Supplemental Document : BIG-IP 15.1.2 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.2

BIG-IP APM

  • 15.1.2

BIG-IP Link Controller

  • 15.1.2

BIG-IP Analytics

  • 15.1.2

BIG-IP LTM

  • 15.1.2

BIG-IP AFM

  • 15.1.2

BIG-IP PEM

  • 15.1.2

BIG-IP DNS

  • 15.1.2

BIG-IP FPS

  • 15.1.2

BIG-IP ASM

  • 15.1.2
Updated Date: 05/28/2022

BIG-IP Release Notes BIG-IP Release Information

Version: 15.1.2
Build: 9.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
882189-6 CVE-2020-5897 K20346072 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
882185-6 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
881317-6 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
881293-6 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
924961-2 CVE-2019-20892 K45212738 CVE-2019-20892: SNMP Vulnerability
881445-7 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
842717-6 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
773693-7 CVE-2020-5892 K15838353 CVE-2020-5892: APM Client Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
920961-2 3-Major   Devices incorrectly report 'In Sync' after an incremental sync
756139-3 3-Major   Inconsistent logging of hostname files when hostname contains periods
754924-1 3-Major   New VLAN statistics added.
921421-3 4-Minor   iRule support to get/set UDP's Maximum Buffer Packets


TMOS Fixes

ID Number Severity Solution Article(s) Description
957337-1 2-Critical   Mgmt in tmsh broken
933409-2 2-Critical   Tomcat upgrade via Engineering Hotfix causes live-update files removal
927033-2 2-Critical   Installer fails to calculate disk size of destination volume
910201-3 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
829677-2 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
796601-2 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
943669-1 3-Major   B4450 blade reboot
935801-4 3-Major   HSB diagnostics are not provided under certain types of failures
932233-2 3-Major   '@' no longer valid in SNMP community strings
930741-2 3-Major   Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
920301-1 3-Major   Unnecessarily high number of JavaScript Obfuscator instances when device is busy
916821-2 3-Major   An authenticated user on iControlREST may gain elevated privilege level
911809-2 3-Major   TMM might crash when sending out oversize packets.
902401-5 3-Major   OSPFd SIGSEGV core when 'ospf clear' is done on remote device
898705-5 3-Major   IPv6 static BFD configuration is truncated or missing
889041-3 3-Major   Failover scripts fail to access resolv.conf due to permission issues
879405-1 3-Major   Incorrect value in Transparent Nexthop property
867181-1 3-Major   ixlv: double tagging is not working
865241-1 3-Major   Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
860317-3 3-Major   JavaScript Obfuscator can hang indefinitely
858197-2 3-Major   Merged crash when memory exhausted
846441-2 3-Major   Flow-control is reset to default for secondary blade's interface
846137-4 3-Major   The icrd returns incorrect route names in some cases
843597-1 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
841649-4 3-Major   Hardware accelerated connection mismatch resulting in tmm core
838901-4 3-Major   TMM receives invalid rx descriptor from HSB hardware
826905-3 3-Major   Host traffic via IPv6 route pool uses incorrect source address
816229-3 3-Major   Kernel Log Messages Logged Twice
811053-6 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
811041-7 3-Major   Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810821-3 3-Major   Management interface flaps after rebooting the device
789181-5 3-Major   Link Status traps are not issued on VE based BIG-IP systems
755197-5 3-Major   UCS creation might fail during frequent config save transactions
754932-1 3-Major   New SNMP MIB, sysVlanIfcStat, for VLAN statistics.
737098-1 3-Major   ASM Sync does not work when the configsync IP address is an IPv6 address
933461-4 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
924429-2 4-Minor   Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
892677-1 4-Minor   Loading config file with imish adds the newline character
882713-3 4-Minor   BGP SNMP trap has the wrong sysUpTime value
583084-6 4-Minor K15101680 iControl produces 404 error while creating records successfully


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
941089-3 2-Critical   TMM core when using Multipath TCP
919989-2 2-Critical   TMM does not follow TCP best practices
915957-1 2-Critical   The wocplugin may get into a restart loop when AAM is provisioned
908873-1 2-Critical   Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
908621-2 2-Critical   Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
891849-1 2-Critical   Running iRule commands while suspending iRule commands that are running can lead to a crash
876801-5 2-Critical   Tmm crash: invalid route type
866481-2 2-Critical   TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode
851345-1 2-Critical   The TMM may crash in certain rare scenarios involving HTTP/2
850873-3 2-Critical   LTM global SNAT sets TTL to 255 on egress.
726518-1 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
705768-2 2-Critical   The dynconfd process may core and restart with multiple DNS name servers configured
949145-5 3-Major   Improve TCP's response to partial ACKs during loss recovery
948757-2 3-Major   A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
940209 3-Major   Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
939961-2 3-Major   TCP connection is closed when necessary after HTTP::respond iRule.
934993-2 3-Major   BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
932033 3-Major   Chunked response may have DATA frame with END_STREAM prematurely
915605-6 3-Major   Image install fails if iRulesLX is provisioned and /usr mounted read-write
913249-2 3-Major   Restore missing UDP statistics
901929-2 3-Major   GARPs not sent on virtual server creation
892941-2 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
888113-3 3-Major   TMM may core when the HTTP peer aborts the connection
880361-1 3-Major   TMM may crash while processing iRules LX commands
879413-1 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
878925-2 3-Major   SSL connection mirroring failover at end of TLS handshake
860005-1 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
857845-1 3-Major   TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
850145-1 3-Major   Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
820333-1 3-Major   LACP working member state may be inconsistent when blade is forced offline
809701-7 3-Major   Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
803233-1 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
790845-4 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
724824-1 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
714642-2 3-Major   Ephemeral pool-member state on the standby is down
935593-4 4-Minor   Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
895153 4-Minor   HTTP::has_responded returns incorrect values when using HTTP/2
883105-1 4-Minor   HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect
808409-4 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
918169-1 2-Critical   The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
916753-2 2-Critical   RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
905557-1 2-Critical   Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
850509-1 2-Critical   'Decryption of the field (privatekey) for object (13079) failed' message
837637-1 2-Critical   Orphaned bigip_gtm.conf can cause config load failure after upgrading
926593-2 3-Major   GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
852101-1 3-Major   Monitor fails.
844689-1 3-Major   Possible temporary CPU usage increase with unusually large named.conf file
746348-4 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
693360-2 3-Major   A virtual server status changes to yellow while still available
644192-2 3-Major K23022557 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
940249-2 2-Critical   Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-2 2-Critical   "Illegal Base64 value" violation is detected for cookie with valid base64 value
943125-2 3-Major   Web-Socket request with JSON payload causing core during the payload parsing
941853-1 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
940897-3 3-Major   Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
921337-2 3-Major   ASM processes some web-sockets requests longer than usual
918933-2 3-Major   Some ASM attack signatures do not match on cookies
913137-1 3-Major   No learning suggestion on ASM policies enabled via LTM policy
904053-2 3-Major   Unable to set ASM Main Cookie/Domain Cookie hashing to Never
893061-2 3-Major   Out of memory for restjavad
882769-1 3-Major   Request Log: wrong filter applied when searching by Response contains or Response does not contain
919001-2 4-Minor   Live Update: Update Available notification is shown twice in rare conditions
896285-2 4-Minor   No parent entity in suggestion to add predefined-filetype as allowed filetype


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
924301-1 3-Major   Incorrect values in REST response for DNS/SIP


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
910097-2 2-Critical   Changing per-request policy while tmm is under traffic load may drop heartbeats
924857-1 3-Major   Logout URL with parameters resets TCP connection
914649-3 3-Major   Support USB redirection through VVC (VMware virtual channel) with BlastX
739570-4 3-Major   Unable to install EPSEC package
833049-4 4-Minor   Category lookup tool in GUI may not match actual traffic categorization
766017-6 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
942581-1 1-Blocking   Timestamp cookies do not work with hardware accelerated flows
938165-1 2-Critical   TMM Core after attempted update of IP geolocation database file
938149-1 3-Major   Port Block Update log message is missing the "Start time" field
910417-2 3-Major   TMM core may be seen when reattaching a vector to a DoS profile
872049-1 3-Major   Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command
871985-1 3-Major   No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection
851745-3 3-Major   High cpu consumption due when enabling large number of virtual servers


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
842989-6 3-Major   PEM: tmm could core when running iRules on overloaded systems


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
944785-2 3-Major   Admd restarting constantly. Out of memory due to loading malformed state file
923125-2 3-Major   Huge amount of admd processes caused oom



Cumulative fixes from BIG-IP v15.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935721-5 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
879745-4 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
876353-1 CVE-2020-5941 K03125360 iRule command RESOLV::lookup may cause TMM to crash
839453-6 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
834257-1 CVE-2020-5931 K25400442 TMM may crash when processing HTTP traffic
814953 CVE-2020-5940 K43310520 TMUI dashboard hardening
917469-2 CVE-2020-5946 K53821711 TMM may crash while processing FPS traffic
910017-2 CVE-2020-5945 K21540525 Security hardening for the TMUI Interface page
889557-1 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
880001-1 CVE-2020-5937 K58290051 TMM may crash while processing L4 behavioral DoS traffic
870273-5 CVE-2020-5936 K44020030 TMM may consume excessive resources when processing SSL traffic
868349-1 CVE-2020-5935 K62830532 TMM may crash while processing iRules with MQTT commands
858349-3 CVE-2020-5934 K44808538 TMM may crash while processing SAML SLO traffic
848405-2 CVE-2020-5933 K26244025 TMM may consume excessive resources while processing compressed HTTP traffic
839761-1 CVE-2020-5932 K12002065 Response Body preview hardening
778049-2 CVE-2018-13405 K00854051 Linux Kernel Vulnerability: CVE-2018-13405
887637-2 CVE-2019-3815 K22040951 Systemd-journald Vulnerability: CVE-2019-3815
852929-6 CVE-2020-5920 K25160703 AFM WebUI Hardening
818213-4 CVE-2019-10639 K32804955 CVE-2019-10639: KASLR bypass using connectionless protocols
818177-6 CVE-2019-12295 K06725231 CVE-2019-12295 Wireshark Vulnerability
858537-2 CVE-2019-1010204 K05032915 CVE-2019-1010204: Binutilis Vulnerability
834533-7 CVE-2019-15916 K57418558 Linux kernel vulnerability CVE-2019-15916


Functional Change Fixes

ID Number Severity Solution Article(s) Description
912289-1 2-Critical   Cannot roll back after upgrading on certain platforms
890229-1 3-Major   Source port preserve setting is not honored
858189-3 3-Major   Make restnoded/restjavad/icrd timeout configurable with sys db variables.
719338-1 4-Minor   Concurrent management SSH connections are unlimited


TMOS Fixes

ID Number Severity Solution Article(s) Description
864513-1 1-Blocking K48234609 ASM policies may not load after upgrading to 14.x or later from a previous major version
896217-2 2-Critical   BIG-IP GUI unresponsive
876957-1 2-Critical   Reboot after tmsh load sys config changes sys FPGA firmware-config value
871561-5 2-Critical   Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
860517-1 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
818253-3 2-Critical   Generate signature files for logs
805417-3 2-Critical   Unable to enable LDAP system auth profile debug logging
706521-2 2-Critical   The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
593536-9 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
928321-1 3-Major   Hardening of HSM UI
924493-2 3-Major   VMware EULA has been updated
921361-2 3-Major   SSL client and SSL server profile names truncated in GUI
915825-2 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
904845-2 3-Major   VMware guest OS customization works only partially in a dual stack environment.
904705-2 3-Major   Cannot clone Azure marketplace instances.
898461-2 3-Major   Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
886689-6 3-Major   Generic Message profile cannot be used in SCTP virtual
880625-3 3-Major   Check-host-attr enabled in LDAP system-auth creates unusable config
880165-2 3-Major   Auto classification signature update fails
867013-2 3-Major   Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
850777-3 3-Major   BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
838297-2 3-Major   Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
828789-1 3-Major   Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
807337-5 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
788577-7 3-Major   BFD sessions may be reset after CMP state change
759564-2 3-Major   GUI not available after upgrade
740589-4 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
719555-3 3-Major   Interface listed as 'disable' after SFP insertion and enable
489572-5 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
921369 4-Minor   Signature verification for logs fails if the log files are modified during log rotation
914761-3 4-Minor   Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
906889-4 4-Minor   Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
902417-2 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
890277-3 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
864757-3 4-Minor   Traps that were disabled are enabled after configuration save
822377-6 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability
779857-2 4-Minor   Misleading GUI error when installing a new version in another partition
751103-2 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
849085-1 5-Cosmetic   Lines with only asterisks filling message and user.log file
714176-1 5-Cosmetic   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
889209-2 2-Critical   Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
879409-3 2-Critical   TMM core with mirroring traffic due to unexpected interface name length
858429-3 2-Critical   BIG-IP system sending ICMP packets on both virtual wire interface
851857-1 2-Critical   HTTP 100 Continue handling does not work when it arrives in multiple packets
851581-3 2-Critical   Server-side detach may crash TMM
842937-6 2-Critical   TMM crash due to failed assertion 'valid node'
931513-3 3-Major   Some sequence of HTTP packets may cause TMM to crash
915713-2 3-Major   Support QUIC and HTTP3 draft-29
915689-1 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915281-2 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
892385 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
883529-1 3-Major   HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path
851789-2 3-Major   SSL monitors flap with client certs with private key stored in FIPS
851477-1 3-Major   Memory allocation failures during proxy initialization are ignored leading to TMM cores
851045-1 3-Major   LTM database monitor may hang when monitored DB server goes down
830797-3 3-Major   Standby high availability (HA) device passes traffic through virtual wire
816881-2 3-Major   Serverside conection may use wrong VLAN when virtual wire is configured
801497-3 3-Major   Virtual wire with LACP pinning to one link in trunk.
932937-2 4-Minor   HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
926997-1 4-Minor   QUIC HANDSHAKE_DONE profile statistics are not reset
852373-3 4-Minor   HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
814037-6 4-Minor   No virtual server name in Hardware Syncookie activation logs.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
919553-2 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
908673-5 2-Critical   TMM may crash while processing DNS traffic
788465-5 2-Critical   DNS cache idx synced across HA group could cause tmm crash
783125-1 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
898093-2 3-Major   Removing one member from a WideIP removes it from all WideIPs.
869361-1 3-Major   Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
904937-2 4-Minor   Excessive resource consumption in zxfrd


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
868641-3 2-Critical   Possible TMM crash when disabling bot profile for the entire connection
843801-2 2-Critical   Like-named previous Signature Update installations block Live Update usage after upgrade
918081-1 3-Major   Application Security Administrator role cannot create parent policy in the GUI
917509-3 3-Major   ASM processes some requests longer than usual
913761-2 3-Major   Security - Options section in navigation menu is visible for only Administrator users
903357-2 3-Major   Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
901061-2 3-Major   Safari browser might be blocked when using Bot Defense profile and related domains.
898741-2 3-Major   Missing critical files causes FIPS-140 system to halt upon boot
892637-1 3-Major   Microservices cannot be added or modified
888285-1 3-Major K18304067 Sensitive positional parameter not masked in 'Referer' header value
888261-1 3-Major   Policy created with declarative WAF does not use updated template.
881757-1 3-Major   Unnecessary HTML response parsing and response payload is not compressed
880753-3 3-Major K38157961 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
879777-3 4-Minor   Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
919841-3 3-Major   AVRD may crash while processing Bot Defense traffic
908065-2 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
819301-2 3-Major   Incorrect values in REST response for dos-l3 table
866613-4 4-Minor   Missing MaxMemory Attribute


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
928037-2 2-Critical   APM Hardening
905125-2 2-Critical   Security hardening for APM Webtop
886729-2 2-Critical   Intermittent TMM crash in per-request-policy allow-ending agent
838861-3 2-Critical   TMM might crash once after upgrading SSL Orchestrator
579219-5 2-Critical   Access keys missing from SessionDB after multi-blade reboot.
904165-1 3-Major   APMD may crash while processing certain parameters
892937-2 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
857589-1 3-Major   On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
771961-3 3-Major   While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
747020-2 3-Major   Requests that evaluate to same subsession can be processed concurrently
679751-2 4-Minor   Authorization header can cause a connection reset


Service Provider Fixes

ID Number Severity Solution Article(s) Description
898997-2 3-Major   GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
891385-2 3-Major   Add support for URI protocol type "urn" in MRF SIP load balancing
697331-2 3-Major   Some TMOS tools for querying various DBs fail when only a single TMM is running
924349-2 4-Minor   DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
872645-2 3-Major   Protected Object Aggregate stats are causing elevated CPU usage
852289-4 3-Major K23278332 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
789857 3-Major   "TCP half open' reports drops made by LTM syn-cookies mitigation.
920361-2 4-Minor   Standby device name sent in Traffic Statistics syslog/Splunk messages


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
935029-3 2-Critical   TMM may crash while processing IPv6 NAT traffic


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
933741-2 2-Critical   Security hardening in FPS GUI
876581-2 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
891729-2 4-Minor   Errors in datasyncd.log
759988-2 4-Minor   Geolocation information inconsistently formatted
940401-2 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Device Management Fixes

ID Number Severity Solution Article(s) Description
932065-2 3-Major   iControl REST framework exception handling hardening
911761-2 3-Major   iControl REST endpoint response includes the request content


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
912969-2 3-Major   iAppsLX Security Hardening


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
754855-7 2-Critical   TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile



Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
912221-1 CVE-2020-12662
CVE-2020-12663
K37661551 CVE-2020-12662 & CVE-2020-12663
900905-3 CVE-2020-5926 K42830212 TMM may crash while processing SIP data
888417-5 CVE-2020-8840 K15320518 Apache Vulnerability: CVE-2020-8840
883717-1 CVE-2020-5914 K37466356 BD crash on specific server cookie scenario
841577-2 CVE-2020-5922 K20606443 iControl REST hardening
838677-1 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
837773-7 CVE-2020-5912 K12936322 Restjavad Storage and Configuration Hardening
788057-3 CVE-2020-5921 K00103216 MCPD may crash while processing syncookies
917005-5 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
902141-1 CVE-2020-5919 K94563369 TMM may crash while processing APM data
888489-2 CVE-2020-5927 K55873574 ASM UI hardening
886085-5 CVE-2020-5925 K45421311 TMM may crash while processing UDP traffic
872673-1 CVE-2020-5918 K26464312 TMM can crash when processing SCTP traffic
856961-7 CVE-2018-12207 K17269881 INTEL-SA-00201 MCE vulnerability CVE-2018-12207
837837-2 CVE-2020-5917 K43404629 SSH Client Requirements Hardening
832885-1 CVE-2020-5923 K05975972 Self-IP hardening
830481-1 CVE-2020-5916 K29923912 SSL TMUI hardening
816413-5 CVE-2019-1125 K31085564 CVE-2019-1125: Spectre SWAPGS Gadget
811789-7 CVE-2020-5915 K57214921 Device trust UI hardening
888493-2 CVE-2020-5928 K40843345 ASM GUI Hardening
748122-8 CVE-2018-15333 K53620021 BIG-IP Vulnerability CVE-2018-15333
746091-8 CVE-2019-19151 K21711352 TMSH Vulnerability: CVE-2019-19151
717276-9 CVE-2020-5930 K20622530 TMM Route Metrics Hardening
839145-3 CVE-2019-10744 K47105354 CVE-2019-10744: lodash vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
816233-1 2-Critical   Session and authentication cookies should use larger character set
890421-2 3-Major   New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers
691499-5 3-Major   GTP::ie primitives in iRule to be certified
745465-4 4-Minor   The tcpdump file does not provide the correct extension


TMOS Fixes

ID Number Severity Solution Article(s) Description
934241-2 1-Blocking   TMM may core when using FastL4's hardware offloading feature
891477-3 2-Critical   No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
890513-2 2-Critical   MCPD fails to load configuration from binary database
849405-2 2-Critical   LTM v14.1.2.1 does not log after upgrade
842865-2 2-Critical   Add support for Auto MAC configuration (ixlv)
739507-3 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
927901-4 3-Major   After BIG-IP reboot, vxnet interfaces come up as uninitialized
915497-2 3-Major   New Traffic Class Page shows multiple question marks.
907549-1 3-Major   Memory leak in BWC::Measure
891721-3 3-Major   Anti-Fraud Profile URLs with query strings do not load successfully
888497-2 3-Major   Cacheable HTTP Response
887089-1 3-Major   Upgrade can fail when filenames contain spaces
877145-4 3-Major   Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
871657-1 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
844085-1 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
842125-6 3-Major   Unable to reconnect outgoing SCTP connections that have previously aborted
821309-1 3-Major   After an initial boot, mcpd has a defunct child "systemctl" process
814585-1 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
807005-5 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
802685-2 3-Major   Unable to configure performance HTTP virtual server via GUI
797829-6 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
785741-3 3-Major K19131357 Unable to login using LDAP with 'user-template' configuration
760622-5 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
405329-3 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold
919745-2 4-Minor   CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-3 4-Minor   GUI Network Map icons color scheme is not section 508 compliant
851393-1 4-Minor   Tmipsecd leaves a zombie rm process running after starting up
804309-1 4-Minor   [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
713614-7 4-Minor   Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
767269-5 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
925989 2-Critical   Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4
909837-1 2-Critical   TMM may consume excessive resources when AFM is provisioned
898949-1 2-Critical   APM may consume excessive resources while processing VPN traffic
839749-3 2-Critical   Virtual server with specific address list might fail to create via GUI
715032-1 2-Critical K73302459 iRulesLX Hardening
916589-2 3-Major   QUIC drops 0RTT packets if CID length changes
910521-2 3-Major   Support QUIC and HTTP draft-28
893281-3 3-Major   Possible ssl stall on closed client handshake
813701-6 3-Major   Proxy ARP failure
788753-2 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
786517-5 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
720440-6 3-Major   Radius monitor marks pool members down after 6 seconds
914681-2 4-Minor   Value of tmm.quic.log.level can differ between TMSH and GUI
714502-3 4-Minor   bigd restarts after loading a UCS for the first time


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
789421-4 3-Major   Resource-administrator cannot create GTM server object through GUI
774257-4 5-Cosmetic   tmsh show gtm pool and tmsh show gtm wideip print duplicate object types


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
904593-1 2-Critical   Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
865461-1 2-Critical   BD crash on specific scenario
900797-2 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900793-1 3-Major K32055534 APM Brute Force Protection resources do not scale automatically
900789-2 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
892653-1 3-Major   Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
880789-3 3-Major   ASMConfig Handler undergoes frequent restarts
874753-3 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events
871905-2 3-Major K02705117 Incorrect masking of parameters in event log
868721-1 3-Major   Transactions are held for a long time on specific server related conditions
863609-4 3-Major   Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
854177-5 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850677-4 3-Major   Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
848445-1 3-Major K86285055 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
833685-5 3-Major   Idle async handlers can remain loaded for a long time doing nothing
809125-5 3-Major   CSRF false positive
799749-2 3-Major   Asm logrotate fails to rotate
783165-1 3-Major   Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
742549-3 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
722337-2 3-Major   Always show violations in request log when post request is large
640842-5 3-Major   ASM end user using mobile might be blocked when CSRF is enabled


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
828937-1 2-Critical K45725467 Some systems can experience periodic high IO wait due to AVR data aggregation
902485-3 3-Major   Incorrect pool member concurrent connection value
841305-2 3-Major   HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
838685-4 3-Major   DoS report exist in per-widget but not under individual virtual


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
884797-4 3-Major   Portal Access: in some cases data is not delivered via WebSocket connection


Service Provider Fixes

ID Number Severity Solution Article(s) Description
904373-3 3-Major   MRF GenericMessage: Implement limit to message queues size
876953-2 3-Major   Tmm crash while passing diameter traffic
876077-1 3-Major   MRF DIAMETER: stale pending retransmission entries may not be cleaned up
868381-1 3-Major   MRF DIAMETER: Retransmission queue unable to delete stale entries
866021-1 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
824149-5 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877-2 3-Major   Information Elements with zero-length value are rejected by the GTP parser
696348-5 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
788513-6 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
793005-1 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
802421-6 2-Critical   The /var partition may become 100% full requiring manual intervention to clear space
757279-3 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
896917 4-Minor   The fw_zone_stat 'Hits' field may not increment in some scenarios


Device Management Fixes

ID Number Severity Solution Article(s) Description
839597-6 3-Major   Restjavad fails to start if provision.extramb has large value



Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
900757-2 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895525-2 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
909237-6 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability
909233-6 CVE-2020-8616 K97810133 DNS Hardening
905905-1 CVE-2020-5904 K31301245 TMUI CSRF vulnerability CVE-2020-5904
895993-2 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895981-2 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895881-1 CVE-2020-5903 K43638305 BIG-IP TMUI XSS vulnerability CVE-2020-5903
891457-2 CVE-2020-5939 K75111593 NIC driver may fail while transmitting data
859089-7 CVE-2020-5907 K00091341 TMSH allows SFTP utility access


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
882557-2 3-Major   TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
878893-3 3-Major   During system shutdown it is possible the for sflow_agent to core
858769-6 3-Major   Net-snmp library must be upgraded to 5.8 in order to support SHA-2
829193-4 3-Major   REST system unavailable due to disk corruption
826265-5 3-Major   The SNMPv3 engineBoots value restarts at 1 after an upgrade
812493-4 3-Major   When engineID is reconfigured, snmp and alert daemons must be restarted
810381-2 3-Major   The SNMP max message size check is being incorrectly applied.
743234-6 3-Major   Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
774617-3 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
910177 2-Critical   Poor HTTP/3 throughput


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
892621-1 3-Major   Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software



Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
889505 3-Major   Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available
888569 3-Major   Added PBA stats for total number of free PBAs, and percent free PBAs


TMOS Fixes

ID Number Severity Solution Article(s) Description
795649-5 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
883513-1 3-Major   Support for QUIC and HTTP/3 draft-27
828601-1 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758599-3 3-Major   IPv6 Management route is preferred over IPv6 tmm route


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
846713-1 2-Critical   Gtm_add does not restart named


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
903905-2 2-Critical   Default configuration of security mechanism causes memory leak in TMM
889477-1 2-Critical   Modern customization does not enforce validation at password changing



Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
879025-2 CVE-2020-5913 K72752002 When processing TLS traffic, LTM may not enforce certificate chain restrictions
871633-1 CVE-2020-5859 K61367237 TMM may crash while processing HTTP/3 traffic
846917-1 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
846365-1 CVE-2020-5878 K35750231 TMM may crash while processing IP traffic
830401-1 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-2 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-1 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
636400 CVE-2019-6665 K26462555 CPB (BIG-IP->BIGIQ log node) Hardening
873469-2 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
864109-1 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
838881-1 CVE-2020-5853 K73183618 APM Portal Access Vulnerability: CVE-2020-5853
832021-3 CVE-2020-5888 K73274382 Port lockdown settings may not be enforced as configured
832017-3 CVE-2020-5887 K10251014 Port lockdown settings may not be enforced as configured
829121-1 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-1 CVE-2020-5885 K17663061 State mirroring default does not require TLS
789921-5 CVE-2020-5881 K03386032 TMM may restart while processing VLAN traffic
868097-3 CVE-2020-5891 K58494243 TMM may crash while processing HTTP/2 traffic
846157-1 CVE-2020-5862 K01054113 TMM may crash while processing traffic on AWS
838909-3 CVE-2020-5893 K97733133 BIG-IP APM Edge Client vulnerability CVE-2020-5893
823893-7 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials


Functional Change Fixes

ID Number Severity Solution Article(s) Description
870389-3 3-Major   Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
858229-5 3-Major K22493037 XML with sensitive data gets to the ICAP server


TMOS Fixes

ID Number Severity Solution Article(s) Description
854493-5 2-Critical   Kernel page allocation failures messages in kern.log
841953-7 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841581 2-Critical   License activation takes a long time to complete on Google GCE platform
841333-7 2-Critical   TMM may crash when tunnel used after returning from offline
817709-3 2-Critical   IPsec: TMM cored with SIGFPE in racoon2
811701-3 2-Critical   AWS instance using xnet driver not receiving packets on an interface.
811149-2 2-Critical   Remote users are unable to authenticate via serial console.
866925-5 3-Major   The TMM pages used and available can be viewed in the F5 system stats MIB
865225-1 3-Major   Finisar QSFP28 OPT-0039 modules may not work properly in i15000 and i15800 platforms
852001-1 3-Major   High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
830717 3-Major   Appdata logical volume cannot be resized for some cloud images
829317-5 3-Major   Memory leak in icrd_child due to concurrent REST usage
828873-3 3-Major   Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
812981-6 3-Major   MCPD: memory leak on standby BIG-IP device
802281-3 3-Major   Gossip shows active even when devices are missing
793121-5 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
742628-1 3-Major K53843889 Tmsh session initiation adds increased control plane pressure
605675-6 3-Major   Sync requests can be generated faster than they can be handled
831293-5 4-Minor   SNMP address-related GET requests slow to respond.
755317-3 4-Minor   /var/log logical volume may run out of space due to agetty error message in /var/log/secure
722230-1 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
860881-3 2-Critical   TMM can crash when handling a compressed response from HTTP server
839401-1 2-Critical   Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
872965-1 3-Major   HTTP/3 does not support draft-25
862597-7 3-Major   Improve MPTCP's SYN/ACK retransmission handling
853613-4 3-Major   Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
852873-2 3-Major   Proprietary Multicast PVST+ packets are forwarded instead of dropped
852861-1 3-Major   TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
851445-1 3-Major   QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
850973-1 3-Major   Improve QUIC goodput for lossy links
850933-1 3-Major   Improve QUIC rate pacing functionality
847325-3 3-Major   Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
818853-1 3-Major   Duplicate MAC entries in FDB
809597-5 3-Major   Memory leak in icrd_child observed during REST usage
714372-5 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
705112-6 3-Major   DHCP server flows are not re-established after expiration
859113-1 4-Minor   Using "reject" iRules command inside "after" may causes core
839245-3 4-Minor   IPother profile with SNAT sets egress TTL to 255
824365-5 4-Minor   Need informative messages for HTTP iRule runtime validation errors
822025 4-Minor   HTTP response not forwarded to client during an early response


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
760471-1 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
858025-1 2-Critical K33440533 Proactive Bot Defense does not validate redirected paths
852437-3 2-Critical K25037027 Overly aggressive file cleanup causes failed ASU installation
846073-1 2-Critical   Installation of browser challenges fails through Live Update
850673-1 3-Major   BD sends bad ACKs to the bd_agent for configuration
842161-1 3-Major   Installation of Browser Challenges fails in 15.1.0
793017-3 3-Major   Files left behind by failed Attack Signature updates are not cleaned
778261-2 3-Major   CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate
739618-3 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
681010-4 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
838709-4 2-Critical   Enabling DoS stats also enables page-load-time
870957-4 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-1 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
835381-3 3-Major   HTTP custom analytics profile 'not found' when default profile is modified
830073-2 3-Major   AVRD may core when restarting due to data collection device connection timeout
865053-3 4-Minor   AVRD core due to a try to load vip lookup when AVRD is down
863069-1 4-Minor   Avrmail timeout is too small


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
876393-1 2-Critical   General database error while creating Access Profile via the GUI
871761-1 2-Critical   Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
871653-1 2-Critical   Access Policy cannot be created with 'modern' customization
866685-1 3-Major   Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161-1 3-Major   Client port reuse causes RST when the security service attempts server connection reuse.
853325-1 3-Major   TMM Crash while parsing form parameters by SSO.
852313-4 3-Major   VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277-1 3-Major   Memory leak when using OAuth
844781-3 3-Major   [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844685-1 3-Major   Per-request policy is not exported if it contains HTTP Connector Agent
844573-1 3-Major   Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
844281-3 3-Major   [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
835309-1 3-Major   Some strings on BIG-IP APM Server pages are not localized
832881-1 3-Major   F5 Endpoint Inspection helper app is not updated
832569-3 3-Major   APM end-user connection reset
831781-4 3-Major   AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
803825-5 3-Major   WebSSO does not support large NTLM target info length
761303-5 3-Major   Upgrade of standby BIG-IP system results in empty Local Database
744407-1 3-Major   While the client has been closed, iRule function should not try to check on a closed session
706782-5 3-Major   Inefficient APM processing in large configurations.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
853545-1 3-Major   MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
842625-5 3-Major   SIP message routing remembers a 'no connection' failure state forever
840821-1 3-Major   SCTP Multihoming not working within MRF Transport-config connections
825013-1 3-Major   GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
803809-4 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
859721-1 4-Minor   Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-5 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2



Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
834853 3-Major   Azure walinuxagent has been updated to v2.2.42


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
862557-1 3-Major   Client-ssl profiles derived from clientssl-quic fail validation

 

Cumulative fix details for BIG-IP v15.1.2 that are included in this release

957337-1 : Mgmt in tmsh broken

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Removing the condition that checks admin role of authUserReference during evaluatePermission.


949145-5 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.


948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.


944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.


943669-1 : B4450 blade reboot

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when needed.


943125-2 : Web-Socket request with JSON payload causing core during the payload parsing

Component: Application Security Manager

Symptoms:
Any web-socket request with JSON payload may cause a core witihin the JSON parser, depending on the used machine memory distribution.

Conditions:
Depends on the memory distribution of the used machine.
Sending web-socket request with JSON payload to the backend server.

Impact:
BD crash while parsing the JSON payload.

Workaround:
N/A

Fix:
No crashes during JSON payload parsing.


942581-1 : Timestamp cookies do not work with hardware accelerated flows

Component: Advanced Firewall Manager

Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.

Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.

Impact:
Reduced traffic throughput and increased CPU usage

Fix:
FPGA and software enhancement to allow hardware accelerate of TCP flows that have time stamp cookie enabled.


941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941089-3 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


940897-3 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.


940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.


940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.


939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.

Component: Local Traffic Manager

Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
N/A

Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.


938165-1 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

https://support.f5.com/csp/article/K11176#restore

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.


938149-1 : Port Block Update log message is missing the "Start time" field

Component: Advanced Firewall Manager

Symptoms:
Port Block Update log message is missing the "Start time" field.

Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.

Impact:
NAT Log information is not usable for accounting purpose.

Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.


935801-4 : HSB diagnostics are not provided under certain types of failures

Component: TMOS

Symptoms:
In rare cases where the HSB detects an error and triggers an high availability (HA) failover, HSB-specific diagnostic data is not provided.

An example are XLMAC errors, which can be seen in the LTM logs:

<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.

Conditions:
The HSB detects an internal error.

Impact:
There is less HSB data for analysis when an internal HSB occurs.

Workaround:
None.

Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.


935721-5 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.


935029-3 : TMM may crash while processing IPv6 NAT traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions, TMM may crash while processing IPv6 NAT traffic

Conditions:
-IPv6 NAT configured

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes IPv6 NAT traffic as expected.


934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.

Workaround:
None.

Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.


934241-2 : TMM may core when using FastL4's hardware offloading feature

Component: TMOS

Symptoms:
TMM cores.

Conditions:
FastL4's hardware offloading is used.

Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.

Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.

Workaround:
Disable PVA/EPVA on all FastL4 profiles

Fix:
Fix the internal logic error.


933741-2 : Security hardening in FPS GUI

Component: Fraud Protection Services

Symptoms:
FPS GUI does not follow current best practices.

Conditions:
* Provision and license Fraud Protection Service (FPS).

Impact:
FPS GUI does not follow current best practices.

Workaround:
None.

Fix:
FPS GUI now follows current best practices.


933461-4 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains the tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
-- Engineering Hotfix contains the tomcat package.
-- Engineering Hotfix installation.

Impact:
Live-update functionality does not work properly.

Workaround:
There is no workaround to avoid this issue. But you can reinstall a newly created Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.


932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.


932233-2 : '@' no longer valid in SNMP community strings

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.


932065-2 : iControl REST framework exception handling hardening

Component: Device Management

Symptoms:
iControl REST framework does not follow best practices for exception handling

Conditions:
iControl REST framework use by an authenticated user.

Impact:
iControl REST framework does not follow best practices for exception handling

Workaround:
None.

Fix:
iControl REST framework now follows best practices for exception handling


932033 : Chunked response may have DATA frame with END_STREAM prematurely

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.


931513-3 : Some sequence of HTTP packets may cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.

Conditions:
A virtual with standard HTTP profile is configured.

Impact:
When TMM crashes it causes a failover event and may interrupt traffic processing.

Workaround:
None

Fix:
TMM now processes HTTP traffic as expected.


930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.


928321-1 : Hardening of HSM UI

Component: TMOS

Symptoms:
Under certain conditions, the Hardware Security Module UI does not follow current best practices.

Conditions:
Authenticated access of the HSM UI

Impact:
Under certain conditions, the Hardware Security Module UI does not follow current best practices.

Workaround:
None.

Fix:
The ardware Security Module UI now follows current best practices.


928037-2 : APM Hardening

Component: Access Policy Manager

Symptoms:
Under certain conditions APM does not follow current best practices.

Conditions:
Undisclosed conditions.

Impact:
Under certain conditions APM does not follow current best practices.

Workaround:
None.

Fix:
APM now follows current best practices.


927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized

Component: TMOS

Symptoms:
1. After BIG-IP reboot, vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
 echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl

Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.

Impact:
Vxnet driver requires manual intervention after reboot.

Workaround:
Tmsh enable/disable interface brings it back up until next reboot.


927617-2 : "Illegal Base64 value" violation is detected for cookie with valid base64 value

Component: Application Security Manager

Symptoms:
Request that should be passed to the backend server with cookie header which contain cookie valid value encoded to base64 is blocked.

Conditions:
A cookie name has to be defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with enabled "Base64 Decoding".

Impact:
Blocking page, while the request should not be blocked.

Workaround:
Disable "Base64 Decoding" for the desired cookie.

Fix:
Requests with valid base64 encoding cookies should not get blocked by the enforcer.


927033-2 : Installer fails to calculate disk size of destination volume

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0


926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

Impact of Workaround: Traffic disrupted while tmm restarts.

bigstart restart tmm

Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.


926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets


925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4

Component: Local Traffic Manager

Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:

-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.

Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.

Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.

Workaround:
None.


924961-2 : CVE-2019-20892: SNMP Vulnerability

Solution Article: K45212738


924857-1 : Logout URL with parameters resets TCP connection

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.


924493-2 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.


924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.


924349-2 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.


924301-1 : Incorrect values in REST response for DNS/SIP

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached

Impact:
An incorrect value is calculated in the REST response.

Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation


923125-2 : Huge amount of admd processes caused oom

Component: Anomaly Detection Services

Symptoms:
Top shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd


921421-3 : iRule support to get/set UDP's Maximum Buffer Packets

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.


921369 : Signature verification for logs fails if the log files are modified during log rotation

Component: TMOS

Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.

Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs

Impact:
Signature verification may fail on rotated log files.

Fix:
Fixed an issue with signature verification failing on valid log files.


921361-2 : SSL client and SSL server profile names truncated in GUI

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.


921337-2 : ASM processes some web-sockets requests longer than usual

Component: Application Security Manager

Symptoms:
ASM processes some web-socket requests longer than usual and can cause some latency when passing requests to the backend server.

Conditions:
Content profile parsing is enabled in ASM.

Impact:
Latency can be noted when passing web-socket requests to the backend server.

Workaround:
N/A

Fix:
ASM is processes web-socket requests as expected


920961-2 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.


920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.

Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.


920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

Component: TMOS

Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.

Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.

Impact:
High CPU Usage.

Workaround:
None.

Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.


919989-2 : TMM does not follow TCP best practices

Component: Local Traffic Manager

Symptoms:
Under certain conditions, on specific platforms, TMM does not follow best practices for TCP connections.

Conditions:
-- Platforms without HW based syn-cookie capability.
-- System DB variable connection.syncookies.algorithm value is set to "hardware."

Impact:
TMM does not follow best practices for TCP connections.

Workaround:
Set 'sys db connection.syncookies.algorithm value' to "software".

Fix:
TMM now follows best practices for TCP connections.


919841-3 : AVRD may crash while processing Bot Defense traffic

Component: Application Visibility and Reporting

Symptoms:
Under certain conditions, the AVRD application on BIG-IP may crash.

Conditions:
-- Bot Defense Profile is attached to the virtual server.
-- Mobile SDK is licensed and enabled.

Impact:
Instability in the avrd process. Statistics data can be lost.

Workaround:
None.

Fix:
AVRD now processes Bot Defense traffic as expected.


919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.


919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.


919001-2 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
You first enters Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.


918933-2 : Some ASM attack signatures do not match on cookies

Component: Application Security Manager

Symptoms:
Some ASM attack signatures are not matching as expected on a cookie value.

Conditions:
Matching enabled for specific attack signatures.

Impact:
False negative. A signature does not match and an attack is getting through.

Workaround:
There is no valid workaround except creating custom signatures for cookies from all these signatures.

Fix:
Signatures now match on cookies as expected.


918209-3 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.


918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.


918081-1 : Application Security Administrator role cannot create parent policy in the GUI

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.

Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.

Fix:
The Application Security Administrator role can now create the parent policy when required.


917509-3 : ASM processes some requests longer than usual

Component: Application Security Manager

Symptoms:
ASM processes some requests longer than usual and can cause some latency when passing requests to the backend server.

Conditions:
Content profile parsing is enabled in ASM

Impact:
Latency can be noted when passing requests to the backend server

Workaround:
N/A

Fix:
ASM is processes requests as expected


917469-2 : TMM may crash while processing FPS traffic

Solution Article: K53821711


917005-5 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


916821-2 : An authenticated user on iControlREST may gain elevated privilege level

Component: TMOS

Symptoms:
An authenticated iControl REST user may gain elevated privileges using unspecified means.

Conditions:
iControl REST users with non-admin privileges configured

Impact:
A lower privileged iControl REST user may be able to execute functions requiring a higher privilege level.

Fix:
Privilege levels now properly enforced in iControl REST.


916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.

For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:

instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53


916589-2 : QUIC drops 0RTT packets if CID length changes

Component: Local Traffic Manager

Symptoms:
QUIC sometimes rejects valid 0RTT packets.

Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.

Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.

Workaround:
None.

Fix:
Fixed an issue with 0RTT packets when using QUIC.


915957-1 : The wocplugin may get into a restart loop when AAM is provisioned

Component: Local Traffic Manager

Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.

Conditions:
Application Acceleration Manager (AAM) is provisioned

Impact:
AAM is not functional

Workaround:
None

Fix:
The wocplugin is now correctly provisioned and runs without restarts.


915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915713-2 : Support QUIC and HTTP3 draft-29

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.

Conditions:
Browser requests draft-29.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.


915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.


915605-6 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915497-2 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.


915281-2 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


914761-3 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.


914681-2 : Value of tmm.quic.log.level can differ between TMSH and GUI

Component: Local Traffic Manager

Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.

Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.

Impact:
Misleading log level displayed in the GUI.

Workaround:
Use TMSH to set and view values for tmm.quic.log.level.

Fix:
GUI values for tmm.quic.log.level are now displayed properly.


914649-3 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop


913761-2 : Security - Options section in navigation menu is visible for only Administrator users

Component: Application Security Manager

Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.

Conditions:
You logged in as a user configured with a role other than Administrator.

Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.

Workaround:
Direct links to the pages work for those with the appropriate roles.

Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM


913249-2 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes


913137-1 : No learning suggestion on ASM policies enabled via LTM policy

Component: Application Security Manager

Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.

Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.

This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.

Impact:
No learning suggestions.

Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.

Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.


912969-2 : iAppsLX Security Hardening

Component: iApp Technology

Symptoms:
Under certain conditions, iAppsLX does not follow current best security practices.

Conditions:
iAppsLX REST access by an authenticated administrative user

Impact:
iAppsLX does not follow current best security practices.

Workaround:
None

Fix:
iAppsLX now follows current best security practices.


912289-1 : Cannot roll back after upgrading on certain platforms

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to BIG-IP v16.0.0, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to v16.0.0.

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

Fix:
Contact F5 Support for the reversion process if this is required.

Behavior Change:
On certain platforms, after upgrade to BIG-IP v16.0.0, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

The particular platforms are:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F


912221-1 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551


911809-2 : TMM might crash when sending out oversize packets.

Component: TMOS

Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.

Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


911761-2 : iControl REST endpoint response includes the request content

Component: Device Management

Symptoms:
Under certain conditions, iControl REST endpoint return the request contents in the response, potentially disclosing sensitive information.

Conditions:
-iControl REST request processed by an authenticated administrative user.
-Undisclosed environmental conditions

Impact:
Potential disclosure of information from REST requests.

Workaround:
None.

Fix:
Responses are now sanitized to suppress disclosure of request data.


910521-2 : Support QUIC and HTTP draft-28

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.

Conditions:
Browser requests draft-28.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.


910417-2 : TMM core may be seen when reattaching a vector to a DoS profile

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.


910201-3 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


910177 : Poor HTTP/3 throughput

Component: Local Traffic Manager

Symptoms:
HTTP/3 throughput is poor.

Conditions:
Virtual Server configured with an HTTP/3 profile.

Impact:
Performance might be severely degraded.

Workaround:
There is no alternative other than not using the HTTP/3 profile.

Fix:
Erroneously enabled debug logs are now turned off, so performance is improved.


910097-2 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.


910017-2 : Security hardening for the TMUI Interface page

Solution Article: K21540525


909837-1 : TMM may consume excessive resources when AFM is provisioned

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources when processing forwarding flows while AFM is provisioned.

Conditions:
- AFM provisioned
- Virtual is CMP-disabled

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now consumes resources as expected when AFM is provisioned


909237-6 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642


909233-6 : DNS Hardening

Solution Article: K97810133


908873-1 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.

This was encountered during internal testing of a certain iRule configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


908673-5 : TMM may crash while processing DNS traffic

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, TMM may crash with a SIGABRT while processing DNS traffic.

Conditions:
Undisclosed series of DNS requests.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes DNS traffic as expected.


908621-2 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.


908065-2 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.


907549-1 : Memory leak in BWC::Measure

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
Memory is not leaked.


906889-4 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.


905905-1 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245


905557-1 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.


905125-2 : Security hardening for APM Webtop

Component: Access Policy Manager

Symptoms:
Under certain conditions, the APM Webtop does not follow current best practices.

Conditions:
-APM access policy is configured with webtop enabled.

Impact:
APM Webtop does not follow current best practices.

Workaround:
None.

Fix:
The APM Webtop now follows current best practices.


904937-2 : Excessive resource consumption in zxfrd

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, zxfrd may consume excessive resources.

Conditions:
-- Provision GTM (Global Traffic DNS).
-- Create one or more zones in the GUI via DNS::Zones::Zones::Zone List.

Impact:
Excessive resources consumption, potentially leading to failover event.

Workaround:
None.

Fix:
zxfrd no longer consumes excessive resources.


904845-2 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.


904705-2 : Cannot clone Azure marketplace instances.

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.

Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.


904593-1 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable


904373-3 : MRF GenericMessage: Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.

Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.


904165-1 : APMD may crash while processing certain parameters

Component: Access Policy Manager

Symptoms:
Under certain conditions APMD may crash while processing certain parameters.

Conditions:
-APM active.
-Pre-inspection checks active.

Impact:
APMD crash, leading to a failover event

Workaround:
None.

Fix:
APMD now processes parameters as expected.


904053-2 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never

Component: Application Security Manager

Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.

Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.

Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.

Workaround:
Disable Learning mode for the Policy disables Cookie hashing.

Note: This affects all learning, not just Cookie hashing.

Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".


903905-2 : Default configuration of security mechanism causes memory leak in TMM

Component: Access Policy Manager

Symptoms:
Over time, memory is allocated by the TMM processes for use as 'xdata' buffers, yet this memory is never de-allocated; it is leaked and becomes unusable. Eventually a disruption of service occurs.

Conditions:
-- The BIG-IP system has been running for 8 weeks or longer without a system restart.

-- The BIG-IP system's internal risk-policy subsystem (used by the security feature modules) has not been configured to communicate with an external risk-policy server.

-- In a vCMP configuration, the BIG-IP 'host' instance is always susceptible, since no security features can be configured in its context.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.


903357-2 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.


902485-3 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.


902417-2 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


902401-5 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.


902141-1 : TMM may crash while processing APM data

Solution Article: K94563369


901929-2 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

Fix:
GARPs are now sent when a virtual server is created.


901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

Fix:
Set the cookie so all requests in the target domain will contain it.


900905-3 : TMM may crash while processing SIP data

Solution Article: K42830212


900797-2 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.


900793-1 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.


900789-2 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.


900757-2 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes


898949-1 : APM may consume excessive resources while processing VPN traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VPN traffic

Conditions:
-APM provisioned
-VPN clients connected

Impact:
Excessive resources consumption, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
APM now processes VPN traffic as expected.


898741-2 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.


898705-5 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

Fix:
These iRule commands are now available within these iRule events.


898093-2 : Removing one member from a WideIP removes it from all WideIPs.

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.


896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios

Component: Advanced Firewall Manager

Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.

Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).

Impact:
The counter for all VLANs does not hit : fw_zone_stat. The corresponding stat value does not increment.

Workaround:
None.


896285-2 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.

Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.


896217-2 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895993-2 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895981-2 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895881-1 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305


895525-2 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895153 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.


893281-3 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

Fix:
Allow transmit of any pending crypto during ssl shutdown.


893061-2 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.


892941-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Local Traffic Manager

Symptoms:
https://support.f5.com/csp/article/K20105555

Conditions:
https://support.f5.com/csp/article/K20105555

Impact:
https://support.f5.com/csp/article/K20105555

Workaround:
https://support.f5.com/csp/article/K20105555

Fix:
https://support.f5.com/csp/article/K20105555


892937-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Access Policy Manager

Symptoms:
https://support.f5.com/csp/article/K20105555

Conditions:
https://support.f5.com/csp/article/K20105555

Impact:
https://support.f5.com/csp/article/K20105555

Workaround:
https://support.f5.com/csp/article/K20105555

Fix:
https://support.f5.com/csp/article/K20105555


892677-1 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.


892637-1 : Microservices cannot be added or modified

Component: Application Security Manager

Symptoms:
The 'Add' button is grayed out on Security :: Application Security :: Microservices, where in previous version, minimal microservice creation/modification was available.

Conditions:
-- Navigate to Security :: Application Security :: Microservices.
-- Attempt to add a microservice.

Impact:
Cannot add or modify a microservice in this version, where it was available in previous versions.

Workaround:
None.

Fix:
The 'Add' button is now available to create basic microservices for Application Security.


892621-1 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Component: Advanced Firewall Manager

Symptoms:
BDoS Signature mitigated in software.

Conditions:
IP packets size metric in BDoS signature.

Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.

Workaround:
None.

Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.


892385 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.


891849-1 : Running iRule commands while suspending iRule commands that are running can lead to a crash

Component: Local Traffic Manager

Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.

Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.

For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.


891729-2 : Errors in datasyncd.log

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.


891721-3 : Anti-Fraud Profile URLs with query strings do not load successfully

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.


891477-3 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.


891457-2 : NIC driver may fail while transmitting data

Solution Article: K75111593


891385-2 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

Fix:
Added support for the urn URI protocol type.


890513-2 : MCPD fails to load configuration from binary database

Component: TMOS

Symptoms:
Mcpd errors are found in /var/log/ltm:

-- err mcpd[16068]: 01070734:3: Configuration error: MCPProcessor::initializeDB: basic_string::_S_create
-- err mcpd[16068]: 01070596:3: An unexpected failure has occurred, basic_string::_S_create, exiting...
-- err mcpd[16978]: 01b50049:3: FipsUserMgr Error: Master key load failure.

Conditions:
-- Restart MCPD (e.g. by rebooting the BIG-IP)
-- This affects BIG-IP v15.1.0.4 running on all platforms with the exception of the following:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
MCPD does not restore the configuration from its binary database, but instead re-reads the text config files (bigip.conf, et al.).

Workaround:
None.

Fix:
MCPD is again able to restore its configuration from the binary database during startup


890421-2 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers

Component: TMOS

Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.

Impact:
This may be confusing for SNMP clients expecting specific trap IDs.

Workaround:
None.

Fix:
The traps have been correctly numbered in 15.0.1.3.

Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.

The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217


890277-3 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


890229-1 : Source port preserve setting is not honored

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.


889557-1 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


889505 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available

Component: Advanced Firewall Manager

Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.

There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new MIBs are now available:

F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp

F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp


889477-1 : Modern customization does not enforce validation at password changing

Component: Access Policy Manager

Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.

Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.

Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.

Workaround:
None.


889209-2 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.

Component: Local Traffic Manager

Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.

Conditions:
Enabled sflow receiver is configured.

Impact:
Egress traffic is dropped.

Workaround:
Disable Sflow receiver, save configuration, reboot.


889041-3 : Failover scripts fail to access resolv.conf due to permission issues

Component: TMOS

Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.


888569 : Added PBA stats for total number of free PBAs, and percent free PBAs

Component: Advanced Firewall Manager

Symptoms:
There are several port block allocation (PBA) statistics that need to be added.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).

-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).

-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).

-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:

    total_port_blocks

The relevant TMSH show commands have been updated to include these new values:

-- Total Port Blocks
-- Percent Free Port Blocks


888497-2 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888493-2 : ASM GUI Hardening

Solution Article: K40843345


888489-2 : ASM UI hardening

Solution Article: K55873574


888417-5 : Apache Vulnerability: CVE-2020-8840

Solution Article: K15320518


888285-1 : Sensitive positional parameter not masked in 'Referer' header value

Solution Article: K18304067

Component: Application Security Manager

Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.

Conditions:
Sending a request with positional parameter in URI and 'Referer' header.

Impact:
'Referer' header positional parameter value is not masked in logs.

Workaround:
None.

Fix:
'Referer' positional parameter value is masked as expected.


888261-1 : Policy created with declarative WAF does not use updated template.

Component: Application Security Manager

Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.

Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.

Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.

Workaround:
Create new template and use it when recreating the declarative policy.

Fix:
While creating the policy, if the saved template on the machine is older than the template file, the system replaces the file on the machine and uses the updated template.


888113-3 : TMM may core when the HTTP peer aborts the connection

Component: Local Traffic Manager

Symptoms:
TMM cores in the HTTP proxy.

Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- The HTTP peer aborts the connection unexpectedly.

Impact:
Failover (in a DSC), or outage (standalone) as traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores in the HTTP proxy when the HTTP peer aborts the connection.


887637-2 : Systemd-journald Vulnerability: CVE-2019-3815

Solution Article: K22040951


887089-1 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


886729-2 : Intermittent TMM crash in per-request-policy allow-ending agent

Component: Access Policy Manager

Symptoms:
TMM crash.

Conditions:
When user trying to access a URL with unique hostname in the current session.

Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This intermittent TMM crash no longer occurs.


886689-6 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual


886085-5 : TMM may crash while processing UDP traffic

Solution Article: K45421311


884797-4 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.


883717-1 : BD crash on specific server cookie scenario

Solution Article: K37466356


883529-1 : HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path

Component: Local Traffic Manager

Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.

Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than '*' (asterisk).

Impact:
HTTP/2 request with Method OPTIONS is limited to :path '*' only. Any other URIs are not forwarded to the server but are rejected with RST_STREAM with PROTOCOL_ERROR.

Workaround:
None.

Fix:
HTTP/2 request with Method OPTIONS now allows the URI to be something other than '*'. This request is not rejected, but is forwarded to the server.


883513-1 : Support for QUIC and HTTP/3 draft-27

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.

Conditions:
Browser requests draft-27.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.


883105-1 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect

Component: Local Traffic Manager

Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.

Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.

Impact:
Connections fail.

Workaround:
None.


882769-1 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters


882713-3 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

Fix:
Fixed an incorrect calculation of sysUpTime.


882557-2 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance


882189-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Solution Article: K20346072


882185-6 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


881757-1 : Unnecessary HTML response parsing and response payload is not compressed

Component: Application Security Manager

Symptoms:
When either DoS Application Profile or Bot Defense profile are used, or ASM Policy with complex LTM Policy, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.

Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- ASM Policy is associated with the Virtual Server and has complex LTM Policy: multiple ASM Policies, or additional rules.

Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.

Workaround:
The workaround is to disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false

Note: Using this brings back the impact of bug 792341.

Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.


881445-7 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


881317-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881293-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


880789-3 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

Fix:
The botd handler is now restored to a more robust process lifecycle.


880753-3 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Solution Article: K38157961

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.


880625-3 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.


880361-1 : TMM may crash while processing iRules LX commands

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing iRules LX commands

Conditions:
-iRules LX in use

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes iRules LX commands as expected.


880165-2 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.


880001-1 : TMM may crash while processing L4 behavioral DoS traffic

Solution Article: K58290051


879777-3 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

Fix:
Retrieving the cookie from the related domain even if the page is qualified.


879745-4 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879413-1 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.


879409-3 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.


879405-1 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

   Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.


879025-2 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002


878925-2 : SSL connection mirroring failover at end of TLS handshake

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.

Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.


878893-3 : During system shutdown it is possible the for sflow_agent to core

Component: TMOS

Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.

Conditions:
BIG-IP reboot can cause the sflow_agent to core.

Impact:
There is a core file in the /var/core directory after a system reboot.

Fix:
Fixed an issue causing a core of sflow_agent during shutdown.


877145-4 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

Component: TMOS

Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.

Conditions:
This can be encountered intermittently while using iControl REST.

Impact:
Login failure.

Workaround:
None.

Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.


876957-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.


876953-2 : Tmm crash while passing diameter traffic

Component: Service Provider

Symptoms:
Tmm crashes with the following log message.

-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.

Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash while passing diameter traffic.


876801-5 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.


876581-2 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.


876393-1 : General database error while creating Access Profile via the GUI

Component: Access Policy Manager

Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:

profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access

Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.

Impact:
You are unable to create the profile using the GUI.

Workaround:
You can create the Access Profile using TMSH.

tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1

Fix:
Access Profile of type SSO can now be created and edited from the GUI.


876353-1 : iRule command RESOLV::lookup may cause TMM to crash

Solution Article: K03125360


876077-1 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
Stale pending retransmission entries are cleaned up properly.


874753-3 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.


873469-2 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


872965-1 : HTTP/3 does not support draft-25

Component: Local Traffic Manager

Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.

Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.

Impact:
Attempts to use HTTP/3 with some clients may fail.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-24 and draft-25.


872673-1 : TMM can crash when processing SCTP traffic

Solution Article: K26464312


872645-2 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.


872049-1 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command

Component: Advanced Firewall Manager

Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)

Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command

Impact:
Incorrect display value for DoS thresholds in GUI and tmctl

Fix:
Do not apply multiplayer for infinite threshold value (4294967295).


871985-1 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection

Component: Advanced Firewall Manager

Symptoms:
There are no hardware mitigation for DoS attacks

Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector

Impact:
DoS attack mitigation performed only by software

Fix:
Improved search in already hardware offloaded entities


871905-2 : Incorrect masking of parameters in event log

Solution Article: K02705117

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.


871761-1 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.


871657-1 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.


871653-1 : Access Policy cannot be created with 'modern' customization

Component: Access Policy Manager

Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.

Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.

Impact:
Administrator cannot use modern customization.

Workaround:
1. In bigip.conf find the following line:

     apm policy customization-source /Common/standard { }

2. Add the following line:

     apm policy customization-source /Common/modern { }

3. Save the changes.

4. Load the config:

     tmsh load sys config

Fix:
Now modern customization can be used for any Access Policy.


871633-1 : TMM may crash while processing HTTP/3 traffic

Solution Article: K61367237


871561-5 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'

Component: TMOS

Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.

Impact:
Unable to perform an upgrade.

Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.

Option 3:
Even if the hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the hotfix locally within the vcmp Guest. Then restart the lind service

  tmsh restart sys service lind

The hotfix installation should begin again this time using the hotfix from within the guest /shared/images/ location.


870957-4 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.


870389-3 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.


870273-5 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K44020030


869361-1 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated

Component: Global Traffic Manager (DNS)

Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.

Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.

Impact:
Unable to manage wide IPs through the GUI.

Workaround:
Use tmsh to manage Inbound WideIPs.


868721-1 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

Fix:
Add a check for this scenario so transactions will be released correctly.


868641-3 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.


868381-1 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.


868349-1 : TMM may crash while processing iRules with MQTT commands

Solution Article: K62830532


868097-3 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243


867181-1 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.


867013-2 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.


866925-5 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.


866685-1 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.


866613-4 : Missing MaxMemory Attribute

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.


866481-2 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode

Component: Local Traffic Manager

Symptoms:
TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode.

Conditions:
-- HTTP profile is attached to the virtual server.
-- The httprouter profile is attached to the virtual server.
-- HTTP goes into passthrough mode for any variety of reasons.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when HTTP-MR proxy attempts goes into passthrough mode.


866161-1 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.


866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.


865461-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.


865241-1 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.


865225-1 : Finisar QSFP28 OPT-0039 modules may not work properly in i15000 and i15800 platforms

Component: TMOS

Symptoms:
The tuning values programmed in the switch are not correct for Finisar OPT-0039 QSFP28 modules.

Conditions:
-- Using Finisar OPT-0039 QSFP28 modules.
-- Running on i15000 and i15800 platforms.

Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.

Impact:
You might see traffic drop.

Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.

Workaround:
None.


865053-3 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.


864757-3 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


864513-1 : ASM policies may not load after upgrading to 14.x or later from a previous major version

Solution Article: K48234609

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.


864109-1 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


863609-4 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.


863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.


863069-1 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php


862597-7 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.


862557-1 : Client-ssl profiles derived from clientssl-quic fail validation

Component: Local Traffic Manager

Symptoms:
After configuring a clientssl-quic profile, you get a validation error:

01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Workaround:
Modify the clientssl-quic profile to have the following properties:
    cipher-group quic
    ciphers none
This requires the following additional config objects:
ltm cipher group quic {
    allow {
        quic { }
    }
}
ltm cipher rule quic {
    cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
    description "Ciphers usable by QUIC"
}

Fix:
Update the built-in configuration to pass validation.


860881-3 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.


860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.


860317-3 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.


860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core


859113-1 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using "reject" iRules command inside "after" no longer cause core.


859089-7 : TMSH allows SFTP utility access

Solution Article: K00091341


858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.

Fix:
With the net-snmp 5.8 libraries there is SHA-2 support for longer SHA and AES keys. New options are: SHA-224, 256, 384, and 512 and AES-192, 192-C, 256, 256-C.


858537-2 : CVE-2019-1010204: Binutilis Vulnerability

Solution Article: K05032915


858429-3 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.


858349-3 : TMM may crash while processing SAML SLO traffic

Solution Article: K44808538


858229-5 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858197-2 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.


858189-3 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded


858025-1 : Proactive Bot Defense does not validate redirected paths

Solution Article: K33440533

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.


857845-1 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule

Component: Local Traffic Manager

Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.

Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.

Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.


857589-1 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'

Component: Access Policy Manager

Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x

Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.

Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.

Workaround:
None.

Fix:
The system now shows a prompt/pop-up for credentials and signs-in successfully.


856961-7 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Solution Article: K17269881


854493-5 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.


854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.


853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.


853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.


853325-1 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.

Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.


852929-6 : AFM WebUI Hardening

Solution Article: K25160703


852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop


852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario

Component: Local Traffic Manager

Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.

Impact:
TMM cores intermittently.

Workaround:
No workaround.

Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.


852437-3 : Overly aggressive file cleanup causes failed ASU installation

Solution Article: K25037027

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.


If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

Fix:
The directory cleanup does not clean up files that are being actively used for an installation.


852373-3 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside

Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.


852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.


852289-4 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Solution Article: K23278332

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.


852101-1 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.


852001-1 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.


851857-1 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.


851789-2 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.


851745-3 : High cpu consumption due when enabling large number of virtual servers

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd

Fix:
Autodosd no longer excessively consumes CPU cycles.


851581-3 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

Fix:
TMM does not crash no matter when the server-side detach is triggered.


851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.

Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.


851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams

Component: Local Traffic Manager

Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.

Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.

Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.

Workaround:
Configure correct value of max uni-streams in QUIC profile.

Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.


851393-1 : Tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
-- IPsec is enabled.
-- Booting up the system.

Impact:
A zombie 'rm' process exists. There should be no other impact.

Workaround:
None.


851345-1 : The TMM may crash in certain rare scenarios involving HTTP/2

Component: Local Traffic Manager

Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.

The TMM may crash in rare scenarios when a stream is being torn down.

Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.


851045-1 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


850973-1 : Improve QUIC goodput for lossy links

Component: Local Traffic Manager

Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.

Conditions:
The tested links are lossy (e.g, 0.1% loss probability).

Impact:
QUIC completes the data transfer in longer time.

Workaround:
N/A

Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.


850933-1 : Improve QUIC rate pacing functionality

Component: Local Traffic Manager

Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.

Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.

Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.

Workaround:
N/A

Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.


850873-3 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.


850777-3 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.

Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.


850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.

Fix:
This release supports REST access in non-UTF-8 policies.


850673-1 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.


850509-1 : 'Decryption of the field (privatekey) for object (13079) failed' message

Component: Global Traffic Manager (DNS)

Symptoms:
During config load or system start-up, you see the following error:

01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded.

Workaround:
None.

Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.


850277-1 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.

Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.


849405-2 : LTM v14.1.2.1 does not log after upgrade

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat


849085-1 : Lines with only asterisks filling message and user.log file

Component: TMOS

Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.

For example:

Nov 12 10:40:57 bigip1 **********************************************

Conditions:
Snmp query an OID handled by sflow, for example:

snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.

Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) remount /usr as read+write:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl

4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

  For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only
    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) remount /usr as r+w:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:
    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

   For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only:
    mount -o ro,remount /usr

Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.


848445-1 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer


848405-2 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025


847325-3 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.

Component: Local Traffic Manager

Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.

-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

-- The persistence types that are affected are:
   - Source Address (but not hash-algorithm carp)
   - Destination Address (but not hash-algorithm carp)
   - Universal
   - Cookie (only cookie hash)
   - Host
   - SSL session
   - SIP
   - Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.

Workaround:
None.

Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.


846917-1 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354


846713-1 : Gtm_add does not restart named

Component: Global Traffic Manager (DNS)

Symptoms:
Running gtm_add failed to restart the named daemon.

Conditions:
Run gtm_add to completion.

Impact:
Named is not restarted. No BIND functionality.

Workaround:
Restart named:
bigstart start named

Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.


846441-2 : Flow-control is reset to default for secondary blade's interface

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846365-1 : TMM may crash while processing IP traffic

Solution Article: K35750231


846157-1 : TMM may crash while processing traffic on AWS

Solution Article: K01054113


846137-4 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.


846073-1 : Installation of browser challenges fails through Live Update

Component: Application Security Manager

Symptoms:
Live Update of Browser Challenges fails installation.

Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.

Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.

Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.

Impact:
Browser Challenges update file cannot be installed.

Workaround:
None.

Fix:
Browser Challenges update file can now be installed via Live Update.


844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/

Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.


844689-1 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.

Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.


844685-1 : Per-request policy is not exported if it contains HTTP Connector Agent

Component: Access Policy Manager

Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.

Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
   attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.

Impact:
Per-request policy cannot be exported and reports an error.

Workaround:
None.

Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.


844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.


844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.

Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.


844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.


** Another Workaround incase the above does not solve the issue:
1. stop the tomcat server:
   > bigstart stop tomcat
2. clean the live update db :
   > cd /var/lib/hsqldb/live-update
   > rm -f liveupdatedb.*
3. remove all *.im files which are not genesis file (factory-default files):
   3.1 get the list of genesis files:
     > less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
   3.2 go to update file directory:
     > cd /var/lib/hsqldb/live-update/update-files
   3.3 manually remove the *.im files that are not genesis
4. restart the tomcat server:
   > bigstart start tomcat


843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

Fix:
We now ensure that the default setting for the vmxnet3 driver MTU is 9000.


842989-6 : PEM: tmm could core when running iRules on overloaded systems

Component: Policy Enforcement Manager

Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.

Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reduce the load on tmm or modify the optimize the irule.


842937-6 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.


842865-2 : Add support for Auto MAC configuration (ixlv)

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.

Fix:
Unicast mac filters are used for ixlv trunks.


842717-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004


842625-5 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.


842161-1 : Installation of Browser Challenges fails in 15.1.0

Component: Application Security Manager

Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.

BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:

gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
      "asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key

Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.

Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.

Workaround:
None

Fix:
Browser Challenges update file can now be installed via Live Update.


842125-6 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.


841953-7 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.


841649-4 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.


841581 : License activation takes a long time to complete on Google GCE platform

Component: TMOS

Symptoms:
The license installation and activation process takes a very long time to complete.

Conditions:
- BIG-IP Virtual Edition running on Google Compute Engine (GCE) Platform.
- Activating the BIG-IP license.

Impact:
It can take 2-3 minutes to report the device is licensed and 3-4 minutes for BIG-IP system to become Active after that.

Workaround:
None.


841577-2 : iControl REST hardening

Solution Article: K20606443


841333-7 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


841305-2 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log

Component: Application Visibility and Reporting

Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:

-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error

Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.

Impact:
Charts are empty in the GUI, and the system logs errors in monpd.

Workaround:
None.

Fix:
Fixed an issue with HTTP stats database tables.


840821-1 : SCTP Multihoming not working within MRF Transport-config connections

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.


839761-1 : Response Body preview hardening

Solution Article: K12002065


839749-3 : Virtual server with specific address list might fail to create via GUI

Component: Local Traffic Manager

Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:

01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.

Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.

Impact:
Cannot create the virtual server.

Workaround:
Create the virtual server via tmsh:

-- First create the traffic matching criteria using the address list.
-- Then use the traffic matching criteria to create a virtual server.

Fix:
You can now create virtual servers with address lists directly from the GUI.


839597-6 : Restjavad fails to start if provision.extramb has large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad every few seconds typically due to failure to start and reports messages in daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800MB for v12.1.0 and earlier.
  + above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad


839453-6 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.


839245-3 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

Fix:
TTL is now decremented by 1 on forwarded packets.


839145-3 : CVE-2019-10744: lodash vulnerability

Solution Article: K47105354


838909-3 : BIG-IP APM Edge Client vulnerability CVE-2020-5893

Solution Article: K97733133


838901-4 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.


838881-1 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618


838861-3 : TMM might crash once after upgrading SSL Orchestrator

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Session check agent now exits and terminates the flow.


838709-4 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.


838685-4 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.


838677-1 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.


837837-2 : SSH Client Requirements Hardening

Solution Article: K43404629


837773-7 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322


837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all


836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.


835381-3 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.


835309-1 : Some strings on BIG-IP APM Server pages are not localized

Component: Access Policy Manager

Symptoms:
Some text in APM Server pages, such as the logout page, are presented in English even when using a different language.

Conditions:
Use APM with a localized language, and certain strings for pages like logout, Webtop, or EPS, would still be in English.

Impact:
Some strings are displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Server pages have been updated to include translations for all the affected strings.


834853 : Azure walinuxagent has been updated to v2.2.42

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42


834533-7 : Linux kernel vulnerability CVE-2019-15916

Solution Article: K57418558


834257-1 : TMM may crash when processing HTTP traffic

Solution Article: K25400442


833685-5 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.


833049-4 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.


832885-1 : Self-IP hardening

Solution Article: K05975972


832881-1 : F5 Endpoint Inspection helper app is not updated

Component: Access Policy Manager

Symptoms:
F5 Endpoint Inspection helper app is not updated, but other components such as F5 VPN helper App is auto updated.

Conditions:
Use a browser to establish VPN

Impact:
End users cannot to receive bug fixe or feature enhancement updates.

Workaround:
Download and install F5 Endpoint Inspection helper from BIG-IP.

https://APM_SERVER/public/download/f5epi_setup.exe

Fix:
F5 Endpoint Inspection helper app is auto updated.


832569-3 : APM end-user connection reset

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.


832021-3 : Port lockdown settings may not be enforced as configured

Solution Article: K73274382


832017-3 : Port lockdown settings may not be enforced as configured

Solution Article: K10251014


831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.


831293-5 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830797-3 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.


830717 : Appdata logical volume cannot be resized for some cloud images

Component: TMOS

Symptoms:
When resizing the appdata logical volume, the change may not be honored. This is because sometimes the disk metadata does not support the change without unmounting and remounting the disk.

Conditions:
This issue applies to deployments that provision multiple modules requiring a large appdata logical volume.

Impact:
The appdata logical volume cannot be resized, so you must reduce the number of modules and the associated provisioning level so that the existing appdata logical volume size does support them.

Workaround:
None.

Fix:
Logic was added to disk resizing to account for scenarios where the disk must be unmounted and then remounted to make the change. If the disk must be unmounted and remounted, this also requires a reboot (automatic).


830481-1 : SSL TMUI hardening

Solution Article: K29923912


830401-1 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228


830073-2 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.


829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.


829317-5 : Memory leak in icrd_child due to concurrent REST usage

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.


829193-4 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.


829121-1 : State mirroring default does not require TLS

Solution Article: K65720640


829117-1 : State mirroring default does not require TLS

Solution Article: K17663061


828937-1 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 20000. Set it to 2148 on systems with fewer than or equal to CPU 16 cores.


828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label

Fix:
The I/O device has been changed to the default input device '/dev/null' to resolve the issue.


828789-1 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.


828601-1 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.


826905-3 : Host traffic via IPv6 route pool uses incorrect source address

Component: TMOS

Symptoms:
IPv6 route pool uses an incorrect source address rather than the self IP address. As a side symptom, if there are an even number of members in the pool, only half of the pool members are attempted during load balancing.

Conditions:
--IPv6 route pool is configured.

Impact:
Failed connections from the BIG-IP host that uses an IPv6 pool route.

Workaround:
None.

Fix:
IPv6 route pool uses the correct self IP address.


826265-5 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.

Fix:
This issue has been fixed: the engineBoots value is now kept as part of the configuration.


825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.


824365-5 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.


824149-5 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.


823893-7 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649


822377-6 : CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability

Component: TMOS

Symptoms:
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Conditions:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possible vulnerable configurations:

    grep -R '^\s*Proxy' /etc/httpd/

Impact:
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.

Workaround:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. As a Mitigation/Workaround, exclude Proxy* directives in Apache Httpd configuration.

Fix:
Removed request data from many other in-built error messages.


822025 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.


821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.


820333-1 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.


819301-2 : Incorrect values in REST response for dos-l3 table

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations in the AVR publisher are not performed, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10
-- The attack vector is triggered

Impact:
Wrong values appear in REST reponse

Fix:
Fixed an issue with incorrect values for mitigated attacks.


819197-2 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394


819189-1 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441


818853-1 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


818253-3 : Generate signature files for logs

Component: TMOS

Symptoms:
The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) in an incorrect format.

Conditions:
Viewing the audit information stored in /var/log and other locations.

Impact:
Messages are stored in an incorrect format.

Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:
tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "

Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.

-- To enable the feature:
 tmsh modify sys db logintegrity.support value enable

-- To set the LogIntegrity loglevel:
 tmsh modify sys db logintegrity.loglevel value debug

You must create private key and store it in SecureVault before enabling this feature. To do so:

1. Generate a private key with the name logfile_integrity.key, for example:
 create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365

2. Generate RSA encrypted private SSL keys:

2a. Go to the filestore location on the BIG-IP system:
 cd /config/filestore/files_d/Common_d/certificate_key_d/

 ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2

 openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key

2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):

2c. run command to list the generated files
 ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key

3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:

 install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key


Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.


If you want to verify Signatures, follow these steps:

1. Go to the filestore location on the BIG-IP system :
 cd /config/filestore/files_d/Common_d/certificate_d
 
2. Execute the following command to generate the public key.
 openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer

3.Verify the signature file using public key:
 openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1


818213-4 : CVE-2019-10639: KASLR bypass using connectionless protocols

Solution Article: K32804955


818177-6 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231


817709-3 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue no longer occurs.


816881-2 : Serverside conection may use wrong VLAN when virtual wire is configured

Component: Local Traffic Manager

Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination

Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.

Impact:
Some client connections fail to establish

Workaround:
None.


816413-5 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564


816233-1 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies are created with a less broad character set than they could be.

Workaround:
None.

Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.

Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).


816229-3 : Kernel Log Messages Logged Twice

Component: TMOS

Symptoms:
You see duplicate log messages in /var/log/kern.log

Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0

Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.

Fix:
Fixed an issue with duplicated log messages in /var/log/kern.log.


815877-2 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.


814953 : TMUI dashboard hardening

Solution Article: K43310520


814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814037-6 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813701-6 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.


812981-6 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.


812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd


811789-7 : Device trust UI hardening

Solution Article: K57214921


811701-3 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use The following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed


811149-2 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.


811053-6 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.


811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.

Fix:
The HA table no longer leaks memory if an entry is reinitialized.


810821-3 : Management interface flaps after rebooting the device

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.


810381-2 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.


809701-7 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist

Component: Local Traffic Manager

Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.

Conditions:
The system displays incorrect information when the iRule help text is visible.

Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.

Workaround:
Do not use the invalid 'HTTP::proxy dest' command.

Fix:
The help text now shows 'HTTP::proxy', which is correct.


809597-5 : Memory leak in icrd_child observed during REST usage

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.


809125-5 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm


808409-4 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain


807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).

Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).


807005-5 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


805417-3 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd

Fix:
The nslcd logs are now visible on /var/log/secure file.


804309-1 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false


803825-5 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.


803809-4 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.


803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.


802685-2 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802421-6 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


802281-3 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state


801497-3 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.


799749-2 : Asm logrotate fails to rotate

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.


797829-6 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.


796601-2 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


795649-5 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system


793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793017-3 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.


793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.


790845-4 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.


789921-5 : TMM may restart while processing VLAN traffic

Solution Article: K03386032


789857 : "TCP half open' reports drops made by LTM syn-cookies mitigation.

Component: Advanced Firewall Manager

Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.

Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.

Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.

Workaround:
If LTM syn-cookies are not needed, disable the option:

modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite


789421-4 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.


789181-5 : Link Status traps are not issued on VE based BIG-IP systems

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.

Workaround:
None.

Fix:
VE now issues link status messages (which will cause traps to be issued) when interfaces on VEs are administratively disabled and enabled. The underlying interface status impacted by cables being plugged/unplugged must be monitored on the underlying system (the hypervisor) and is not logged by VE. If an interface on VE is not configured, then it is in the uninitialized state. If the interface in that state is disabled/enabled, the Link status message issued on enable is Link DOWN.


788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.


788577-7 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.


788513-6 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


788465-5 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm


788057-3 : MCPD may crash while processing syncookies

Solution Article: K00103216


786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


785741-3 : Unable to login using LDAP with 'user-template' configuration

Solution Article: K19131357

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.


783165-1 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.

Fix:
Keep the whitelist as is when updating bot profile.


783125-1 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


779857-2 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


778261-2 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate

Component: Application Security Manager

Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.

Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).

Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.

Workaround:
Restart Policy Builder on the BIG-IP system:

killall -s SIGHUP pabnagd

Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.


778049-2 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051


774617-3 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.


774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.

Fix:
The output becomes like this after fix:

gtm pool a emptypool

gtm wideip a testwip.f5.com


773693-7 : CVE-2020-5892: APM Client Vulnerability

Solution Article: K15838353


771961-3 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm core related to deleting SSL Orchestrator.


767269-5 : Linux kernel vulnerability: CVE-2018-16884

Component: TMOS

Symptoms:
Linux kernel NFS41+ subsystem use-after-free vulnerability when node have NFSv41+ mounts inside several net namespaces.

Conditions:
NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic.

Impact:
BIG-IP is not exposed to this vulnerability. use-after-free causes system panic, subsequent system reset.

Workaround:
None.

Fix:
Updated kernel to include patches for CVE-2018-16884.


766017-6 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.


761303-5 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, after rebooting into the volume with the upgraded installation, do the following:

1. Force stop the localdbmgr process:
bigstart stop localdbmgr
2. Wait at least 15 minutes.
3. Restart the localdbmgr:
bigstart restart localdbmgr


760622-5 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.


760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


759988-2 : Geolocation information inconsistently formatted

Component: Fraud Protection Services

Symptoms:
The ${geo} pattern in the Logging Profile has only GeoIP data; however, in alerts that are sent to either the alert server or to BIG-IQ, the GEO data includes both GeoIP and GeoLocation information.

Conditions:
Configure ${geo} pattern in Logging Profile template and trigger a logging event.

Impact:
GeoLocation data is missing in logs written by Logging Profile when using ${geo} pattern.

Fix:
The ${geo} pattern in Logging Profile template now provides full GEO informaion, both GeoIP and GeoLocation, in the same format as in alerts.


759564-2 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.


758599-3 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.


757279-3 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

Fix:
Firewall manager can now edit firewall policies.


756139-3 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.

Fix:
Hostnames are now written consistently for all log files in /var/log directory.

Behavior Change:
Syslog-ng was using truncated hostname (without FQDN) while logging. This release adds fqdn use_fqdn(yes) in the syslog-ng template, so the system now logs the full hostname (FQDN).


755317-3 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure

Component: TMOS

Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:

 agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.

Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.

Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).

Workaround:
Manually extend the /var/log logical volume.

For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.

Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.


755197-5 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.


754932-1 : New SNMP MIB, sysVlanIfcStat, for VLAN statistics.

Component: TMOS

Symptoms:
V16.0.0 and v15.1.2 have a new SNMP MIB, sysVlanIfcStat, for VLAN statistics. Previously there were no ways to retrieve PVA statistics for each VLAN.

Conditions:
Viewing VLAN statistics through SNMP queries.

Impact:
PVA stats are not displayed.

Fix:
The new MIB, sysVlanIfcStat, includes several new statistics, including PVA statistics.
Example:

snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanIfcStat
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatNumber.0 = INTEGER: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/HA" = STRING: /Common/HA
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/external" = STRING: /Common/external
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatName."/Common/internal" = STRING: /Common/internal
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/HA" = Gauge32: 3
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/external" = Gauge32: 1
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInDiscards."/Common/internal" = Gauge32: 4
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatInUnknownProtos."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutDiscards."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/HA" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/external" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatOutErrors."/Common/internal" = Gauge32: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/HA" = Counter64: 498576
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/external" = Counter64: 4053194
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInOctets."/Common/internal" = Counter64: 499668
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/HA" = Counter64: 3892
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/external" = Counter64: 56086
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInUcastPkts."/Common/internal" = Counter64: 3898
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/HA" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/external" = Counter64: 3950
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInMulticastPkts."/Common/internal" = Counter64: 3896
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/external" = Counter64: 30
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcInBroadcastPkts."/Common/internal" = Counter64: 12
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/HA" = Counter64: 250558
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/external" = Counter64: 3792002
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutOctets."/Common/internal" = Counter64: 252154
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/external" = Counter64: 52115
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutUcastPkts."/Common/internal" = Counter64: 6
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/HA" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/external" = Counter64: 3944
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutMulticastPkts."/Common/internal" = Counter64: 3906
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/HA" = Counter64: 5
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/external" = Counter64: 8
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatHcOutBroadcastPkts."/Common/internal" = Counter64: 29
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaInOctets."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/external" = Counter64: 53198
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutPkts."/Common/internal" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/HA" = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/external" = Counter64: 9901246
F5-BIGIP-SYSTEM-MIB::sysVlanIfcStatPvaOutOctets."/Common/internal" = Counter64: 0


754924-1 : New VLAN statistics added.

Component: TMOS

Symptoms:
The tmsh command 'show net vlan' only displays statistics for each VLAN's interface, and not each VLAN's statistics.

Conditions:
This is encountered when running the command 'tmsh show net vlan'.

Impact:
You are unable to view PVA statistics.

Fix:
The tmsh command 'show net vlan' now displays each VLAN's statistics, including PVA statistics.

Behavior Change:
Starting in v16.0.0, the command 'tmsh show net vlan' now outputs each vlan's stats retreived from TMM, including PVA stats, immediately following 'customer-tag' and right before the list of interfaces.
Example:

[root@localhost:Active:Standalone] config # tmsh sho net vlan

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) f4:15:63:52:10:84
MTU 1500
Tag 4094
Customer-Tag

  | Incoming Discard Packets 2
  | Incoming Error Packets 0
  | Incoming Unknown Proto Packets 0
  | Outgoing Discard Packets 0
  | Outgoing Error Packets 0
  | HC Incoming Octets 28.8M
  | HC Incoming Unicast Packets 121.2K
  | HC Incoming Multicast Packets 121.2K
  | HC Incoming Broadcast Packets 0
  | HC Outgoing Octets 14.4M
  | HC Outgoing Unicast Packets 8
  | HC Outgoing Multicast Packets 121.2K
  | HC Outgoing Broadcast Packets 45
  | PVA Incoming Packets 5
  | PVA Incoming Octets 443
  | PVA Outgoing Packets 7
  | PVA Outgoing Octets 3.2K

  -----------------------
  | Net::Vlan-Member: 1.1
  -----------------------
  | Tagged no
  | Tag-Mode none

     --------------------------------------------------------------------
     | Net::Interface
     | Name Status Bits Bits Pkts Pkts Drops Errs Media
     | In Out In Out
     --------------------------------------------------------------------
     | 1.1 up 133.5M 31.5K 129.3K 17 36 0 10000SR-FD

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) f4:15:63:52:10:85
MTU 1500
Tag 4093
Customer-Tag

  | Incoming Discard Packets 0
  | Incoming Error Packets 0
  | Incoming Unknown Proto Packets 0
  | Outgoing Discard Packets 0
  | Outgoing Error Packets 0
  | HC Incoming Octets 28.8M
  | HC Incoming Unicast Packets 121.2K
  | HC Incoming Multicast Packets 121.2K
  | HC Incoming Broadcast Packets 1
  | HC Outgoing Octets 14.4M
  | HC Outgoing Unicast Packets 15
  | HC Outgoing Multicast Packets 121.2K
  | HC Outgoing Broadcast Packets 17
  | PVA Incoming Packets 7
  | PVA Incoming Octets 3.2K
  | PVA Outgoing Packets 5
  | PVA Outgoing Octets 443

  -----------------------
  | Net::Vlan-Member: 1.2
  -----------------------
  | Tagged no
  | Tag-Mode none

     --------------------------------------------------------------------
     | Net::Interface
     | Name Status Bits Bits Pkts Pkts Drops Errs Media
     | In Out In Out
     --------------------------------------------------------------------
     | 1.2 up 133.5M 14.0K 129.3K 22 16 0 10000SR-FD

This feature is also available as of v15.1.2 on an 'opt-in' basis; default output is unchanged. A new db variable is available on v15.1.2 for controlling the output format. To change the output of 'tmsh show net vlan' so that it provides the new stats, run the command:

tmsh modify sys db vlan.pva.stats value enable

Output can be changed back to the old format at any time by running:

tmsh modify sys db vlan.pva.stats value disable


754855-7 : TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

Component: Protocol Inspection

Symptoms:
Under certain conditions, TMM may crash while processing traffic with a FastL4 virtual with the Protocol Inspection Profile attached.

Conditions:
-FastL4 Virtual
-Protocol Inspection Profile

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes FastL4 traffic with the Protocol Inspection Profile as expected.


751103-2 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.


748122-8 : BIG-IP Vulnerability CVE-2018-15333

Solution Article: K53620021


747020-2 : Requests that evaluate to same subsession can be processed concurrently

Component: Access Policy Manager

Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases

Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.

Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.

Workaround:
None.


746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


746091-8 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352


745465-4 : The tcpdump file does not provide the correct extension

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.

Fix:
File name changed to support.tcpdump.tar.gz.

Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz


744407-1 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.


743234-6 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.

Fix:
The new EngineID is used after being configured, and no longer requires daemon restart.


742628-1 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash


742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.


740589-4 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));


739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}

Fix:
Users can now create LTM rule in the BIG-IP Configuration Utility that controls ASM if have AWAF or MSP license.


739570-4 : Unable to install EPSEC package

Component: Access Policy Manager

Symptoms:
Installation of EPSEC package via tmsh fails with error 'Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images)"

Conditions:
-- EPSEC package was never installed on the BIG-IP machine.
-- Running 'tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso'

Impact:
First time installation of EPSEC package through tmsh fails.

Workaround:
You can do a first-time installation of EPSEC with the following commands:

tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso

Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.


739507-3 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.

Console shows messages similar to:
  Starting System Logger Daemon...
  [ OK ] Started System Logger Daemon.
  [ 14.943495] System halted.

Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.

Impact:
The device halts and cannot be used.

Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
   cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.

If the system still halts, repeat from Step [1] above, until this no longer happens.

Fix:
If your device is running a version where ID 739507 is fixed:

[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.

The machine boots into the partition containing FIPS 140-2-enabled license.

[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:

Integrity Check Result: [ FAIL ]

If fatal errors persist, do not reboot (otherwise the system foes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.

Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.

[11] Truncate the file /config/f5_public/fipserr:
    cat /dev/null > /config/f5_public/fipserr


737098-1 : ASM Sync does not work when the configsync IP address is an IPv6 address

Component: TMOS

Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.

Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.

Impact:
ASM configuration does not synchronize across the Device Group.

Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server


726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.


724824-1 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.


722337-2 : Always show violations in request log when post request is large

Component: Application Security Manager

Symptoms:
The system does not always show violations in request log when post request is large.

Conditions:
A large post request with many parameters is sent.

Impact:
Although the violations is handled correctly, it is not reported.

Workaround:
Disable learning mode.

The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.

-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).


722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.


720440-6 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.


719555-3 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface


719338-1 : Concurrent management SSH connections are unlimited

Component: TMOS

Symptoms:
There is no limit to the number of users that can login concurrently onto a BIG-IP system.

Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.

Impact:
System can potentially run out of memory.

Workaround:
Provide a way to limit the number of concurrent user SSH sessions.

Fix:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.

-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
   + Enables the feature; feature is functional with default values.
   + Defaults: feature is not enabled for admin/root privileged user.
   + Total session limit for all users is 10 sessions.


-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
   + Enables feature for admin/root privileged user.
   + Total session limit for all users is still 10 sessions.


-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
   + Changes the default global setting limit of 10 to the specified value.


-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
   + Sets the maximum session limit per user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.


-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
   + Sets the maximum number of sessions for a particular user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.

Behavior Change:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.

-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
   + Enables the feature; feature is functional with default values.
   + Defaults: feature is not enabled for admin/root privileged user.
   + Total session limit for all users is 10 sessions.


-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
   + Enables feature for admin/root privileged user.
   + Total session limit for all users is still 10 sessions.


-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
   + Changes the default global setting limit of 10 to the specified value.


-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
   + Sets the maximum session limit per user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.


-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
   + Sets the maximum number of sessions for a particular user.
   + Total sessions on the system are still enforced by the setting for ssh-max-session-limit.


717276-9 : TMM Route Metrics Hardening

Solution Article: K20622530


715032-1 : iRulesLX Hardening

Solution Article: K73302459

Component: Local Traffic Manager

Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.

Conditions:
-iRulesLX in use

Impact:
iRulesLX does not follow current best practices.

Workaround:
None.

Fix:
iRulesLX now follows current best practices.


714642-2 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.


714502-3 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.


714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


714176-1 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config

Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.


713614-7 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Component: TMOS

Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.

Impact:
Virtual Server does not fail over with floating traffic group as expected.


706782-5 : Inefficient APM processing in large configurations.

Component: Access Policy Manager

Symptoms:
In configurations with large numbers of virtual servers or other entities, the apmd, oauth, and localdbmgr processes may consume large amounts of system resources.

Conditions:
-- Large configuration.
-- APM provisioned.
-- Multiple traffic groups exacerbate the effect.

Impact:
Heavy use of odd-numbered CPU cores may slow all control-plane operations, including user-interface response.

Workaround:
None known.


706521-2 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password

Component: TMOS

Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.

Conditions:
Configure TACACS+ auditing forwarder.

Impact:
Exposes sensitive information.

Workaround:
None.

Fix:
The sensitive data is not exposed, and this issue is fixed.


705768-2 : The dynconfd process may core and restart with multiple DNS name servers configured

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.

Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.


705112-6 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.


697331-2 : Some TMOS tools for querying various DBs fail when only a single TMM is running

Component: Service Provider

Symptoms:
Command returns "No route to host" error.

Conditions:
Running diadb, sipdb, genericmsgdb or lsndb when only a single TMM is running.

Impact:
Unable to query SIP, Diameter, Generic-Message and LSN information from its corresponded DB query tool.

Workaround:
N/A

Fix:
Tools for querying various DBs now work regardless of the number of TMMs.


696348-5 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.

Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.


693360-2 : A virtual server status changes to yellow while still available

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions a virtual server may change status to yellow despite proper function of pool members.

Conditions:
-- LTM virtual server
-- Connection Rate Limit Mode enabled

Impact:
Virtual server stops responding.

Workaround:
None.

Fix:
Virtual servers now respond as expected.


691499-5 : GTP::ie primitives in iRule to be certified

Component: Service Provider

Symptoms:
The following commands in iRules are created and available but not officially tested and approved:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Conditions:
Using the following iRule commands:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.

Workaround:
None.

Fix:
GTP::ie primitives in iRule are now certified.

Behavior Change:
Certified pre-existing iRules:

-- GTP::ie set instance <ie-path> <instance>
  Assigns <instance> to the information element (IE) instance at <ie-path>.

-- GTP::ie set value <ie-path> <value>
  Assigns <value> to the IE value at <ie-path>.

-- GTP::ie insert <ie-path> <type> <instance> <value>
  Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>

-- GTP::ie append [<ie-path>] <type> <instance> <value>
  Appends a new IE of type <type> and instance <instance> with value <value> to the end of embeded IE of grouped-IE specified by <ie-path> or to the end of message if the grouped-IE <ie-path> is absent.

-- GTP::ie remove <ie-path>
  Removes IE specified by <ie-path>.


681010-4 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Solution Article: K33572148

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.


679751-2 : Authorization header can cause a connection reset

Component: Access Policy Manager

Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.

Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.

Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.

Workaround:
iRule workaround:

when HTTP_REQUEST {
    if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
        HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
    }
  }

Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.


644192-2 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN

Solution Article: K23022557

Component: Global Traffic Manager (DNS)

Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.

Conditions:
A CNAME wide IP and a dnx with parent zone.
For example, CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.

Impact:
Cache resolvers will remember NXDOMAIN for the entire name. So clients talking to those caches asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.

Workaround:
Option 1: Create a related "www.siterequest.com" txt record in ZoneRunner
Option 2: Create a ltm virtual server iRule, similar to this:
when DNS_RESPONSE {
  if { [DNS::question name] eq "www.siterequest.com" } {
    if { [DNS::header rcode] eq "NXDOMAIN" } {
        DNS::header rcode NOERROR
        DNS::authority clear
        return
    }
  }
}


640842-5 : ASM end user using mobile might be blocked when CSRF is enabled

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.

Fix:
Enabling access for specific mobile application.


636400 : CPB (BIG-IP->BIGIQ log node) Hardening

Solution Article: K26462555


605675-6 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.


593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.


583084-6 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.

Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.


579219-5 : Access keys missing from SessionDB after multi-blade reboot.

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.


489572-5 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Solution Article: K60934489

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.


405329-3 : The imish utility cores while checking help strings for OSPF6 vertex-threshold

Component: TMOS

Symptoms:
The imish (vtysh) utility dumps core while checking help strings for the OSPF6 vertex-threshold command from OSPF mode.

Conditions:
-- Routing enabled.
-- Configuring OSPF vertex-threshold for either IPv4 or IPv6.
-- Requesting help for the OSPF6 vertex-threshold command.

Impact:
There is an imish (vtysh) crash.

Workaround:
None.

Fix:
Updated with the proper help strings for the OSPF6 vertex-threshold command.



Known Issues in BIG-IP v15.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
913713-2 1-Blocking   Rebooting a blade causes MCPd to core as it rejoins the cluster
858173-3 1-Blocking   SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1
958281-1 2-Critical   REST API calls require “admin” user authentication.
957897-1 2-Critical   Unable to modify gateway-ICMP monitor fields
955929-2 2-Critical   Vlan can reference a deleted partition on the primary device
950673-3 2-Critical   Hardware Syncookie mode not cleared when deleting/changing virtual server config.
945925-1 2-Critical   tmm could be stuck in a restart loop when remote logging to a fqdn destination is configured
943109-2 2-Critical   Mcpd crash when bulk deleting Bot Defense profiles
942549-2 2-Critical   Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
942497-1 2-Critical   Declarative onboarding unable to download and install RPM
941893-3 2-Critical   VE performance tests in Azure causes loss of connectivity to objects in configuration
940021-3 2-Critical   Syslog-ng crash may lead to silent reboot
937481-2 2-Critical   Tomcat restarts with error java.lang.OutOfMemoryError
932437-2 2-Critical   Loading SCF file does not restore files from tar file
929133-2 2-Critical   TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
915305-5 2-Critical   Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
910325 2-Critical   DDoS Vector - TCP BAD ACK is not hardware-accelerated
908517-3 2-Critical   LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
894133-1 2-Critical   After ISO upgrade the SSLO guided configuration user interface is not available
888765-1 2-Critical   After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files
888341-7 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-3 2-Critical   System may become unresponsive after upgrading
882757-1 2-Critical   sflow_agent crash SIGABRT in the cleanup flow
865329-1 2-Critical   WCCP crashes on "ServiceGroup size exceeded" exception
860349-3 2-Critical   Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
858877-3 2-Critical   SSL Orchestrator config sync issues between HA-pair devices
856713-3 2-Critical   IPsec crash during rekey
842669-3 2-Critical   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
840769-2 2-Critical   Having more than one IKE-Peer version value results in upgrade failure
838713 2-Critical   LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test'
831821-1 2-Critical   Corrupted DAG packets causes bcm56xxd core on VCMP host
829277-2 2-Critical   A Large /config folder can cause memory exhaustion during live-install
808277-6 2-Critical   Root's crontab file may become empty
785017-3 2-Critical   Secondary blades go offline after new primary is elected
780437-6 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-5 2-Critical   In a corner case, for PostgreSQL monitor MCP process restarts
776393-3 2-Critical   Memory leak in restjavad causing restjavad to restart frequently with OOM
756830-5 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
750588-3 2-Critical   While loading large configurations on BIG-IP systems, some daemons may core intermittently.
749332-2 2-Critical   Client-SSL Object's description can be updated using CLI but not REST
742419-4 2-Critical   BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
739505-3 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
718573-3 2-Critical   Internal SessionDB invalid state
671545-2 2-Critical   MCPD core while booting up device with error "Unexpected exception caught"
382363-3 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool.
964125-2 3-Major   Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
963049-1 3-Major   Unexpected config lost when modifying protected object
963017-2 3-Major   Tpm-status-check service shows System Integrity Status: Invalid when EngHF installed
960029-2 3-Major   Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error
959629-2 3-Major   Logintegrity script for restjavad/restnoded fails
959057-3 3-Major   Unable to create additional login tokens for the default admin user account
958833-1 3-Major   After mgmt ip change via GUI, brower is not redirected to new address
958601-2 3-Major   In the GUI, searching for virtual server addresses does not match address lists
958465-2 3-Major   TMM may prematurely shut down during initialization
958093-3 3-Major   IPv6 routes missing after BGP graceful restart
957993-2 3-Major   Unable to set a port list in the GUI for an IPv6 address for a virtual server
956625-2 3-Major   Port and port-list type are both stored in a traffic-matching-criteria object
956589-1 3-Major   The tmrouted daemon restarts and produces a core file
956293-2 3-Major   High CPU from analytics-related REST calls - Dashboard TMUI
956109-2 3-Major   Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target
955953-2 3-Major   iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
955897-2 3-Major   Upgrade failure with virtual-address in non-default route domain partition fails to load config
950849-4 3-Major   B4450N blades report page allocation failure.
950201 3-Major   Tmm core on GCP
948101 3-Major   Pair of phase 2 SAs missing after reboot of standby BIG-IP
947529-2 3-Major   Security tab in virtual server menu renders slowly
946745-2 3-Major   'System Integrity: Invalid' after EngHF installation
946185-1 3-Major   Unable to view iApp component view
946121-2 3-Major   SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk.
946089-2 3-Major   BIG-IP might send excessive multicast/broadcast traffic.
945413-3 3-Major   Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
945265-4 3-Major   BGP may advertise default route with incorrect parameters
943793-2 3-Major   Neurond continuously restarting
943641-1 3-Major   IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration
943577-2 3-Major   Full sync failure for traffic-matching-criteria with port list under certain conditions
943473-2 3-Major   LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI
943045-2 3-Major   Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.
940885-2 3-Major   Add support for Mellanox CX5 Ex adapter
940161 3-Major   iCall throws error: foreign key index (name_FK) do not point at an item that exists in the database
939541-2 3-Major   TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
938145-1 3-Major   DAG redirects packets to non-existent tmm
937601-2 3-Major   The ip-tos-to-client setting does not affect traffic to the server.
936125-2 3-Major   SNMP request times out after configuring IPv6 trap destination
936093-2 3-Major   Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
935177-2 3-Major   IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
934941-2 3-Major   Platform FIPS power-up self test failures not logged to console
934065-1 3-Major   The turboflex-low-latency and turboflex-dns are missing.
933329-2 3-Major   The process plane statistics do not accurately label some processes
932497-3 3-Major   Autoscale groups require multiple syncs of datasync-global-dg
931629-2 3-Major   External trunk fdb entries might end up with internal MAC addresses.
930905-4 3-Major   Management route lost after reboot.
930825-4 3-Major   System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
928697-2 3-Major   Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
928389-2 3-Major   GUI become inaccessible after importing certificate under import type 'certificate'
928353-2 3-Major   Error logged installing Engineering Hotfix: Argument isn't numeric
927941-5 3-Major   IPv6 static route BFD does not come up after OAMD restart
927485-4 3-Major   Restnoded memory leak while deploying telemetry
925797-2 3-Major   Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
923745-3 3-Major   Ctrl-Alt-Del reboots the system
922885-3 3-Major   BIG-IP Virtual Edition does not pass traffic on ESXi 6.5
922613-2 3-Major   Tunnels using autolasthop might drop traffic with ICMP route unreachable
922297-2 3-Major   TMM does not start when using more than 11 interfaces with more than 11 vCPUs
922185-1 3-Major   LDAP referrals not supported for "cert-ldap system-auth"
922153-2 3-Major   Tcpdump is failing on tmm 0.x interfaces
922069 3-Major   Increase iApp block configuration processor timeout
921149-1 3-Major   After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
921121-4 3-Major   Tmm crash with iRule and a PEM Policy with BWC Enabled
920893-1 3-Major   GUI banner for configuration issues frozen after repeated forced VIPRION blade failover
920761-2 3-Major   Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
920517-2 3-Major   Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
919401-2 3-Major   Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
919317-5 3-Major   NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-2 3-Major   Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918409-2 3-Major   BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
915829-2 3-Major   Particular Users unable to login with LDAP Authentication Provider
915557-2 3-Major   The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915493-4 3-Major   imish command hangs when ospfd is enabled
914645-3 3-Major   Unable to apply LTM policies to virtual servers after running 'mount -a'
914081-1 3-Major   Engineering Hotfixes missing bug titles
913849-1 3-Major   Syslog-ng periodically logs nothing for 20 seconds
913829-4 3-Major   i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
913573-2 3-Major   Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
913433-3 3-Major   On blade failure, some trunked egress traffic is dropped.
909505-3 3-Major   Creating LTM data group external object fails.
909485-3 3-Major   Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
909197-3 3-Major   The mcpd process may become unresponsive
908753-3 3-Major   Password memory not effective even when password policy is configured
908601-2 3-Major   System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
908021-1 3-Major   Management and VLAN MAC addresses are identical
906505-2 3-Major   Display of LCD System Menu cannot be configured via GUI on iSeries platforms
905749-1 3-Major   imish crash while checking for CLI help string in BGP mode
904785-1 3-Major   Remotely authenticated users may experience difficulty logging in over the serial console
904401-1 3-Major   Guestagentd core
903265-3 3-Major   Single user mode faced sudden reboot
901989-2 3-Major   Boot_marker writes to /var/log/btmp
901529 3-Major   AFM Debug Reroute feature not supported
900933-1 3-Major   IPsec interoperability problem with ECP PFS
900485-2 3-Major   Syslog-ng 'program' filter does not work
899933-2 3-Major   Listing property groups in TMSH without specifying properties lists the entire object
899085-6 3-Major   Configuration changes made by Certificate Manager role do not trigger saving config
898577-2 3-Major   Executing a command in "mgmt tm" using iControl REST results in tmsh error
898389-1 3-Major   Traffic is not classified when adding port-list to virtual server from GUI
896817-2 3-Major   iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
896553-3 3-Major   On blade failure, some trunked egress traffic is dropped.
896473-2 3-Major   Duplicate internal connections can tear down the wrong connection
895845-5 3-Major   Implement automatic conflict resolution for gossip-conflicts in REST
895837-3 3-Major   Mcpd crash when a traffic-matching-criteria destination-port-list is modified
893885-3 3-Major   The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
893341-3 3-Major   BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445
892445-2 3-Major   BWC policy names are limited to 128 characters
891337-1 3-Major   'save_master_key(master): Not ready to save yet' errors in the logs
891221-2 3-Major   Router bgp neighbor password CLI help string is not helpful
889029-2 3-Major   Unable to login if LDAP user does not have search permissions
888869-2 3-Major   GUI reports General Database Error when accessing Instances Tab of SSL Certificates
888081-4 3-Major   BIG-IP VE Migration feature fails for 1NIC
887117-2 3-Major   Invalid SessionDB messages are sent to Standby
886649-2 3-Major   Connections stall when dynamic BWC policy is changed via GUI and TMSH
886273-3 3-Major   Unanticipated restart of TMM due to heartbeat failure
884989-1 3-Major   IKE_SA's Not mirrored of on Standby device if it reboots
884729-2 3-Major   The vCMP CPU usage stats are incorrect
883149-1 3-Major   The fix for ID 439539 can cause mcpd to core.
882833-2 3-Major   SELinux issue cause zrd down
882609-1 3-Major   ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
881085-3 3-Major   Intermittent auth failures with remote LDAP auth for BIG-IP managment
880473-1 3-Major   Under certain conditions, the virtio driver may core during shutdown
880013-1 3-Major   Config load fails after changing the BIG-IP Master key which has an encrypted key in it's configuration
880009-1 3-Major   Tcpdump does not export the TLS1.3 early secret
879969-5 3-Major   FQDN node resolution fails if DNS response latency >5 seconds
879001-1 3-Major   LDAP data is not updated consistently which might affect authentication.
876937-3 3-Major   DNS Cache not functioning
876809-3 3-Major   GUI cannot delete a cert with a name that starts with * and ends with .crt
876805-3 3-Major   Modifying address-list resets the route advertisement on virtual servers.
873641-1 3-Major   Re-offloading of TCP flows to hardware does not work
871705-6 3-Major   Restarting bigstart shuts down the system
867793-1 3-Major   BIG-IP sending the wrong trap code for BGP peer state
867253-3 3-Major   Systemd not deleting user journals
867177-3 3-Major   Outbound TFTP and Active FTP no longer work by default over the management port
865177-4 3-Major   Cert-LDAP returning only first entry in the sequence that matches san-other oid
864321-3 3-Major   Default Apache testing page is reachable at <mgmt-ip>/noindex
862937-3 3-Major   Running cpcfg after first boot can result in daemons stuck in restart loop
862693-6 3-Major   PAM_RHOST not set when authenticating BIG-IP using iControl REST
862525-1 3-Major   GUI Browser Cache Timeout option is not available via tmsh
860245-1 3-Major   SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
860181-1 3-Major   After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
856953-4 3-Major   IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
853617-1 3-Major   Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
853161-4 3-Major   Restjavad has different behavior for error responses if the body is over 2k
852565-5 3-Major   On Device Management::Overview GUI page, device order changes
852265-1 3-Major   Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
851785-3 3-Major   BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-1 3-Major   Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-1 3-Major   'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
849157-2 3-Major   An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
846141-1 3-Major   Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
844925-3 3-Major   Command 'tmsh save /sys config' fails to save the configuration and hangs
843661-1 3-Major   TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
842189-4 3-Major   Tunnels removed when going offline are not restored when going back online
841721-2 3-Major   BWC::policy detach appears to run, but BWC control is still enabled
841277-7 3-Major   C4800 LCD fails to load after annunciator hot-swap
839121-3 3-Major   A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade
838337-1 3-Major   The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
837481-7 3-Major   SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
830413-3 3-Major   Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure
829821-1 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
827209-4 3-Major   HSB transmit lockup on i4600
827021-7 3-Major   MCP update message may be lost when primary blade changes in chassis
826313-6 3-Major   Error: Media type is incompatible with other trunk members
824809-6 3-Major   bcm56xxd watchdog restart
820845-3 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
819457-1 3-Major   LTM high availability (HA) sync should not sync GTM zone configuration
819261-4 3-Major   Log HSB registers when parts of the device becomes unresponsive
818505-1 3-Major   Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
817089-3 3-Major   Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
814353-6 3-Major   Pool member silently changed to user-disabled from monitor-disabled
814273-1 3-Major   Multicast route entries are not populating to tmm after failover
810613-5 3-Major   GUI Login History hides informative message about max number of lines exceeded
809657-7 3-Major   HA Group score not computed correctly for an unmonitored pool when mcpd starts
807945-3 3-Major   Loading UCS file for the first time not updating MCP DB
807837-2 3-Major   Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
806881-6 3-Major   Loading the configuration may not set the virtual server enabled status correctly
806073-1 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
803833-7 3-Major   On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host
803457-3 3-Major   SNMP custom stats cannot access iStats
803237-2 3-Major   PVA does not validate interface MTU when setting MSS
803157-3 3-Major   LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
799001-1 3-Major   Sflow agent does not handle disconnect from SNMPD manager correctly
798885-4 3-Major   SNMP response times may be long due to processing burden of requests
796985-3 3-Major   Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'
791365-3 3-Major   Bad encryption password error on UCS save
791061-5 3-Major   Config load in /Common removes routing protocols from other partitions
788645-5 3-Major   BGP does not function on static interfaces with vlan names longer than 16 characters.
787885-2 3-Major   The device status is falsely showing as forced offline on the network map while actual device status is not.
786633-2 3-Major   Debug-level messages are being logged even when the system is not set up for debug logging
781733-5 3-Major   SNMPv3 user name configuration allows illegal names to be entered
780745-3 3-Major   TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778513-1 3-Major   APM intermittently drops log messages for per-request policies
778041-3 3-Major   tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
776489-5 3-Major   Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775845-1 3-Major   Httpd fails to start after restarting the service using the iControl REST API
775797-3 3-Major   Previously deleted user account might get authenticated
773577-5 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773173-2 3-Major   LTM Policy GUI is not working properly
767737-4 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
767305-5 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
762097-3 3-Major   No swap memory available after upgrading to v14.1.0 and above
760932-1 3-Major   Part of audit log messages are also in other logs when strings are long
760354-4 3-Major   Continual mcpd process restarts after removing big logs when /var/log is full
759737-3 3-Major   Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
759735-3 3-Major   OSPF ASE route calculation for new external-LSA delayed
759258-5 3-Major   Instances shows incorrect pools if the same members are used in other pools
757787-3 3-Major   Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.
755976-4 3-Major   ZebOS might miss kernel routes after mcpd deamon restart
754335-3 3-Major   Install ISO does not boot on BIG-IP VE
751409-7 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
749757-1 3-Major   -s option in qkview help does not indicate maximum size
749007-1 3-Major   South Sudan, Sint Maarten, Curacao country missing in GTM region list
746861-3 3-Major   SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated
746758-1 3-Major   Qkview produces core file if interrupted while exiting
744924-2 3-Major   Bladed unit goes offline after UCS install
741702-2 3-Major   TMM crash
739820-7 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739118-5 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
737739-2 3-Major   Bash shell still accessible for admin even if disabled
730852-1 3-Major   The tmrouted repeatedly crashes and produces core when new peer device is added
725646-2 3-Major   The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
714216-4 3-Major   Folder in a partition may result in load sys config error
692218-1 3-Major   Audit log messages sent from the primary blade to the secondaries should not be logged.
690928-3 3-Major   System posts error message: 01010054:3: tmrouted connection closed
688231-3 3-Major   Unable to set VET, AZOT, and AZOST timezones
675911-12 3-Major   Different sections of the GUI can report incorrect CPU utilization
662301-2 3-Major   'Unlicensed objects' error message appears despite there being no unlicensed config
658850-3 3-Major   Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
654635-1 3-Major K34003145 FTP virtual server connections may rapidly reuse ephemeral ports
639606-1 3-Major   If mcpd fails to load DNSSEC keys then signing does not happen and no error logged
627760-7 3-Major   gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
615934-6 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615329-1 3-Major   Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces
587821-10 3-Major   vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
569859-7 3-Major   Password policy enforcement for root user when mcpd is not available
554506-1 3-Major K47835034 PMTU discovery from management does not work
538283-2 3-Major   iControl REST asynchronous tasks may block other tasks from running
499348-11 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
469724-3 3-Major   When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
431503-8 3-Major K14838 TMSH crashes in rare initial tunnel configurations
398683-4 3-Major K12304 Use of a # in a TACACS secret causes remote auth to fail
385013-2 3-Major   Certain user roles do not trigger a sync for a 'modify auth password' command
962605-4 4-Minor   BIG-IP may go offline after installing ASU file with insufficient disk space
959889-2 4-Minor   Cannot update firewall rule with ip-protocol property as 'any'
957461-2 4-Minor   Creating virtual server with IPv6 address or port list in destination, should display source address in IPv6 format
955593-2 4-Minor   "none" missing from the error string when snmp trap is configured with an invalid network type
955057-2 4-Minor   UCS archives containing a large number of DNS zone files may fail to restore.
947865-2 4-Minor   Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
944485-5 4-Minor   License activation through proxy server uses IP address in proxy CONNECT, not nameserver
943597-2 4-Minor   'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart
939757-4 4-Minor   Deleting a virtual server might not trigger route-injection update.
939517-4 4-Minor   DB variable scheduler.minsleepduration.ltm changes to default value after reboot
927441-3 4-Minor   Guest user not able to see virtual server details when ASM policy attached
921065 4-Minor   BIG-IP systems not responding to DPD requests from initiator after failover
919861-1 4-Minor   Tunnel Static Forwarding Table does not show entries per page
918013-1 4-Minor   Log message with large wchan value
915473-1 4-Minor   Accessing Dashboard page with AVR provisioned causes continuous audit logs
915141-2 4-Minor   Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
910645-1 4-Minor   Upgrade error 'Parsing default XML files. Failed to parse xml file'
908453-3 4-Minor   Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
906449-2 4-Minor   Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
905881 4-Minor   MTU assignment to non-existent interface
901985-6 4-Minor   Extend logging for incomplete HTTP requests
901669-4 4-Minor   Error status in "show cm failover-status" after MGMT-IP change
899097-2 4-Minor   Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking
896693-4 4-Minor   Patch installation is failing for iControl REST endpoint.
896689-4 4-Minor   Asynchronous tasks can be managed via unintended endpoints
893813-3 4-Minor   Modifying pool enables address and port translation in TMUI
893093-2 4-Minor   An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
887505-1 4-Minor   Coreexpiration script improvement
884953-3 4-Minor   IKEv1 IPsec daemon racoon goes into an endless restart loop
884165-3 4-Minor   Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
879189-1 4-Minor   Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
869237-5 4-Minor   Management interface might become unreachable when alternating between DHCP/static address assignment.
860573-3 4-Minor   LTM iRule validation performance improvement by tracking procedure/event that have been validated
857045-1 4-Minor   LDAP system authentication may stop working
853101-2 4-Minor   ERROR: syntax error at or near 'FROM' at character 17
848681-7 4-Minor   Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-7 4-Minor   Config script does not refresh management address entry properly when alternating between dynamic and static
838925-7 4-Minor   Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-1 4-Minor   The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
828625-3 4-Minor   User shouldn't be able to configure two identical traffic selectors
826189-3 4-Minor   The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-3 4-Minor   GUI displays error when a virtual server is modified if it is using an address-list
822253-1 4-Minor   After starting up, mcpd may have defunct child "run" and "xargs" processes
819429-5 4-Minor   Unable to scp to device after upgrade: path not allowed
818737-3 4-Minor   Improve error message if user did not select a address-list or port list in the GUI
818297-3 4-Minor   OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
817989-1 4-Minor   Cannot change managemnet IP from GUI
816353-3 4-Minor   Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
809089-1 4-Minor   TMM crash after sessiondb ref_cnt overflow
808481-5 4-Minor   Hertfordshire county missing from GTM Region list
807309-3 4-Minor   Incorrect Active/Standby status in CLI Prompt after failover test
805325-6 4-Minor   tmsh help text contains a reference to bigpipe, which is no longer supported
795429-5 4-Minor   Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
759852-4 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
759606-3 4-Minor   REST error message is logged every five minutes on vCMP Guest
759590-6 4-Minor   Creation of RADIUS authentication fails with service types other than 'authenticate only'
757167-3 4-Minor   TMM logs 'MSIX is not supported' error on vCMP guests
753536-3 4-Minor   iControl REST incorrectly allows remotely-authenticated users to use basic authentication
742753-5 4-Minor   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-3 4-Minor   Displaying network map with virtual servers is slow
713183-4 4-Minor   Malformed JSON files may be present on vCMP host
712241-3 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
696363-4 4-Minor   Unable to create SNMP trap in the GUI
689147-3 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
675772-2 4-Minor   IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
673573-1 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
658943-3 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-1 4-Minor K71255118 VCMP Guest CM device name not set to hostname when deployed
631083-5 4-Minor   Some files in home directory are overwritten on password change
603693-2 4-Minor K52239932 Brace matching in switch statement of iRules can fail if literal strings use braces
528894-6 4-Minor   Config sync after sub-partition config changes results extra lines in the partition's conf file
472645-2 4-Minor   Memory issues when there is a lot of data in /var/annotate (annotations for dashboard)
905893 5-Cosmetic   Modification of SmartNIC MTU not supported
832661 5-Cosmetic   Default provisioning for all instances is LTM nominal
818777-2 5-Cosmetic   MCPD error - Trouble allocating MAC address for VLAN object
353607-1 5-Cosmetic   cli global-settings { service number } appears to have no effect


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
926929-3 1-Blocking   RFC Compliance Enforcement lacks configuration availability
946481-1 2-Critical   Virtual Edition FIPS not compatible with TLS 1.3
945997-2 2-Critical   LTM policy applied to HTTP/2 traffic may crash TMM
944381 2-Critical   Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
942185-2 2-Critical   Non-mirrored persistence records may accumulate over time
937777-2 2-Critical   The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.
937649-3 2-Critical   Flow fwd broken with statemirror.verify enabled and source-port preserve strict
935193-1 2-Critical   With APM and AFM provisioned, single logout ( SLO ) fails
927633-2 2-Critical   Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
926985-2 2-Critical   HTTP/3 aborts stream on incomplete frame headers
911041-3 2-Critical   Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
910653-5 2-Critical   iRule parking in clientside/serverside command may cause tmm restart
910213-2 2-Critical   LB::down iRule command is ineffective, and can lead to inconsistent pool member status
886045-2 2-Critical   Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
882157-1 2-Critical   One thread of pkcs11d consumes 100% without any traffic.
864897-2 2-Critical   TMM may crash when using "SSL::extensions insert"
862885-2 2-Critical   Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
851385-1 2-Critical   Failover takes too long when traffic blade failure occurs
846217-3 2-Critical   Translucent vlan-groups set local bit in destination MAC address
841469-6 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
835505-1 2-Critical   Tmsh crash potentially related to NGFIPS SDK
824437-7 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
763145-2 2-Critical   TMM Crash when using certain HTTP iRules with HTTP Security Profile
758491-3 2-Critical   When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
625807-3 2-Critical   Tmm cores in bigproto_cookie_buffer_to_server
474797-8 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
962913-4 3-Major   The number of native open connections in the SSL profile is higher than expected
961653-2 3-Major   Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate
961001-2 3-Major   Arp requests not resolved for snatpool members when primary blade goes offline
958785-5 3-Major   FTP data transfer does not complete after QUIT signal
955617-2 3-Major   Cannot modify the destination address of monitor
953845-1 3-Major   After re-initializing the onboard FIPS HSM, may lose access after second MCPD restart
950005-2 3-Major   TCP connection is not closed when necessary after HTTP::respond iRule
947125-2 3-Major   Unable to delete monitors after certain operations
946953-1 3-Major   HTTP::close used in iRule might not close connection.
945601-4 3-Major   An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
945189-2 3-Major   HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA
944641-1 3-Major   HTTP2 send RST_STREAM when exceeding max streams
944173-2 3-Major   SSL monitor stuck does not change TLS version
944121-1 3-Major   Missing SNI information when using non-default domain https monitor running in tmm mode
942217-3 3-Major   Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
941481-2 3-Major   iRules LX - nodejs processes consuming more memory on vCMP guest secondary slot
941257-1 3-Major   Occasional Nitrox3 ZIP engine hang
940665-1 3-Major   DTLS 1.0 support for PFS ciphers
939209-1 3-Major   FIPS 140-2 SP800-56Arev3 compliance
938309-2 3-Major   In-TMM Monitors time out unexpectedly
936441-2 3-Major   Nitrox5 SDK driver logging messages
935793-2 3-Major   With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)
934697-3 3-Major   Route domain not reachable (strict mode)
932857-2 3-Major   Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
932461-3 3-Major   Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
930005-2 3-Major   Recover previous QUIC cwnd value on spurious loss
928857-2 3-Major   Use of OCSP responder may leak X509 store instances
928805-2 3-Major   Use of OCSP responder may cause memory leakage
928789-2 3-Major   Use of OCSP responder may leak SSL handshake instances
928445-4 3-Major   HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2
927713-1 3-Major   Secondary blade IPsec SAs lost after standby reboot using clsh reboot
927569-2 3-Major   HTTP/3 rejects subsequent partial SETTINGS frames
926757-2 3-Major   ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
926513-2 3-Major   HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
922641-4 3-Major   Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
922413-2 3-Major   Excessive memory consumption with ntlmconnpool configured
921881-2 3-Major   Use of IPFIX log destination can result in increased CPU utilization
921721-1 3-Major   FIPS 140-2 SP800-56Arev3 compliance
921541-3 3-Major   When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
920789-2 3-Major   UDP commands in iRules executed during FLOW_INIT event fail
920285 3-Major   WS::disconnect may result in TMM crash under certain conditions
920205-4 3-Major   Rate shaping might suppress TCP RST
918277-2 3-Major   Slow Ramp does not take into account pool members' ratio weights
915773-1 3-Major   Restart of TMM after stale interface reference
913385-1 3-Major   TMM generates core while deleting iFiles
912517-2 3-Major   MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
912425-3 3-Major   Modification of in-tmm monitors may result in crash
912293-3 3-Major   Persistence might not work properly on virtual servers that utilize address lists
910905-1 3-Major   Unexpected tmm core
910673-4 3-Major   Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910273-2 3-Major   SSL Certificate version always displays as '1' in the GUI
910105-1 3-Major   Partial HTTP/2 payload may freeze on the BIG-IP system
909997-3 3-Major   Virtual server status displays as unavailable when it is accepting connections
909677-2 3-Major   HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
908465-2 3-Major   Need the ability to set LACP system priority manually
907177-2 3-Major   Priority of embedded APM iRules is ignored
905477-2 3-Major   The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-2 3-Major   Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
904041-2 3-Major   Ephemeral pool members may be incorrect when modified via various actions
903581-1 3-Major   The pkcs11d process cannot recover under certain error condition
902377-2 3-Major   HTML profile forces re-chunk even though HTML::disable
901569-1 3-Major   Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
898733-3 3-Major   SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-4 3-Major   Order of ciphers changes after updating cipher group
897185-2 3-Major   Resolver cache not using random port distribution
896245-3 3-Major   Inconsistency is observed in ARP behavior across releases
895649-2 3-Major   Improve TCP analytics goodput reports
895205-2 3-Major   A circular reference in rewrite profiles causes MCP to crash
895165-2 3-Major   Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
892801-2 3-Major   When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-2 3-Major   A wrong OCSP status cache may be looked up and re-used during SSL handshake.
892073-3 3-Major   TLS1.3 LTM policy rule based on SSL SNI is not triggered
891373-2 3-Major   BIG-IP does not shut a connection for a HEAD request
891145-5 3-Major   TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
889165-3 3-Major   "http_process_state_cx_wait" errors in log and connection reset
888885-1 3-Major   BIG-IP Virtual Edition TMM restarts frequently without core
888517-2 3-Major   Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.
887045-1 3-Major   The session key does not get mirrored to standby.
885325-2 3-Major   Stats might be incorrect for iRules that get executed a large number of times
883049-2 3-Major   Statsd can deadlock with rrdshim if an rrd file is invalid
882725-5 3-Major   Mirroring not working properly when default route vlan names not match.
882709-4 3-Major   Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors in this release
882549-2 3-Major   Sock driver does not use multiple queues in unsupported environments
881065-1 3-Major   Adding port-list to Virtual Server changes the route domain to 0
881041-3 3-Major   BIG-IP system may forward IP broadcast packets back to the incoming VLAN interface via a forwarding virtual server.
878253-1 3-Major   LB::down no longer sends an immediate monitor probe
876145-3 3-Major   Nitrox5 failure on vCMP guest results in all crypto requests failing.
874877-1 3-Major   Bigd http monitor shows misleading 'down' reason when recv does not match
874317-1 3-Major   Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
873677-7 3-Major   LTM policy matching does not work as expected
872981-1 3-Major   MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
872721-3 3-Major   SSL connection mirroring intermittent failure with TLS1.3
872685-1 3-Major   Some HTTP/3 streams terminate early
871045-1 3-Major   IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
870349-1 3-Major   Continuous restart of ntlmconnpool after license reinstall
868209-3 3-Major   Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
868033-1 3-Major   SSL option "passive-close" option is unused and should be removed
867985-4 3-Major   LTM policy with a 'shutdown' action incorrectly allows iRule execution
864649-4 3-Major   The client-side connection of a dhcpv4_fwd profile on Broadcast DHCP-Relay Virtual Server never expires from the connection table
863401-1 3-Major   QUIC congestion window sometimes increases inappropriately
863165-3 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862069-1 3-Major   Using non-standard HTTPS and SSH ports fails under certain conditions
862001-1 3-Major   Improperly configured NTP server can result in an undisciplined clock stanza
860277-4 3-Major   Default value of TCP Profile Proxy Buffer High Low changed in 14.1
858701-1 3-Major   Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x
854129-2 3-Major   SSL monitor continues to send previously configured server SSL configuration after changes (removal/modification)
852953-1 3-Major   Accept Client Hello spread over multiple QUIC packets
852325-1 3-Major   HTTP2 does not support Global SNAT
851353-1 3-Major   Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
851121-2 3-Major   Database monitor DBDaemon debug logging not enabled consistently
851101-4 3-Major   Unable to establish active FTP connection with custom FTP filter
850349-1 3-Major   Incorrect MAC when virtual wire is configured with FastL4
846977-1 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
846873-4 3-Major   Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
845333-6 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
843317-3 3-Major   The iRules LX workspace imported with incorrect SELinux contexts
842517-2 3-Major   CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
842425-1 3-Major   Mirrored connections on standby are never removed in certain configurations
842137-3 3-Major   Keys cannot be created on module protected partitions when strict FIPS mode is set
841369-3 3-Major   HTTP monitor GUI displays incorrect green status information
841341-6 3-Major   IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-1 3-Major   Update documented examples for REST::send to use valid REST endpoints
838353-1 3-Major   MQTT monitor is not working in route domain.
832133-1 3-Major   In-TMM monitors fail to match certain binary data in the response from the server.
825245-4 3-Major   SSL::enable does not work for server side ssl
824433-3 3-Major   Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823825-7 3-Major   Renaming HA VLAN can disrupt state-mirror connection
818833-1 3-Major   TCP re-transmission during SYN Cookie activation results in high latency
818789-7 3-Major   Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
818109-1 3-Major   Certain plaintext traffic may cause SSL Orchestrator to hang
816953-1 3-Major   RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
815405-6 3-Major   GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
810533-2 3-Major   SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
808017-5 3-Major   When using a variable as the only parameter to the iRule persist command, the iRule validation fails
803629-7 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803109-3 3-Major   Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
795933-7 3-Major   A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
794505-5 3-Major   OSPFv3 IPv4 address family route-map filtering does not work
794417-4 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
794385-3 3-Major   BGP sessions may be reset after CMP state change
793669-5 3-Major   FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
787973-1 3-Major   Potential memory leak when software crypto request is canceled.
785877-5 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
785361-3 3-Major   In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
780857-2 3-Major   HA failover network disruption when cluster management IP is not
779137-5 3-Major   Using a source address list for a virtual server does not preserve the destination address prefix
778841-3 3-Major   Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
778501-2 3-Major   LB_FAILED does not fire on failure of HTTP/2 server connection establishment
767341-1 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
767217-5 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-5 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
764969-2 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
762137-3 3-Major   Ping6 with correctly populated NDP entry fails
760406-1 3-Major   HA connection might stall on Active device when the SSL session cache becomes out-of-sync
758041-1 3-Major   Pool Members may not be updated accurately when multiple identical database monitors configured
757029-6 3-Major   Ephemeral pool members may not be created after config load or reboot
756812-3 3-Major   Nitrox 3 instruction/request logger may fail due to SELinux permission error
756313-6 3-Major   SSL monitor continues to mark pool member down after restoring services
755791-6 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755631-5 3-Major   UDP / DNS monitor marking node down
754604-4 3-Major   iRule : [string first] returns incorrect results when string2 contains null
753526-7 3-Major   IP::addr iRule command does not allow single digit mask
751451-2 3-Major   When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
738045-7 3-Major   HTTP filter complains about invalid action in the LTM log file.
724327-3 3-Major   Changes to a cipher rule do not immediately have an effect
723306-7 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
723112-8 3-Major   LTM policies does not work if a condition has more than 127 matches
722657-2 3-Major   Mcpd and bigd montior states are getting out-of-sync intermittently
709952-4 3-Major   Disallow DHCP relay traffic to traverse between route domains
705387-3 3-Major   HTTP/2, ALPN and SSL
700639-2 3-Major   The default value for the syncookie threshold is not set to the correct value
699758-2 3-Major   Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server
696755-5 3-Major   HTTP/2 may truncate a response body when served from cache
574762-2 3-Major   Forwarding flows leak when a routing update changes the egress vlan
512490-11 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
315765-2 3-Major   The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
962433-4 4-Minor   HTTP::retry for a HEAD request fails to create new connection
956025-2 4-Minor   HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header
949721-2 4-Minor   QUIC does not send control frames in PTO packets
947937-2 4-Minor   HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.
947745-1 4-Minor   Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
943945 4-Minor   Incorrect Error message in /var/log/ltm when HTTP::respond is used in ADAPT_REQUEST_RESULT iRule event
942793-1 4-Minor   BIG-IP system cannot accept STARTTLS command with trailing white space
940837-2 4-Minor   The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
936557-2 4-Minor   Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
932553-4 4-Minor   An HTTP request is not served when a remote logging server is down
932045-3 4-Minor   Memory leak with umem_alloc_80 through creating/deleting LTM node object
931469-7 4-Minor   Redundant socket close when half-open monitor pings
929429-2 4-Minor   Oracle database monitor uses excessive CPU when Platform FIPS is licensed
922005-3 4-Minor   Stats on a certain counter for web-acceleration profile may show excessive value
921477-2 4-Minor   Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
916485-2 4-Minor   Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
915969-1 4-Minor   Truncated QUIC connection close reason
914589-2 4-Minor   VLAN Failsafe timeout is not always respected
910965-2 4-Minor   Overflow of Multicast table filling the tmm log
907045-2 4-Minor   QUIC HANDSHAKE_DONE is sent at the end of first flight
898753-5 4-Minor   Multicast control-plane traffic requires handling with AFM policies
898201-2 4-Minor   Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
895557-2 4-Minor   NTLM profile logs error when used with profiles that do redirect
890881-4 4-Minor   ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
880697-1 4-Minor   URI::query command returning fragment part, instead of query part
869565-1 4-Minor   Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-1 4-Minor   HTTP2::disable fails for server side allowing HTTP/2 traffic
858309-4 4-Minor   Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
851757-1 4-Minor   Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION
851425-1 4-Minor   Update QLOG to draft-01
845545 4-Minor   Potential name collision for client-ssl profile named 'clientssl-quic'
844337-4 4-Minor   Tcl error log improvement for node command
838405-3 4-Minor   Listener traffic-group may not be updated properly when spanning is in use.
838305-7 4-Minor   BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-7 4-Minor   Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-1 4-Minor   The iRule regexp command issues an incorrect warning
829021-3 4-Minor   BIG-IP does not account a presence of http2 profile when response payload is modified
822245-2 4-Minor   Large number of in-TMM monitors results in some monitors being marked down
818721-3 4-Minor   Virtual address can be deleted while it is in use by an address-list.
807397-3 4-Minor   IRules ending with a comment cause config verification to fail
804157-3 4-Minor   ICMP replies are forwarded with incorrect checksums causing them to be dropped
802721-4 4-Minor   Virtual Server iRule does not match an External Data Group key that's 128 characters long
788257-2 4-Minor   Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart
773253-5 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
760590-3 4-Minor   TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
758435-2 4-Minor   Ordinal value in LTM policy rules sometimes do not work as expected
751586-3 4-Minor   Http2 virtual does not honour translate-address disabled
750705-3 4-Minor   LTM logs are filled with error messages while creating/deleting virtual wire configuration
743253-2 4-Minor   TSO in software re-segments L3 fragments.
742603-5 4-Minor   WebSocket Statistics are updated to differentiate between client and server sides
738032-3 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
640374-2 4-Minor   DHCP statistics are incorrect
926085 5-Cosmetic   GUI: Node/port monitor test not possible in the GUI, but works in tmsh
898929-4 5-Cosmetic   Tmm might crash when ASM, AVR, and pool connection queuing are in use
897437-5 5-Cosmetic   First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-1 5-Cosmetic   Switching from fast_merge to slow_merge can result in incorrect tmm stats


Performance Issues

ID Number Severity Solution Article(s) Description
948417-2 3-Major   Network Management Agent (Azure NMAgent) updates causes Kernel Panic


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
953393-2 1-Blocking   TMM crashes when performing iterative DNS resolutions.
933405-2 1-Blocking K34257075 Zonerunner GUI hangs when attempting to list Resource Records
960437-2 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
940733-3 2-Critical   Downgrading a FIPS-enabled BIG-IP system results in a system halt
931149-1 2-Critical   Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
918597-5 2-Critical   Under certain conditions, deleting a topology record can result in a crash.
887681-3 2-Critical   Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c
744743-2 2-Critical   Rolling DNSSEC Keys may stop generating after BIG-IP restart
264701-5 2-Critical K10066 GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
958325-1 3-Major   Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
958157-3 3-Major   Hash collisions in fastDNS packet processing
940469-4 3-Major   Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration
936777-2 3-Major   Old local config is synced to other devices in the sync group.
936417-3 3-Major   DNS/GTM daemon big3d does not accept ECDH or DH ciphers
936361-1 3-Major   IPv6-based bind (named) views do not work
935945-1 3-Major   GTM HTTP/HTTPS monitors cannot be modified via GUI
935249-2 3-Major   GTM virtual servers have the wrong status
921625-2 3-Major   The certs extend function does not work for GTM/DNS sync group
920817-6 3-Major   DNS Resource Records can be lost in certain circumstances
918693-4 3-Major   Wide IP alias validation error during sync or config load
913917-2 3-Major   Unable to save UCS
912761-2 3-Major   Link throughput statistics are different
912001-3 3-Major   TMM cores on secondary blades of the Chassis system.
911241-6 3-Major   The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
908829-1 3-Major   The iqsyncer utility may not write the core file for system signals
908801-1 3-Major   SELinux policies may prevent from iqsh/iqsyncer dumping core
903521-2 3-Major   TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
899253-6 3-Major   [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
894081-2 3-Major   The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
891093-1 3-Major   iqsyncer does not handle stale pidfile
887921-1 3-Major   iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes
880125-5 3-Major   WideIP (A) created together with aliases (CNAME) causes missing A records in ZoneRunner
879301-1 3-Major   When importing a BIND zone file, SRV/DNAME/NAPTR RRs do not have correct $ORIGIN appended
879169-2 3-Major   RESOLV::lookup @<virtual server name> may not work
876677-1 3-Major   When running a debug version of TMM, an assertion may be triggered due to and expired DNS lookup
874221-1 3-Major   DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
872037-2 3-Major   DNS::header rd does not set the Recursion desired
864797-2 3-Major   Cached results for a record are sent following region modification
863917-2 3-Major   The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
862949-3 3-Major   Zonerunner GUI is unable to display CAA records
858973-1 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
847105-2 3-Major   The bigip_gtm.conf is reverted to default after rebooting with license expired
835209-3 3-Major   External monitors mark objects down
821589-1 3-Major   DNSSEC does not insert NSEC3 records for NXDOMAIN responses
813221-5 3-Major   Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
781985-2 3-Major   DNSSEC zone SEPS records may be wiped out from running configuration
774225-4 3-Major   mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
760835-2 3-Major   Static generation of rolling DNSSEC keys may be missing when the key generator is changed
760833-2 3-Major   BIG-IP GTM might not always sync a generation of a DNSSEC key from its partner
760615-6 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
757464-7 3-Major   DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
739553-5 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
726164-2 3-Major   Rolling DNSSEC Keys can stop regenerating after a length of time on the standby system
718230-8 3-Major   Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
716701-4 3-Major   In iControl REST: Unable to create Topology when STATE name contains space
959613-2 4-Minor   SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
947217-5 4-Minor   Fix of ID722682 prevents GTM config load when the virtual server name contains a colon
889801-1 4-Minor   Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
886145-2 4-Minor   The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
885869-2 4-Minor   Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
885201-2 4-Minor   BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
853585-1 4-Minor   REST WideIP object presents an inconsistent lastResortPool value
839361-6 4-Minor   iRule 'drop' command does not drop packets when used in DNS_RESPONSE
822393-3 4-Minor   Prober pool selected on server or data center not being displayed after selection in Internet Explorer
790113-6 4-Minor   Cannot remove all wide IPs from GTM distributed application via iControl REST
708680-3 4-Minor   TMUI is unable to change the Alias Address of DNS/GTM Monitors


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
962341 2-Critical   BD crash on JSON payload
956889-2 2-Critical   /var fills up very quickly
947373 2-Critical   BD sometimes crashes when handling HTTP traffic
898365-1 2-Critical   XML Policy cannot be imported
887621-2 2-Critical   ASM virtual server names configuration CRC collision is possible
865981-1 2-Critical   ASM GUI and REST become unresponsive upon license change
865289-1 2-Critical   TMM crash following DNS resolve with Bot Defense profile
857677-3 2-Critical   Security policy changes are applied automatically after asm process restart
854001-2 2-Critical   TMM might crash in case of trusted bot signature and API protected url
846057-3 2-Critical   UCS backup archive may include unnecessary files
825413-4 2-Critical   /var/lib/mysql disk is full
791669-2 2-Critical   TMM might crash when Bot Defense is configured for multiple domains
963485-1 3-Major   Performance issue after masking data with * due to data guard
963461-1 3-Major   ASM performance drop on the response side
962589-2 3-Major   Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
962497 3-Major   BD crash after ICAP response
962493-5 3-Major   Request is not logged
962489-5 3-Major   False positive enforcement of parameters with specific configuration
961509-2 3-Major   ASM blocks websocket frames with signature matched but Transparent policy
956373-2 3-Major   ASM sync files not cleaned up immediately after processing
955017-2 3-Major   Excessive CPU consumption by asm_config_event_handler
950917-1 3-Major   Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
948805-1 3-Major   False positive "Null in Request"
947341-1 3-Major   Mysql generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files
946081-1 3-Major   Getcrc tool help displays directory structure instead of version
945789-1 3-Major   Live update cannot resolve hostname if ipv6 is configured
943441-2 3-Major   Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
937445-1 3-Major   Incorrect signature context logged in remote logger violation details field
937213 3-Major   Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy
929077-2 3-Major   Bot Defense Whitelist does not apply when using default Route Domain and XFF header
929005-2 3-Major   TS cookie is set in all responses
928717-3 3-Major   [ASM - AWS] - ASU fails to sync
926845-5 3-Major   Inactive ASM policies are deleted upon upgrade
923221-4 3-Major   BD does not use all the CPU cores
922261-2 3-Major   WebSocket server messages are logged even it is not configured
921677-2 3-Major   Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
920197-3 3-Major   Brute force mitigation can stop mitigating without a notification
920149-1 3-Major   Live Update default factory file for Server Technologies cannot be reinstalled
914277-2 3-Major   [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
913757-1 3-Major   Error viewing security policy settings for virtual server with FTP Protocol Security
912089-2 3-Major   Some roles are missing necessary permission to perform Live Update
910253-2 3-Major   BD error on HTTP response after upgrade
907337-2 3-Major   BD crash on specific scenario
907025-3 3-Major   Live update error" 'Try to reload page'
902445-2 3-Major   ASM Policy Event Logging stops working after 'No space in shmem' error disconnection mitigation
898825-2 3-Major   Attack signatures are enforced on excluded headers under some conditions
891181-2 3-Major   Wrong date/time treatment in logs in Turkey/Istambul timezone
890825-2 3-Major   Attack Signatures and Threat Campaigns filter incorrect behaviour
890169-2 3-Major   URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
888289-1 3-Major   Add option to skip percent characters during normalization
887265-2 3-Major   BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration
887261-1 3-Major   JSON schema validation files created from swagger should support "draft-04" only
884425-2 3-Major   Creation of new allowed HTTP URL is not possible
883853-2 3-Major   Bot Defense Profile with staged signatures prevents signature update
882377-3 3-Major   ASM Application Security Editor Role User can update/install ASU
871881-2 3-Major   Apply Policy action is not synchronized after making bulk signature changes
868053-3 3-Major   Live Update service indicates update available when the latest update was already installed
867825-4 3-Major   Export/Import on a parent policy leaves children in an inconsistent state
867777-3 3-Major   Remote syslog server cannot parse violation detail buffers as UTF-8.
867373-4 3-Major   Methods Missing From ASM Policy
864677-1 3-Major   ASM causes high mcpd CPU usage
862793-1 3-Major   ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
862413-1 3-Major   Broken layout in Threat Campaigns and Brute Force Attacks pages
857633-7 3-Major   Attack Type (SSRF) appears incorrectly in REST result
853989-1 3-Major   DOSL7 Logs breaks CEF connector by populating strings into numeric fields
853565-2 3-Major   VCMP host primary blade reboot causes security policy loss in the VCMP guest primary blade
853269-1 3-Major   Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user
853177-1 3-Major   'Enforcement Mode' in security policy list is shown without value
852429-1 3-Major   "ASM subsystem error" logged when creating policies
850633-1 3-Major   Policy with % in name cannot be exported
849349-5 3-Major   Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
849269-1 3-Major   High CPU usage after Inheritance page opened
848921-1 3-Major   Config sync failure when importing a Json policy
848757-1 3-Major   Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload
846181-3 3-Major   Request samples for some of the learning suggestions are not visible
845933-1 3-Major   Unused parameters remain after modifying the swagger file of a policy
844373-1 3-Major   Learning suggestion details layout broken in some browsers
841285-1 3-Major   Sometimes apply policy is stuck in Applying state
839509-1 3-Major   Incorrect inheritance treatment in Response and Blocking Pages page
839141-1 3-Major   Issue with 'Multiple of' validation of numeric values
837341-1 3-Major   Response and Blocking Pages page: Deception Response pages should not be shown in parent policy
829029-1 3-Major   Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
802873-2 3-Major   Manual changes to policy imported as XML may introduce corruption for Login Pages
785873-3 3-Major   ASM should treat 'Authorization: Negotiate TlR' as NTLM
753715-2 3-Major   False positive JSON max array length violation
703678-3 3-Major   Cannot add 'secure' attributes to several ASM cookies
580715-2 3-Major   ASM is not sending 64 KB remote logs over UDP
957321-1 4-Minor   When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious
956105-2 4-Minor   Websocket URLs content profiles are not created as expected during JSON Policy import
950953-1 4-Minor   Browser Challenges update file cannot be installed after upgrade
945821-1 4-Minor   Remote logging conditions adjustments
941929-2 4-Minor   Google Analytics shows incorrect stats, when Google link is redirected.
941249-2 4-Minor   Improvement to getcrc tool to print cookie names when cookie attributes are involved
937541-2 4-Minor   Wrong display of signature references in violation details
935293-2 4-Minor   'Detected Violation' Field for event logs not showing
932893-2 4-Minor   Content profile cannot be updated after redirect from violation details in Request Log
931033-1 4-Minor   Device ID Deletions anomaly might be raised in case of browser/hardware change
923233-1 4-Minor   Incorrect encoding in 'Logout Page' for non-UTF8 security policy
922785-2 4-Minor   Live Update scheduled installation is not installing on set schedule
918097-3 4-Minor   Cookies set in the URI on Safari
915133-3 4-Minor   Single Page Application can break the page, when hooking is done by the end server application.
911729-2 4-Minor   Redundant learning suggestion to set a Maximum Length when parameter is already at that value
905669-2 4-Minor   CSRF token expired message for AJAX calls is displayed incorrectly
893905-2 4-Minor   Wrong redirect from Charts to Requests Log when request status selected in filter
887625-3 4-Minor   Note should be bold back, not red
886865-1 4-Minor   P3P header is added for all browsers, but required only for Internet Explorer
885789-1 4-Minor   Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers
885785-1 4-Minor   Clicking 'Fix Automatically' in PCI Compliance page does not attach a PCI-compliant-profile on HTTP/2 virtual servers
882729-3 4-Minor   Applied Blocking Masks discrepancy between local/remote event log
875373-3 4-Minor   Unable to add domain with leading '.' through webUI, but works with tmsh.
864989-2 4-Minor   Remote logger violation_details field content appears as "N/A" when violations field is not selected.
858445-1 4-Minor   Missing confirmation dialog for apply policy in new policy pages
842265-1 4-Minor   Create policy: trusted IP addresses from template are not shown
841985-5 4-Minor   TSUI GUI stuck for the same session during long actions
824093-5 4-Minor   Parameters payload parser issue
807569-2 4-Minor   Requests fail to load when backend server overrides request cookies and Bot Defense is used
765365-2 4-Minor   ASM tries to send response cookies after response headers already forwarded - makes CSRF false positive
759671-2 4-Minor   Unescaped slash in RE2 in user-defined signature should not be allowed
758336-5 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense
757486-1 4-Minor   Errors in IE11 console appearing with Bot Defense profile
746984-5 4-Minor   False positive evasion violation


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
934721-2 2-Critical   TMM core due to wrong assert
949593-3 3-Major   Unable to load config if AVR widgets were created under '[All]' partition
933777-1 3-Major   Context use and syntax changes clarification
924945-3 3-Major   Fail to detach HTTP profile from virtual server
913085-1 3-Major   Avrd core when avrd process is stopped or restarted
898333-2 3-Major   Unable to collect statistics from BIG-IP system after BIG-IQ restart
869049-4 3-Major   Charts discrepancy in AVR reports
852577-5 3-Major   [AVR] Analytic goodput graph between different time period has big discrepancy
832805-2 3-Major   AVR should make sure file permissions are correct (tmstat_tables.xml)
808801-4 3-Major   AVRD crash when configured to send data externally
787677-5 3-Major   AVRD stays at 100% CPU constantly on some systems
743826-2 3-Major   Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
648242-6 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
950305-2 4-Minor   Analytics data not displayed for Pool Names
915005-1 4-Minor   AVR core files have unclear names


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
904441-2 2-Critical   APM vs_score for GTM-APM load balancing is not calculated correctly
903257-1 2-Critical   GUI issues for Access :: Profiles/Policies : Customization : General Customization or Advanced Customization
896709-3 2-Critical   Add support for Restart Desktop for webtop in VMware VDI
894565-1 2-Critical   autodosd.default crash with SIGFPE
891505-3 2-Critical   TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
882545-1 2-Critical   Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly
880073-1 2-Critical   Memory leak on every DNS query made for "HTTP Connector" agent
879401-1 2-Critical   Memory corruption during APM SAML SSO
874949-1 2-Critical   TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
860617-3 2-Critical   Radius sever pool without attaching the load balancing algorithm will result into core
856909-3 2-Critical   Apmd core occurs when it fails to retrieve agentInfo
817137-1 2-Critical   SSO setting for Portal Access resources in webtop sections cannot be updated.
964037 3-Major   Error: Exception response while loading properties from server
956645-2 3-Major   Per-request policy execution may timeout.
949477-1 3-Major   NTLM RPC exception: Failed to verify checksum of the packet
949105-2 3-Major   Error log seen on Category Lookup SNI requests for same connection
946125-2 3-Major   Tmm restart adds 'Revoked' tokens to 'Active' token count
944029-1 3-Major   Support challenge response agent to handle Access-Challenge when Logon agent is not in policy
942729-2 3-Major   Export of big Access Policy config from GUI can fail
933129-2 3-Major   Portal Access resources are visible when they should not be
932213-2 3-Major   Local user db not synced to standby device when it is comes online after forced offline state
926973-1 3-Major   APM / OAuth issue with larger JWT validation
925573-6 3-Major   SIGSEGV: receiving a sessiondb callback response after the flow is aborted
924929-2 3-Major   Logging improvements for VDI plugin
924697-2 3-Major   VDI data plane performance degraded during frequent session statistic updates
924521-2 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
920541-3 3-Major   Incorrect values in 'Class Attribute' in Radius-Acct STOP request
918053-1 3-Major   [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.
915509-1 3-Major   RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
907873-2 3-Major   Authentication tab is missing in VPE for RDG-RAP Access Policy type
903573 3-Major   AD group cache query performance
903501-2 3-Major   VPN Tunnel establishment fails with some ipv6 address
891613-1 3-Major   RDP resource with user-defined address cannot be launched from webtop with modern customization
888145-2 3-Major   When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property
883577-4 3-Major   ACCESS::session irule command does not work in HTTP_RESPONSE event
881641 3-Major   Errors on VPN client status window in non-English environment
874941-2 3-Major   HTTP authentication in the access policy times out after 60 seconds
866109-2 3-Major   JWK keys frequency does not support fewer than 60 minutes
842149-2 3-Major   Verified Accept for SSL Orchestrator
835285-1 3-Major   Client browser traffic through APM SWG transparent proxy using captive portal might get reset.
831517-2 3-Major   TMM may crash when Network Access tunnel is used
827325-1 3-Major   JWT token verification failure
825493-1 3-Major   JWT token verification failure
788473-3 3-Major   Email sent from APM is not readable in some languages
760629-5 3-Major   Remove Obsolete APM keys in BigDB
752077-1 3-Major   Kerberos replay cache leaks file descriptors
744316-6 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
738865-6 3-Major   MCPD might enter into loop during APM config validation
738547-4 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
597955-3 3-Major   APM can generate seemingly spurious error log messages
554228-9 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
470916-3 3-Major   Using native View clients, cannot launch desktops and applications from multiple VMware back-ends
470346-3 3-Major   Some IPv6 client connections get RST when connecting to APM virtual
952801 4-Minor   Changing access policy from multi-domain to single domain does not send domain cookies
949957 4-Minor   RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)
944093-2 4-Minor   Maximum remaining session's time on user's webtop can flip/flop
943033-2 4-Minor   APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression
886841-1 4-Minor   Allow LDAP Query and HTTP Connector for API Protection policies
872105 4-Minor   APM Hosted Content feature incorrectly guesses content type for CSS files
867705-4 4-Minor   URL for IFRAME element may not be normalized in some cases
866953-5 4-Minor   Portal Access: F5_Inflate_onclick wrapper functionality needs refining
848217-4 4-Minor   Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend
847109-1 4-Minor   Very large policies could have problems with re-import
840257-4 4-Minor   Portal Access: HTML iframe sandbox attribute is not supported
840249-2 4-Minor   With BIG-IP as a SAML IdP, important diagnostic information is not logged
819233-3 4-Minor   Ldbutil utility ignores '--instance' option if '--list' option is specified
747234-7 4-Minor   Macro policy does not find corresponding access-profile directly
712542-5 4-Minor   Network Access client caches the response for /pre/config.php
707294-4 4-Minor   When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear
438684-1 4-Minor   Access Profile Type of SSO requires SSO configuration at create time


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
900825 3-Major   WAM image optimization can leak entity reference when demoting to unoptimized image
890573 3-Major   BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
890401 3-Major   Restore correct handling of small object when conditions to change cache type is satisfied
833213-1 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile
489960 4-Minor   Memory type stats is incorrect


Service Provider Issues

ID Number Severity Solution Article(s) Description
901033-2 2-Critical   TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
839389-1 2-Critical   TMM can crash when connecting to IVS under extreme overload
952545-2 3-Major   'Current Sessions' statistics of HTTP2 pool may be incorrect
939529-2 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values
921441-2 3-Major   MR_INGRESS iRules that change diameter messages corrupt diam_msg
917637-2 3-Major   Tmm crash with ICAP filter
913373-2 3-Major   No connection error after failover with MRF, and no connection mirroring
908477-2 3-Major   Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
895801-2 3-Major   Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
831105-2 3-Major   Session timeout in diadb entry is updated to 180 on unsuccessful transaction
817369-2 3-Major   TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
755033-1 3-Major   Dynamic Routes stats row does not appear in the UI
753501-5 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
749528-8 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
748355-5 3-Major   MRF SIP curr_pending_calls statistic can show negative values.
916781-1 4-Minor   Validation error while attaching DoS profile to GTP virtual
862337-2 4-Minor   Message Routing Diameter profile fails to forward messages with zero length AVPs
844169-1 4-Minor   TMSH context-sensitive help for diameter session profile is missing some descriptions


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
870381-1 2-Critical   Network Firewall Active Rule page does not load
850117-2 2-Critical   Autodosd crash after assigning dos profile with custom signatures to a virtual server
963237-3 3-Major   Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
953425-3 3-Major   Hardware syncookie mode not cleared when changing dos-device-vector enforcement
937749-3 3-Major   The 'total port blocks' value for NAT stats is limited to 64 bits of range
935769-3 3-Major   Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
926549-1 3-Major   AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'
918905-2 3-Major   PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
915221-4 3-Major   DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
905153-1 3-Major   HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational
903561-3 3-Major   Autodosd returns small bad destination detection value when the actual traffic is high
887017-3 3-Major   The dwbl daemon consumes a large amount of memory
881985-4 3-Major   AFM FQDN rule matching is broken when multiple FQDN's in firewall policies resolve to the same IP address
874797-1 3-Major   Cannot use GUI to configure FQDN in device DNS NXDOMAIN QUERY Vector
870385-5 3-Major   TMM may restart under very heavy traffic load
867321-3 3-Major   Error: Invalid self IP, the IP address already exists.
857897-2 3-Major   Address and port lists are not searchable within the GUI
844597-4 3-Major   AVR analytics is reporting null domain name for a dns query
837233-3 3-Major   Application Security Administrator user role cannot use GUI to manage DoS profile
818705-1 3-Major   BIG-IP CPU utilization is very high (>90%)
813969-5 3-Major   Network DoS reporting events as 'not dropped' while in fact, events are dropped
716746-3 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
685904-1 3-Major   Firewall Rule hit counts are not auto-updated after a Reset is done
663946-7 3-Major   The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
942665-2 4-Minor   Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors
935865-5 4-Minor   Rules that share the same name return invalid JSON via REST API
928665-2 4-Minor   Kernel nf_conntrack table might get full with large configurations.
928177-2 4-Minor   Syn-cookies might get enabled when performing multiple software upgrades.
803149-2 4-Minor   Flow Inspector cannot filter on IP address with non-default route_domain
748561-2 4-Minor   Network Firewall : Active Rules page does not list active rule entries for firewall policy associated with Virtual Servers
906885-1 5-Cosmetic   Spelling mistake on AFM GUI Flow Inspector screen


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
845313-3 2-Critical   Tmm crash under heavy load
941169-4 3-Major   Subscriber Management is not working properly with IPv6 prefix flows.
924589-1 3-Major   PEM ephemeral listeners with source-address-translation may not count subscriber data
886653-2 3-Major   Flow lookup on subsequent packets fail during CMP state change.
875401-2 3-Major   PEM subcriber lookup can fail for internet side new connections
911585-3 4-Minor   PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
928553-3 2-Critical   LSN64 with hairpinning can lead to a tmm core in rare circumstances
888625 3-Major   CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
812705-3 3-Major   'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
922665-2 3-Major   The admd process is terminated by watchdog on some heavy load configuration process
922597-2 3-Major   BADOS default sensitivity of 50 creates false positive attack on some sites
914293-3 3-Major   TMM SIGSEGV and crash
915489-2 4-Minor   LTM Virtual Server Health is not affected by iRule Requests dropped


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
913453-5 2-Critical   URL Categorization: wr_urldbd cores while processing urlcat-query
901041-3 2-Critical   CEC update using incorrect method of determining number of blades in VIPRION chassis
887609-5 2-Critical   TMM crash when updating urldb blacklist
874677-1 2-Critical   Traffic Classification auto signature update fails from GUI
949861-4 3-Major   Wr_urldbd returns unknown results for customdb on some blades
948573-4 3-Major   wr_urldbd list of valid TLDs needs to be updated


Device Management Issues

ID Number Severity Solution Article(s) Description
718796-5 2-Critical   IControl REST token issue after upgrade
942521-7 3-Major   Certificate Managers are unable to move certificates to BIG-IP via REST
880565-1 3-Major   Audit Log: "cmd_data=list cm device recursive" is been generated continuously
835517-1 3-Major   After upgrading BIG-IP software and resetting HA, gossip may show 'UNPAIRED'
760752-3 3-Major   Internal sync-change conflict after update to local users table
717174-3 3-Major   WebUI shows error: Error getting auth token from login provider


iApp Technology Issues

ID Number Severity Solution Article(s) Description
842193-1 3-Major   Scriptd coring while running f5.automated_backup script
818069-6 3-Major   GUI hangs when iApp produces error message
768085-4 4-Minor   Error in python script /usr/libexec/iAppsLX_save_pre line 79


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
825501-3 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.
778225-5 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
760740-3 4-Minor   Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running


Guided Configuration Issues

ID Number Severity Solution Article(s) Description
960133-1 1-Blocking   AGC 8.0 installation failure

 

Known Issue details for BIG-IP v15.1.x

964125-2 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.


964037 : Error: Exception response while loading properties from server

Component: Access Policy Manager

Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for Access Profile with modern customization due to interface error.

Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security

Impact:
You are unable to modify Endpoint Security interface strings


963485-1 : Performance issue after masking data with * due to data guard

Component: Application Security Manager

Symptoms:
ASM clients encounter poor network performance.

Conditions:
A replacement of data with * happens due to data guard.

Impact:
Slow responses.

Workaround:
Disable data guard or block the data instead of masking it.


963461-1 : ASM performance drop on the response side

Component: Application Security Manager

Symptoms:
Clients encounter a longer time to respond from the BIG-IP

Conditions:
-- One of the following features is enabled:
   - convictions
   - csrf
   - ajax.
-- The response is HTML
-- The response has many tags

Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.


963237-3 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.


963049-1 : Unexpected config lost when modifying protected object

Component: TMOS

Symptoms:
A virtual server configuration is changed unexpectedly

Conditions:
- create virtual server with two client-ssl profiles
- modify same virtual server in Protected Objects panel

Impact:
Virtual servers client-ssl profiles getting removed if you have more then one profile


963017-2 : Tpm-status-check service shows System Integrity Status: Invalid when EngHF installed

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the "tpm-status" or "tmsh run sys integrity status-check" command shows "System Integrity Status: Valid"

Conditions:
This may occur:
-- running affected BIG-IP v14.1.0 or later releases with an Engineering Hotfix containing fixes for ID893885 and ID946745
-- on hardware platforms that include a Trusted Platform Module (TPM), including:
  -- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
  -- VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the "tpm-status" utility and "tmsh run sys integrity status-check" command.

Workaround:
Use the "tpm-status" utility or "tmsh run sys integrity status-check" command to observe the correct System Integrity Status.


962913-4 : The number of native open connections in the SSL profile is higher than expected

Component: Local Traffic Manager

Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.

Conditions:
SSL renegotiation is enabled. Other conditions are unknown.

Impact:
The SSL stats are incorrectly reading higher than expected.

Workaround:
Disable SSL renegotiation.


962605-4 : BIG-IP may go offline after installing ASU file with insufficient disk space

Component: TMOS

Symptoms:
When installing an ASU file, if there is not enough disk space in /var, the clntcp update file might become corrupted, causing datasyncd to be offline (and thus cause the entire BIG-IP offline)

Conditions:
-- ASM/FPS provisioned.
-- Installing ASU file.
-- Not enough space in /var partition.

Impact:
Device goes offline.

Workaround:
Delete the update file:
tmsh delete security datasync update-file /Common/datasync-global/update-file-clntcap_update_ (auto complete)


962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.


962497 : BD crash after ICAP response

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


962493-5 : Request is not logged

Component: Application Security Manager

Symptoms:
A request is not logged in the local and/or remote logs.

Conditions:
A request has evasions detected on very large parameters.

Impact:
A missing request in the log.

Workaround:
N/A


962489-5 : False positive enforcement of parameters with specific configuration

Component: Application Security Manager

Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.

Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.

Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.

Workaround:
None.


962433-4 : HTTP::retry for a HEAD request fails to create new connection

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.


962341 : BD crash on JSON payload

Component: Application Security Manager

Symptoms:
BD crashes when handling JSON payloads that does not conform with JSON content profile

Conditions:
JSON content profile is used in BD

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


961653-2 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate

Component: Local Traffic Manager

Symptoms:
Unable to retrieve link statistics via SNMP OID gtmLinkStatRate

config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate
F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID

Conditions:
A BIG-IP DNS/LC system configured with link objects.

Try to do an snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate which is not successful.

Impact:
BIG-IP DNS system link statistics cannot be retrieved via SNMP.

Workaround:
No workaround.


961509-2 : ASM blocks websocket frames with signature matched but Transparent policy

Component: Application Security Manager

Symptoms:
Websocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- Websocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
Websocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm=Yes, Block=No


961001-2 : Arp requests not resolved for snatpool members when primary blade goes offline

Component: Local Traffic Manager

Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.

Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.

Impact:
Traffic failure when primary became offline.

Workaround:
Disable primary blade which is offline.


960437-2 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure cascades to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSLO, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.


960133-1 : AGC 8.0 installation failure

Component: Guided Configuration

Symptoms:
Attempting to install the AGC 8.0 results in the following error:

"Failed to load IApp artifacts from f5-iappslx-waf-bot-protection: java.lang.IllegalStateException: Failed to post template to block collection: ..."

Conditions:
The AGC is upgraded to a newer version via the "Access >> Guided Configuration" -> " Upgrade Guided Configuration".

Impact:
AGC 8.0 package is not installed.

Workaround:
Important: This workaround will delete all existing iApp configurations.

1. Download the latest AGC 8.0 package.
2. Open a new browser tab (first) and navigate to "Access >> Guided Configuration"
3. Open a new browser tab (second) and navigate to iApps >> Templates: Templates LX. Select all templates and click “Delete”.
4. In the second tab navigate to iApps >> Package Management LX. Select all existing packages and click “Uninstall”.
5. In the first tab click "Upgrade Guided Configuration" click and install the downloaded package.


960029-2 : Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error

Component: TMOS

Symptoms:
While attempting to view the properties for pool members via the Statistics page in the GUI, you see an error:

Instance not found: /Common/1234:80

Conditions:
-- A pool with at least one pool member with an IPv6 address.
-- Attempting to view the IPv6 pool member's properties via the Statistics page in the GUI.

Impact:
Unable to see the pool member's properties.

Workaround:
Use TMSH to view pool member properties:

# tmsh show ltm pool <pool name> members {<pool members>}


959889-2 : Cannot update firewall rule with ip-protocol property as 'any'

Component: TMOS

Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.

Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update

Impact:
Cannot update the firewall rule from GUI.


959629-2 : Logintegrity script for restjavad/restnoded fails

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory

Conditions:
Logintegrity is enabled.

Impact:
If logintegrity is enabled, the signature files for restnoded will not be in sync.

Workaround:
None.


959613-2 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason

Component: Global Traffic Manager (DNS)

Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.

Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.

Impact:
Impedes your ability to identify the failure/success reason quickly.

Workaround:
Do not use the same monitor on both the virtual server and the pool level.


959057-3 : Unable to create additional login tokens for the default admin user account

Component: TMOS

Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.

Conditions:
Remote Authentication is configured

Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured


958833-1 : After mgmt ip change via GUI, brower is not redirected to new address

Component: TMOS

Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.

Conditions:
Change the Management IP address from the GUI and submit the change.

Impact:
Browser does not get redirected to the new address

Workaround:
Access the GUI by manually going to the new Management IP.


958785-5 : FTP data transfer does not complete after QUIT signal

Component: Local Traffic Manager

Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.

Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.

Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.

Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.


958601-2 : In the GUI, searching for virtual server addresses does not match address lists

Component: TMOS

Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.

Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.

Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.

Impact:
Virtual servers that should match a search are not found.

Workaround:
None.


958465-2 : TMM may prematurely shut down during initialization

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.


958325-1 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB

Component: Global Traffic Manager (DNS)

Symptoms:
Dangling monitor rule after pool deletion.

# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use

Conditions:
Using transaction to delete pool and create pool of same name with different monitor.

Impact:
Unable to delete the remaining monitor.

Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.


958281-1 : REST API calls require “admin” user authentication.

Component: TMOS

Symptoms:
REST API calls will fail authentication for all users except an “admin” user.

Conditions:
REST API calls made by users other than “admin” user.

Impact:
REST API call will fail with a 401 code: “authorization failure” message.

Workaround:
For successful authentication, use an “admin” user for executing REST API calls.


958157-3 : Hash collisions in fastDNS packet processing

Component: Global Traffic Manager (DNS)

Symptoms:
FastDNS packet processing might cause unexpected traffic drops.

Conditions:
-- FastDNS is in use.

The problem is more likely to occur on a systems with a low number of TMMs.

Impact:
Unexpected traffic drops


958093-3 : IPv6 routes missing after BGP graceful restart

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.


957993-2 : Unable to set a port list in the GUI for an IPv6 address for a virtual server

Component: TMOS

Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object), the system returns an error similar to:

"0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (vs1) must be be the same type (IPv4 or IPv6)."

Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object.

Impact:
Unable to create/modify virtual server.

Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.


957897-1 : Unable to modify gateway-ICMP monitor fields

Component: TMOS

Symptoms:
While modifying a gateway-ICMP monitor you see the following error:

"01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>."

Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor
-- The monitor is attached with a pool that has one or more pool members.

Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.

Workaround:
Modify from tmsh using the following command: "tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]"

Eg, To update description of a monitor named gw_icmp, use command: "modify ltm monitor gateway-icmp gw_icmp description new_description"


957461-2 : Creating virtual server with IPv6 address or port list in destination, should display source address in IPv6 format

Component: TMOS

Symptoms:
In the GUI, while creating a virtual server with IPv6 address or port list in destination, BIG-IP should display the source address in IPv6 format rather than IPv4 format 0.0.0.0/0

Conditions:
This is encountered while creating a Virtual server with IPv6 address or port list in destination.

Impact:
An IPv6 address list is displayed in IPv4 notation


957321-1 : When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious

Component: Application Security Manager

Symptoms:
When the first DNS resolver is invalid, Bot Defense is unable to verify trusted bots, and is classifying them as malicious bots.

Conditions:
-- First DNS resolver in the list is invalid.
-- Bot Defense profile is attached to a virtual server.
-- Request from a search engine arrives.

Impact:
Bot Defense wrongly classifies valid search engines as malicious bots (and might block them if enforcement is enabled).

Workaround:
Fix the first DNS resolver in the list. It's possible that the first DNS resolver is the built in DNS resolver "f5-aws-dns".


956889-2 : /var fills up very quickly

Component: Application Security Manager

Symptoms:
Policy history files fill /var disk partition

Conditions:
Very large configuration with substantial history and config sync enabled

Impact:
ASM sync fails due to /var being full

Workaround:
The properties in '/etc/ts/tools/policy_history.cfg' file, for cleaning as a file-based configuration option, are a Support-oriented configuration option aimed to help in these cases.


956645-2 : Per-request policy execution may timeout.

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.


956625-2 : Port and port-list type are both stored in a traffic-matching-criteria object

Component: TMOS

Symptoms:
Using "tmsh load sys config replace file ..." to change a traffic matching criteria's port type from port to port-list (or vice-versa) results in both types ending up in the traffic matching criteria object.

Conditions:
-- Using traffic-matching-criteria.
-- Using "tmsh load sys config replace file ..." or "tmsh load sys config merge file ..." to change the port to a port-list (or vice-versa).

Impact:
-- System does not load the desired configuration.
-- Virtual servers may match/process more traffic than expected.


956589-1 : The tmrouted daemon restarts and produces a core file

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None


956373-2 : ASM sync files not cleaned up immediately after processing

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.


956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI

Component: TMOS

Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.

Conditions:
Leaving UI dashboard page left open.

Impact:
System performance is impacted if the dashboard page is kept open.


956109-2 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target

Component: TMOS

Symptoms:
In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly.

Once systems are in this state, further ConfigSyncs may result in these error messages:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
-- Two or more BIG-IPs in a DSC.
-- Using traffic-matching-criteria, and making changes.

Impact:
BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured.

Workaround:
On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration:

1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria.

2. Save the configuration and then follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot


956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import

Component: Application Security Manager

Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import

Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.

Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.

Workaround:
The content profiles can be manually associated after the import process using REST or GUI.


956025-2 : HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header

Component: Local Traffic Manager

Symptoms:
When the HTTP profile response-chunking option is set to "unchunk", chunked responses will be unchunked and the Transfer-Encoding header is removed.

If the server sends a chunked response with both Transfer-Encoding and Content-Length headers, Transfer-Encoding is removed but Content-Length is not. This causes the client to receive a response with an erroneous Content-Length header.

Conditions:
- HTTP virtual server with response-chunking set to "unchunk"
- Server response with both Transfer-Encoding and Content-Length headers present

Impact:
Malformed HTTP response received by client as length of response should be determined by closure of connection, not erroneous Content-Length header.

Workaround:
Implement iRule: at HTTP_RESPONSE time, remove the Content-Length header if the Transfer-Encoding header is also present.


955953-2 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'

Component: TMOS

Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.

Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)


955929-2 : Vlan can reference a deleted partition on the primary device

Component: TMOS

Symptoms:
Vlan information references a deleted partition on the primary device and configuration load fails giving an error:

emerg load_config_files[8487]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 01070277:3: The requested vlan, vlangroup or tunnel (/autoprov/pcs-autoprov-core-lb-link) was not found.

Conditions:
-- High availability (HA) environment
-- A VLAN is created in a partition on one device
-- The partition is deleted on the other device

Impact:
After config sync, the VLAN may point to the deleted partition. Configuration load will fail, and upgrade will also fail.

Workaround:
-- Remove the config from bigip_base.conf and load the config again (tmsh load sys config)
-- Run both create and delete for VLAN on both units and then only sync it (For both auto and manual sync)


955897-2 : Upgrade failure with virtual-address in non-default route domain partition fails to load config

Component: TMOS

Symptoms:
BIG-IP throws an error while upgrading:

The source (0.0.0.0%100) and destination (0.0.0.0) addresses for virtual server (/Common/test) must be in the same route domain.
Unexpected Error: Loading configuration process failed.

Conditions:
- non-default route-domain partition
- A virtual-address is using the same tmsh command that AS3 uses.

Example:
tmsh create net route-domain 100
tmsh create ltm virtual-address test address any%100
tmsh create ltm virtual test destination any%100:0
tmsh save sys config

Impact:
The configuration will not load when the device is rebooted, or when mcpd is restarted.


955617-2 : Cannot modify the destination address of monitor

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.


955593-2 : "none" missing from the error string when snmp trap is configured with an invalid network type

Component: TMOS

Symptoms:
When you try to configure an SNMP trap with an invalid network type, you get a confusing error:

01070911:3: The requested enumerated (aaa) is invalid (, mgmt, other) for network in /Common/snmpd trapsess (/Common/i2_2_2_1_1)

Conditions:
SNMP trap is configured with an invalid network enum type.

Impact:
The word 'none' is not shown in the error string.


955057-2 : UCS archives containing a large number of DNS zone files may fail to restore.

Component: TMOS

Symptoms:
This issue can manifest in the following ways:

- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).

- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).

- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).

In all cases, error messages similar to the following example are returned to the user:

/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.

Impact:
The UCS archive fails to restore. Additionally:

- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.

- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).

Workaround:
Depending on the failure mode, perform one of the following workarounds:


- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:

find /var/named/config/namedb -mindepth 1 -delete

- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).

Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.

The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).

In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:

Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.

- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:

find /var/named/config/namedb -mindepth 1 -delete


955017-2 : Excessive CPU consumption by asm_config_event_handler

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.


953845-1 : After re-initializing the onboard FIPS HSM, may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }


953425-3 : Hardware syncookie mode not cleared when changing dos-device-vector enforcement

Component: Advanced Firewall Manager

Symptoms:
Changing DOS vector enforcement configuration can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
- Changing DOS vector enforcement configuration when device is in global syncookie mode.

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
Run the following command:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.


953393-2 : TMM crashes when performing iterative DNS resolutions.

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.

To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.

The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).


952801 : Changing access policy from multi-domain to single domain does not send domain cookies

Component: Access Policy Manager

Symptoms:
The BIG-IP system sends cookies with no "domain" attribute set.

Conditions:
- Configure a Multidomain access profile
- Change the profile to single domain

Impact:
The BIG-IP system sends cookies with no "domain" attribute set. This causes the cookie to be not associated to a particular domain.

Workaround:
Manually remove the domain-groups config from the access profile by editing the bigip.conf.


952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.


950953-1 : Browser Challenges update file cannot be installed after upgrade

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:

Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2

Conditions:
The new file that comes with the installation is ready to install

Impact:
New updated cannot be installed

Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
   2.1 download a copy of that file from the machine to your locale machine
   2.2 rename it :
       > cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
       ## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
   2.3 upload the file and install it manually from the LiveUpdate screen.


950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Component: Application Security Manager

Symptoms:
Following Signature Update (ASM-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

----------------------------------------------------------------------
Sep 25 18:54:24 bigip1 crit g_server_rpc_handler_async.pl[16921]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
----------------------------------------------------------------------

Conditions:
Signature Update ASM-SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
WORKAROUND 1:
- Install older signature update ASM-SignatureFile_20200917_175034

WORKAROUND 2:
- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

WORKAROUND 3:
- Run the following SQL to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------


950849-4 : B4450N blades report page allocation failure.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


950673-3 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.

Component: TMOS

Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.


950305-2 : Analytics data not displayed for Pool Names

Component: Application Visibility and Reporting

Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.

Conditions:
This is encountered in the statistics screen.

Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.


950201 : Tmm core on GCP

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition is running on GCP with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up which prevents the whole system from recovering.

Conditions:
- BIG-IP Virtual Edition running on GCP.
- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.


950005-2 : TCP connection is not closed when necessary after HTTP::respond iRule

Component: Local Traffic Manager

Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
None


949957 : RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)

Component: Access Policy Manager

Symptoms:
When user connects to the virtual server using Browser on their iPhone or Android device, webtop displays RDP resource. When they click on it, if SSO is not enabled, Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.

Conditions:
-- APM Webtop is configured with Single Sign-on disabled RDP resource.
-- Access the RDP resource from iOS or Android using RDP client.

Impact:
Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.

Workaround:
User needs to clear the username field and enter the actual username.


949861-4 : Wr_urldbd returns unknown results for customdb on some blades

Component: Traffic Classification Engine

Symptoms:
Some blades return 'Unknown' for newly added URLs in a custom database

Conditions:
This might occur under when feedlist updates are done quickly in a loop

Impact:
BIG-IP is unable to classify using url categories defined in the custom database.

Workaround:
Restart wr_urldbd


949721-2 : QUIC does not send control frames in PTO packets

Component: Local Traffic Manager

Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.

Conditions:
A control frame is in-flight when the PTO timer fires.

Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.

Workaround:
None.


949593-3 : Unable to load config if AVR widgets were created under '[All]' partition

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.


949477-1 : NTLM RPC exception: Failed to verify checksum of the packet

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error "RPC exception: Failed to verify checksum of the packet".

Conditions:
-- Start nlad process with "encryption".
-- Configure a user and map that user to a huge number of groups.
-- Configure NTLM front end authentication.

Impact:
User authentication fails

Workaround:
Run "nlad" process with "-encrypt no" in the file /etc/bigstart/startup/nlad.


949105-2 : Error log seen on Category Lookup SNI requests for same connection

Component: Access Policy Manager

Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"

Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.

Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection


948805-1 : False positive "Null in Request"

Component: Application Security Manager

Symptoms:
A false positive violation "Null in Request" is thrown erroneously.

Conditions:
-- BIG-IP receives a query string in the "Referrer" header

Impact:
False positive violation "Null in Request" is thrown

Workaround:
None


948573-4 : wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.


948417-2 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic

Component: Performance

Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)

Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking

Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)

Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)

     Individual VMs & VMs in an availability set
     First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
           Azure CLI
                az vm deallocate \
                --resource-group myResourceGroup \
                --name myVM
    Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
    the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
    the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.

    Once stopped, disable Accelerated Networking on the NIC of your VM:
           Azure CLI
                az network nic update \
                --name myNic \
                --resource-group myResourceGroup \
                --accelerated-networking false
    Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
           Azure CLI
                az vm start --resource-group myResourceGroup \
                --name myVM


948101 : Pair of phase 2 SAs missing after reboot of standby BIG-IP

Component: TMOS

Symptoms:
In case of traffic selector narrow-down, SA's do not come up after reboot on standby.

Conditions:
A traffic-selector mismatch occurs between initiator and responder.

Impact:
Tunnel will not come up on standby.

Workaround:
Configure exactly matching traffic selector on both initiator and responder.


947937-2 : HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can redirect a request to a fallback host when the target pool is unavailable. If the configured fallback host within the HTTP profile contains HTTP iRule commands such as HTTP::host or HTTP::uri, the corresponding HTTP request can fail. A connection reset may be encountered instead.

Conditions:
- HTTP profile with "fallback-host" profile option configured containing an HTTP iRule command.

Impact:
When utilizing the HTTP profile with "fallback-host" profile option with HTTP iRule commands, incorrect connection resets can be seen by the client instead of the correct HTTP response.

Workaround:
Attaching an iRule containing HTTP::redirect or similar command to the virtual server can be used instead of the fallback host-profile option to redirect traffic to another virtual server.


947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.


947745-1 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error

Component: Local Traffic Manager

Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 6.0.0.20.21 - 6.6.6.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE

Conditions:
FTP profile is in use

Impact:
Logs entries in the log file

Workaround:
None


947529-2 : Security tab in virtual server menu renders slowly

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA


947373 : BD sometimes crashes when handling HTTP traffic

Component: Application Security Manager

Symptoms:
BD sometimes crashes when handling HTTP traffic

Conditions:
High memory utilization

Impact:
Traffic disrupted while bd restarts.

Workaround:
N/A


947341-1 : Mysql generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries containing:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
Mysql out of resources when opening files
PRX.REQUEST_LOG Corrupt

Workaround:
0) in case /appdata partition is filled up to 100% and mysql restarts continuously -
    https://support.f5.com/csp/article/K14956
    https://support.f5.com/csp/article/K42497314

1) Look into -
    SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G
to identify all the empty partitions.

2) Manually (or via shell script) execute this sql -
   ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where "empty_partition_name" is the partition name as "p100001" for every partition that is empty.

4) increase 'open_files_limit' to '10000'.
--------------------------------
In /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5) pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.


947217-5 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon

Component: Global Traffic Manager (DNS)

Symptoms:
GTM is unable to load the configuration.

Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool

Impact:
GTM config file cannot be loaded successfully after upgrade.

Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-".


947125-2 : Unable to delete monitors after certain operations

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config


946953-1 : HTTP::close used in iRule might not close connection.

Component: Local Traffic Manager

Symptoms:
HTTP::close used in iRule might not close connection. For example:

when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
  }

Conditions:
Using HTTP::close along with HTTP::respond

Impact:
HTTP connection can be re-used.

Workaround:
Explicitly add close header in the HTTP::respond. For example:

HTTP::respond 200 content "OK" Connection close


946745-2 : 'System Integrity: Invalid' after EngHF installation

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885
-- The Engineering Hotfix contains an updated 'sirr-tmos' package

Impact:
Incorrect presentation of system software status.

Workaround:
None.


946481-1 : Virtual Edition FIPS not compatible with TLS 1.3

Component: Local Traffic Manager

Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.

Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM

Impact:
Handshake failure for TLS 1.3

Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.


946185-1 : Unable to view iApp component view

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.

Conditions:
-- Upgrade to v15.1.x.
-- Change partition
-- Navigate to GUI iApps ›› Application Services : Applications, try to view any custom iApp.

Impact:
Unable to view/modify iApps via GUI iApps ›› Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List.
2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.


946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count

Component: Access Policy Manager

Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)

Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm

Impact:
User is denied access even though token limit per user is not reached


946121-2 : SNMP user added with password less than 8 characters through tmsh is allowed but fails during snmpwalk.

Component: TMOS

Symptoms:
Whenever snmp user is added with short password (less than 8 characters), tmsh allows this during creation but throws an error when snmpwalk is done. But in GUI it throws error "Password must have at least 8 characters." during creation itself.

Conditions:
Configuring snmp user from tmsh with password less than 8 characters leads to this problem of getting error during snmp walk.

Impact:
snmpwalk fails

Workaround:
Configure snmp user with password greater than or equal to 8 characters.


946089-2 : BIG-IP might send excessive multicast/broadcast traffic.

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.


946081-1 : Getcrc tool help displays directory structure instead of version

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.


945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.


945925-1 : tmm could be stuck in a restart loop when remote logging to a fqdn destination is configured

Component: TMOS

Symptoms:
- TMM is stuck restarting on a bigip device or VE instance
- Unable to process application traffic
- /var/log/tmm logfile may contain the notice "MCP connection aborted, exiting"

Conditions:
- Remote logging destination is configured (System-Logs-Configuration-Remote logging) and pointing to a FQDN hostname
- FQDN hostname temporarily or permanently fails to resolve (e.g. DNS failure or congestion)
- Reboot or upgrade of a bigip instance or other conditions leading to tmm restart

Impact:
- Unable to process application traffic since the required component cannot be brought up

Workaround:
- Perform audit of DNS server(s), make sure FQDN destination resolves successfully, OR
- Use IP address as remote logging destination, OR
- Disable remote logging feature


945821-1 : Remote logging conditions adjustments

Component: Application Security Manager

Symptoms:
When "Null in multi-part" violation is detected, BIG-IP logs it to remote log even when the violation is not set to blocked in Learning and Blocking settings

Conditions:
This happens when "Null in multi-part" violation is detected

Impact:
Incorrect logging to remote logs

Workaround:
None


945789-1 : Live update cannot resolve hostname if ipv6 is configured

Component: Application Security Manager

Symptoms:
Live update is not working when BIG-IP DNS is configured to use IPv6

Conditions:
BIG-IP DNS uses IPv6

Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.

Workaround:
If possible, use IPv4 for DNS.


945601-4 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.

Component: Local Traffic Manager

Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.

Conditions:
Policy contains multiple rules which employ TCP address matching condition.

Impact:
Inocorrect LTM policy is applied.


945413-3 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Component: TMOS

Symptoms:
BIG-IP systems in a device group do not stay in sync if config sync is manual and constantly syncs if config sync is automatic.

The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.


945265-4 : BGP may advertise default route with incorrect parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>


945189-2 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA

Component: Local Traffic Manager

Symptoms:
After upgrade, the 'DEFAULT' cipher in the serverssl profile attached to the HTTPS monitor does not include "ECDHE-RSA-AES256-CBC-SHA" cipher suite in the Client Hello.

Conditions:
After upgrade, HTTPS monitor cipherlist is read from serverssl profile ciphers and set to DEFAULT after upgrade.

Impact:
Upgrade breaks the SSL pool monitoring.

Workaround:
Set ciphers as DEFAULT:+SHA:+3DES:+EDH for profile server-ssl


944641-1 : HTTP2 send RST_STREAM when exceeding max streams

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.


944485-5 : License activation through proxy server uses IP address in proxy CONNECT, not nameserver

Component: TMOS

Symptoms:
License activation http/https request has the license server IP address instead of license server domain name.

Conditions:
When the proxy server and proxy port are configured and delete default management route.

Impact:
This causes your proxy server to disallow the connection

Workaround:
None.


944381 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Component: Local Traffic Manager

Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.

Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.

Impact:
The handshake should fail but complete successfully


944173-2 : SSL monitor stuck does not change TLS version

Component: Local Traffic Manager

Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.

Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.

Impact:
Pool members marked down.

Workaround:
Use the In-TMM monitor.


944121-1 : Missing SNI information when using non-default domain https monitor running in tmm mode

Component: Local Traffic Manager

Symptoms:
In-tmm https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

Conditions:
-- SNI is configured in serverssl profile a
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

Impact:
The TLS connection might fail.

Workaround:
None


944093-2 : Maximum remaining session's time on user's webtop can flip/flop

Component: Access Policy Manager

Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop

Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs

Impact:
End users will see the remaining time being continually reset.


944029-1 : Support challenge response agent to handle Access-Challenge when Logon agent is not in policy

Component: Access Policy Manager

Symptoms:
In case of Multi-Factor Authentication (MFA), the challenge response is handled by the 401 response agent, in the following scenario:
-- The policy does not have logon page agent.
-- AAA/Radius server action is configured to send challenge response to the client.
-- The policy has a 401 response logon agent.

The APM end user client sees the credentials popup for 401 response.

After entering and sending credentials (challenge response code received from RSA server via email or SMS), the Access Policy action fails.

Conditions:
-- Challenge response via RSA server or other.
-- Logon Page logon agent not implemented.

Impact:
Unable to use challenge response sent by RSA (or AAA RADIUS server).

Workaround:
None


943945 : Incorrect Error message in /var/log/ltm when HTTP::respond is used in ADAPT_REQUEST_RESULT iRule event

Component: Local Traffic Manager

Symptoms:
When HTTP::respond is used in ADAPT_REQUEST_RESULT in iRule event, an error message "http_process_state_prepend - Invalid action:0x10a071 clientside" is observed in /var/log/ltm log.

Since HTTP::respond is not supported in ADAPT_REQUEST_RESULT, a better tcl error should be shown in /var/log/ltm like "TCL error: /Common/AVScan_Content <ADAPT_REQUEST_RESULT > - Illegal argument. Can't execute in the current context"

Conditions:
This can occur when HTTP::respond is used in ADAPT_REQUEST_RESULT:

when ADAPT_REQUEST_RESULT {
    if {[ADAPT::result] contains "respond"} {
        HTTP::respond 403 -version auto ...
    }
}

Impact:
TCL error messages don't give adequate information to explain what triggered the TCL error.


943793-2 : Neurond continuously restarting

Component: TMOS

Symptoms:
Neurond continuously restarts.

Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"

Impact:
Neuron communications will be impacted


943641-1 : IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration

Component: TMOS

Symptoms:
After changing an element of the ike-peer configuration, such as the pre-shared secret, the related IPsec interface mode tunnel can no longer forward packets into the tunnel.

Conditions:
-- IKEv1.
-- IPsec policy in interface mode.
-- Configuration change or a new configuration.

Impact:
When the problem is exhibited on a BIG-IP Initiator, ISAKMP negotiation fails to start when interesting traffic arrives. No messages are written to /var/log/racoon.log.

When the problem is exhibited on a BIG-IP Responder, the IPsec tunnel successfully establishes, but the BIG-IP fails to forward any interesting traffic into the established tunnel. No useful log messages are seen.

Note: 'Interesting traffic' is packets that match a traffic-selector.

Workaround:
Run 'bigstart restart tmm' or reboot.


943597-2 : 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart

Component: TMOS

Symptoms:
On the dashboard, the line chart of 'Throughput', 'CPU Usage', and 'Memory Usage' can show the line of thresholds that indicates 'Upper Bound' and 'Lower Bound', but there is no line of thresholds on the line chart of 'Connections'.

Conditions:
Create a custom line chart for 'Connections' that includes 'Upper Bound' and 'Lower Bound'.

Impact:
Line Chart of 'Connections' does not display 'Upper Bound' and 'Lower Bound' thresholds.

Workaround:
None.


943577-2 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>


943473-2 : LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI

Component: TMOS

Symptoms:
While trying to use the monitor test page in the GUI for an LDAP monitor, the destination address field contains the value *.*(asterisk-dot-asterisk), and it is not editable.

Conditions:
-- Create an LDAP monitor.
-- Go to the Test page.

Impact:
You are unable to modify the test destination address for the LDAP monitor.

Workaround:
Use TMSH.

-- To run the test:
tmsh run /ltm monitor ldap <LDAP-Monitor-Name> destination <IP-Address>

Example: tmsh run /ltm monitor ldap myldap destination 10.10.10.10:389

-- To check test results:
tmsh show /ltm monitor ldap <LDAP-Monitor-Name> test-result
tmsh show /ltm monitor ldap myldap test-result


943441-2 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK

Component: Application Security Manager

Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.

Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.

Impact:
Mobile application verification may be incomplete.

Workaround:
None


943109-2 : Mcpd crash when bulk deleting Bot Defense profiles

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.


943045-2 : Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.

Component: TMOS

Symptoms:
When using Ansible to create a pool that contains an IPv6 pool member, you get an error:

0107003a:3: Pool member node and existing node cannot use the same IP Address.

Conditions:
-- Creating a new pool via Ansible.
-- A new IPv6 pool member is used.
-- The IPv6 pool member's name is not included.

Impact:
Pool creation fails.

Workaround:
If you are unable to specify the pool member name, you can use other available configuration tools like tmsh, the GUI, or AS3.


943033-2 : APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression

Component: Access Policy Manager

Symptoms:
PRP LDAP Group Lookup agent, the expression incorrectly places the 'string tolower' outside the square brackets. This causes an issue in the GUI of the LDAP Group Lookup object where the 'Simple' branch rules do not show up. You see this 'Warning':

Warning, this expression was made manually and couldn't be parsed, please use advanced tab.

Conditions:
Configure PRP with the LDAP Group Lookup agent in the Visual Policy Editor (VPE).

Impact:
Tcl expression containing a syntax error prevents the LDAP Group Lookup agent from functioning properly.

Workaround:
Go to the LDAP Group Lookup agent advanced tab and change this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains string tolower["CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

To this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains [string tolower "CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

Click finish.

Now you can click 'change', and use the 'Simple' tab and the 'Add an expression using presets' option.


942793-1 : BIG-IP system cannot accept STARTTLS command with trailing white space

Component: Local Traffic Manager

Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.

Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.

Impact:
The SMTP client is unable to connect to the SMTP server.

Workaround:
Use an SMTP client that does not send a command containing trailing white space.


942729-2 : Export of big Access Policy config from GUI can fail

Component: Access Policy Manager

Symptoms:
Export of Access Policy times out after five minutes and fails via the GUI

Conditions:
Exact conditions are unknown, but it occurs while handling a large access policy.

Impact:
Unable to redeploy configuration

Workaround:
Use thge cli to export the access policy:

K30575107: Overview of the ng_export, ng_import and ng_profile commands
https://support.f5.com/csp/article/K30575107


942665-2 : Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors

Component: Advanced Firewall Manager

Symptoms:
Inconsistent configuration checks may result in configuration not being applied correctly.

Conditions:
DoS vectors configured on the BIG-IP

Impact:
Configuration changes may not be accepted by the BIG-IP.


942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.


942521-7 : Certificate Managers are unable to move certificates to BIG-IP via REST

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys


942497-1 : Declarative onboarding unable to download and install RPM

Component: TMOS

Symptoms:
Installation of declarative onboarding RPM fails.

Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.

Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.

Workaround:
RPMs must be installed manually.


942217-3 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'

Component: Local Traffic Manager

Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.

Conditions:
Required Configuration:

-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.

-- The pool member has rate-limit enabled.

Required Conditions:

-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.

-- At that time, one of the above events occur, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.


942185-2 : Non-mirrored persistence records may accumulate over time

Component: Local Traffic Manager

Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.

Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.

Workaround:
None


941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None


941893-3 : VE performance tests in Azure causes loss of connectivity to objects in configuration

Component: TMOS

Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.

Conditions:
Running performance tests of VE in Azure.

Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.

Workaround:
Reboot from the Azure console to restore functionality.


941481-2 : iRules LX - nodejs processes consuming more memory on vCMP guest secondary slot

Component: Local Traffic Manager

Symptoms:
Certain long-running iRule LX nodejs processes consume considerably more memory on the secondary blade than on the primary blade of the same cluster. The problem is present only on the Standby BIG-IP. On the Active the restjavad processes consume the same amount of memory on the primary and on the secondary slot.

Conditions:
-- VIPRION with multiple blades and vCMP configured
-- iRulesLX in use

Impact:
Higher memory consumption on the secondary blades, but the memory consumption does not increase, so the impact to system performance is negligible.


941257-1 : Occasional Nitrox3 ZIP engine hang

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression


941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Component: Application Security Manager

Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None


941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.


940885-2 : Add support for Mellanox CX5 Ex adapter

Component: TMOS

Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP.

Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters.

Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.


940837-2 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.

Component: Local Traffic Manager

Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.

Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.

Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.


940733-3 : Downgrading a FIPS-enabled BIG-IP system results in a system halt

Component: Global Traffic Manager (DNS)

Symptoms:
After upgrading a FIPS-enabled BIG-IP system, booting to a partition running an earlier software version, which results in a libcrypto validation error and system halt.

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an partition running an earlier version of the software.

Impact:
System boots to a halted state.

Workaround:
Before booting to the partition with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.


940665-1 : DTLS 1.0 support for PFS ciphers

Component: Local Traffic Manager

Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.

* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA

Conditions:
DTLS 1.0 is configured in an SSL profile.

Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.


940469-4 : Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration

Component: Global Traffic Manager (DNS)

Symptoms:
The 'gtm_add' script fail to sync configuration information from the peer when 'options inet6' is present in /etc/resolv.conf.

Conditions:
The option 'options inet6' is used in /etc/resolv.conf.

Impact:
The 'gtm_add' script removes the current config and attempts to copy over the config from the remote GTM. When the remote copy fails, the local device is left without any config.

Workaround:
Remove the 'options inet6' from /etc/resolv.conf.


940161 : iCall throws error: foreign key index (name_FK) do not point at an item that exists in the database

Component: TMOS

Symptoms:
Reconfiguring existing iapp results in an error:
01070712:3: Values (ICALL_SCRIPT_/Common/my_send_stats) specified for tcl user proc graph
(ICALL_SCRIPT_/Common/my_send_stats ICALL_SCRIPT_/Common/my_send_stats:escape_json): foreign key index
(name_FK) do not point at an item that exists in the database.

Conditions:
Reconfigure existing application while iCall is in use

Impact:
Modification of a running iCall script results in an error

Workaround:
None.


940021-3 : Syslog-ng crash may lead to silent reboot

Component: TMOS

Symptoms:
The BIG-IP device silently reboots. After rebooting, you see the following in /var/log/messages:

info kernel: lasthop-ingress-v4: tcp non-syn packet
info kernel: syslog-ng[13461]: segfault at 0 ip 00002b17f748cc9c sp 00007fffedf7df78 error 4 in libc-2.17.so[2b17f740a000+1be000]
info kernel: syslog-ng[29749]: segfault at 2 ip 00002ba26ed77030 sp 00007ffc945207b8 error 4 in libglib-2.0.so.0.5000.3[2ba26ed3d000+10f000]
info kernel: audit_forwarder[31495]: segfault at 7a2da208 ip 0000000056e97be8 sp 00000000ffa9bc80 error 4 in libc-2.17.so[56e66000+1bf000]

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server. Indication that this is occurring is the following entry from syslog-ng in /var/log/messages:

notice syslog-ng[3515]: Syslog connection broken; fd='54', server='AF_INET(10.220.79.129:514)', time_reopen='60'

Impact:
Syslog-ng crash/restart. Sometimes, this may lead to a silent reboot of BIG-IP also. Traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.


939757-4 : Deleting a virtual server might not trigger route-injection update.

Component: TMOS

Symptoms:
When using multiple virtual-servers sharing the same destination address (virtual-address), deleting a single virtual-server that contributes to a virtual-address status might not trigger a route-injection update.

Conditions:
-- Multiple virtual-servers sharing the same destination address.
-- Virtual-server is deleted.

Impact:
Route remains in a routing table and/or Route is not removed from a routing table.

Workaround:
Disable and re-enable the virtual-address after deleting a virtual-server.


939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.


939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.


939517-4 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.

Workaround:
None


939209-1 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.


938309-2 : In-TMM Monitors time out unexpectedly

Component: Local Traffic Manager

Symptoms:
When using the in-TMM monitoring feature, monitored targets (nodes/pool members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the 'interval' value configured for the monitor, but less than the 'timeout' value configured for the monitor, the target may be marked DOWN.

Conditions:
This may occur when either:
-- In-TMM monitoring is enabled (sys db bigd.tmm = enable) and the monitor type uses in-TMM monitoring; OR
-- Bigd is configured to NOT reuse the same socket across consecutive ping attempts (sys db bigd.reusesocket = disable)
AND:
-- The monitored target does not respond to ping attempts within the 'interval' value configured for the monitor.

Impact:
The monitored target may be marked DOWN if it does not respond to ping attempts within the 'interval' value configured for the monitor, instead of within the 'timeout' value configured for the monitor.

Workaround:
To work around this issue, use one of the following methods:
-- Disable in-TMM monitoring and enable bigd socket reuse (sys db bigd.tmm = disable, and sys db bigd.reusesocket = enable).
-- Configure the monitor with an 'interval' value longer than the expected response time for the monitored target(s).


938145-1 : DAG redirects packets to non-existent tmm

Component: TMOS

Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.

Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.

Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.

Workaround:
None


937777-2 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.

Component: Local Traffic Manager

Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.

Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload

Impact:
Traffic disrupted while the TMM restarts.

Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.


937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range

Component: Advanced Firewall Manager

Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.

Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.

Impact:
Incorrect statistics.

Workaround:
None.

Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.


937649-3 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


937601-2 : The ip-tos-to-client setting does not affect traffic to the server.

Component: TMOS

Symptoms:
The ip-tos-to-client setting is intended to apply to client traffic only. Server traffic IP ToS values are configured on the pool using the ip-tos-to-server property.

This is a change in behavior in that previously ip-tos-to-client was loosely interpreted to apply to server traffic as well if not overwritten by the pool.

Conditions:
The ip-tos-to-client value is set in the L4/L7 profile.

Impact:
IP ToS values in traffic to the server is unmodified.

Workaround:
Use the ip-tos-to-server property on pools to change IP ToS values to the server.

Alternatively, use an iRule to set the IP ToS to the server. For example:
when SERVER_CONNECTED {
    IP::tos 63
}


937541-2 : Wrong display of signature references in violation details

Component: Application Security Manager

Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.

Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature

Impact:
The number 1 is shown before the link


937481-2 : Tomcat restarts with error java.lang.OutOfMemoryError

Component: TMOS

Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.

Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).

Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.

Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.

Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.

-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.

For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996

-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'

The command output appears similar to the following example:

Xmx260m
Xmx260m

-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb

-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>

-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>

For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:

tmsh run /cm config-sync to-group Syncfailover

-- Restart the tomcat process by typing the following command:
restart /sys service tomcat


937445-1 : Incorrect signature context logged in remote logger violation details field

Component: Application Security Manager

Symptoms:
An incorrect context (request) is logged for URL signatures in the violation details field.

Conditions:
-- ASM is running with a remote logger that has the violation_details field assigned.
-- A URL signature is matched.

Impact:
The logs do not provide the correct information, which might result in confusion or the inability to use the logged information as intended.

Workaround:
None.


937213 : Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy

Component: Application Security Manager

Symptoms:
Virtual Server is not created when a new HTTPS virtual server is defined with a new security policy using GUI page.

Conditions:
- In GUI open "create new policy" page
- Assign a policy name in "Policy Name"
- Assign "Fundamental" for "Policy Template"
- Choose "Configure new virtual server" in "Virtual Server"
- Select "HTTPS" for "What type of protocol does your application use?"
- Choose an IP address and port 443 for "HTTPS Virtual Server Destination"
- Choose an IP address and port 443 for "HTTPS Pool Member"
- "clientssl" for "SSL Profile (Client)"
- "serverssl" for "SSL Profile (Server)"
- click on "Save" button to create new policy

Impact:
The virtual server is not created when you create the policy, and HTTPS security will not be applied to this newly created security policy.

Workaround:
Go to the Local Traffic section and create a HTTPS Virtual Server manually. After that, assign the security policy to the Virtual Server.


936777-2 : Old local config is synced to other devices in the sync group.

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.


936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.


936441-2 : Nitrox5 SDK driver logging messages

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.


936417-3 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.

Conditions:
Connections to big3d with ECDH or DH ciphers.

Impact:
ECDH/DH ciphers do not work with big3d.

Workaround:
Do not use ECDH/DH ciphers.


936361-1 : IPv6-based bind (named) views do not work

Component: Global Traffic Manager (DNS)

Symptoms:
Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the
expected answers.

After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request.

For example:

debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10#4299: no matching view in class 'IN'

Conditions:
- BIG-IP DNS is provsioned
- One or more ZoneRunner views is defined using IPv6 addresses.
- A DNS query is sent from an IPv6 source address

Impact:
You cannot use DNS views in bind (zonerunner) based on IPv6 addresses.

Workaround:
If possible, use only IPv4 addresses to define views for DNS queries


936125-2 : SNMP request times out after configuring IPv6 trap destination

Component: TMOS

Symptoms:
SNMP request is times out.

Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.

Impact:
No response is returned for SNMP request.

Workaround:
Restart SNMP daemon by running the following TMSH command:

restart sys service snmpd


936093-2 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


935945-1 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200


935865-5 : Rules that share the same name return invalid JSON via REST API

Component: Advanced Firewall Manager

Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)

Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.

Impact:
Invalid JSON structure returned for stat REST API call

Workaround:
Ensure that no rule shares its name with another rule.


935793-2 : With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)

Component: Local Traffic Manager

Symptoms:
When a virtual server with a SIP profile has mirroring enabled, connections on the standby unit will be removed shortly after being created. If tm.rstcause.log is enabled the reset cause message appears similar to the following:

-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.208:5080 to 10.2.207.201:31597, [0x2c1c820:1673] MBLB internal error (Routing problem).
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.209:51051 to 10.2.207.202:5080, [0x2c1c820:931] MBLB internal error.

Conditions:
-- BIG-IP Virtual Edition (VE) running on 2000/4000 platforms using RSS hash.
-- Platforms with more than 1 tmm.

Impact:
Mirrored connections on the standby unit are removed.

Workaround:
-- On BIG-IP VE, add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


935769-3 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.


935293-2 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.


935249-2 : GTM virtual servers have the wrong status

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.


935193-1 : With APM and AFM provisioned, single logout ( SLO ) fails

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.


935177-2 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.


934941-2 : Platform FIPS power-up self test failures not logged to console

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.


934721-2 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.


934697-3 : Route domain not reachable (strict mode)

Component: Local Traffic Manager

Symptoms:
Network flows are reset and errors are found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
Either:
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
Or:
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route domain ID.

For iRules, change from this:

when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):

when HTTP_REQUEST {
 node 10.10.10.10%1 80
}

For LTM policies, change from this:

actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}


To this (assuming route domain 1):

actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}


934065-1 : The turboflex-low-latency and turboflex-dns are missing.

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.


933777-1 : Context use and syntax changes clarification

Component: Application Visibility and Reporting

Symptoms:
There are 2 issues:
1) tmsh analytics commands related to server side connections changed in 14.x
2)"max-tps" is non-cumulative and cannot be used in this context

Conditions:
Using tmsh analytics commands in BIG-IP v14.x and higher

Impact:
1) tmsh commands (related to server side connections) should be written differently in 14.x+
2)The "max-tps" measure is not applicable in the 'client-ip' context

Workaround:
There are 2 issues:
1)tmsh display name changed from total-server-side-conns to server-side-conns etc (14.x+)
2)Change the "max-tps" attribute "commutative" from false to true and change the merge formula from SUM to MAX


933405-2 : Zonerunner GUI hangs when attempting to list Resource Records

Solution Article: K34257075

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.


933329-2 : The process plane statistics do not accurately label some processes

Component: TMOS

Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.

Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.

Impact:
The percentage of usage of each plane can be confusing or incorrect.

Workaround:
None.


933129-2 : Portal Access resources are visible when they should not be

Component: Access Policy Manager

Symptoms:
For Access Policy created with Customization type: modern, Portal Access resource is still present on user's webtop after the checkbox "Publish on Webtop" is disabled in config

Conditions:
-- Access Policy created with Customization type: modern
-- Disable the checkbox "Publish on Webtop" for any Portal Access resource

Impact:
Disabled Portal Access resource visible on the webtop when it should be hidden.

Workaround:
Re-create Access Policy with Customization type: standard


932893-2 : Content profile cannot be updated after redirect from violation details in Request Log

Component: Application Security Manager

Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.

Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile

Impact:
You are unable to update the content profile.

Workaround:
Go to the list content profile page, and update the content profile from there.


932857-2 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring

Component: Local Traffic Manager

Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.

Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.

Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.

Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


932553-4 : An HTTP request is not served when a remote logging server is down

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


932497-3 : Autoscale groups require multiple syncs of datasync-global-dg

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.


932461-3 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.

Component: Local Traffic Manager

Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.

After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.

Impact:
The monitor still tries to use the old certificate, even after the update.

Workaround:
Use either of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.

The bigd utility successfully loads the new certificate file.


932437-2 : Loading SCF file does not restore files from tar file

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.


932213-2 : Local user db not synced to standby device when it is comes online after forced offline state

Component: Access Policy Manager

Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.

Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.

Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.

Workaround:
None


932045-3 : Memory leak with umem_alloc_80 through creating/deleting LTM node object

Component: Local Traffic Manager

Symptoms:
Memory leak in umem_alloc_80 through creating/deleting an LTM node object.

Conditions:
-- Create a node object.
-- Delete the node object.

Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive swiper and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Refrain continuous creation/deletion of LTM nodes.


931629-2 : External trunk fdb entries might end up with internal MAC addresses.

Component: TMOS

Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.

Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.

Impact:
Traffic processing is disrupted.

Workaround:
None.


931469-7 : Redundant socket close when half-open monitor pings

Component: Local Traffic Manager

Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.

Conditions:
This occurs when the half-open monitor pings successfully.

Impact:
Minor performance impact.

Workaround:
None.


931149-1 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr


931033-1 : Device ID Deletions anomaly might be raised in case of browser/hardware change

Component: Application Security Manager

Symptoms:
-- Valid users complain they are unable to connect, or they are required to do CAPTCHA frequently.
-- On the BIG-IP device, 'Device ID Deletion' violations are being raised.

Conditions:
-- Bot Defense Profile with 'Device ID' mode set to 'Generate After Access' is attached to the virtual server.
-- Some change in the browser or computer hardware occurs.
-- Surfing to multiple qualified pages at the same time.

Impact:
Valid requests might be mitigated.

Workaround:
Raise the threshold of 'Device ID Deletion' anomaly (recommended value according to the webserver, is approximately 4).


930905-4 : Management route lost after reboot.

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP via management address.

Conditions:
This occurs in the following scenario:

1) Deploy 2NIC BIG-IP Virtual Edition (VE) in GCP (e.g., by following the steps described in Deploying the BIG-IP VE in Google Cloud - 2 NIC: Existing Stack with BYOL Licensing :: https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

2) Once VE deployment completes, connect to the BIG-IP mgmt address and check the BIG-IP routing table. (There should be two default routes in it.) Enable SSH on an external self IP (to be able to connect to BIG-IP system after the reboot).

3) Reboot BIG-IP VE.

4) After reboot completes, SSH connect to the external self IP and check the BIG-IP routing table.

Impact:
The default route via mgmt interface no longer exists in the routing table. Inability to connect to BIG-IP VE via management address after reboot. No management access to BIG-IP.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd


930825-4 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors

Component: TMOS

Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the current behavior is to failover to the peer unit and go-offline and down links.

This can be seen the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.

Followed by a failover event.

Conditions:
It is unknown under what conditions the XLMAC errors occur.

Impact:
The BIG-IP system fails over.

Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.


930005-2 : Recover previous QUIC cwnd value on spurious loss

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.


929429-2 : Oracle database monitor uses excessive CPU when Platform FIPS is licensed

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle LTM monitor.
-- Add a pool member to the Oracle monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.


929133-2 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Component: TMOS

Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.

Conditions:
Vlan name that starts with "eth"

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all vlans that start with "eth"


929077-2 : Bot Defense Whitelist does not apply when using default Route Domain and XFF header

Component: Application Security Manager

Symptoms:
When configuring an IP address whitelist in Bot Defense Profile, using a default Route Domain, and sending a request with an X-Forwarded-For header the request might not be whitelisted.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address whitelist configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from a whitelisted IP address is blocked.

Workaround:
Whitelist the IP address using an iRule.


929005-2 : TS cookie is set in all responses

Component: Application Security Manager

Symptoms:
ASM sends a new cookie in every response, even though there is no change to the cookie name-plus-value.

Conditions:
-- ASM enabled.
-- Hostname is configured in the ASM policy.
-- The pool member sends different cookie values each time.

Impact:
ASM sends a Set-Cookie in every response, and it always sets the same cookie value.

Workaround:
None.


928857-2 : Use of OCSP responder may leak X509 store instances

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928805-2 : Use of OCSP responder may cause memory leakage

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928789-2 : Use of OCSP responder may leak SSL handshake instances

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
No workaround.


928717-3 : [ASM - AWS] - ASU fails to sync

Component: Application Security Manager

Symptoms:
Live Update configuration is not updated.

Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.

Impact:
Automatic signature updates (ASU) fail to sync.

Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:

1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.


928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.


928665-2 : Kernel nf_conntrack table might get full with large configurations.

Component: Advanced Firewall Manager

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15 KB active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.


928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.


928445-4 : HTTPS monitor is down when server_ssl profile cipher string is configured to TLSv1_2

Component: Local Traffic Manager

Symptoms:
HTTPS monitor state is down when server_ssl profile cipher string has the value 'TLSv1_2'.
 -- configured cipherstring TLSv1_2/TLSv1_1 is rejected by OpenSSL.

Conditions:
-- Pool member is attached with HTTPS monitor.
-- Monitor is configured with an SSL profile.
-- The configured server_ssl profile has cipher string as DEFAULT:!TLSv1_2.

Impact:
Pool status is down.

Workaround:
-- Enable 'in-tmm' monitoring.
-- Use SSL options available in the server SSL profile to disable TLSv1_2 or TLSv1_1 instead of cipher string.
-- Use the same cipher string with cipher group / cipher rule that is attached to the SSL profile.


928389-2 : GUI become inaccessible after importing certificate under import type 'certificate'

Component: TMOS

Symptoms:
Current implementation causes httpd down and makes the GUI inaccessible as soon as you import a new cert.

Conditions:
Upload new cert using Import-type 'Certificate' option.

Impact:
The GUI inaccessible as soon as you import a cert using import-type 'Certificate'.

Workaround:
Manually copy the correct key.


928353-2 : Error logged installing Engineering Hotfix: Argument isn't numeric

Component: TMOS

Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:

Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.

Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.

Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.

Workaround:
None.


928177-2 : Syn-cookies might get enabled when performing multiple software upgrades.

Component: Advanced Firewall Manager

Symptoms:
Syn-cookie protection of FastL4/TCP profile might get enabled when performing multiple software upgrades.

Conditions:
-- Performing an upgrade from version earlier than 14.0.0 to a version higher than or equal to 14.0.0.
-- Then performing another upgrade.

Impact:
Value of profile attribute syn-cookie-enable might be changed during an upgrade.

Workaround:
Save configuration before starting each upgrade.


927941-5 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted


927713-1 : Secondary blade IPsec SAs lost after standby reboot using clsh reboot

Component: Local Traffic Manager

Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.

Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.

Impact:
Secondary blade IPSec Security Associations (SAs) are lost, resulting in SA sync issues.

Workaround:
Perform a reboot from the GUI.


927633-2 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.


927569-2 : HTTP/3 rejects subsequent partial SETTINGS frames

Component: Local Traffic Manager

Symptoms:
HTTP/3 aborts the connection upon receipt of a 'second' SETTINGS frame.

Conditions:
HTTP/3 first receives an incomplete SETTINGS frame, followed by more SETTINGS frame bytes.

Impact:
Connection fails to complete.

Workaround:
None.


927485-4 : Restnoded memory leak while deploying telemetry

Component: TMOS

Symptoms:
While deploying telemetry, restnoded uses excessive memory and restarts, and the telemetry consumer server is down.

Conditions:
Telemetry is deployed according to https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/prereqs.html

Impact:
Restnoded restarts and is not available


927441-3 : Guest user not able to see virtual server details when ASM policy attached

Component: TMOS

Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).

Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail

Impact:
Cannot view virtual server details.

Workaround:
None.


926985-2 : HTTP/3 aborts stream on incomplete frame headers

Component: Local Traffic Manager

Symptoms:
HTTP/3 streams abort at seemingly arbitrary times when BIG-IP is receiving large amounts of data.

Conditions:
HTTP/3 receives an incomplete frame header on a given stream.

Impact:
Data transfer is incomplete.

Workaround:
None


926973-1 : APM / OAuth issue with larger JWT validation

Component: Access Policy Manager

Symptoms:
When the access profile type is OAuth-RS or ALL, and sends a request with a Bearer token longer than 4080 bytes in the Authorization header to the virtual server, OAuth fails with ERR_NOT_SUPPORTED.

Conditions:
Bearer token longer than 4080 bytes

Impact:
APM oauth fails with ERR_NOT_SUPPORTED.

Workaround:
None.


926929-3 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP requests and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that allows certain constructions after a header name may not function.

Workaround:
None.


926845-5 : Inactive ASM policies are deleted upon upgrade

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.


926757-2 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Component: Local Traffic Manager

Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Conditions:
Virtual-server with an address space overlapping with a self-IP, capable of handling ICMP traffic, for example:
ip-forward wildcard 0.0.0.0/0 virtual-server

Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.

Workaround:
There is no workaround.


926549-1 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'

Component: Advanced Firewall Manager

Symptoms:
With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm.

Conditions:
-- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option.
-- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'.

Impact:
The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm.

Workaround:
This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm:
bigstart restart tmm

This stops the current looping, until it is triggered again.

Impact of workaround: Traffic disrupted while tmm restarts.


926513-2 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.

Component: Local Traffic Manager

Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.

Conditions:
A virtual server provisioned with the following configuration:

--HTTP/2 default pool.
--HTTP/2 clone pool (server).
--HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.

Impact:
Clone pools (server) do not mirror HTTP/2 traffic.

Workaround:
None.


926085 : GUI: Node/port monitor test not possible in the GUI, but works in tmsh

Component: Local Traffic Manager

Symptoms:
Node address field is disabled when trying to create custom HTTP monitor, so you cannot enter a node address This prevents you from using the Test operation to test this type of monitor in the GUI.

Conditions:
-- In a new monitor derived from HTTP, click the Test tab.
-- View the Address field, and then try to run the test.

Impact:
The Address field is disabled, with *.* in the field. You cannot enter a node address. The test fails with a message:
invalid monitor destination of *.*:80.

Workaround:
Use tmsh instead of the GUI.


925797-2 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members

Component: TMOS

Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.

The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.

One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.

Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.

Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.

Workaround:
None.


925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.

Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue.

Workaround:
None.


924945-3 : Fail to detach HTTP profile from virtual server

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.


924929-2 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.


924697-2 : VDI data plane performance degraded during frequent session statistic updates

Component: Access Policy Manager

Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.

Conditions:
APM is used as VDI proxy for Citrix or VMware.

Impact:
APM's VDI proxy does not perform to its full capacity.

Workaround:
None.


924589-1 : PEM ephemeral listeners with source-address-translation may not count subscriber data

Component: Policy Enforcement Manager

Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.

Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)

Impact:
Inaccurate subscriber traffic reporting and classification.

Workaround:
None.


924521-2 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.


923745-3 : Ctrl-Alt-Del reboots the system

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.

Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.

Workaround:
Run the following command:

systemctl mask ctrl-alt-del.target


923233-1 : Incorrect encoding in 'Logout Page' for non-UTF8 security policy

Component: Application Security Manager

Symptoms:
Fields in 'Logout Page' for a non-UTF8 security policy has incorrect encoding for values, including non-English characters in the GUI and iControl REST.

Conditions:
This can be encountered while creating a non-UTF8 security policy via iControl REST, where the 'expected' and 'unexpected' fields contain non-UTF8 content.

Impact:
Logout Page field values are displayed with the wrong encoding.

Workaround:
None.


923221-4 : BD does not use all the CPU cores

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.


922885-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.5

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.5 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

'tmsh show net interface' indicates that one or more interfaces are not initialized.

Conditions:
-- BIG-IP VE running on VMware ESXi 6.5 hypervisor.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
-- On the BIG-IP systems, you can switch to the 'sock' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

1, At the command prompt, run the following command to enable the sock driver in tmm_init.tcl:

echo "device driver vendor_dev 15ad:07b0 sock" >> tmm_init.tcl

2. Restart tmm:

tmsh restart sys service tmm

-- After restarting, the sock driver should be listed in the 'driver_in_use' column when running the following command.

tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- --------------------- -------------
0000:03:00.0 F5DEV_PCI xnet, vmxnet3, sock,
0000:0b:00.0 1.1 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:13:00.0 1.2 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:1b:00.0 1.3 F5DEV_PCI xnet, vmxnet3, sock, sock


922785-2 : Live Update scheduled installation is not installing on set schedule

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14


922665-2 : The admd process is terminated by watchdog on some heavy load configuration process

Component: Anomaly Detection Services

Symptoms:
The watchdog process in the BIG-IP ASM monitors terminates the admd process.

Conditions:
On some heavy load configuration process, such as version upgrade.

Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.

Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:

bigstart stop admd
bigstart start admd


922641-4 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow

Component: Local Traffic Manager

Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.

Conditions:
An iRule contains a script that parks in a clientside or serverside command.

Examples of parking commands include 'table' and 'persist'.

Impact:
The iRule commands operate on the wrong peer flow.

Workaround:
Avoid using commands that park inside the clientside or serverside command.


922613-2 : Tunnels using autolasthop might drop traffic with ICMP route unreachable

Component: TMOS

Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.

Conditions:
No route exists to the other end of the tunnel.

Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.

Workaround:
Create a route towards the other remote end of the tunnel.


922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites

Component: Anomaly Detection Services

Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.

Conditions:
This can occur for some requests that have high latency and low TPS.

Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.

Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500

For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.

The results is that the attack is declared later than for the default value, but it is declared and the site is protected.


922413-2 : Excessive memory consumption with ntlmconnpool configured

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.


922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

In /var/log/tmm it can be seen that tmm0 is waiting for another TMM, e.g.:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, it can be seen that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.


922261-2 : WebSocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.


922185-1 : LDAP referrals not supported for "cert-ldap system-auth"

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote ldap auth enabled
-- Administrative users are authenticated with the "cert-ldap" source.
-- The admin user tries to log in

Impact:
The cert-ldap authentication does not work.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.


922153-2 : Tcpdump is failing on tmm 0.x interfaces

Component: TMOS

Symptoms:
The tcpdump command exits immediately with an error:
 errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted

Conditions:
Capturing the packets on tmm interfaces.

Impact:
Unable to capture the packets on specific tmm interfaces.

Workaround:
There are two possible workarounds:

-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:

TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):

TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


922069 : Increase iApp block configuration processor timeout

Component: TMOS

Symptoms:
Attempting to configure and deploy an SSL Orchestrator configuration may result in a configuration processor timeout error.

Conditions:
When the TMOS control plane is taking a relatively high amount of CPU processing due to intense REST framework management workflows, any attempt to configure and deploy an SSL Orchestrator configuration using the guided configuration user interface, might take longer than the default 30 seconds timeout.

Impact:
The operation fails, resulting in a configuration processor timeout error. The BIG-IP administrator cannot configure and deploy an SSL Orchestrator configuration.

Workaround:
1. Edit the /var/config/rest/iapps/f5-iappslx-ssl-orchestrator/nodejs/gc/orchestratorConfigProcessor.js file:

vi /var/config/rest/iapps/f5-iappslx-ssl-orchestrator/nodejs/gc/orchestratorConfigProcessor.js

2. Locate the var _createComponentBlock = function(...) and locate the following line inside the function body (line ~1290):

requestBody.state = "BINDING";

3. Add the following after the 'requestBody.state' line:
requestBody.configProcessorTimeoutSeconds = 120;

4. Save the edited file.

5. Restart the restnoded daemon:
bigstart restart restnoded


922005-3 : Stats on a certain counter for web-acceleration profile may show excessive value

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.


921881-2 : Use of IPFIX log destination can result in increased CPU utilization

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.


921721-1 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.


921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot whitelist items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new whitelist item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.


921625-2 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.


921541-3 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.


921477-2 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.

Component: Local Traffic Manager

Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.

Conditions:
A dual BIG-IP configuration may provisioned with the following considerations.

-- One or more BIG-IP systems are in the network path for monitor traffic.

-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.

-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.

Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.

Workaround:
You can use http_head_f5 monitor to perform health checks.


921441-2 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.


921149-1 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.


921121-4 : Tmm crash with iRule and a PEM Policy with BWC Enabled

Component: TMOS

Symptoms:
Tmm crashes while passing traffic through PEM.

Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


921065 : BIG-IP systems not responding to DPD requests from initiator after failover

Component: TMOS

Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.

Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.

Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.

Workaround:
None.


920893-1 : GUI banner for configuration issues frozen after repeated forced VIPRION blade failover

Component: TMOS

Symptoms:
Repeatedly forcing VIPRION blade failover can cause the GUI to get stuck displaying:

This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. Failover occurs as expected, and the device is operational.

Conditions:
Repeatedly forcing blade failover triggers this issue, with commands such as the following issued in rapid succession:

- tmsh modify sys cluster default members { 2 { disabled } }
- tmsh modify sys cluster default members { 2 { enabled } }
- tmsh modify sys cluster default members { 1 { disabled } }
- tmsh modify sys cluster default members { 1 { enabled } }

Impact:
The GUI continuously displays the banner the device-not-operational banner. However, the device is operational.

Workaround:
You can use either of the following workarounds to return the GUI to normal operation:
-- Restart mcpd by running the following command:
bigstart restart mcpd

-- Reboot the VIPRION system.


920817-6 : DNS Resource Records can be lost in certain circumstances

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Zone syncing is missing Resource Records.

Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.

Impact:
DNS Resource Records can be missing from the BIND DNS database.

The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present.

Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.

Note: It is also possible to turn off Zone Syncing. GTM/DNS configuration is still synced, but the you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not utilize ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.


920789-2 : UDP commands in iRules executed during FLOW_INIT event fail

Component: Local Traffic Manager

Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.

Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.

Impact:
UDP commands in iRules executed during FLOW_INIT event fail.

Workaround:
None.


920761-2 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values

Component: TMOS

Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.

Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.

Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.

Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.


920541-3 : Incorrect values in 'Class Attribute' in Radius-Acct STOP request

Component: Access Policy Manager

Symptoms:
'Class Attribute' value in the Radius-Acct STOP request from the BIG-IP APM system does not match the 'Class Attribute' value in the Radius-Acct START request from the RADIUS server.

Conditions:
-- Access policy is configured with RADIUS Acct VPE item to send accounting messages to RADIUS server when users log on and off.

Impact:
RADIUS server does not log accounting information properly.

Workaround:
This workaround textually describes reconfiguring an access policy in the Visual Policy Editor (VPE). Descriptions may not be as straightforward as in regular GUI workarounds.

This is a description of the visual layout of the policy:

Start --+-- Logon Page --+-- RADIUS Auth --+-- RADIUS Acct --+-- Variable Assign (1) --+-- Advanced Resource Assign --+-- Variable Assign --+-- Allow

1. Decode the class attribute and save it in a temporary variable:

   -- Click Variable Assign (1); in the two sub-areas, enter the following:

      temp.radius.last.attr.class.decoded
      expr { [mcget -decode {session.radius.last.attr.class}] }

2. Copy the temporary variable into the class session var:

   -- Click Variable Assign; in the two sub-areas, enter the following:

   session.radius.last.attr.class,
   expr { [mcget {temp.radius.last.attr.class.decoded}] }

In this way, when you log out, and APM sends the RADIUS Stop accounting message, it uses the decoded value that is saved in the session.radius.last.attr.class variable.


920517-2 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI

Component: TMOS

Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.

Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.

Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.

Workaround:
You can use either of the following workarounds:

-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.

-- Use TMSH to create Rate Shaping Rate Class objects.


920285 : WS::disconnect may result in TMM crash under certain conditions

Component: Local Traffic Manager

Symptoms:
The WebSocket profile allows use of the WS::disconnect iRule command to gracefully terminate a connection with a client or a server. Use of this command may result in crash if tmm parts the iRule before execution completes.

Conditions:
-- BIG-IP has a virtual server configured with a WebSocket profile.
-- An iRule the includes the WS::disconnect command is attached to the virtual server.
-- BIG-IP is under heavy load and/or the iRule requires an extended time to execute, which might happen, for example, during execution on an iRule, tmm might park the iRule execution because the operation takes more CPU cycle than tmm can allocate to complete the iRule execution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


920205-4 : Rate shaping might suppress TCP RST

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.


920197-3 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.


920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.


919861-1 : Tunnel Static Forwarding Table does not show entries per page

Component: TMOS

Symptoms:
On the Network :: Tunnels page of the GUI, if the Tunnel Static Forwarding Table contains more than one page of data, you are unable to advance past the first page.

Conditions:
Tunnel Static Forwarding Table contains a large number of configured tunnels.

Impact:
The content displayed on screen and does not conform to the system preference for Records Per Screen.

Workaround:
None.


919401-2 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed

Component: TMOS

Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


919317-5 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.


919185-2 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


918905-2 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules

Component: Advanced Firewall Manager

Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use.

Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.

Impact:
PCCD restart loop. PCCD is not functional until there are 256 or fewer entries.

Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.

To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd


918693-4 : Wide IP alias validation error during sync or config load

Component: Global Traffic Manager (DNS)

Symptoms:
DB validation exception occurs during sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.


918597-5 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.


918409-2 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm


918277-2 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.


918097-3 : Cookies set in the URI on Safari

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.


918053-1 : [Win][EdgeClient] 'Enable Always Connected mode' is checked for all connectivity profiles with same Parent profile.

Component: Access Policy Manager

Symptoms:
The default value of 'Enable Always Connected' becomes enabled for connectivity profiles after adding 'Server List' to one of the connectivity profiles with the same Parent profile.

Conditions:
-- Add 'Server List' to one of the connectivity profiles with the same Parent profile.
-- Enable the 'Always Connected mode' setting for one of the connectivity profiles.

Impact:
This change affects all of the connectivity profiles. The parent-child inheritance logic is broken.

Workaround:
Manually uncheck the setting in all new profiles where 'Enable Always Connected' is not needed.


918013-1 : Log message with large wchan value

Component: TMOS

Symptoms:
A message is logged with a very large wchan (waiting channel, WCHAN :: Sleeping in Function) value that corresponds to -1 when read as signed instead of unsigned.

Conditions:
This happens in normal operation.

Impact:
The message is not accurately reporting the wchan value

Workaround:
Look at the /proc/PID/stack file for the correct wchan value.


917637-2 : Tmm crash with ICAP filter

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Per-request policies configured.
-- ICAP is configured.

This is rare condition that occurs intermittently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


916781-1 : Validation error while attaching DoS profile to GTP virtual

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.


916485-2 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.


915969-1 : Truncated QUIC connection close reason

Component: Local Traffic Manager

Symptoms:
The connection close reason in QUIC is limited to 5 bytes prior to the path being validated. This makes it difficult to debug early connection failures.

Conditions:
A connection close is sent in QUIC before the path is validated.

Impact:
Connection close reason is limited to 5 bytes before the path is validated.

Workaround:
None


915829-2 : Particular Users unable to login with LDAP Authentication Provider

Component: TMOS

Symptoms:
With LDAP as authentication provider, some administrative users are unable to login to BIG-IP.

Conditions:
-- LDAP remote authentication.
-- Certain users, whose characteristics have not been identified.

Impact:
Certain client users cannot login to administer the BIG-IP system.

Workaround:
None.


915773-1 : Restart of TMM after stale interface reference

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


915557-2 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.


915509-1 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true

Component: Access Policy Manager

Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).

Conditions:
RADIUS Auth with 'show-extended-error' enabled.

Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.

Workaround:
None.


915493-4 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.


915489-2 : LTM Virtual Server Health is not affected by iRule Requests dropped

Component: Anomaly Detection Services

Symptoms:
Virtual Server Health should not take into account deliberate drop requests.

Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.

Impact:
Server Health reflects it is overloading status more precisely.

Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.


915473-1 : Accessing Dashboard page with AVR provisioned causes continuous audit logs

Component: TMOS

Symptoms:
Navigating to Statistics -> Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.

Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics -> Dashboard.

Impact:
The continuous extra logs will lead to confusion and may not be helpful


915305-5 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.


915221-4 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.


915141-2 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.


915133-3 : Single Page Application can break the page, when hooking is done by the end server application.

Component: Application Security Manager

Symptoms:
When the end server application hooks some of the XHR callback functions (onload, onreadystate, send, open..), and a Single Page Application is used, the application page may malfunction.

Conditions:
This may occur when a server application hooks some XHR callbacks, and one of the following:

-- Bot Defense Profile with 'Single Page Application' enabled and attached to the virtual server.

-- ASM Policy with 'Single Page Application' enabled and a JS feature is attached to the virtual server.

-- DoS Profile with Application Security and 'Single Page Application' enabled and is attached to the virtual server.

Impact:
Web page does not render properly. It might result in a blank page, missing functionality, etc.

Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"


915005-1 : AVR core files have unclear names

Component: Application Visibility and Reporting

Symptoms:
If avrd fails a core file created in this case is named accordung to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz

Conditions:
Avrd fails with a core

Impact:
It is inconvenient for identifying the process that caused the core.


914645-3 : Unable to apply LTM policies to virtual servers after running 'mount -a'

Component: TMOS

Symptoms:
After attempting to assign an LTM policy to a virtual server, you may get an error in the GUI:

010716d8:3: Compilation of ltm policies for virtual server /Common/VS failed; Couldn't publish shared memory segment.

You may also see this logged in /var/log/ltm:

 err mcpd[6905]: 010716d5:3: Failed to publish LOIPC object for (loipc_VS.1589526000.777142413). Call to (shm_open) failed with errno (13) errstr (Permission denied).

Conditions:
-- Run the command:
mount -a
-- Attempt to assign an LTM policy to a virtual server.

Impact:
Unable to apply LTM policies.

Workaround:
Run the following command to enable assigning an LTM policy to a virtual server:
umount -l /dev/shm


914589-2 : VLAN Failsafe timeout is not always respected

Component: Local Traffic Manager

Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.

Conditions:
-- Rarely happen on first failover. More commonly occurs on 3rd/4th failover.
-- Specific conditions that cause this issue are not known.

Impact:
VLAN Failsafe timeout might be triggered later than it is configured.

The exact impact varies based on the configuration and traffic activity.

Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).


914293-3 : TMM SIGSEGV and crash

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.


914277-2 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.

Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.


914081-1 : Engineering Hotfixes missing bug titles

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.


913917-2 : Unable to save UCS

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.


913849-1 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.


913829-4 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.


913757-1 : Error viewing security policy settings for virtual server with FTP Protocol Security

Component: Application Security Manager

Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:

An error has occurred while trying to process your request.

Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.

Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:

An error has occurred while trying to process your request.

Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:

-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:

 tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }


913713-2 : Rebooting a blade causes MCPd to core as it rejoins the cluster

Component: TMOS

Symptoms:
Tmm and mcpd cores for slot2

Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core.

Impact:
Traffic disrupted while tmm and mcpd mcpd restarts.

Workaround:
N/A


913573-2 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.

Component: TMOS

Symptoms:
When REST API PUT request is call to modify LTM data-group internal without 'type' field in body-content, it fails intermittently with a 400 error.

--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}

The 'type' field is not getting populated with default value and is set to null string "" instead.

Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.

Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.

Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.

Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>


913453-5 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.


913433-3 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.


913385-1 : TMM generates core while deleting iFiles

Component: Local Traffic Manager

Symptoms:
While deleting iFiles, TMM might crash and generates a core.

Conditions:
-- There is any ifile command in an iRule where you are giving a list object to the file name argument instead of to a string object, for example:

The 2nd line returns a list object, and the 3rd line is giving it to ifile command:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get $ifile_name

-- A request is processed by the iRule.
-- Attempt to delete the file in which the issue occurred.

Impact:
TMM crashes and restarts, triggering failover in high availability (HA) configurations. Traffic disruption while TMM restarts on a standalone configuration.

Workaround:
Ensure that the iRule gives a string object to ifile commands. Here is a sample iRule that implements the workaround:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] &qu