
Made childInheritanceStatus compatible with
parentInheritanceStatus after the upgrade.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1012009-1 : MQTT Message Routing virtual may result in TMM crash
Links to More Info: BT1012009
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.
Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
When a client attempts to reconnect, and an existing server side connection is used, TMM correctly handles the connection's state and no longer crashes for this reason.
Fixed Versions:
15.1.4.1
1011433-3 : TMM may crash under memory pressure when performing DNS resolution
Links to More Info: BT1011433
Component: Global Traffic Manager (DNS)
Symptoms:
When running low on free memory, TMM may crash when performing DNS resolution.
Conditions:
-- TMM is under memory pressure.
-- TMM is performing DNS resolution via one of the following mechanisms:
--+ iRule using the "RESOLV::lookup" command
--+ AFM firewall rules that reference hostnames
--+ APM
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1011285-2 : The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.
Links to More Info: BT1011285
Component: Global Traffic Manager (DNS)
Symptoms:
If you attempt a POST or PATCH iControl REST request against a wide IP, and you include an empty 'lastResortPool' property in the JSON body, the system rejects the request as invalid and returns the following validation error:
{
"code": 400,
"message": "\"last-resort-pool\" requires a value",
"errorStack": [],
"apiError": 26214401
}
Conditions:
A POST or PATCH command against a wide IP object includes an empty lastResortPool property.
Impact:
Inability to create or modify the wide IP object.
Workaround:
You can use either of the following, depending on what you want to do:
-- To create a new wide IP object, remove the empty 'lastResortPool' property from the JSON body.
-- To remove the last-resort-pool from an already existing wide IP, define the property as follows instead:
"lastResortPool":"none"
Fixed Versions:
16.1.0, 15.1.5, 13.1.5
1011217-3 : TurboFlex Profile setting reverts to turboflex-base after upgrade ★
Links to More Info: BT1011217
Component: TMOS
Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.
Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded
Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.
Workaround:
Reconfigure the TurboFlex Profile after upgrade.
Fix:
TurboFlex Profile settings are now preserved after the upgrade.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
1011069-3 : Group/User R/W permissions should be changed for .pid and .cfg files.
Links to More Info: BT1011069
Component: Application Security Manager
Symptoms:
The following files should be set with lower permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)
Conditions:
Always
Impact:
Incorrect file permissions.
Workaround:
Chmod 664 <files_list>
Fix:
The corrected permissions 664 are applied to the given list of files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1011065-2 : Certain attack signatures may not match in multipart content
Links to More Info: K39002226 , BT1011065
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains multipart body that matches specific attack signatures.
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
1011061-2 : Certain attack signatures may not match in multipart content
Links to More Info: K39002226 , BT1011061
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1011045-1 : GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode.
Links to More Info: BT1011045
Component: Application Security Manager
Symptoms:
When disabling 'Fully Automatic' mode in policy configuration (either through the GUI or REST) the GUI still indicates that the policy is in Automatic learning mode.
Conditions:
1. Configure a policy using the Fundamental template.
2. Change Learning Mode to 'automatic only' by REST, or uncheck the 'Fully Automatic' box in the GUI (Policy Configuration page).
Impact:
The GUI still shows the Learning Mode state, but not the 'Fully Automatic' state.
As a result, the administrator cannot be sure of the actual state of learning mode via the GUI.
Workaround:
The actual state is reflected properly when viewed via the REST command.
GET https://big-ip-mgmt/mgmt/tm/asm/policies/policy_id/policy-builder
Fixed Versions:
16.1.0, 15.1.10
1010809-2 : Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Links to More Info: BT1010809
Component: Access Policy Manager
Symptoms:
Connection is reset when sending a HTTP HEAD request to APM Virtual Server
Conditions:
-- A virtual server with APM implemented
-- A HTTP HEAD request is sent to the virtual server
Impact:
Connection is reset
Workaround:
To work around this issue, implement the following iRule on the virtual server:
when HTTP_REQUEST priority 500 {
if {[HTTP::method] equals "HEAD"
&& [HTTP::path] equals "/"} {
HTTP::respond 404
}
}
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1010617-3 : String operation against DNS resource records cause tmm memory corruption
Links to More Info: BT1010617
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operation against DNS RRs.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1010597-2 : Traffic disruption when virtual server is assigned to a non-default route domain ★
Links to More Info: BT1010597
Component: Access Policy Manager
Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.
Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).
Impact:
Access policy fails.
Workaround:
1. Log in to the Configuration utility.
2. Go to Network > Route Domains > affected route domain.
3. In the section Parent Name select '0 (Partition Default Route Domain)'.
4. Select Update.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1010393-4 : Unable to relax AS-path attribute in multi-path selection
Links to More Info: BT1010393
Component: TMOS
Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.
Conditions:
BGP multi-path routes with different AS_PATH attributes.
Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.
Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
1010245-1 : Duplicate ipsec-sa SPI values shown by tmsh command
Links to More Info: BT1010245
Component: TMOS
Symptoms:
A tmsh command which shows ipsec-sa instances can display the 32-bit SPI more than once for the same security association (SA) but in different tmm instances.
Conditions:
Especially in the context of failover where Standby becomes Active, sometimes the same SA appears more than once when shown by a tmsh command, but in different tmms.
Impact:
The duplicate SPI displayed is a cosmetic effect only.
Workaround:
None
Fix:
Fixed an issue with duplicate SA reporting when using the tmsh show net ipsec ipsec-sa command.
Fixed Versions:
16.1.0, 15.1.4.1
1009949-2 : High CPU usage when upgrading from previous version ★
Links to More Info: BT1009949
Component: TMOS
Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.
Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.
Impact:
Performance Impact.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1009161-1 : SSL mirroring protect for null sessions
Links to More Info: BT1009161
Component: Local Traffic Manager
Symptoms:
Possible tmm crash during ssl handshake with connection mirroring enabled.
Conditions:
14.1 after changes applied for ID760406 and ssl handshake dropped during ssl handshake session state.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable connection mirroring
Fix:
Prevent possible crash on ssl connection mirroing in 14.1
Fixed Versions:
15.1.5.1, 14.1.4.5
1009093-1 : GUI widgets pages are not functioning correctly
Links to More Info: BT1009093
Component: Application Visibility and Reporting
Symptoms:
Some links and drop-down fields are not available for 'pressing/clicking' on AVR-GUI widgets pages
Conditions:
AVR/ASM is provisioned
Impact:
Cannot use AVR GUI pages correctly
Workaround:
1. Back up the following file, and then edit it:
/var/ts/dms/amm/templates/overview.tpl
1.a. Remove the following line:
<script type="text/javascript" src="script/analytics_stats.js{{BIGIP_BUILD_VERSION_JS}}"></script>
1.b. Add the following lines after the 'var _default_smtp = '{{smtp_mailer}}';' line:
$(document).ready(function() {
if(!window.AVR_LOCALIZATION) return;
$('.need-localization-avr').each(function() {
var item = $(this);
if (item.is("input")) {
var key = "avr." + item.val().replace(/\s/g, '');
item.val(window.AVR_LOCALIZATION[key] || item.val());
} else {
var key = "avr." + item.text().replace(/\s/g, '');
item.text(window.AVR_LOCALIZATION[key] || item.text());
}
}).removeClass('need-localization-avr');
});
1.c. Save and exit (might require the 'force' save with root user).
2. Log out of the GUI.
3. Log back in.
Fix:
GUI widgets pages now function correctly.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1009037-3 : Tcl resume on invalid connection flow can cause tmm crash
Links to More Info: BT1009037
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."
Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1008849-3 : OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration.
Links to More Info: BT1008849
Component: Application Security Manager
Symptoms:
To fulfill "A4 XML External Entities (XXE)", some required signatures need to be enforced.
Due to an update in some of those attack signatures names, this section does not find the signatures and by mistake it shows that the signatures are not enforced.
Also, when you choose to enforce the required signatures, this section tries to enforce the signatures, but looks for them via the old name, so it does not find them, and can't enforce them.
Conditions:
The attack signatures file is updated with the new names for the XXE signatures.
The old names are in use while trying to find and enforce the signatures, but it does not find them and can't enforce them and also can't see if they are already enforced.
Impact:
"A4 XML External Entities (XXE)" Compliance can't be fully compliant.
Workaround:
N/A
Fix:
The signature ID is being used instead of signature name, and now it can find them and enforce them if needed.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
1008837-2 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics
Links to More Info: BT1008837
Component: TMOS
Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.
There might be thousands of rows if thousands of virtual servers server are configured.
There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.
Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.
Impact:
When mcpd is processing a query for virtual server statistics:
-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4
1008525-2 : The partition text field becomes unusable when the user enters an invalid entry such as, "<, >, &, ", ', ', etc.
Links to More Info: BT1008525
Component: Local Traffic Manager
Symptoms:
The partition text field becomes unusable. This problem occurs when the user enters an invalid entry such as'<'. The entry is replaced by the escape characters on every keyup. Once this happens, the text field is not reusable unless the user refreshes the page or clicks on the breadcrumb "External HSM".
Conditions:
NA
Impact:
The partition text field is not reusable.
Workaround:
The partition text field is not reusable unless the user refreshes the page or clicks on the breadcrumb "External HSM".
Fix:
The escaped sequence should not be shown on the text field, the user should not know that the characters are being escaped at the same time disallowing the unescaped sequence from being sent to the BIG-IP.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
1008501-3 : TMM core
Links to More Info: BT1008501
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
Transparent monitors monitoring a virtual server's IP address.
Note: Although this is the current understanding of the issue, it is not clear whether this is an true requirement for the issue to occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008269-3 : Error: out of stack space
Links to More Info: BT1008269
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1008265-3 : DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond ★
Links to More Info: K92306170 , BT1008265
Component: Advanced Firewall Manager
Symptoms:
DoS Flood and Sweep vector states are disabled after upgrade.
Conditions:
DoS Flood and Sweep vectors are enabled prior to an upgrade to software release 14.x and beyond.
Impact:
DoS Flood and Sweep vector states are disabled. System is susceptible to a DoS attack.
Workaround:
Reset the DoS Flood and Sweep vectors to their previous state.
Fix:
Removed default disabled state from upgrade scripts so that both vectors were restored to previous configured state
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008017-5 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Links to More Info: BT1008017
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
BIG-IP system allows this configuration and fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1008009-2 : SSL mirroring null hs during session sync state
Links to More Info: BT1008009
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
-- SSL connection mirroring enabled
-- Running a version where ID 760406 is fixed (https://cdn.f5.com/product/bugtracker/ID760406.html)
-- A handshake failure occurs during session sync
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable connection mirroring
Fix:
The system now protects for dropped SSL handshakes during connection mirror session sync.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1007821-1 : SIP message routing may cause tmm crash
Links to More Info: BT1007821
Component: Service Provider
Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.
Conditions:
This can occur while passing traffic when SIP message routing is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
SIP message routing no longer results in a core due to internal memory errors in message parsing.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1007749-1 : URI TCL parse functions fail when there are interior segments with periods and semi-colons
Links to More Info: BT1007749
Component: Local Traffic Manager
Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.
Conditions:
This happens for URIs like these:
/alpha/beta/Sample.text;param/trailer/
/alpha/beta/Sample.text;param/file.txt
Impact:
iRules fail to work as expected for these types of URIs.
This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.
Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
1007677-1 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'
Links to More Info: BT1007677
Component: Access Policy Manager
Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:
-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864
Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.
Impact:
SAML may fail on APM SAML IdP using artifact binding.
Fix:
The system now handles this occurrence of 'session-key'.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1
1007629-1 : APM policy configured with many ACL policies can create APM memory pressure
Links to More Info: BT1007629
Component: Access Policy Manager
Symptoms:
High APM memory usage even in idle state when no traffic is flowing.
Conditions:
APM policies configured with resource assignment agents with ACL policies configured. The idle state memory usage will be proportional to the number of resource assignment agents and ACL policies configured
Impact:
If idle state memory of APM is high then less memory is available for use during traffic flow and thereby can lead to OOM crashes and failover.
Workaround:
None
Fix:
APM policy configured with many ACL policies no longer creates APM memory pressure
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
1007113-1 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
Links to More Info: BT1007113
Component: Service Provider
Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.
Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less
Impact:
Pool member is marked DOWN even though it is active
Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.
Fix:
The system now marks the pool member as UP if DWA is received from the pool member.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1007109-1 : Flowmap entry is deleted before updating its timeout to INDEFINITE
Links to More Info: BT1007109
Component: Service Provider
Symptoms:
A sessiondb entry cannot be looked up.
Conditions:
A connection takes more than 5 seconds to establish. For example, in SCTP, the connection establishment might take more than 5 seconds with a maximum timeout of 60 seconds
Impact:
The session db lookup failure leads to the establishment of a new connection, even though there is an existing connection to the pool member.
Workaround:
Increase the temporary timeout of the session db entry to 60 seconds.
Fix:
Fixed the temporary timeout of the session db entry
Fixed Versions:
16.1.0, 15.1.5.1, 14.1.4.6
1006893-2 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
Links to More Info: BT1006893
Component: Access Policy Manager
Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.
Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
TMM does not core and functionality works as expected.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1006781-1 : Server SYN is sent on VLAN 0 when destination MAC is multicast
Links to More Info: BT1006781
Component: Local Traffic Manager
Symptoms:
TCP connections cannot be established when a multicast destination MAC is used. Traffic outage occurs.
Conditions:
Virtual wire with multicast destination MAC used while establishing TCP connections.
Impact:
Traffic outage.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.4.1
1006509 : TMM memory leak ★
Links to More Info: BT1006509
Component: Access Policy Manager
Symptoms:
After upgrading to 15.1.0.4, tmm memory grows and tmm may restart or the BIG-IP system may reboot.
Conditions:
-- APM provisioned
-- Other conditions are unknown but it linked to single sign-on functionality
Impact:
Tmm memory grows and tmm may restart. Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm memory leak.
Fixed Versions:
16.1.5, 15.1.7
1006345-1 : Static mac entry on trunk is not programmed on CPU-only blades
Links to More Info: BT1006345
Component: TMOS
Symptoms:
More traffic egressing out from primary link of lacp when there is DLFs (destination lookup failures) since static mac is not present on CPU-only blades
Conditions:
Static mac configured on trunk on all platforms except i4000, i850/i2000, 2000/2200, 4000/4200,4100
Impact:
DLFs (destination lookup failures) will cause the first interface in the trunk to egress all DLF'd traffic
Fixed Versions:
15.1.3.1
1006157-1 : FQDN nodes not repopulated immediately after 'load sys config'
Links to More Info: BT1006157
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
Name addresses do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 3600 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1005489-2 : iRules with persist command might result in tmm crash.
Links to More Info: BT1005489
Component: Local Traffic Manager
Symptoms:
BIG-IP systems may experience a tmm crash if iRules containing 'persist' command are being used.
Conditions:
-- BIG-IP systems with multiple TMMs
-- Virtual server with HTTP/HTTP/2 profile attached.
-- Virtual server has iRules containing the 'persist add' command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4
1005109-2 : TMM crashes when changing traffic-group on IPv6 link-local address
Links to More Info: BT1005109
Component: Local Traffic Manager
Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.
Conditions:
Changing the traffic-group on an IPv6 link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1005105-1 : Requests are missing on traffic event logging
Links to More Info: BT1005105
Component: Application Security Manager
Symptoms:
Some traffic requests are missing in Security :: Event Logs.
Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic
Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.
Workaround:
None
Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.5
1004929-2 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
Links to More Info: BT1004929
Component: TMOS
Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:
err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306
Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.
-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.
These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859
An example of such a warning is:
SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.
Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.
Workaround:
Address the warnings reported by the system.
Fixed Versions:
17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5
1004897-4 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
Links to More Info: BT1004897
Component: Local Traffic Manager
Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)
Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)
Impact:
Wrong GoAway Reason is logged
Fix:
When header count in client request exceeds max-header-count value in HTTP profile
1) FRAME_SIZE_ERROR(0x06) error code sent with GoAway frame
2) In http2 profile stats (tmsh show ltm profile http2 all) 'Max Headers Exceeded' is logged as GoAway reason
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4
1004833-2 : NIST SP800-90B compliance
Links to More Info: BT1004833
Component: TMOS
Symptoms:
Common Criteria and FIPS 140-2 certifications require compliance with NIST SP800-90B; this completes that compliance.
Conditions:
This applies to systems requiring Common Criteria and/or FIPS 140-2 compliance.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 14.1.4.2 or BIG-IP 15.1.2.1) will not be running a Common Criteria and/or FIPS 140-2 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with NIST SP800-90B.
Fixed Versions:
17.0.0, 16.1.3, 15.1.4, 14.1.4.2
1004697-2 : Saving UCS files can fail if /var runs out of space
Links to More Info: BT1004697
Component: iApp Technology
Symptoms:
When saving a UCS, /var can fill up leading to UCS failure and the following log message:
err diskmonitor[1441]: 011d0004:3: Disk partition /var has only 0% free
Conditions:
-- iApps LX installed.
-- Multiple iApps LX applications.
-- A /var partition of 1.5 GB.
Impact:
UCS archives can not be created.
Workaround:
You can use either of the following Workarounds:
-- Manually remove the /var/config/rest/node/tmp/BUILD and /var/config/rest/node/tmp/BUILDROOT directories.
-- Increase the size of /var/. For information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952
Fixed Versions:
17.1.2, 16.1.4, 15.1.10
1004689-3 : TMM might crash when pool routes with recursive nexthops and reselect option are used.
Links to More Info: BT1004689
Component: Local Traffic Manager
Symptoms:
When re-selecting to the non-directly-connected pool route member for which the route was withdrawn, TMM might experience a crash.
Conditions:
- Pool routes with non-directly-connected or recursive nexthops (pool members).
- Reselect option enabled.
- Pool members go down/up so that the re-select is triggered.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use non-directly-connected/recursive nexthops (pool members) in pool routes.
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1004633-3 : Performance degradation on KVM and VMware platforms.
Links to More Info: BT1004633
Component: Performance
Symptoms:
CPU utilization is increased.
Conditions:
-- KVM or VMware platforms are deployed.
-- FastHTTP or L7 HTTP virtual servers are configured.
Impact:
A 3-13% increase in CPU utilization which may degrade throughput with higher volumes of traffic.
Fixed Versions:
16.1.0, 15.1.4
1004537-1 : Traffic Learning: Accept actions for multiple suggestions not localized
Links to More Info: BT1004537
Component: Application Security Manager
Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.
Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.
Impact:
Actions not localized.
Workaround:
None
Fix:
Fixed localization for Accept suggestions actions list.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
1004517-2 : BIG-IP tenants on VELOS cannot install EHFs
Links to More Info: BT1004517
Component: TMOS
Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).
Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.
Impact:
EHF installation fails.
Workaround:
None
Fix:
BIG-IP tenants on VELOS can now install EHFs.
Fixed Versions:
17.1.0, 15.1.4, 14.1.4.3
1004417-3 : Provisioning error message during boot up ★
Links to More Info: BT1004417
Component: TMOS
Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)
Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.
Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.
Workaround:
None
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
1004069-1 : Brute force attack is detected too soon
Links to More Info: BT1004069
Component: Application Security Manager
Symptoms:
A Brute force attack is detected too soon.
Conditions:
The login page has the expected header validation criteria.
Impact:
The attack is detected earlier than the setpoint.
Workaround:
N/A
Fixed Versions:
17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1003765-1 : Authorization header signature triggered even when explicitly disabled
Links to More Info: BT1003765
Component: Application Security Manager
Symptoms:
Requests with base64 encoded Authorization header with disabled signatures might result in a blocking page even though the specific signature is disabled.
Conditions:
Base64 encoded Authorization header is included in the request.
Impact:
A signature violation is detected, even though the signature is disabled.
Workaround:
None
Fix:
No violation for disabled signatures.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4.1
1003633-3 : There might be wrong memory handling when message routing feature is used
Links to More Info: BT1003633
Component: Service Provider
Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0
Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled
Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.
Workaround:
N/A
Fix:
Wrong memory handling in message routing is fixed.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1003377-1 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Links to More Info: BT1003377
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
Fixed Versions:
16.1.4, 15.1.9
1003257-4 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Links to More Info: BT1003257
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1003081-2 : GRE/TB-encapsulated fragments are not forwarded.
Links to More Info: BT1003081
Component: TMOS
Symptoms:
IP fragments that arrive over a GRE/TB tunnel are not reassembled, and are not forwarded through the BIG-IP system.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP system with more than one TMM instance running.
-- Running a version or Engineering Hotfix that contains a fix for ID997541 (https://cdn.f5.com/product/bugtracker/ID997541.html).
-- GRE Round Robin DAG (the DB variable dag.roundrobin.gre) is enabled.
-- IP fragments arrive over GRE tunnel.
Impact:
BIG-IP system fails to process fragmented IP datagrams.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1002945-2 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1002945
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1002809-1 : OSPF vertex-threshold should be at least 100
Links to More Info: BT1002809
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1002761-1 : SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure
Links to More Info: BT1002761
Component: TMOS
Symptoms:
A SCTP client's INIT chunks are rejected repeatedly.
Conditions:
-- Client-side SCTP association times out and is terminated with ABORT.
-- The client attempts to INIT the association again using the same source port.
Impact:
Client cannot reconnect to BIG-IP systems, even after the network failures are resolved.
Workaround:
Fail over and restart tmm on the affected device.
Fixed Versions:
17.0.0, 16.0.1.2, 15.1.4
1002557-2 : Tcl free object list growth
Links to More Info: BT1002557
Component: Access Policy Manager
Symptoms:
Apmd memory usage grows over time when a single agent with a Tcl object is shared across multiple threads.
Conditions:
This is encountered in APM environments when passing traffic.
Impact:
Tcl free object list grows and apmd memory usage increases over time.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
1002385-3 : Fixing issue with input normalization
Links to More Info: K67397230 , BT1002385
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6
1002109-3 : Xen binaries do not follow security best practices
Links to More Info: BT1002109
Component: TMOS
Symptoms:
The following xen* binaries have multiple violations of security best practices.
usr/bin/xenstore
/usr/bin/xenstore-exists
/usr/bin/xenstore-ls
/usr/bin/xenstore-read
/usr/bin/xenstore-rm
/usr/bin/xenstore-watch
/usr/bin/xenstore-chmod
/usr/bin/xenstore-list
/usr/bin/xenstore-write
Conditions:
The violations can be seen on BIG-IP by running following script.
https://github.com/slimm609/checksec.sh
Impact:
The issue lead to violation of security best practices.
Fix:
Fixed an issue with certain xen* binaries.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
1001865-2 : No platform trunk information passed to tenant
Component: TMOS
Symptoms:
Trunk information is not being published to BIG-IP tenants for use in high availability (HA) group definitions.
Conditions:
When defining high availability (HA) groups.
Impact:
No trunk or trunk member information is reported. This reduces the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.
Workaround:
None
Fix:
Trunk information is now synchronized between the VELOS system and tenants, enhancing the tenant high availability (HA) health check.
Behavior Change:
Trunk information is now synchronized between the VELOS system and tenants, which increases the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.
Fixed Versions:
17.1.0, 15.1.4
1001509 : Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates
Links to More Info: K11162395 , BT1001509
Component: Local Traffic Manager
Symptoms:
-- A client system or browser does not trust forged certificates, and reports a cert verification warning: ERR_CERT_AUTHORITY_INVALID.
-- The forged certificate received by the client has the same values set for AKI and SKI certificate extensions.
Conditions:
Client SSL profile in SSL forward proxy is configured with the same certificate for Cert Key Chain and CA Cert Key Chain, and that certificate has an SKI extension.
Impact:
Client does not trust forged certificates and can not connect to the backend.
Workaround:
Modify the Cert Key Chain on the Client SSL profile to have a different certificate from CA Cert Key Chain.
You can find details in K11162395: A client browser may not trust the certificate issued by the BIG-IP SSL forward proxy :: https://support.f5.com/csp/article/K11162395
Fix:
Certificate forged by SSL forward proxy does not contain AKI and SKI extensions, so this issue no longer occurs.
Fixed Versions:
15.1.3, 14.1.4.3
1001369-2 : D-Bus vulnerability CVE-2020-12049
Links to More Info: K16729408
1001337-1 : Cannot read single sign-on configuration from GUI when logged in as guest
Links to More Info: BT1001337
Component: Access Policy Manager
Symptoms:
When logging in to the BIG-IP GUI and attempting to read an existing single sign-on configuration from Access :: Single Sign-On, you see the following error from GUI.
General database error retrieving information.
Conditions:
-- The logged in BIG-IP user account is configured with the guest role.
-- Go to Access :: Single Sign-On to read existing SSO configurations.
Impact:
Cannot read SSO configurations from the GUI when logged on as guest.
Workaround:
Use tmsh commands to read SSO configuration.
Fix:
BIG-IP users with guest user account roles can now read SSO configurations from the GUI.
Fixed Versions:
15.1.4.1, 14.1.4.5
1001069-3 : VE CPU usage higher after upgrade, given same throughput
Links to More Info: BT1001069
Component: TMOS
Symptoms:
Significant increase in CPU usage post-upgrade.
Conditions:
- Upgrading from version 13.x to a later version.
- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.
Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.
Workaround:
Create the following overrides:
- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet
- In '/config/xnet_init.tcl' add or append the following:
device driver vendor_dev 1137:0043 dpdk
Note: These overrides must be re-applied every time an upgrade is done.
Fix:
Changed configuration to use DPDK-XNet as the default driver for Cisco eNIC.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1001041-3 : Reset cause 'Illegal argument'
Links to More Info: BT1001041
Component: Access Policy Manager
Symptoms:
Client connections get aborted usually after the full transfer of the HTTP Post request.
If logging of reset reason is enabled using:
tmsh modify sys db tm.rstcause.log value enable
LTM logs report the reset reason as 'Illegal Argument'.
Conditions:
When using the APM PingAccess feature, any HTTP transaction that takes a long time to complete can result in this issue. This issue can be triggered if there is a large POST request or if the backend server is slow in responding to the requests.
Impact:
Clients cannot post large files to backend servers with APM PingAccess support.
Workaround:
None
Fix:
The timeout is now properly handled for large post requests, so that no reset occurs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
1000973-3 : Unanticipated restart of TMM due to heartbeat failure
Links to More Info: BT1000973
Component: TMOS
Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.
High resolution timers (hrtimer) may be lost.
Conditions:
This occurs when data in kernel hrtimer module is corrupted by a kernel bug, so a tmm thread may fail to wake at the appropriate time after having entered a planned short sleep.
The precise details in this particular case are not knowable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Very rarely, this might take a long time, in which case there is no mitigation except to wait for the operation to complete.
Alternatively, the unit might remain offline, in which rebooting the system is the better option.
Fix:
Fixed kernel issue that led to an unanticipated restart of tmm due to heartbeat failure.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
1000789-2 : ASM-related iRule keywords may not work as expected
Links to More Info: BT1000789
Component: Application Security Manager
Symptoms:
Some ASM-related iRule keywords may not work as expected when DoSL7 is used.
Conditions:
ASM iRule keywords are used in a bot defense- or DoSL7-related event, and DoSL7 is used.
Impact:
ASM-related iRule keywords may not work as expected.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1000741-3 : Fixing issue with input normalization
Links to More Info: K67397230 , BT1000741
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
1000669-2 : Tmm memory leak 'string cache' leading to SIGFPE
Links to More Info: BT1000669
Component: Access Policy Manager
Symptoms:
SIGFPE core on tmm. The tmm string cache leaks aggressively and memory reaches 100% and triggers a core.
In /var/log/tmm you see an error:
Access encountered error: ERR_OK. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete_callback, Line: 2123
Conditions:
This can be encountered while APM is configured and passing traffic. Specific conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed mishandled error code path
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
1000561-3 : HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side
Links to More Info: BT1000561
Component: Local Traffic Manager
Symptoms:
HTTP/2 virtual servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
This results in a malformed HTTP response.
Conditions:
-- BIG-IP configured with a HTTP/2 virtual server using OneConnect and request-logging profiles.
-- The pool member sends a chunked response.
Impact:
The HTTP response passed to the client-side includes chunk size header values when it should not, resulting in a malformed HTTP response.
Workaround:
Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
Fix:
The HTTP response egressing the client-side no longer includes chunk size bytes.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1000405-2 : VLAN/Tunnels not listed when creating a new rule via GUI
Links to More Info: BT1000405
Component: Advanced Firewall Manager
Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.
Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.
Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.
Workaround:
Use tmsh to specify tunnels for firewall rules.
Fix:
The available tunnels now display in the VLAN/Tunnels dropdown.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
1000069-1 : Virtual server does not create the listener
Links to More Info: BT1000069
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
Known Issues in BIG-IP v15.1.x
TMOS Issues
| ID Number | Severity | Links to More Info | Description |
| 1305069 | 0-Unspecified | BT1305069 | [vCMP] Guest on v15.1.8+, on startup chmand publishes incorrect interface_media_active for mgmt interface |
| 934133-1 | 1-Blocking | BT934133 | Unable to Create/delete ltm virtual server via CLI transaction when destination is not specified on the ltm virtual object |
| 913713-2 | 1-Blocking | BT913713 | Rebooting a blade causes MCPd to core as it rejoins the cluster |
| 858173-3 | 1-Blocking | BT858173 | SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1 ★ |
| 1395081-3 | 1-Blocking | K000137514 , BT1395081 | Remote users are unable to generate authentication tokens |
| 1284709 | 1-Blocking | F5RSS based BIG-IP system does not support `pkill -9 tmm` | |
| 1273041-4 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts |
| 1226585-4 | 1-Blocking | BT1226585 | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode |
| 1190777-3 | 1-Blocking | Unable to add a device to a device trust when the BigDB variable icontrol.basic_auth is set to disable on target device | |
| 1106521 | 1-Blocking | BT1106521 | Boot Marker logs missing ISO formatted date |
| 1049085-2 | 1-Blocking | BT1049085 | Booting into a newly installed hotfix volume may stall on RAID-capable platforms ★ |
| 998945-2 | 2-Critical | BT998945 | Load sys config is failing with OOM in MCPD processing |
| 997793-2 | 2-Critical | K34172543 , BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd ★ |
| 990853-3 | 2-Critical | BT990853 | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. |
| 979045-3 | 2-Critical | BT979045 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms |
| 967769-2 | 2-Critical | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks |
| 967573-2 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails |
| 937481-2 | 2-Critical | BT937481 | Tomcat restarts with error java.lang.OutOfMemoryError |
| 929133-2 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
| 910325 | 2-Critical | BT910325 | DDoS Vector - TCP BAD ACK is not hardware-accelerated |
| 907645-1 | 2-Critical | BT907645 | IPsec SAs may not be mirrored to HA standby |
| 888765-1 | 2-Critical | BT888765 | After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files ★ |
| 882757-1 | 2-Critical | BT882757 | Sflow_agent crash SIGABRT in the cleanup flow |
| 865653-3 | 2-Critical | BT865653 | Wrong FDB table entries with same MAC and wrong VLAN combination |
| 858877-3 | 2-Critical | BT858877 | SSL Orchestrator config sync issues between HA-pair devices |
| 842669-3 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
| 840769-2 | 2-Critical | BT840769 | Having more than one IKE-Peer version value results in upgrade failure ★ |
| 838597-1 | 2-Critical | BT838597 | Unable to load license/dossier when going down for vCMP |
| 808149-2 | 2-Critical | BT808149 | Tmm crash |
| 780437-6 | 2-Critical | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
| 777389-5 | 2-Critical | BT777389 | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts |
| 767473-1 | 2-Critical | BT767473 | SMTP Error: Could not authenticate |
| 758929-6 | 2-Critical | BT758929 | Bcm56xxd MIIM bus access failure |
| 750588-3 | 2-Critical | BT750588 | While loading large configurations on BIG-IP systems, some daemons may core intermittently. |
| 742764-2 | 2-Critical | BT742764 | If two racoon daemon are spawned on startup, one fails and cores. |
| 742419-4 | 2-Critical | BT742419 | BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi |
| 721591-1 | 2-Critical | BT721591 | Java crashes with core during with high load on REST API |
| 712925-2 | 2-Critical | BT712925 | Unable to query a monitor status through iControl REST if the monitor is in a non-default partition |
| 671545-2 | 2-Critical | BT671545 | MCPD core while booting up device with error "Unexpected exception caught" |
| 652877-6 | 2-Critical | BT652877 | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
| 382363-3 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
| 1758141 | 2-Critical | BT1758141 | CGNAT/NAPT Translation failure for clients in SDAG |
| 1678105-2 | 2-Critical | BT1678105 | F5OS tenant, TMM crashing after loading a UCS |
| 1632745-3 | 2-Critical | BT1632745 | Tmctl snapshots fail to work when slow_merge is enabled |
| 1598465-4 | 2-Critical | BT1598465 | Tmm core while modifying traffic selector |
| 1580229-1 | 2-Critical | BT1580229 | Tmm tunnel failed to respond to ISAKMP |
| 1571817-3 | 2-Critical | BT1571817 | FQDN pool member status down event is not synced to the peer device |
| 1491001 | 2-Critical | BT1491001 | Page allocation failure: order:2, mode:0x204020" on BIG-IP i5820-DF (C125) |
| 1410953-3 | 2-Critical | BT1410953 | Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. |
| 1365861 | 2-Critical | BT1365861 | TMM crash due to SIGABRT |
| 1360757-2 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" |
| 1330213-4 | 2-Critical | BT1330213 | SIGABRT is sent when single quotes are not closed/balanced in TMSH commands |
| 1329545 | 2-Critical | BT1329545 | Guest user is able to save configuration |
| 1321029-3 | 2-Critical | BT1321029 | BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN |
| 1296925-2 | 2-Critical | BT1296925 | Unable to create two boot locations using the 'ALL' F5OS tenant image at default storage size |
| 1295481-1 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires |
| 1124837-1 | 2-Critical | BT1124837 | Detaching-then-reattaching VLAN on an active LACP trunk on r2k and r4k systemsneeds tmm restart |
| 1093717-2 | 2-Critical | BT1093717 | BGP4 SNMP traps are not working. |
| 1077789-3 | 2-Critical | BT1077789 | System might become unresponsive after upgrading. ★ |
| 1067857-5 | 2-Critical | BT1067857 | HSB completion time out causes unexpected reboot |
| 1065041 | 2-Critical | BT1065041 | Web Application shows 'Not Found' in GUI. |
| 1039609-3 | 2-Critical | BT1039609 | Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain |
| 1029949-1 | 2-Critical | BT1029949 | IPsec traffic selector state may show incorrect state on high availability (HA) standby device |
| 1027961-1 | 2-Critical | BT1027961 | Changes to an admin user's account properties may result in MCPD crash and failover |
| 1024269-2 | 2-Critical | BT1024269 | Forcing a file system check on the next system reboot does not check all filesystems. |
| 1020049 | 2-Critical | BT1020049 | iControl REST 401 error caused by pam-authenticator failure |
| 1014361-1 | 2-Critical | BT1014361 | Config sync fails after provisioning APM or changing BIG-IP license |
| 1012493-4 | 2-Critical | BT1012493 | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check |
| 1011801 | 2-Critical | BT1011801 | L2 behavior becomes inconsistent while scaling address space |
| 999021-3 | 3-Major | BT999021 | IPsec IKEv1 tunnels fail after a config sync from Standby to Active |
| 998957-3 | 3-Major | BT998957 | MCPD consumes excessive CPU while collecting statistics |
| 998649-3 | 3-Major | BT998649 | Hostnames that contain a period are logged incorrectly |
| 997541-3 | 3-Major | BT997541 | Round-robin GRE Disaggregator for hardware and software |
| 995605-1 | 3-Major | BT995605 | PVA accelerated traffic does not update route domain stats |
| 994365-3 | 3-Major | BT994365 | Inconsistency in tmsh 'object mode' for some configurations |
| 994361-3 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
| 992449-3 | 3-Major | BT992449 | The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI |
| 992253-2 | 3-Major | BT992253 | Cannot specify IPv6 management IP addresses using GUI |
| 992113-1 | 3-Major | BT992113 | Page allocation failures on VIPRION B2250 blades |
| 991829-3 | 3-Major | BT991829 | Continuous connection refused errors in restjavad |
| 988745-3 | 3-Major | BT988745 | On reboot, 'could not find platform object' errors may be seen in /var/log/ltm |
| 987081-3 | 3-Major | BT987081 | Alarm LED remains active on Secondary blades even after LCD alerts are cleared |
| 981485-4 | 3-Major | BT981485 | Neurond enters a restart loop after FPGA update. |
| 977953-2 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
| 976013-4 | 3-Major | BT976013 | If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards |
| 971009-1 | 3-Major | BT971009 | SNMPv3 alerts are not sent after upgrade to post 15.1.0.3 firmware |
| 969345-2 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination |
| 969329-2 | 3-Major | BT969329 | Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP |
| 967557-2 | 3-Major | BT967557 | Improve apm logging when loading sys config fails due to corruption of epsec rpm database |
| 965941-2 | 3-Major | BT965941 | Creating a net packet filter in the GUI does not work for ICMP for IPv6 |
| 962477-3 | 3-Major | BT962477 | REST calls that modify GTM objects as a user other than admin may take longer than expected |
| 960029-2 | 3-Major | BT960029 | Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error |
| 959241-2 | 3-Major | BT959241 | Fix for ID871561 might not work as expected on the VCMP host |
| 959057-3 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
| 958601-2 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists |
| 957993-2 | 3-Major | BT957993 | Unable to set a port list in the GUI for an IPv6 address for a virtual server |
| 956625-2 | 3-Major | BT956625 | Port and port-list type are both stored in a traffic-matching-criteria object |
| 955897-2 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain ★ |
| 953477-3 | 3-Major | BT953477 | Syncookie HW mode not cleared when modifying VLAN config. |
| 948601-3 | 3-Major | BT948601 | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU |
| 948101-1 | 3-Major | BT948101 | Pair of phase 2 SAs missing after reboot of standby BIG-IP device |
| 946121-2 | 3-Major | BT946121 | SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk. |
| 945413-3 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
| 943641-1 | 3-Major | BT943641 | IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration |
| 943473-2 | 3-Major | BT943473 | LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI |
| 943045-2 | 3-Major | BT943045 | Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name. |
| 942217-3 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' |
| 941381-3 | 3-Major | BT941381 | MCP restarts when deleting an application service with a traffic-matching-criteria |
| 939249-3 | 3-Major | BT939249 | iSeries LCD changes to secure mode after multiple reboots |
| 938145-1 | 3-Major | BT938145 | DAG redirects packets to non-existent tmm |
| 937601-2 | 3-Major | BT937601 | The ip-tos-to-client setting does not affect traffic to the server. |
| 935485-2 | 3-Major | BT935485 | BWC: flows might stall when using dynamic BWC policy |
| 931797-1 | 3-Major | BT931797 | LTM virtual address netmask does not persist after a reboot |
| 931629-2 | 3-Major | BT931629 | External trunk fdb entries might end up with internal MAC addresses. |
| 928389-2 | 3-Major | BT928389 | GUI becomes inaccessible after importing certificate under import type 'certificate' |
| 928353-2 | 3-Major | BT928353 | Error logged installing Engineering Hotfix: Argument isn't numeric ★ |
| 927025-3 | 3-Major | BT927025 | Sod restarts continuously |
| 924297-2 | 3-Major | BT924297 | Ltm policy MCP objects are not being synced over to the peer device |
| 923745-3 | 3-Major | BT923745 | Ctrl-Alt-Delete in virtual console reboots BIG-IP Virtual Edition |
| 922885-3 | 3-Major | K27872027 , BT922885 | BIG-IP Virtual Edition (VE) does not pass traffic on ESXi 6.5 |
| 922613-2 | 3-Major | BT922613 | Tunnels using autolasthop might drop traffic with ICMP route unreachable |
| 922153-2 | 3-Major | BT922153 | Tcpdump is failing on tmm 0.x interfaces |
| 922069 | 3-Major | BT922069 | Increase iApp block configuration processor timeout |
| 921121-4 | 3-Major | BT921121 | Tmm crash with iRule and a PEM Policy with BWC Enabled |
| 921069-2 | 3-Major | BT921069 | Neurond cores while adding or deleting rules |
| 920893-1 | 3-Major | BT920893 | GUI banner for configuration issues frozen after repeated forced VIPRION blade failover |
| 920761-2 | 3-Major | BT920761 | Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values |
| 920517-2 | 3-Major | BT920517 | Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI |
| 919401-2 | 3-Major | BT919401 | Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed |
| 919185-2 | 3-Major | BT919185 | Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed |
| 915829-2 | 3-Major | BT915829 | Particular Users unable to login with LDAP Authentication Provider |
| 915557-2 | 3-Major | BT915557 | The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status. |
| 915493-4 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
| 913573-2 | 3-Major | BT913573 | Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint. |
| 909505-3 | 3-Major | BT909505 | Creating LTM data group external object fails. |
| 909485-3 | 3-Major | BT909485 | Deleting LTM data-group external object incorrectly reports 200 when object fails to delete |
| 908753-3 | 3-Major | BT908753 | Password memory not effective even when password policy is configured |
| 908453-3 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
| 906505-2 | 3-Major | BT906505 | Display of LCD System Menu cannot be configured via GUI on iSeries platforms |
| 905749-1 | 3-Major | BT905749 | imish crash while checking for CLI help string in BGP mode |
| 904401-1 | 3-Major | BT904401 | Guestagentd core |
| 903265-3 | 3-Major | BT903265 | Single user mode faced sudden reboot |
| 901989-2 | 3-Major | BT901989 | Boot_marker writes to /var/log/btmp |
| 901529 | 3-Major | BT901529 | AFM Debug Reroute feature not supported |
| 900485-2 | 3-Major | BT900485 | Syslog-ng 'program' filter does not work |
| 899933-2 | 3-Major | BT899933 | Listing property groups in TMSH without specifying properties lists the entire object |
| 899085-6 | 3-Major | BT899085 | Configuration changes made by Certificate Manager role do not trigger saving config |
| 898577-2 | 3-Major | BT898577 | Executing a command in "mgmt tm" using iControl REST results in tmsh error |
| 895845-5 | 3-Major | BT895845 | Implement automatic conflict resolution for gossip-conflicts in REST |
| 894593-1 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting |
| 892445-2 | 3-Major | BT892445 | BWC policy names are limited to 128 characters |
| 891333-1 | 3-Major | K32545132 , BT891333 | The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption. |
| 891221-2 | 3-Major | BT891221 | Router bgp neighbor password CLI help string is not helpful |
| 888081-4 | 3-Major | BT888081 | BIG-IP VE Migration feature fails for 1NIC |
| 884989-1 | 3-Major | BT884989 | IKE_SA's Not mirrored of on Standby device if it reboots |
| 884729-2 | 3-Major | BT884729 | The vCMP CPU usage stats are incorrect |
| 883149-1 | 3-Major | BT883149 | The fix for ID 439539 can cause mcpd to core. |
| 882833-2 | 3-Major | BT882833 | SELinux issue cause zrd down ★ |
| 882609-1 | 3-Major | BT882609 | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back |
| 880689-2 | 3-Major | Update oprofile tools for compatibility with current architecture | |
| 880473-1 | 3-Major | BT880473 | Under certain conditions, the virtio driver may core during shutdown |
| 880013-1 | 3-Major | BT880013 | Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration |
| 880009-1 | 3-Major | BT880009 | Tcpdump does not export the TLS1.3 early secret |
| 879969-5 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
| 876809-3 | 3-Major | BT876809 | GUI cannot delete a cert with a name that contains with * or \ or [ ] within the cert name that ends with .crt |
| 872165-2 | 3-Major | BT872165 | LDAP remote authentication for REST API calls may fail during authorization |
| 871705-6 | 3-Major | BT871705 | Restarting bigstart shuts down the system |
| 867549-3 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely ★ |
| 867253-3 | 3-Major | BT867253 | Systemd not deleting user journals |
| 867249-1 | 3-Major | BT867249 | New SNMP authentication type and privacy protocol algorithms not available in UI |
| 867177-3 | 3-Major | BT867177 | Outbound TFTP and Active FTP no longer work by default over the management port |
| 864321-3 | 3-Major | BT864321 | Default Apache testing page is reachable at <mgmt-ip>/noindex |
| 862525-1 | 3-Major | GUI Browser Cache Timeout option is not available via tmsh | |
| 860245-1 | 3-Major | BT860245 | SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x |
| 860181-1 | 3-Major | BT860181 | After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error |
| 853617-1 | 3-Major | BT853617 | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles |
| 852565-5 | 3-Major | BT852565 | On Device Management::Overview GUI page, device order changes |
| 852265-1 | 3-Major | BT852265 | Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width |
| 851837-2 | 3-Major | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
| 851021-1 | 3-Major | Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error | |
| 850357-1 | 3-Major | BT850357 | LDAP - tmsh cannot add config to nslcd.conf |
| 846141-1 | 3-Major | BT846141 | Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name. |
| 844925-3 | 3-Major | BT844925 | Command 'tmsh save /sys config' fails to save the configuration and hangs |
| 843661-1 | 3-Major | BT843661 | TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command |
| 841721-2 | 3-Major | BT841721 | BWC::policy detach appears to run, but BWC control is still enabled |
| 838337-1 | 3-Major | BT838337 | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. |
| 837885-1 | 3-Major | BT837885 | Error message: Unable to parse availability log. |
| 827293-3 | 3-Major | BT827293 | TMM may crash running remote tcpdump |
| 827209-4 | 3-Major | BT827209 | HSB transmit lockup on i4600 |
| 827021-7 | 3-Major | BT827021 | MCP update message may be lost when primary blade changes in chassis |
| 826313-6 | 3-Major | BT826313 | Error: Media type is incompatible with other trunk members ★ |
| 824809-6 | 3-Major | BT824809 | bcm56xxd watchdog restart |
| 819457-1 | 3-Major | BT819457 | LTM high availability (HA) sync should not sync GTM zone configuration |
| 819261-4 | 3-Major | BT819261 | Log HSB registers when parts of the device becomes unresponsive |
| 818505-1 | 3-Major | BT818505 | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
| 817089-3 | 3-Major | BT817089 | Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing |
| 814353-6 | 3-Major | BT814353 | Pool member silently changed to user-disabled from monitor-disabled |
| 814273-1 | 3-Major | BT814273 | Multicast route entries are not populating to tmm after failover |
| 810613-5 | 3-Major | BT810613 | GUI Login History hides informative message about max number of lines exceeded |
| 807837-2 | 3-Major | BT807837 | Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain. ★ |
| 806881-6 | 3-Major | BT806881 | Loading the configuration may not set the virtual server enabled status correctly |
| 803457-3 | 3-Major | BT803457 | SNMP custom stats cannot access iStats |
| 803157-3 | 3-Major | BT803157 | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots |
| 798885-4 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
| 796985-3 | 3-Major | BT796985 | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative' ★ |
| 791365-3 | 3-Major | BT791365 | Bad encryption password error on UCS save |
| 791061-5 | 3-Major | BT791061 | Config load in /Common removes routing protocols from other partitions |
| 788645-5 | 3-Major | BT788645 | BGP does not function on static interfaces with vlan names longer than 16 characters. |
| 786633-2 | 3-Major | BT786633 | Debug-level messages are being logged even when the system is not set up for debug logging |
| 781733-5 | 3-Major | BT781733 | SNMPv3 user name configuration allows illegal names to be entered |
| 780745-3 | 3-Major | BT780745 | TMSH allows creation of duplicate community strings for SNMP v1/v2 access |
| 778041-3 | 3-Major | BT778041 | tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option) |
| 776489-5 | 3-Major | BT776489 | Remote authentication attempts to resolve only LDAP host against the first three name servers configured. |
| 775845-1 | 3-Major | BT775845 | Httpd fails to start after restarting the service using the iControl REST API |
| 775797-3 | 3-Major | BT775797 | Previously deleted user account might get authenticated |
| 773577-5 | 3-Major | BT773577 | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted |
| 773173-2 | 3-Major | BT773173 | LTM Policy GUI is not working properly |
| 771137-1 | 3-Major | BT771137 | vCMP host reports much larger 'Virtual-disk' usage than du reports on the guest |
| 767305-5 | 3-Major | BT767305 | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried |
| 764969-2 | 3-Major | BT764969 | ILX no longer supports symlinks in workspaces as of v14.1.0 |
| 762097-3 | 3-Major | BT762097 | No swap memory available after upgrading to v14.1.0 and above ★ |
| 760982-1 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
| 760932-1 | 3-Major | BT760932 | Part of audit log messages are also in other logs when strings are long |
| 760354-4 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
| 759737-3 | 3-Major | BT759737 | Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests |
| 759258-5 | 3-Major | BT759258 | Instances shows incorrect pools if the same members are used in other pools |
| 757787-3 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
| 755207-1 | 3-Major | BT755207 | Large packets silently dropped on VE mlxvf5 devices |
| 751409-7 | 3-Major | BT751409 | MCP Validation does not detect when virtual servers differ only by overlapping VLANs |
| 749757-1 | 3-Major | BT749757 | -s option in qkview help does not indicate maximum size |
| 748206-3 | 3-Major | BT748206 | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position |
| 746758-1 | 3-Major | BT746758 | Qkview produces core file if interrupted while exiting |
| 744924-2 | 3-Major | BT744924 | Bladed unit goes offline after UCS install |
| 739820-7 | 3-Major | BT739820 | Validation does not reject IPv6 address for TACACS auth configuration |
| 739118-5 | 3-Major | BT739118 | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration |
| 725646-2 | 3-Major | BT725646 | The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly |
| 721892-1 | 3-Major | BT721892 | Pfmand on vCMP guests does not recover after service interruption |
| 718291-3 | 3-Major | BT718291 | iHealth upload error does not clear |
| 714216-4 | 3-Major | BT714216 | Folder in a partition may result in load sys config error |
| 711747-3 | 3-Major | BT711747 | Vcmp_pde_state_memcpy core during http traffic and pfmand resets. |
| 708991-3 | 3-Major | BT708991 | Newly entered password is not remembered. |
| 703226-2 | 3-Major | BT703226 | Failure when using transactions to create and publish policies |
| 698594-3 | 3-Major | K53752362 , BT698594 | Cave Creek Crypto hardware reports a false positive of a stuck queue state |
| 691219-2 | 3-Major | BT691219 | Hardware syncookie mode is used when global auto last hop is disabled. |
| 690928-7 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
| 688231-3 | 3-Major | BT688231 | Unable to set VET, AZOT, and AZOST timezones |
| 673952-5 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot |
| 658850-3 | 3-Major | BT658850 | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
| 654635-1 | 3-Major | K34003145 , BT654635 | FTP virtual server connections may rapidly reuse ephemeral ports |
| 637827-3 | 3-Major | BT637827 | VADC: after re-deploying a single-nic VM with multiple nics, a load can fail due to stp member 1.0 |
| 627760-7 | 3-Major | BT627760 | Gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card |
| 615329-1 | 3-Major | BT615329 | Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces |
| 612083-2 | 3-Major | BT612083 | The System Event Log may list correctable hardware, PCIe or DMI errors. |
| 587821-10 | 3-Major | BT587821 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
| 554506-1 | 3-Major | K47835034 , BT554506 | PMTU discovery from the management interface does not work |
| 538283-2 | 3-Major | BT538283 | iControl REST asynchronous tasks may block other tasks from running |
| 528314-3 | 3-Major | K16816 , BT528314 | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
| 499348-11 | 3-Major | BT499348 | System statistics may fail to update, or report negative deltas due to delayed stats merging. |
| 493740-3 | 3-Major | BT493740 | tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule. |
| 469724-3 | 3-Major | BT469724 | When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire |
| 385013-2 | 3-Major | Certain user roles do not trigger a sync for a 'modify auth password' command | |
| 342319-2 | 3-Major | BIND forwarder server list and the recursion and forward options. | |
| 1759261-1 | 3-Major | OSPF might fail to install external routes after topology change. | |
| 1696541-3 | 3-Major | BT1696541 | Engineering Hotfix may fail to install with "RPM transaction failure" message ★ |
| 1690721-3 | 3-Major | BT1690721 | Bgpd crashes on `write` config or running show running-config CLI, when trying to delete neighbor with wrong peer-group |
| 1679633-1 | 3-Major | BT1679633 | Custom SNMP OID script using clsh/ssh fails due to SElinux permissions |
| 1677429-1 | 3-Major | BT1677429 | BFD: TMM might not agree on session ownership. |
| 1670465-1 | 3-Major | BT1670465 | TMMs might not agree on session ownership when multiple cluster geometry changes occur. |
| 1644497-1 | 3-Major | BT1644497 | TMM retains old Certificate Revocation List (CRL) data in memory until the existing connections are closed |
| 1633925-1 | 3-Major | BT1633925 | Neurond is crashing intermittently during the creation/deletion of Neuron rules. |
| 1629693-3 | 3-Major | BT1629693 | Continuous rise in DHCP pool current connections statistics |
| 1629465-3 | 3-Major | BT1629465 | Configuration synchronization fails when there is large number of user partitions (characters in user partition names exceeds sixty five thousand) |
| 1620725-1 | 3-Major | BT1620725 | IPsec traffic-selector modification can leak memory |
| 1617229-1 | 3-Major | BT1617229 | The tmsh ipsec ike command causes mcp memory leak |
| 1615081-3 | 3-Major | BT1615081 | Remove SHA and AES Constraint Checks in SNMPv3 |
| 1603445-1 | 3-Major | BT1603445 | Wccpd can have high CPU when transitioning from active to standby |
| 1602209-2 | 3-Major | BT1602209 | The bigipTrafficMgmt.conf file is not copied from UCS to /config/snmp ★ |
| 1602033-3 | 3-Major | BT1602033 | Delays in REST API Calls post upgrade to 17.1.1.x ★ |
| 1600617-1 | 3-Major | BT1600617 | Few virtio driver configurations may result in excessive memory usage |
| 1593621-4 | 3-Major | BT1593621 | TMM core on IPSEC config load/sync stats ★ |
| 1589753-1 | 3-Major | BT1589753 | [BGP] IPv6 routes not installed/pushed after graceful restart when IPv6 peer-groups are configured. |
| 1588841-4 | 3-Major | BT1588841 | SA Delete is not send to other end |
| 1582593-1 | 3-Major | BT1582593 | F5OS tenant may not pass FastL4 accelerated traffic through VLAN group |
| 1581001-1 | 3-Major | BT1581001 | Memory leak in ipsec code |
| 1580369-3 | 3-Major | BT1580369 | MCPD thrown exception when syncing from active device to standby device. |
| 1562833-3 | 3-Major | BT1562833 | Qkview truncates log files without notification |
| 1549661-3 | 3-Major | BT1549661 | Logs sent to syslog-ng on VIPRION devices utilize truncated hostname instead of FQDN |
| 1538185-1 | 3-Major | BT1538185 | Broadcast destination MAC may get offloaded |
| 1496269-1 | 3-Major | BT1496269 | VCMP guest on version 16.1.4 or above might experience constant TMM crashes. ★ |
| 1492337-3 | 3-Major | BT1492337 | TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU |
| 1491165-3 | 3-Major | BT1491165 | TMM crashes when saving DAG setting and there are 7 or more blades |
| 1490861-4 | 3-Major | BT1490861 | "Virtual Server (/Common/xxx yyy)" was not found" error while deleting a virtual server in GTM |
| 1489817-1 | 3-Major | BT1489817 | Fix crash due to number of VLANs |
| 1475041-3 | 3-Major | BT1475041 | Token is getting deleted in 10 mins instead of 20 minutes. |
| 1472853-1 | 3-Major | BT1472853 | PVA may not fully come up on large platforms with many tmms |
| 1469897-2 | 3-Major | BT1469897 | Memory leak is observed in IMI when it is invoked via icall script |
| 1462421-1 | 3-Major | BT1462421 | PVA connections are not re-accelerated after a failover. |
| 1447389-2 | 3-Major | BT1447389 | Dag context may not match the current cluster state |
| 1438801-2 | 3-Major | BT1438801 | VLAN name greater than or equal to 32 characters causes VLAN to lose member information |
| 1409537-2 | 3-Major | BT1409537 | The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses |
| 1408229-3 | 3-Major | BT1408229 | VCMP guest deployment may fail on newly installed blade |
| 1407929-1 | 3-Major | BT1407929 | Virtual-wire HW offload statistics are incorrect |
| 1403869-2 | 3-Major | BT1403869 | CONNFLOW_FLAG_DOUBLE_LB flows might route traffic to a stale next hop |
| 1401569-3 | 3-Major | BT1401569 | Engineering Hotfix readme file refers to non-applicable "full_box_reboot" command ★ |
| 1400001-2 | 3-Major | BT1400001 | PVA dedicated mode does not accelerate all connections |
| 1399741-3 | 3-Major | BT1399741 | [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty |
| 1398809-1 | 3-Major | BT1398809 | TMM can not process traffic on Cisco ENIC |
| 1395257-2 | 3-Major | BT1395257 | Processes that are using libcrypto during their startup are causing high CPU usage |
| 1389401-3 | 3-Major | BT1389401 | Peer unit incorrectly shows the pool status as unknown after merging the configuration |
| 1377737 | 3-Major | BT1377737 | SSL Orchestrator does not pass traffic when MAC masquerading is configured on R4k or R2k systems |
| 1353957-3 | 3-Major | K000137505 , BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI ★ |
| 1350717-1 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' |
| 1350693-3 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags |
| 1348061 | 3-Major | BT1348061 | [Dual Stack MGMT] - Upgrade of BIG-IP in HA with Dual stacked mgmt IP causes deletion of peers failover IPv4 unicast address ★ |
| 1347861-3 | 3-Major | BT1347861 | Monitor status update logs unclear for FQDN template pool member |
| 1347825-3 | 3-Major | BT1347825 | Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time |
| 1345989-2 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page |
| 1340513-3 | 3-Major | BT1340513 | The "max-depth exceeds 6" message in TMM logs |
| 1338993-3 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value |
| 1332473-3 | 3-Major | BT1332473 | Configuring SNAT Origin IPv6 address through GUI in non RD0 incorectly expands subnet mask to '/32' causes error during configuration load |
| 1332401-3 | 3-Major | BT1332401 | Errors after config sync with FIPS keys |
| 1324197-2 | 3-Major | BT1324197 | The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI |
| 1322413-3 | 3-Major | BT1322413 | FQDN node status changes to Unknown/Unchecked on peer device after config sync |
| 1321305 | 3-Major | BT1321305 | Deleting a partition may cause a sync validation error |
| 1320389-2 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping |
| 1319385-3 | 3-Major | BT1319385 | Syncookies may always show as enabled if a listener address is changed while syncookies is on |
| 1318041-3 | 3-Major | BT1318041 | Some OIDs using type as counter instead of expected type as gauge |
| 1316481-3 | 3-Major | BT1316481 | Large CRL file update fails with memory allocation failure |
| 1316113-1 | 3-Major | 1nic VE reloads on every reboot | |
| 1314545-2 | 3-Major | BT1314545 | Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms |
| 1312225-3 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes |
| 1311613-3 | 3-Major | BT1311613 | UCS obtained from F5OS tenant with FPGA causes continuous TMM restarts when loaded to BIG-IP |
| 1311125-4 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high |
| 1305897-1 | 3-Major | BT1305897 | A platform error can cause DAG context to be out of sync with the tenant |
| 1302777 | 3-Major | BT1302777 | One defective SFP blocks all other SFP ports on I2C |
| 1302101-2 | 3-Major | BT1302101 | Sflow receiver flows are not established at TMM startup on sDAG platforms due to sDAG delay |
| 1301897-2 | 3-Major | BT1301897 | DAG transition does not complete when TMM starts in FORCED_OFFLINE mode |
| 1298133-2 | 3-Major | BT1298133 | BFD sessions using floating self IP do not work well on multi-blade chassis and HA environments. |
| 1297257-3 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync |
| 1295353-3 | 3-Major | BT1295353 | The vCMP guest is not sending HTTP flow samples to sFlow receiver |
| 1294109-2 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name |
| 1291121-2 | 3-Major | BT1291121 | BIG-IP tenants on F5OS r5000, r10000, and r12000 platforms don't pass traffic properly while in forced offline state |
| 1289705-1 | 3-Major | BT1289705 | MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant |
| 1288009-2 | 3-Major | BT1288009 | Vxlan tunnel end point routed through the tunnel will cause a tmm crash |
| 1287649-2 | 3-Major | BT1287649 | The qkview qkvcmp (vcmp_module.xml) needs to be updated for F5OS tenancy |
| 1283721-3 | 3-Major | BT1283721 | Vmtoolsd memory leak |
| 1282193-2 | 3-Major | BT1282193 | Missing NAT46/64 offload support on F5OS platforms |
| 1282181-4 | 3-Major | High CPU or increased translation errors following upgrade or restart when DAG distribution changes | |
| 1271941 | 3-Major | BT1271941 | Tomcat CPU utilization increased after upgrading to 15.1.6 and higher versions. ★ |
| 1267353 | 3-Major | BT1267353 | HSB pause frames on iSeries |
| 1253449-2 | 3-Major | BT1253449 | After publishing, the draft LTM policy configuration might not be updated (intermittently) into the bigip.conf |
| 1252389 | 3-Major | BT1252389 | The restjavad restarted per 30 seconds due to OOM with many device discovery tasks |
| 1229309-1 | 3-Major | BT1229309 | The read-only net interfaces are allowed to be updated from TMSH but not from configuration utility |
| 1222649 | 3-Major | BT1222649 | Interface(s) can be write-able on R4K or R2K based tenant |
| 1217473-3 | 3-Major | BT1217473 | All the UDP traffic is sent to a single TMM |
| 1211797-2 | 3-Major | BT1211797 | MCPD CPU usage is 100% on updating long address-list through GUI |
| 1211089-2 | 3-Major | BT1211089 | Traffic to IPv6 all nodes address not received by TMM on VE with ixlv driver |
| 1196665-1 | 3-Major | BT1196665 | Required TCAM rules are deleted when virtual server configuration is modified |
| 1194409-3 | 3-Major | BT1194409 | Dropped messages seen in auditforwarder logging |
| 1188817-1 | 3-Major | BT1188817 | BIG-IP tenant on F5OS not allowed to modify VLAN tag value |
| 1185605-1 | 3-Major | BT1185605 | The iCall EventTriggeredHandler in non-common partition break after scriptd daemon restart |
| 1181757-3 | 3-Major | BT1181757 | BGPD assert when sending an update |
| 1170217 | 3-Major | BT1170217 | Monthly CA Bundle not removing the certificates which are going to expire |
| 1169141-2 | 3-Major | BT1169141 | Bash tab-completion Issue |
| 1166329-3 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. |
| 1153853-3 | 3-Major | BT1153853 | Revision of default value for provision.restjavad.extramb to avoid OOM errors in restjavad |
| 1148053-1 | 3-Major | BT1148053 | When client SSL profile has "cache-size 0", BIG-IP is unable to decrypt client-side traffic |
| 1145749-3 | 3-Major | BT1145749 | Locally defined BIG-IP users can be lost during a failed config-sync |
| 1137269-3 | 3-Major | BT1137269 | MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes |
| 1136781-3 | 3-Major | BT1136781 | Incorrect parsing of 'bfd notification' CLI in IMI Shell (imish) |
| 1132949-3 | 3-Major | BT1132949 | GUI reported error when changing password after mgmt port was changed |
| 1127881-3 | 3-Major | BT1127881 | Deprecate sysClientsslStatFullyHwAcceleratedConns, sysClientsslStatPartiallyHwAcceleratedConns and sysClientsslStatNonHwAcceleratedConns |
| 1126761 | 3-Major | BT1126761 | Increase "/shared" directory size on VELOS tenants from 15 GB |
| 1126561-2 | 3-Major | BT1126561 | Connections over IPsec fail when hardware acceleration in fastl4 is enabled |
| 1126505 | 3-Major | BT1126505 | HSB and switch pause frames impact data traffic |
| 1126181-3 | 3-Major | BT1126181 | ZebOS "no log syslog" configuration is not surviving reboot |
| 1124733 | 3-Major | BT1124733 | Unnecessary internal traffic is observed on the internal tmm_bp vlan |
| 1122021-2 | 3-Major | BT1122021 | Killall command might create corrupted core files |
| 1120345-4 | 3-Major | BT1120345 | Running tmsh load sys config verify can trigger high availability (HA) failover |
| 1114137-3 | 3-Major | BT1114137 | LibUV library for latest bind 9.16 |
| 1113693-2 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load |
| 1106441 | 3-Major | BT1106441 | Tcpdump SSL provider generates invalid trailer |
| 1105021-1 | 3-Major | BT1105021 | F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot |
| 1102717-1 | 3-Major | BT1102717 | High availability messages are dropped by the Standby device. |
| 1099685-2 | 3-Major | BT1099685 | Prevent crash due to lack of queue buffers |
| 1093973-5 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
| 1093553-3 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
| 1093313-4 | 3-Major | BT1093313 | CLIENTSSL_CLIENTCERT iRule event is not triggered for TLS1.3 when the client sends an empty certificate response |
| 1090313-2 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
| 1089857 | 3-Major | BT1089857 | HSB transmitter failure triggers device reboot |
| 1088981 | 3-Major | BT1088981 | iControl REST API endpoint to get pool member stats returns pool stats along with pool member stats if no partition information is specified along with pool name. |
| 1086393-2 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list |
| 1082829 | 3-Major | F5OS: Removing and recreating VLANs in the tenant does not not recreate the VLANs the same way | |
| 1082133-2 | 3-Major | iSeries LCD displays "Host inaccessible or in diagnostic mode" | |
| 1080925-2 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
| 1076801-2 | 3-Major | Loaded system increases CPU usage when using CS features | |
| 1074841-2 | 3-Major | BT1074841 | Invalid syslog configuration kills syslog-ng after restarting syslog-ng. |
| 1074053-2 | 3-Major | BT1074053 | Delay in displaying the "Now Halting..." message while performing halt from LCD. |
| 1073429-2 | 3-Major | BT1073429 | Auth partition definition is incorrectly synchronized to peer and then altered. |
| 1072081-2 | 3-Major | BT1072081 | Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config. |
| 1071441 | 3-Major | BT1071441 | RPM error log in liveinstall.log and tmm error with failed to load/open library during upgrade. ★ |
| 1064893-2 | 3-Major | BT1064893 | Keymgmtd memory leak occurs while configuring ca-bundle-manager. |
| 1064257-1 | 3-Major | BT1064257 | Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified. |
| 1062953-2 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. |
| 1062901-2 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
| 1062857-2 | 3-Major | BT1062857 | Non-tmm source logs stop populating after a system time change. |
| 1061905-2 | 3-Major | BT1061905 | Adding peer unit into device trust changes the failover address family. |
| 1058789-3 | 3-Major | BT1058789 | Virtual addresses are not created from an address list that includes an IP address range. |
| 1058765-3 | 3-Major | BT1058765 | Virtual Addresses created from an address list with prefix all say Offline (enabled) |
| 1057709-3 | 3-Major | BT1057709 | Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2. |
| 1057501-3 | 3-Major | BT1057501 | Expired DST Root CA X3 resulting in http agent request failing. |
| 1057305-2 | 3-Major | BT1057305 | On deployments that use DPDK, "-c" may be logged as the TMM process/thread name. |
| 1052893-3 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable |
| 1050457-2 | 3-Major | BT1050457 | The "Permitted Versions" field of "tmsh show sys license" only shows on first boot |
| 1046261-2 | 3-Major | BT1046261 | Asynchronous REST task IDs do not persist across process restarts |
| 1045277-2 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
| 1044281-2 | 3-Major | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
| 1044021-1 | 3-Major | BT1044021 | Searching for IPv4 strings in statistics module does not work. |
| 1043141-2 | 3-Major | K36822000 , BT1043141 | Misleading error 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP |
| 1041317-2 | 3-Major | BT1041317 | MCPD delay in processing a query_all message if the update_status bit is set |
| 1040277 | 3-Major | BT1040277 | Syslog-ng issue may cause logging to stop and possible reboot of a system |
| 1036557-3 | 3-Major | BT1036557 | Monitor information not seen in GUI |
| 1036541-3 | 3-Major | BT1036541 | Inherited-traffic-group setting of floating IP does not sync on incremental sync |
| 1036461-3 | 3-Major | K81113851 , BT1036461 | icrd_child may core with high numbers of open file descriptors. |
| 1036217-2 | 3-Major | BT1036217 | Secondary blade restarts as a result of csyncd failing to sync files for a device group |
| 1036097-3 | 3-Major | BT1036097 | VLAN failsafe does not trigger on guest |
| 1035661-2 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth |
| 1033689-2 | 3-Major | BT1033689 | BGP route map community value cannot be set to the required range when using AA::NN notation |
| 1033333-3 | 3-Major | FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device | |
| 1031413 | 3-Major | BT1031413 | "tmsh load sys config default" does not reset the configs to default in VELOS tenant after reboot |
| 1031117-2 | 3-Major | BT1031117 | The mcpd error for virtual server profiles incompatible needs to have more details |
| 1031025-2 | 3-Major | BT1031025 | Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade. ★ |
| 1028969-2 | 3-Major | BT1028969 | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working |
| 1027601 | 3-Major | BT1027601 | AFM IP Error Checksum and Bad TCP Checksum vectors not supported |
| 1027481-2 | 3-Major | BT1027481 | The log messages 'error: /bin/haloptns unexpected error -- 768' generated on A110 and D112 platforms |
| 1027477-2 | 3-Major | BT1027477 | Virtual server created with address-list in custom partition non-RD0 does not create listener |
| 1027237-3 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
| 1026989-2 | 3-Major | BT1026989 | More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. |
| 1026973-2 | 3-Major | BT1026973 | Static routes created for application traffic processing can erroneously replace the route to the management subnet. |
| 1026861-2 | 3-Major | BT1026861 | Live Update of Browser Challenges and Anti-Fraud are not cleaned up |
| 1026581-1 | 3-Major | BT1026581 | NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. |
| 1026273-1 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms ★ |
| 1025513-2 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog |
| 1022997-3 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
| 1021925-3 | 3-Major | BT1021925 | During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface |
| 1021873-2 | 3-Major | BT1021873 | TMM crash in IPIP tunnel creation with a pool route |
| 1020377-2 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon |
| 1020277-2 | 3-Major | BT1020277 | Mcpd may run out of memory when build image is missing ★ |
| 1020089-2 | 3-Major | BT1020089 | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks |
| 1020005-2 | 3-Major | BT1020005 | OOM errors after upgrade and VE instance unresponsive ★ |
| 1019829-1 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot |
| 1019749-1 | 3-Major | BT1019749 | Enabling DHCP for management should not be allowed on vCMP guest |
| 1019709-2 | 3-Major | BT1019709 | Modifying mgmt-dhcp options should not be allowed on VCMP guest |
| 1019285-3 | 3-Major | BT1019285 | Systemd hangs and is unresponsive |
| 1019129-3 | 3-Major | BT1019129 | Changing syslog remote port requires syslog-ng restart to take effect |
| 1018673-2 | 3-Major | BT1018673 | Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop |
| 1018165-2 | 3-Major | BT1018165 | GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain |
| 1017897-2 | 3-Major | BT1017897 | Self IP address creation fails with 'ioctl failed: No such device' |
| 1017857-3 | 3-Major | BT1017857 | Restore of UCS leads to incorrect UID on authorized_keys ★ |
| 1016433 | 3-Major | BT1016433 | URI rewriting is incorrect for "data:" and "javascript:" |
| 1015645-1 | 3-Major | BT1015645 | IPSec SA's missing after reboot |
| 1015453-3 | 3-Major | BT1015453 | In few circumstances, the Local Traffic menu in System > Configuration is inaccessible in the GUI |
| 1014285-3 | 3-Major | BT1014285 | Set auto-failback-enabled moved to false after upgrade ★ |
| 1012601-2 | 3-Major | BT1012601 | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input |
| 1012449-3 | 3-Major | BT1012449 | Unable to edit custom inband monitor in the GUI |
| 1012049-3 | 3-Major | BT1012049 | Incorrect virtual server list returned in response to status request |
| 1011265-1 | 3-Major | BT1011265 | Failover script cannot read /config/partitions/ after upgrade ★ |
| 1010341-2 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986 |
| 1009337-1 | 3-Major | BT1009337 | LACP trunk down due to bcm56xxd send failure |
| 1007909-3 | 3-Major | BT1007909 | Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs |
| 1004469-2 | 3-Major | BT1004469 | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string |
| 1003225-3 | 3-Major | BT1003225 | 'snmpget F5-BIGIP-LOCAL-MIB::ltmWebAccelerationProfileStat* returns zeroes |
| 1002417-1 | 3-Major | BT1002417 | Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk |
| 1001129-3 | 3-Major | Maximum Login Failures lockout for root and admin | |
| 1000325-2 | 3-Major | BT1000325 | UCS load with 'reset-trust' may not work properly if base configuration fails to load ★ |
| 992241-1 | 4-Minor | BT992241 | Unable to change initial admin password from GUI after root password change |
| 983021-2 | 4-Minor | BT983021 | Tmsh does not correctly handle the app-service for data-group records |
| 977681-2 | 4-Minor | BT977681 | Incorrect error message when changing password using passwd |
| 976517-1 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
| 962605-4 | 4-Minor | BIG-IP may go offline after installing ASU file with insufficient disk space | |
| 957461-2 | 4-Minor | BT957461 | Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format |
| 955593-2 | 4-Minor | BT955593 | "none" missing from the error string when snmp trap is configured with an invalid network type |
| 944485-5 | 4-Minor | BT944485 | License activation through proxy server uses IP address in proxy CONNECT, not nameserver |
| 943597-2 | 4-Minor | BT943597 | 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart |
| 939517-4 | 4-Minor | BT939517 | DB variable scheduler.minsleepduration.ltm changes to default value after reboot |
| 929813-2 | 4-Minor | BT929813 | "Error loading object from cursor" while updating a client SSL profile |
| 929173-2 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
| 928665-2 | 4-Minor | BT928665 | Kernel nf_conntrack table might get full with large configurations. |
| 927441-3 | 4-Minor | BT927441 | Guest user not able to see virtual server details when ASM policy attached |
| 919861-1 | 4-Minor | BT919861 | Tunnel Static Forwarding Table does not show entries per page |
| 918013-1 | 4-Minor | BT918013 | Log message with large wchan value |
| 915473-1 | 4-Minor | BT915473 | Accessing Dashboard page with AVR provisioned causes continuous audit logs |
| 915141-2 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
| 911713-3 | 4-Minor | BT911713 | Delay in Network Convergence with RSTP enabled |
| 910645-1 | 4-Minor | BT910645 | Upgrade error 'Parsing default XML files. Failed to parse xml file' ★ |
| 908005-3 | 4-Minor | BT908005 | Limit on log framework configuration size |
| 906449-2 | 4-Minor | BT906449 | Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load |
| 905881 | 4-Minor | BT905881 | MTU assignment to non-existent interface |
| 901985-6 | 4-Minor | BT901985 | Extend logging for incomplete HTTP requests |
| 899097-2 | 4-Minor | BT899097 | Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking ★ |
| 896693-4 | 4-Minor | BT896693 | Patch installation is failing for iControl REST endpoint. |
| 896689-4 | 4-Minor | BT896689 | Asynchronous tasks can be managed via unintended endpoints |
| 895669-1 | 4-Minor | BT895669 | VCMP host does not validate when an unsupported TurboFlex profile is configured |
| 893813-3 | 4-Minor | BT893813 | Modifying pool enables address and port translation in TMUI |
| 893093-2 | 4-Minor | BT893093 | An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing. |
| 884953-3 | 4-Minor | BT884953 | IKEv1 IPsec daemon racoon goes into an endless restart loop |
| 878469-2 | 4-Minor | BT878469 | System uptime in bgpBackwardTransNotification is incorrect |
| 869237-5 | 4-Minor | Management interface might become unreachable when alternating between DHCP/static address assignment. | |
| 868801-3 | 4-Minor | BT868801 | BIG-IP still sends STARTTLS if the 'No encryption' SNMP option is enabled |
| 860573-3 | 4-Minor | BT860573 | LTM iRule validation performance improvement by tracking procedure/event that have been validated |
| 858609-7 | 4-Minor | BT858609 | TMM crash on hypervisors that use MHDAG or DAGv2 hashes |
| 857045-1 | 4-Minor | BT857045 | LDAP system authentication may stop working |
| 848681-7 | 4-Minor | BT848681 | Disabling the LCD on a VIPRION causes blade status lights to turn amber |
| 846521-7 | 4-Minor | BT846521 | Config script does not refresh management address entry properly when alternating between dynamic and static |
| 843293-3 | 4-Minor | BT843293 | When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. |
| 838925-7 | 4-Minor | BT838925 | Rewrite URI translation profile can cause connection reset while processing malformed CSS content |
| 832665-1 | 4-Minor | BT832665 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5 |
| 828625-3 | 4-Minor | BT828625 | User shouldn't be able to configure two identical traffic selectors |
| 826189-3 | 4-Minor | BT826189 | The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask. |
| 824205-3 | 4-Minor | BT824205 | GUI displays error when a virtual server is modified if it is using an address-list |
| 822253-1 | 4-Minor | BT822253 | After starting up, mcpd may have defunct child "run" and "xargs" processes |
| 818737-3 | 4-Minor | BT818737 | Improve error message if user did not select a address-list or port list in the GUI |
| 816353-3 | 4-Minor | BT816353 | Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 |
| 809089-1 | 4-Minor | BT809089 | TMM crash after sessiondb ref_cnt overflow |
| 808481-5 | 4-Minor | BT808481 | Hertfordshire county missing from GTM Region list |
| 807309-3 | 4-Minor | BT807309 | Incorrect Active/Standby status in CLI Prompt after failover test |
| 805325-6 | 4-Minor | BT805325 | tmsh help text contains a reference to bigpipe, which is no longer supported |
| 803773-2 | 4-Minor | BT803773 | BGP Peer-group route-maps are not applied to newly configured address-family ipv6 peers |
| 795429-5 | 4-Minor | BT795429 | Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks. |
| 784981-2 | 4-Minor | BT784981 | Modifying 'local-ip' for a remote syslog requires restarting syslog-ng |
| 766321-2 | 4-Minor | BT766321 | boot slots created on pre-14.x systems lack ACLs |
| 761981-3 | 4-Minor | BT761981 | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors |
| 759852-4 | 4-Minor | BT759852 | SNMP configuration for trap destinations can cause a warning in the log |
| 759606-3 | 4-Minor | BT759606 | REST error message is logged every five minutes on vCMP Guest |
| 759590-6 | 4-Minor | BT759590 | Creation of RADIUS authentication fails with service types other than 'authenticate only' |
| 757167-3 | 4-Minor | BT757167 | TMM logs 'MSIX is not supported' error on vCMP guests |
| 756714-1 | 4-Minor | BT756714 | UIDs on /home directory are scrambled after upgrade ★ |
| 753712-1 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. |
| 745125-1 | 4-Minor | BT745125 | Network Map page Virtual Servers with associated Address/Port List have a blank address. |
| 742105-3 | 4-Minor | BT742105 | Displaying network map with virtual servers is slow |
| 714705-6 | 4-Minor | BT714705 | Excessive 'The Service Check Date check was skipped' log messages. |
| 713183-4 | 4-Minor | BT713183 | Malformed JSON files may be present on vCMP host |
| 712241-3 | 4-Minor | BT712241 | A vCMP guest may not provide guest health stats to the vCMP host |
| 696363-4 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
| 694765-6 | 4-Minor | BT694765 | Changing the system's admin user causes vCMP host guest health info to be unavailable |
| 690781-3 | 4-Minor | BT690781 | VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes |
| 689147-3 | 4-Minor | BT689147 | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
| 675772-2 | 4-Minor | BT675772 | IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy |
| 673573-1 | 4-Minor | BT673573 | tmsh logs boost assertion when running child process and reaches idle-timeout |
| 659579-4 | 4-Minor | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time |
| 658943-3 | 4-Minor | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants |
| 646768-1 | 4-Minor | K71255118 , BT646768 | VCMP Guest CM device name not set to hostname when deployed |
| 631083-5 | 4-Minor | BT631083 | Some files in home directory are overwritten on password change |
| 603693-2 | 4-Minor | K52239932 , BT603693 | Brace matching in switch statement of iRules can fail if literal strings use braces |
| 550526-5 | 4-Minor | K84370515 , BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. |
| 539648-3 | 4-Minor | K45138318 , BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
| 472645-2 | 4-Minor | BT472645 | Memory issues when there is a lot of data in /var/annotate (annotations for dashboard) |
| 447522-2 | 4-Minor | BT447522 | GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user. |
| 1709689-1 | 4-Minor | BT1709689 | BGP 'no bgp default ipv4-unicast' might lead to config load problems and crashes. ★ |
| 1701381-3 | 4-Minor | BT1701381 | Silent failure when modifying members of a pool that does not exist. |
| 1635013-2 | 4-Minor | BT1635013 | The "show sys service" command works only for users with Administrator role |
| 1612561-1 | 4-Minor | BT1612561 | The "Source Address" field on the Virtual Server configuration page does not accept IPv4-mapped IPv6 addresses |
| 1600669-1 | 4-Minor | BT1600669 | Inconsistency in iRule parsing for iControl REST and tmsh/WebUI |
| 1600333-1 | 4-Minor | BT1600333 | When using long VLAN names, ECMP routes with multiple nexthop addresses may fail to install |
| 1590689-4 | 4-Minor | BT1590689 | Loss of kernel routes occurs on 1NIC Virtual Edition when the DHCP lease expires. |
| 1589293-3 | 4-Minor | BT1589293 | Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm |
| 1579637-1 | 4-Minor | BT1579637 | Incorrect statistics for LTM. Rewrite profile with rewrite_uri_translation mode |
| 1576593-1 | 4-Minor | BT1576593 | Unable to tcpdump on interface name with length = 64. |
| 1560853-3 | 4-Minor | BT1560853 | [GUI] error while updating the rewrite profile uri-rules name have both leading and trailing "/" |
| 1550933-3 | 4-Minor | BT1550933 | Gtm virtual server query_all related SNMP query could get wrong result |
| 1526589-2 | 4-Minor | BT1526589 | Hostname changes to localhost.localdomain on rebooting other slots |
| 1497989-1 | 4-Minor | BT1497989 | Community list might get truncated |
| 1493869-3 | 4-Minor | BT1493869 | 'Duplicate OID index found' warning observed while running snmpwalk for F5-BIGIP-SYSTEM-MIB::sysProcPidStatProcName periodically |
| 1473181 | 4-Minor | BT1473181 | Unexpected rule invocation in tmsh displays ltm policy output |
| 1462337-3 | 4-Minor | BT1462337 | Intermittent false PSU status (not present) through SNMP |
| 1401961-1 | 4-Minor | BT1401961 | A blade with a non-functional backplane may override the dag context for the whole system |
| 1367017 | 4-Minor | BT1367017 | AFM allows to delete the virtual server which is applied in a FW rule |
| 1355309-3 | 4-Minor | BT1355309 | VLANs and VLAN groups are not automatically saved to bigip_base.conf on first boot or modification of a tenants VLANs or virtual wire |
| 1355149-2 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes |
| 1354765 | 4-Minor | BT1354765 | The prompt promptstatusd may create a core during system restart or shutdown |
| 1354309-2 | 4-Minor | BT1354309 | IKEv1 over IPv6 does not work on VE |
| 1352445-3 | 4-Minor | BT1352445 | Executing 'tmsh load sys config verify', changes Last Configuration Load Status value to 'config-load-in-progress' |
| 1331257 | 4-Minor | BT1331257 | TMSH should not allow configuring HTTP/3 on Standalone Advanced WAF |
| 1331037-2 | 4-Minor | BT1331037 | The message MCP message handling failed logs in TMM with FQDN nodes/pool members |
| 1328341 | 4-Minor | BT1328341 | BIG-IP 7200 models bcm56xxd switch hardware stops incrementing interface stats |
| 1326333 | 4-Minor | BT1326333 | Case unexpected large amount of "Calling RcvrTableHandler handler" from sflow_agent cause suppressing |
| 1324969 | 4-Minor | BT1324969 | Inconsistent behavior is observed when monitor settings are updated |
| 1324681-2 | 4-Minor | BT1324681 | Virtual-server might stop responding when traffic-matching-criteria is removed. |
| 1320889-2 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. |
| 1314769-3 | 4-Minor | BT1314769 | The error "No Access" is displayed when trying to remove Bundle Manager object from list |
| 1311977-1 | 4-Minor | IPsec interface mode tunnel not sending icmp unreachable fragmentation needed | |
| 1307197 | 4-Minor | BT1307197 | IKEv2 allow SK_ logging to be enabled without debug2 |
| 1301865-2 | 4-Minor | BT1301865 | OSPF summary might have incorrect cost when advertised by Standby unit. |
| 1301317-3 | 4-Minor | BT1301317 | Update Check request using a proxy will fail if the proxy inserts a custom header |
| 1297745 | 4-Minor | BT1297745 | IPsec IKEv2 tunnel may not start after it is allowed to expire |
| 1283749-4 | 4-Minor | BT1283749 | Systemctl start and restart fail to start the vmtoolsd service |
| 1282421 | 4-Minor | BT1282421 | IS-IS protocol may discard Multi-Topology Reachable IPv6 Prefixes |
| 1270989-4 | 4-Minor | BT1270989 | REST MemcachedClient uses fixed TMM address 127.1.1.2 to connect to memcached |
| 1270165 | 4-Minor | BT1270165 | The command "tmsh show sys hardware" giving incorrect value for AOM backup firmware |
| 1256777-2 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. |
| 1252537-2 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role |
| 1229325-4 | 4-Minor | BT1229325 | Unable to configure IP OSPF retransmit-interval as intended |
| 1223589-2 | 4-Minor | BT1223589 | Network Map page is unresponsive when a node name has the form "<IPv4>:<port>" |
| 1217077-3 | 4-Minor | BT1217077 | Race condition processing network failover heartbeats with timeout of 1 second |
| 1209589-3 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes |
| 1195061 | 4-Minor | BT1195061 | Custom MIB fails due to SSL certs access permission denied with SELinux issue |
| 1145729-1 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match |
| 1144729-3 | 4-Minor | BT1144729 | PVA stats may be incorrect when PVA offloaded flows have their nexthops changed to a different VLAN |
| 1142445-3 | 4-Minor | BT1142445 | Multicast handling on wildcard virtual servers leads to TMM memory leak |
| 1141213-3 | 4-Minor | BT1141213 | Peer is aborting the connection when PEM client runs diameter traffic over SCTP |
| 1125125-1 | 4-Minor | BT1125125 | Command "tmsh delete sys crypto csr" does not delete the CSR object file |
| 1114253-3 | 4-Minor | BT1114253 | Weighted static routes do not recover from BFD link failures |
| 1101741-3 | 4-Minor | BT1101741 | Virtual server with default pool down and iRule pool up will flap for a second during a full config-sync. |
| 1096461-4 | 4-Minor | BT1096461 | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server |
| 1095973-2 | 4-Minor | BT1095973 | Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager |
| 1095205-3 | 4-Minor | BT1095205 | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. |
| 1090441-2 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging |
| 1089005-3 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
| 1082193-2 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
| 1077293-1 | 4-Minor | BT1077293 | APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ. |
| 1074513-2 | 4-Minor | BT1074513 | Traffic class validation does not detect/prevent attempts to add duplicate traffic classes to virtual |
| 1073965-2 | 4-Minor | BT1073965 | IPsec IKEv2 tunnel may report huge "life" for IKE SA. |
| 1067653-1 | 4-Minor | BT1067653 | Ndisc6 is not working with non-default route domain. |
| 1065821-3 | 4-Minor | BT1065821 | Cannot create an iRule with a newline between event and opening brace. |
| 1060769-2 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
| 1060721-1 | 4-Minor | BT1060721 | Unable to disable auto renew in Certificate order manager via GUI. |
| 1059441-2 | 4-Minor | BT1059441 | Upgrading with a configuration that contains objects with properties that override the TCP profile can result in incorrect property values being used. ★ |
| 1057925-3 | 4-Minor | BT1057925 | GTP iRule generates a warning. |
| 1055053-3 | 4-Minor | BT1055053 | "tmsh load sys config default" does not clear Zebos config files. |
| 1054497-2 | 4-Minor | BT1054497 | Tmsh command "show sys fpga" does not report firmware for all blades. |
| 1053037-5 | 4-Minor | BT1053037 | MCP error on loading a UCS archive with a global flow eviction policy |
| 1046025-1 | 4-Minor | BT1046025 | The iavf and ixlv drivers have incorrect VHO flag for all packets |
| 1045717 | 4-Minor | IPSEC: IKEV1: Algorithms changing from one to another for authentication or encryption tunnel is not establishing | |
| 1036265-3 | 4-Minor | BT1036265 | Overlapping summary routes might not be advertised after ospf process restart. |
| 1035017-2 | 4-Minor | Remove unused CA-bundles | |
| 1034509-4 | 4-Minor | BT1034509 | Sensor read errors on VIPRION C2200 chassis |
| 1033969-3 | 4-Minor | BT1033969 | MPLS label stripping needs next protocol indicator |
| 1032921-3 | 4-Minor | BT1032921 | VCMP Guest CPU usage shows abnormal values at the Host |
| 1029173-3 | 4-Minor | BT1029173 | MCPD fails to reply and does not log a valid message if there are problems replicating a transaction to PostgreSQL |
| 1025965-3 | 4-Minor |