Applies To:
Show Versions
BIG-IP AAM
- 15.1.4
BIG-IP APM
- 15.1.4
BIG-IP Link Controller
- 15.1.4
BIG-IP Analytics
- 15.1.4
BIG-IP LTM
- 15.1.4
BIG-IP AFM
- 15.1.4
BIG-IP PEM
- 15.1.4
BIG-IP DNS
- 15.1.4
BIG-IP FPS
- 15.1.4
BIG-IP ASM
- 15.1.4
BIG-IP Release Information
Version: 15.1.4.1
Build: 15.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 988549-5 | CVE-2020-29573 | K27238230 | CVE-2020-29573: glibc vulnerability |
| 966901-2 | CVE-2020-14364 | K09081535 | CVE-2020-14364: Qemu Vulnerability |
| 940317-4 | CVE-2020-13692 | K23157312 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability |
| 1032405-3 | CVE-2021-23037 | K21435974 | TMUI XSS vulnerability CVE-2021-23037 |
| 1012365-2 | CVE-2021-20305 | K33101555 | Nettle cryptography library vulnerability CVE-2021-20305 |
| 988589-5 | CVE-2019-25013 | K68251873 | CVE-2019-25013 glibc vulnerability: buffer over-read in iconv |
| 975589-4 | CVE-2020-8277 | K07944249 | CVE-2020-8277 Node.js vulnerability |
| 973409-5 | CVE-2020-1971 | K42910051 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference |
| 941649-2 | CVE-2021-23043 | K63163637 | Local File Inclusion Vulnerability |
| 1001369-2 | CVE-2020-12049 | K16729408 | D-Bus vulnerability CVE-2020-12049 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 754335-3 | 3-Major | Install ISO does not boot on BIG-IP VE★ | |
| 985953-3 | 4-Minor | GRE Transparent Ethernet Bridging inner MAC overwrite |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1042993-2 | 1-Blocking | K19272127 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' |
| 1039049 | 1-Blocking | Installing EHF on particular platforms fails with error "RPM transaction failure" | |
| 997313-3 | 2-Critical | Unable to create APM policies in a sync-only folder★ | |
| 942549-2 | 2-Critical | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | |
| 897509-1 | 2-Critical | IPsec SAs are missing on HA standby, leading to packet drops after failover | |
| 831821-1 | 2-Critical | Corrupted DAG packets causes bcm56xxd core on VCMP host | |
| 1043277-3 | 2-Critical | K06520200 | 'No access' error page displays for APM policy export and apply options |
| 992053-1 | 3-Major | Pva_stats for server side connections do not update for redirected flows | |
| 989701-5 | 3-Major | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | |
| 965205-2 | 3-Major | BIG-IP dashboard downloads unused widgets | |
| 958093-3 | 3-Major | IPv6 routes missing after BGP graceful restart | |
| 947529-2 | 3-Major | Security tab in virtual server menu renders slowly | |
| 940885-2 | 3-Major | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | |
| 922185-1 | 3-Major | LDAP referrals not supported for 'cert-ldap system-auth'★ | |
| 909197-3 | 3-Major | The mcpd process may become unresponsive | |
| 900933-1 | 3-Major | IPsec interoperability problem with ECP PFS | |
| 887117-2 | 3-Major | Invalid SessionDB messages are sent to Standby | |
| 881085-3 | 3-Major | Intermittent auth failures with remote LDAP auth for BIG-IP managment | |
| 873641-1 | 3-Major | Re-offloading of TCP flows to hardware does not work | |
| 856953-4 | 3-Major | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | |
| 809657-7 | 3-Major | HA Group score not computed correctly for an unmonitored pool when mcpd starts | |
| 1045421-2 | 3-Major | K16107301 | No Access error when performing various actions in the TMOS GUI |
| 1032737-1 | 3-Major | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | |
| 1032077-2 | 3-Major | TACACS authentication fails with tac_author_read: short author body | |
| 1028669-5 | 3-Major | Python vulnerability: CVE-2019-9948 | |
| 1028573-5 | 3-Major | Perl vulnerability: CVE-2020-10878 | |
| 1027713 | 3-Major | SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment | |
| 1026549-3 | 3-Major | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | |
| 1024877-2 | 3-Major | Systemd[]: systemd-ask-password-serial.service failed | |
| 1019429-3 | 3-Major | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | |
| 1018309-3 | 3-Major | Loading config file with imish removes the last character | |
| 1015093-3 | 3-Major | The "iq" column is missing from the ndal_tx_stats table | |
| 1010245-1 | 3-Major | Duplicate ipsec-sa SPI values shown by tmsh command | |
| 1009949-2 | 3-Major | High CPU usage when upgrading from previous version★ | |
| 1009725-3 | 3-Major | Excessive resource usage when ixlv drivers are enabled | |
| 1003257-4 | 3-Major | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | |
| 988533-1 | 4-Minor | GRE-encapsulated MPLS packet support | |
| 966073-1 | 4-Minor | GENEVE protocol support | |
| 884165-3 | 4-Minor | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | |
| 1030845-2 | 4-Minor | Time change from TMSH not logged in /var/log/audit | |
| 1028497-5 | 4-Minor | libexpat vulnerability: CVE-2019-15903 |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 999933-3 | 2-Critical | TMM may crash while processing DNS traffic on certain platforms | |
| 991421-3 | 2-Critical | TMM may crash while processing TLS traffic | |
| 989637-3 | 2-Critical | TMM may crash while processing SSL traffic | |
| 862885-2 | 2-Critical | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | |
| 1020645-1 | 2-Critical | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | |
| 1008077-5 | 2-Critical | TMM may crash while processing TCP traffic with a FastL4 VS | |
| 1007489-5 | 2-Critical | TMM may crash while handling specific HTTP requests★ | |
| 985433-2 | 3-Major | Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. | |
| 978833-2 | 3-Major | Use of CRL-based Certificate Monitoring Causes Memory Leak | |
| 965037-1 | 3-Major | SSL Orchestrator does not send HTTP CONNECT tunnel payload to services | |
| 963705-3 | 3-Major | Proxy ssl server response not forwarded | |
| 915773-1 | 3-Major | Restart of TMM after stale interface reference | |
| 910517-1 | 3-Major | TMM may crash while processing HTTP traffic | |
| 904041-2 | 3-Major | Ephemeral pool members may be incorrect when modified via various actions | |
| 803629-7 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
| 758041-1 | 3-Major | Pool Members may not be updated accurately when multiple identical database monitors are configured | |
| 723112-8 | 3-Major | LTM policies does not work if a condition has more than 127 matches | |
| 550928-5 | 3-Major | TMM may crash when processing HTTP traffic with a FastL4 virtual server | |
| 1023365-1 | 3-Major | SSL server response could be dropped on immediate shutdown | |
| 1018577-3 | 3-Major | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | |
| 1012009-1 | 3-Major | MQTT Message Routing virtual may result in TMM crash | |
| 1008017-5 | 3-Major | Validation failure on Enforce TLS Requirements and TLS Renegotiation | |
| 1006781-1 | 3-Major | Server SYN is sent on VLAN 0 when destination MAC is multicast | |
| 949721-2 | 4-Minor | QUIC does not send control frames in PTO packets | |
| 936773-2 | 4-Minor | Improve logging for "double flow removal" TMM Oops | |
| 936557-2 | 4-Minor | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | |
| 890881-4 | 4-Minor | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | |
| 1031901-1 | 4-Minor | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | |
| 1002945-2 | 4-Minor | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 933405-2 | 1-Blocking | K34257075 | Zonerunner GUI hangs when attempting to list Resource Records |
| 1009037-3 | 2-Critical | Tcl resume on invalid connection flow can cause tmm crash | |
| 847105-2 | 3-Major | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | |
| 1021417-3 | 3-Major | Modifying GTM pool members with replace-all-with results in pool members with order 0 |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 997137-3 | 2-Critical | CSRF token removal may allow WAF bypass on GET requests | |
| 912149-5 | 2-Critical | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | |
| 879841-4 | 2-Critical | Domain cookie same-site option is missing the "None" as value in GUI and rest | |
| 1019853-2 | 2-Critical | Some signatures are not matched under specific conditions | |
| 1011065-2 | 2-Critical | Certain attack signatures may not match in multipart content | |
| 1011061-2 | 2-Critical | Certain attack signatures may not match in multipart content | |
| 974341-2 | 3-Major | REST API: File upload | |
| 948805-1 | 3-Major | False positive "Null in Request" | |
| 945789-1 | 3-Major | Live update cannot resolve hostname if ipv6 is configured | |
| 932133-2 | 3-Major | Payloads with large number of elements in XML take a lot of time to process | |
| 920149-1 | 3-Major | Live Update default factory file for Server Technologies cannot be reinstalled | |
| 914277-2 | 3-Major | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | |
| 904133-1 | 3-Major | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | |
| 882377-3 | 3-Major | ASM Application Security Editor Role User can update/install ASU | |
| 857633-7 | 3-Major | Attack Type (SSRF) appears incorrectly in REST result | |
| 842013-3 | 3-Major | ASM Configuration is Lost on License Reactivation★ | |
| 753715-2 | 3-Major | False positive JSON max array length violation | |
| 1042069-2 | 3-Major | Some signatures are not matched under specific conditions | |
| 1017153-2 | 3-Major | Asmlogd suddenly deletes all request log protobuf files and records from the database | |
| 1039805 | 4-Minor | Save button in Response and Blocking Pages section is enabled when there are no changes to save. | |
| 1003765-1 | 4-Minor | Authorization header signature triggered even when explicitly disabled |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 932137-5 | 3-Major | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | |
| 922105-3 | 3-Major | Avrd core when connection to BIG-IQ data collection device is not available | |
| 832805-2 | 3-Major | AVR should make sure file permissions are correct (tmstat_tables.xml) | |
| 787677-5 | 3-Major | AVRD stays at 100% CPU constantly on some systems | |
| 1035133-3 | 3-Major | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | |
| 948113-3 | 4-Minor | User-defined report scheduling fails |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 860617-3 | 2-Critical | Radius sever pool without attaching the load balancing algorithm will result into core | |
| 817137-1 | 2-Critical | SSO setting for Portal Access resources in webtop sections cannot be updated. | |
| 1006893-2 | 2-Critical | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | |
| 998473-2 | 3-Major | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) | |
| 993457-2 | 3-Major | TMM core with ACCESS::policy evaluate iRule | |
| 969317-3 | 3-Major | "Restrict to Single Client IP" option is ignored for vmware VDI | |
| 968893-2 | 3-Major | TMM crash when processing APM traffic | |
| 964037 | 3-Major | Error: Exception response while loading properties from server | |
| 949477-1 | 3-Major | NTLM RPC exception: Failed to verify checksum of the packet | |
| 933129-2 | 3-Major | Portal Access resources are visible when they should not be | |
| 932213-2 | 3-Major | Local user db not synced to standby device when it is comes online after forced offline state | |
| 918717-2 | 3-Major | Exception at rewritten Element.innerHTML='<a href></a>' | |
| 915509-1 | 3-Major | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | |
| 891613-1 | 3-Major | RDP resource with user-defined address cannot be launched from webtop with modern customization | |
| 1021485-2 | 3-Major | VDI desktops and apps freeze with Vmware and Citrix intermittently | |
| 1017233-1 | 3-Major | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | |
| 1007677-1 | 3-Major | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | |
| 1007629-1 | 3-Major | APM policy configured with many ACL policies can create APM memory pressure | |
| 1002557-2 | 3-Major | Tcl free object list growth | |
| 1001337-1 | 3-Major | Cannot read single sign-on configuration from GUI when logged in as guest |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1012721-1 | 2-Critical | Tmm may crash with SIP-ALG deployment in a particular race condition | |
| 1012533-1 | 2-Critical | `HTTP2::disable serverside` can cause cores | |
| 1007113-1 | 2-Critical | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | |
| 1030689-2 | 3-Major | TMM may consume excessive resources while processing Diameter traffic | |
| 1025529-1 | 3-Major | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | |
| 1018285-1 | 4-Minor | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | |
| 1003633-3 | 4-Minor | There might be wrong memory handling when message routing feature is used |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 968533 | 2-Critical | Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. | |
| 1049229-2 | 2-Critical | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | |
| 997169 | 3-Major | AFM rule not triggered | |
| 995433 | 3-Major | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | |
| 1032329 | 3-Major | A user with role "Firewall Manager" cannot open the Rule List editor in UI | |
| 1031909-1 | 3-Major | NAT policies page unusable due to the page load time | |
| 987345-1 | 5-Cosmetic | Disabling periodic-refresh-log has no effect |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 981693-1 | 2-Critical | TMM may consume excessive resources while processing IPSec ALG traffic | |
| 981689-2 | 2-Critical | TMM memory leak with IPsec ALG |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 984657-3 | 3-Major | Sysdb variable not working from tmsh | |
| 686783-2 | 4-Minor | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | |
| 1032689-3 | 4-Minor | UlrCat Custom db feedlist is not working for www.croupiest.com with attached feedlist file |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 929213-1 | 3-Major | iAppLX packages not rolled forward after BIG-IP upgrade★ |
iApp Technology Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 946185-1 | 3-Major | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ |
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 949933-1 | CVE-2021-22980 | K29282483 | BIG-IP APM CTU vulnerability CVE-2021-22980 |
| 1017973-2 | CVE-2021-25215 | K96223611 | BIND Vulnerability CVE-2021-25215 |
| 1017965-2 | CVE-2021-25214 | K11426315 | BIND Vulnerability CVE-2021-25214 |
| 981273-2 | CVE-2021-23054 | K41997459 | APM webtop hardening |
| 965485-3 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL |
| 949889-3 | CVE-2019-3900 | K04107324 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() |
| 803965-7 | CVE-2018-20843 | K51011533 | Expat Vulnerability: CVE-2018-20843 |
| 797797-4 | CVE-2019-11811 | K01512680 | CVE-2019-11811 kernel: use-after-free in drivers |
| 797769-9 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 |
| 968733-6 | CVE-2018-1120 | K42202505 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service |
| 939421-2 | CVE-2020-10029 | K38481791 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 913729-5 | 2-Critical | Support for DNSSEC Lookaside Validation (DLV) has been removed. | |
| 907765-1 | 2-Critical | BIG-IP system does not respond to ARP requests if it has a route to the source IP address | |
| 1014433 | 2-Critical | Time stamp format is not the same for all LTM logs | |
| 948073-2 | 3-Major | Dual stack download support for IP Intelligence Database | |
| 923301-2 | 3-Major | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | |
| 911141-3 | 3-Major | GTP v1 APN is not decoded/encoded properly | |
| 876937-3 | 3-Major | DNS Cache not functioning | |
| 866073-2 | 3-Major | Add option to exclude stats collection in qkview to avoid very large data files | |
| 1001865-2 | 3-Major | No platform trunk information passed to tenant | |
| 751032-5 | 4-Minor | TCP receive window may open too slowly after zero-window |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1032761 | 1-Blocking | HA mirroring may not function correctly | |
| 1004833-2 | 1-Blocking | NIST SP800-90B compliance | |
| 1002109-3 | 1-Blocking | Xen binaries do not follow security best practices | |
| 988645 | 2-Critical | Traffic may be affected after tmm is aborted and restarted | |
| 987113-1 | 2-Critical | CMP state degraded while under heavy traffic | |
| 980325-5 | 2-Critical | Chmand core due to memory leak from dossier requests. | |
| 974241-1 | 2-Critical | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | |
| 967905-2 | 2-Critical | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | |
| 944513-2 | 2-Critical | Apache configuration file hardening | |
| 941893-3 | 2-Critical | VE performance tests in Azure causes loss of connectivity to objects in configuration | |
| 928029-2 | 2-Critical | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | |
| 1027637 | 2-Critical | System controller failover may cause dropped requests | |
| 1004517-2 | 2-Critical | BIG-IP tenants on VELOS cannot install EHFs | |
| 1000973-3 | 2-Critical | Unanticipated restart of TMM due to heartbeat failure | |
| 998221-3 | 3-Major | Accessing pool members from configuration utility is slow with large config | |
| 996593-2 | 3-Major | Password change through REST or GUI not allowed if the password is expired | |
| 992865 | 3-Major | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | |
| 988793 | 3-Major | SecureVault on BIG-IP tenant does not store unit key securely | |
| 985537-1 | 3-Major | Upgrade Microsoft Hyper-V driver★ | |
| 976505-2 | 3-Major | Rotated restnoded logs will fail logintegrity verification. | |
| 975809-1 | 3-Major | Rotated restjavad logs fail logintegrity verification. | |
| 973201-2 | 3-Major | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | |
| 969713-1 | 3-Major | IPsec interface mode tunnel may fail to pass packets after first IPsec rekey | |
| 969105-2 | 3-Major | HA failover connections via the management address do not work on vCMP guests running on VIPRION | |
| 964941-1 | 3-Major | IPsec interface-mode tunnel does not initiate or respond after config change | |
| 959629-2 | 3-Major | Logintegrity script for restjavad/restnoded fails | |
| 958353-2 | 3-Major | Restarting the mcpd messaging service renders the PAYG VE license invalid. | |
| 956293-2 | 3-Major | High CPU from analytics-related REST calls - Dashboard TMUI | |
| 946089-2 | 3-Major | BIG-IP might send excessive multicast/broadcast traffic. | |
| 932497-3 | 3-Major | Autoscale groups require multiple syncs of datasync-global-dg | |
| 928697-2 | 3-Major | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | |
| 919305-2 | 3-Major | Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS | |
| 913849-1 | 3-Major | Syslog-ng periodically logs nothing for 20 seconds | |
| 908601-2 | 3-Major | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | |
| 895781-2 | 3-Major | Round Robin disaggregation does not disaggregate globally | |
| 889045-3 | 3-Major | Virtual server may stop responding while processing TCP traffic | |
| 880289 | 3-Major | FPGA firmware changes during configuration loads★ | |
| 850193-4 | 3-Major | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | |
| 849157-2 | 3-Major | An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck | |
| 841277-7 | 3-Major | C4800 LCD fails to load after annunciator hot-swap | |
| 827033-1 | 3-Major | Boot marker is being logged before shutdown logs | |
| 746861-3 | 3-Major | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | |
| 1029105 | 3-Major | Hardware SYN cookie mode state change logs bogus virtual server address | |
| 1024853 | 3-Major | Platform Agent logs to ERROR severity on success | |
| 1013649-4 | 3-Major | Leftover files in /var/run/key_mgmt after key export | |
| 1010393-4 | 3-Major | Unable to relax AS-path attribute in multi-path selection | |
| 1008837-2 | 3-Major | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | |
| 1002761-1 | 3-Major | SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure | |
| 962249-2 | 4-Minor | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm | |
| 921365-1 | 4-Minor | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | |
| 921065 | 4-Minor | BIG-IP systems not responding to DPD requests from initiator after failover | |
| 898441-1 | 4-Minor | Enable logging of IKE keys | |
| 819053 | 4-Minor | CVE-2019-13232 unzip: overlapping of files in ZIP container | |
| 1004417-3 | 4-Minor | Provisioning error message during boot up★ |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1029357 | 1-Blocking | Performance drop during traffic test on VIPRION (B2250, C2400) platforms | |
| 945997-2 | 2-Critical | LTM policy applied to HTTP/2 traffic may crash TMM | |
| 943101-2 | 2-Critical | Tmm crash in cipher group delete. | |
| 942185-2 | 2-Critical | Non-mirrored persistence records may accumulate over time | |
| 934461-2 | 2-Critical | Connection error with server with TLS1.3 single-dh-use. | |
| 1039145-3 | 2-Critical | Tenant mirroring channel disconnects with peer and never reconnects after failover | |
| 1005489-2 | 2-Critical | iRules with persist command might result in tmm crash. | |
| 997929-3 | 3-Major | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | |
| 969637-2 | 3-Major | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | |
| 963713-1 | 3-Major | HTTP/2 virtual server with translate-disable can core tmm | |
| 956133-3 | 3-Major | MAC address might be displayed as 'none' after upgrading★ | |
| 944641-1 | 3-Major | HTTP2 send RST_STREAM when exceeding max streams | |
| 941481-2 | 3-Major | iRules LX - nodejs processes consuming excessive memory | |
| 941257-1 | 3-Major | Occasional Nitrox3 ZIP engine hang | |
| 940665-1 | 3-Major | DTLS 1.0 support for PFS ciphers | |
| 930385-3 | 3-Major | SSL filter does not re-initialize when an OCSP object is modified | |
| 912425-3 | 3-Major | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | |
| 891373-2 | 3-Major | BIG-IP does not shut a connection for a HEAD request | |
| 887965-1 | 3-Major | Virtual server may stop responding while processing TCP traffic | |
| 882549-2 | 3-Major | Sock driver does not use multiple queues in unsupported environments | |
| 819329-4 | 3-Major | Specific FIPS device errors will not trigger failover | |
| 818833-1 | 3-Major | TCP re-transmission during SYN Cookie activation results in high latency | |
| 760050-8 | 3-Major | "cwnd too low" warning message seen in logs | |
| 1020941-2 | 3-Major | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | |
| 1016113-3 | 3-Major | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | |
| 962433-4 | 4-Minor | HTTP::retry for a HEAD request fails to create new connection | |
| 962177-2 | 4-Minor | Results of POLICY::names and POLICY::rules commands may be incorrect | |
| 912945-2 | 4-Minor | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | |
| 895557-2 | 4-Minor | NTLM profile logs error when used with profiles that do redirect | |
| 751586-3 | 4-Minor | Http2 virtual does not honour translate-address disabled | |
| 1018493-2 | 4-Minor | Response code 304 from TMM Cache always closes TCP connection. |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 910633-1 | 2-Critical | Continuous 'neurond restart' message on console | |
| 1004633-3 | 2-Critical | Performance degradation on KVM and VMware platforms. | |
| 948417-2 | 3-Major | Network Management Agent (Azure NMAgent) updates causes Kernel Panic |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1039069-2 | 1-Blocking | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | |
| 995853-2 | 2-Critical | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | |
| 918597-5 | 2-Critical | Under certain conditions, deleting a topology record can result in a crash. | |
| 993489-3 | 3-Major | GTM daemon leaks memory when reading GTM link objects | |
| 973261-2 | 3-Major | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | |
| 937333-2 | 3-Major | Incomplete validation of input in unspecified forms | |
| 912001-3 | 3-Major | TMM cores on secondary blades of the Chassis system. | |
| 864797-2 | 3-Major | Cached results for a record are sent following region modification | |
| 857953-2 | 4-Minor | Non-functional disable/enable buttons present in GTM wide IP members page |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 996381-3 | 2-Critical | ASM attack signature may not match as expected | |
| 970329-3 | 2-Critical | ASM hardening | |
| 965229-2 | 2-Critical | ASM Load hangs after upgrade★ | |
| 957965-1 | 2-Critical | Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' | |
| 898365-1 | 2-Critical | XML Policy cannot be imported | |
| 854001-2 | 2-Critical | TMM might crash in case of trusted bot signature and API protected url | |
| 791669-2 | 2-Critical | TMM might crash when Bot Defense is configured for multiple domains | |
| 1017645-2 | 2-Critical | False positive HTTP compliance violation | |
| 986937-1 | 3-Major | Cannot create child policy when the signature staging setting is not equal in template and parent policy | |
| 981785-3 | 3-Major | Incorrect incident severity in Event Correlation statistics | |
| 981069-1 | 3-Major | Reset cause: "Internal error ( requested abort (payload release error))" | |
| 964245-2 | 3-Major | ASM reports and enforces username always | |
| 963485-1 | 3-Major | Performance issue with data guard | |
| 963461-1 | 3-Major | ASM performance drop on the response side | |
| 962589-2 | 3-Major | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | |
| 962497 | 3-Major | BD crash after ICAP response | |
| 955017-2 | 3-Major | Excessive CPU consumption by asm_config_event_handler | |
| 954425-2 | 3-Major | Hardening of Live-Update | |
| 951133-2 | 3-Major | Live Update does not work properly after upgrade★ | |
| 950917-1 | 3-Major | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | |
| 946081-1 | 3-Major | Getcrc tool help displays directory structure instead of version | |
| 928717-3 | 3-Major | [ASM - AWS] - ASU fails to sync | |
| 922261-2 | 3-Major | WebSocket server messages are logged even it is not configured | |
| 920197-3 | 3-Major | Brute force mitigation can stop mitigating without a notification | |
| 912089-2 | 3-Major | Some roles are missing necessary permission to perform Live Update | |
| 907337-2 | 3-Major | BD crash on specific scenario | |
| 888289-1 | 3-Major | Add option to skip percent characters during normalization | |
| 883853-2 | 3-Major | Bot Defense Profile with staged signatures prevents signature update★ | |
| 867825-4 | 3-Major | Export/Import on a parent policy leaves children in an inconsistent state | |
| 862793-1 | 3-Major | ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation | |
| 846181-3 | 3-Major | Request samples for some of the learning suggestions are not visible | |
| 837333-1 | 3-Major | User cannot update blocking response pages after upgrade★ | |
| 830341-2 | 3-Major | False positives Mismatched message key on ASM TS cookie | |
| 802873-2 | 3-Major | Manual changes to policy imported as XML may introduce corruption for Login Pages | |
| 673272-2 | 3-Major | Search by "Signature ID is" does not return results for some signature IDs | |
| 1022269-2 | 3-Major | False positive RFC compliant violation | |
| 1005105-1 | 3-Major | Requests are missing on traffic event logging | |
| 1000741-3 | 3-Major | Fixing issue with input normalization | |
| 952509-2 | 4-Minor | Cross origin AJAX requests are blocked in case there is no Origin header | |
| 944441-2 | 4-Minor | BD_XML logs memory usage at TS_DEBUG level | |
| 941929-2 | 4-Minor | Google Analytics shows incorrect stats, when Google link is redirected. | |
| 941625-1 | 4-Minor | BD sometimes encounters errors related to TS cookie building | |
| 941249-2 | 4-Minor | Improvement to getcrc tool to print cookie names when cookie attributes are involved | |
| 911729-2 | 4-Minor | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | |
| 1004537-1 | 4-Minor | Traffic Learning: Accept actions for multiple suggestions not localized |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 965581-2 | 2-Critical | Statistics are not reported to BIG-IQ | |
| 932485-3 | 3-Major | Incorrect sum(hits_count) value in aggregate tables | |
| 913085-1 | 3-Major | Avrd core when avrd process is stopped or restarted | |
| 909161-3 | 3-Major | A core file is generated upon avrd process restart or stop | |
| 833113-6 | 3-Major | Avrd core when sending large messages via https |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 934393-2 | 1-Blocking | APM authentication fails due to delay in sessionDB readiness | |
| 995029-3 | 2-Critical | Configuration is not updated during auto-discovery | |
| 891505-3 | 2-Critical | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | |
| 874949-1 | 2-Critical | TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. | |
| 997641 | 3-Major | APM policy ending with redirection results in policy execution failure | |
| 984765-1 | 3-Major | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | |
| 946125-2 | 3-Major | Tmm restart adds 'Revoked' tokens to 'Active' token count | |
| 924521-2 | 3-Major | OneConnect does not work when WEBSSO is enabled/configured. | |
| 903573 | 3-Major | AD group cache query performance | |
| 896125-2 | 3-Major | Reuse Windows Logon Credentials feature does not work with modern access policies | |
| 894885-3 | 3-Major | [SAML] SSO crash while processing client SSL request | |
| 881641 | 3-Major | Errors on VPN client status window in non-English environment | |
| 869653-1 | 3-Major | VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction | |
| 866109-2 | 3-Major | JWK keys frequency does not support fewer than 60 minutes | |
| 827325-1 | 3-Major | JWT token verification failure | |
| 825493-1 | 3-Major | JWT token verification failure | |
| 738865-6 | 3-Major | MCPD might enter into loop during APM config validation | |
| 470346-3 | 3-Major | Some IPv6 client connections get RST when connecting to APM virtual | |
| 1001041-3 | 3-Major | Reset cause 'Illegal argument' | |
| 939877-1 | 4-Minor | OAuth refresh token not found | |
| 747234-7 | 4-Minor | Macro policy does not find corresponding access-profile directly |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 993913-2 | 2-Critical | TMM SIGSEGV core in Message Routing Framework | |
| 974881-2 | 2-Critical | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | |
| 1007821-1 | 2-Critical | SIP message routing may cause tmm crash | |
| 996113-1 | 3-Major | SIP messages with unbalanced escaped quotes in headers are dropped | |
| 989753-2 | 3-Major | In HA setup, standby fails to establish connection to server | |
| 957029-1 | 3-Major | MRF Diameter loop-detection is enabled by default | |
| 805821-3 | 3-Major | GTP log message contains no useful information | |
| 788625-1 | 3-Major | A pool member is not marked up by the inband monitor even after successful connection to the pool member | |
| 1008561-1 | 3-Major | In very rare condition, BIG-IP may crash when SIP ALG is deployed | |
| 919301-3 | 4-Minor | GTP::ie count does not work with -message option | |
| 916781-1 | 4-Minor | Validation error while attaching DoS profile to GTP virtual | |
| 913413-3 | 4-Minor | 'GTP::header extension count' iRule command returns 0 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 987637-2 | 1-Blocking | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | |
| 1016633 | 2-Critical | iprep.protocol with auto-detect fails when DNS takes time to resolve | |
| 992213-2 | 3-Major | Protocol Any displayed as HOPTOPT in AFM policy view | |
| 988761-1 | 3-Major | Cannot create Protected Object in GUI | |
| 988005-1 | 3-Major | Zero active rules counters in GUI | |
| 987605-2 | 3-Major | DDoS: ICMP attacks are not hardware-mitigated | |
| 759799-3 | 3-Major | New rules cannot be compiled | |
| 685904-1 | 3-Major | Firewall Rule hit counts are not auto-updated after a Reset is done | |
| 1016309-1 | 3-Major | When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. | |
| 1012521-2 | 3-Major | BIG-IP UI file permissions | |
| 1012413-3 | 3-Major | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled | |
| 1000405-2 | 3-Major | VLAN/Tunnels not listed when creating a new rule via GUI | |
| 977005-1 | 4-Minor | Network Firewall Policy rules-list showing incorrect 'Any' for source column | |
| 1014609 | 4-Minor | Tunnel_src_ip support for dslite event log for type field list |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1019481 | 2-Critical | Unable to provision PEM on VELOS platform |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 994985-2 | 3-Major | CGNAT GUI shows blank page when applying SIP profile |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 968741-1 | 2-Critical | Traffic Intelligence pages not visible | |
| 913453-5 | 2-Critical | URL Categorization: wr_urldbd cores while processing urlcat-query | |
| 901041-3 | 2-Critical | CEC update using incorrect method of determining number of blades in VIPRION chassis★ | |
| 893721-2 | 2-Critical | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | |
| 958085-3 | 3-Major | IM installation fails with error: Spec file not found★ | |
| 948573-4 | 3-Major | Wr_urldbd list of valid TLDs needs to be updated | |
| 846601-4 | 3-Major | Traffic classification does not update when an inactive slot becomes active after upgrade★ | |
| 974205-3 | 4-Minor | Unconstrained wr_urldbd size causing box to OOM |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 970829-5 | 2-Critical | K03310534 | iSeries LCD incorrectly displays secure mode |
Protocol Inspection Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1018145-1 | 3-Major | Firewall Manager user role is not allowed to configure/view protocol inspection profiles |
Guided Configuration Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1013569 | 3-Major | Hardening of iApps processing |
In-tmm monitors Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 822245-2 | 4-Minor | Large number of in-TMM monitors results in some monitors being marked down |
SSL Orchestrator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 947925-1 | 3-Major | TMM may crash when executing L7 Protocol Lookup per-request policy agent | |
| 918317-2 | 3-Major | SSL Orchestrator resets subsequent requests when HTTP services are being used. |
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 989317-12 | CVE-2021-23023 | K33757590 | Windows Edge Client does not follow best practice |
| 989009-3 | CVE-2021-23033 | K05314769 | BD daemon may crash while processing WebSocket traffic |
| 981461-4 | CVE-2021-23032 | K45407662 | Unspecified DNS responses cause TMM crash |
| 980125-3 | CVE-2021-23030 | K42051445 | BD Daemon may crash while processing WebSocket traffic |
| 962341 | CVE-2021-23028 | K00602225 | BD crash while processing JSON content |
| 946377-2 | CVE-2021-23027 | K24301698 | HSM WebUI Hardening |
| 1007049-3 | CVE-2021-23034 | K30523121 | TMM may crash while processing DNS traffic |
| 996753-2 | CVE-2021-23050 | K44553214 | ASM BD process may crash while processing HTML traffic |
| 984613-11 | CVE-2021-23022 | K08503505 | CVE-2020-5896 - Edge Client Installer Vulnerability |
| 968349 | CVE-2021-23048 | K19012930 | TMM crashes with unspecified message |
| 962069-3 | CVE-2021-23047 | K79428827 | Excessive resource consumption while processing OSCP requests via APM |
| 950017-2 | CVE-2021-23045 | K94941221 | TMM may crash while processing SCTP traffic |
| 942701-2 | CVE-2021-23044 | K35408374 | TMM may consume excessive resources while processing HTTP traffic |
| 906377-2 | CVE-2021-23038 | K61643620 | iRulesLX hardening |
| 1015381-5 | CVE-2021-23022 | K08503505 | Windows Edge Client does not follow best practices while installing |
| 1009773 | CVE-2021-23051 | K01153535 | AWS deployments of TMM may crash while processing traffic |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 737692-4 | 2-Critical | Handle x520 PF DOWN/UP sequence automatically by VE | |
| 1024421-1 | 3-Major | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 994801-3 | 3-Major | SCP file transfer system | |
| 958465-2 | 3-Major | in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | |
| 950849-4 | 3-Major | B4450N blades report page allocation failure.★ | |
| 948717-3 | 3-Major | F5-pf_daemon_cond_restart uses excessive CPU★ | |
| 1032001-1 | 3-Major | Statemirror address can be configured on management network or clusterd restarting | |
| 1006345-1 | 3-Major | Static mac entry on trunk is not programmed on CPU-only blades |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1019081-3 | 2-Critical | K97045220 | HTTP/2 hardening |
| 980821-2 | 3-Major | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 943913-3 | 2-Critical | K30150004 | ASM attack signature does not match |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1020705-1 | 4-Minor | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 999317-8 | 2-Critical | K03544414 | Running Diagnostics report for Edge Client on Windows does not follow best practice |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 1019453-3 | 3-Major | Core generated for autodosd daemon when synchronization process is terminated |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 976365 | 3-Major | Traffic Classification hardening★ |
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 980809-2 | CVE-2021-23031 | K41351250 | ASM REST Signature Rule Keywords Tool Hardening |
| 959121-4 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
| 943081-3 | CVE-2021-23009 | K90603426 | Unspecified HTTP/2 traffic may cause TMM to crash |
| 935433-2 | CVE-2021-23026 | K53854428 | iControl SOAP |
| 882633-2 | CVE-2021-23008 | K51213246 | Active Directory authentication does not follow current best practices |
| 990333-5 | CVE-2021-23016 | K75540265 | APM may return unexpected content when processing HTTP requests |
| 975465-2 | CVE-2021-23049 | K65397301 | TMM may consume excessive resources while processing DNS iRules |
| 954429-2 | CVE-2021-23014 | K23203045 | User authorization changes for live update |
| 948769-5 | CVE-2021-23013 | K05300051 | TMM panic with SCTP traffic |
| 945109-2 | CVE-2015-9382 | K46641512 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 |
| 938233-2 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization |
| 937637-3 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
| 937365-2 | CVE-2021-23041 | K42526507 | LTM UI does not follow best practices |
| 907245-1 | CVE-2021-23040 | K94255403 | AFM UI Hardening |
| 907201-2 | CVE-2021-23039 | K66782293 | TMM may crash when processing IPSec traffic |
| 877109-1 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy |
| 842829-1 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 | K04367730 | Multiple tcpdump vulnerabilities |
| 832757 | CVE-2017-18551 | K48073202 | Linux kernel vulnerability CVE-2017-18551 |
| 803933-7 | CVE-2018-20843 | K51011533 | Expat XML parser vulnerability CVE-2018-20843 |
| 718189-9 | CVE-2021-23011 | K10751325 | Unspecified IP traffic can cause low-memory conditions |
| 1003557-3 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
| 1003105-3 | CVE-2021-23015 | K74151369 | iControl Hardening |
| 1002561-5 | CVE-2021-23007 | K37451543 | TMM vulnerability CVE-2021-23007 |
| 825413-4 | CVE-2021-23053 | K36942191 | ASM may consume excessive resources when matching signatures |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 933777-1 | 3-Major | Context use and syntax changes clarification | |
| 930005-2 | 3-Major | Recover previous QUIC cwnd value on spurious loss | |
| 913829-4 | 3-Major | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | |
| 794417-4 | 3-Major | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | |
| 918097-3 | 4-Minor | Cookies set in the URI on Safari |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 995629-3 | 2-Critical | Loading UCS files may hang if ASM is provisioned★ | |
| 990849-2 | 2-Critical | Loading UCS with platform-migrate option hangs and requires exiting from the command★ | |
| 908517-3 | 2-Critical | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | |
| 888341-7 | 2-Critical | HA Group failover may fail to complete Active/Standby state transition | |
| 886693-3 | 2-Critical | System may become unresponsive after upgrading★ | |
| 860349-3 | 2-Critical | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | |
| 785017-3 | 2-Critical | Secondary blades go offline after new primary is elected | |
| 776393-3 | 2-Critical | Restjavad restarts frequently due to insufficient memory with relatively large configurations | |
| 969213-1 | 3-Major | VMware: management IP cannot be customized via net.mgmt.addr property | |
| 963049-1 | 3-Major | Unexpected config loss when modifying protected object | |
| 963017-2 | 3-Major | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | |
| 946745-2 | 3-Major | 'System Integrity: Invalid' after Engineering Hotfix installation | |
| 945265-4 | 3-Major | BGP may advertise default route with incorrect parameters | |
| 939541-2 | 3-Major | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | |
| 936125-2 | 3-Major | SNMP request times out after configuring IPv6 trap destination | |
| 934941-2 | 3-Major | Platform FIPS power-up self test failures not logged to console | |
| 934065-1 | 3-Major | The turboflex-low-latency and turboflex-dns are missing. | |
| 927941-5 | 3-Major | IPv6 static route BFD does not come up after OAMD restart | |
| 922297-2 | 3-Major | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | |
| 914245-2 | 3-Major | Reboot after tmsh load sys config changes sys FPGA firmware-config value | |
| 914081-1 | 3-Major | Engineering Hotfixes missing bug titles | |
| 913433-3 | 3-Major | On blade failure, some trunked egress traffic is dropped. | |
| 908021-1 | 3-Major | Management and VLAN MAC addresses are identical | |
| 896553-3 | 3-Major | On blade failure, some trunked egress traffic is dropped. | |
| 896473-2 | 3-Major | Duplicate internal connections can tear down the wrong connection | |
| 893885-3 | 3-Major | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | |
| 891337-1 | 3-Major | 'save_master_key(master): Not ready to save yet' errors in the logs | |
| 889029-2 | 3-Major | Unable to login if LDAP user does not have search permissions | |
| 879829-2 | 3-Major | HA daemon sod cannot bind to ports numbered lower than 1024 | |
| 876805-3 | 3-Major | Modifying address-list resets the route advertisement on virtual servers. | |
| 862937-3 | 3-Major | Running cpcfg after first boot can result in daemons stuck in restart loop★ | |
| 839121-3 | 3-Major | K74221031 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ |
| 829821-1 | 3-Major | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | |
| 820845-3 | 3-Major | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | |
| 809205-6 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | |
| 803237-2 | 3-Major | PVA does not validate interface MTU when setting MSS | |
| 799001-1 | 3-Major | Sflow agent does not handle disconnect from SNMPD manager correctly | |
| 787885-2 | 3-Major | The device status is falsely showing as forced offline on the network map while actual device status is not. | |
| 749007-1 | 3-Major | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | |
| 692218-1 | 3-Major | Audit log messages sent from the primary blade to the secondaries should not be logged. | |
| 675911-12 | 3-Major | K13272442 | Different sections of the GUI can report incorrect CPU utilization |
| 615934-6 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
| 569859-7 | 3-Major | Password policy enforcement for root user when mcpd is not available | |
| 966277-1 | 4-Minor | BFD down on multi-blade system | |
| 959889-2 | 4-Minor | Cannot update firewall rule with ip-protocol property as 'any' | |
| 947865-2 | 4-Minor | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | |
| 887505-1 | 4-Minor | Coreexpiration script improvement | |
| 879189-1 | 4-Minor | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 910653-5 | 2-Critical | iRule parking in clientside/serverside command may cause tmm restart | |
| 882157-1 | 2-Critical | One thread of pkcs11d consumes 100% without any traffic. | |
| 738964-4 | 2-Critical | Instruction logger debugging enhancement | |
| 1001509 | 2-Critical | K11162395 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates |
| 968641-2 | 3-Major | Fix for zero LACP priority | |
| 953845-1 | 3-Major | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | |
| 946953-1 | 3-Major | HTTP::close used in iRule might not close connection. | |
| 928857-2 | 3-Major | Use of OCSP responder may leak X509 store instances | |
| 928805-2 | 3-Major | Use of OCSP responder may cause memory leakage | |
| 928789-2 | 3-Major | Use of OCSP responder may leak SSL handshake instances | |
| 921881-2 | 3-Major | Use of IPFIX log destination can result in increased CPU utilization | |
| 921721-1 | 3-Major | FIPS 140-2 SP800-56Arev3 compliance | |
| 889601-3 | 3-Major | K14903688 | OCSP revocation not properly checked |
| 889165-3 | 3-Major | "http_process_state_cx_wait" errors in log and connection reset | |
| 888517-2 | 3-Major | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★ | |
| 858701-1 | 3-Major | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | |
| 845333-6 | 3-Major | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | |
| 842517-2 | 3-Major | CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails | |
| 785877-5 | 3-Major | VLAN groups do not bridge non-link-local multicast traffic. | |
| 767341-1 | 3-Major | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | |
| 756812-3 | 3-Major | Nitrox 3 instruction/request logger may fail due to SELinux permission error | |
| 696755-5 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
| 804157-3 | 4-Minor | ICMP replies are forwarded with incorrect checksums causing them to be dropped | |
| 748333-5 | 4-Minor | DHCP Relay does not retain client source IP address for chained relay mode | |
| 743253-2 | 4-Minor | TSO in software re-segments L3 fragments. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 960749-2 | 1-Blocking | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | |
| 960437-2 | 2-Critical | The BIG-IP system may initially fail to resolve some DNS queries | |
| 971297-2 | 3-Major | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | |
| 921625-2 | 3-Major | The certs extend function does not work for GTM/DNS sync group | |
| 863917-2 | 3-Major | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | |
| 858973-1 | 3-Major | DNS request matches less specific WideIP when adding new wildcard wideips | |
| 835209-3 | 3-Major | External monitors mark objects down | |
| 896861-2 | 4-Minor | PTR query enhancement for RESOLVER::name_lookup | |
| 885201-2 | 4-Minor | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 846057-3 | 2-Critical | UCS backup archive may include unnecessary files | |
| 960369-2 | 3-Major | Negative value suggested in Traffic Learning as max value | |
| 956373-2 | 3-Major | ASM sync files not cleaned up immediately after processing | |
| 947341-1 | 3-Major | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | |
| 941621-2 | 3-Major | K91414704 | Brute Force breaks server's Post-Redirect-Get flow |
| 929077-2 | 3-Major | Bot Defense allow list does not apply when using default Route Domain and XFF header | |
| 929001-3 | 3-Major | K48321015 | ASM form handling improvements |
| 928685-2 | 3-Major | K49549213 | ASM Brute Force mitigation not triggered as expected |
| 921677-2 | 3-Major | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | |
| 910253-2 | 3-Major | BD error on HTTP response after upgrade★ | |
| 884425-2 | 3-Major | Creation of new allowed HTTP URL is not possible | |
| 868053-3 | 3-Major | Live Update service indicates update available when the latest update was already installed | |
| 867373-4 | 3-Major | Methods Missing From ASM Policy | |
| 864677-1 | 3-Major | ASM causes high mcpd CPU usage | |
| 856725-1 | 3-Major | Missing learning suggestion for "Illegal repeated parameter name" violation | |
| 964897-2 | 4-Minor | Live Update - Indication of "Update Available" when there is no available update | |
| 962817-2 | 4-Minor | Description field of a JSON policy overwrites policy templates description | |
| 956105-2 | 4-Minor | Websocket URLs content profiles are not created as expected during JSON Policy import | |
| 935293-2 | 4-Minor | 'Detected Violation' Field for event logs not showing | |
| 922785-2 | 4-Minor | Live Update scheduled installation is not installing on set schedule | |
| 824093-5 | 4-Minor | Parameters payload parser issue |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 981385-3 | 3-Major | AVRD does not send HTTP events to BIG-IQ DCD | |
| 949593-3 | 3-Major | Unable to load config if AVR widgets were created under '[All]' partition★ | |
| 924945-3 | 3-Major | Fail to detach HTTP profile from virtual server | |
| 869049-4 | 3-Major | Charts discrepancy in AVR reports |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 894565-1 | 2-Critical | Autodosd.default crash with SIGFPE | |
| 879401-1 | 2-Critical | K90423190 | Memory corruption during APM SAML SSO |
| 976501-2 | 3-Major | Failed to establish VPN connection | |
| 952557-2 | 3-Major | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | |
| 925573-6 | 3-Major | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | |
| 916969-3 | 3-Major | Support of Microsoft Identity 2.0 platform | |
| 888145-2 | 3-Major | When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property | |
| 883577-4 | 3-Major | ACCESS::session irule command does not work in HTTP_RESPONSE event | |
| 831517-2 | 3-Major | TMM may crash when Network Access tunnel is used |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 833213-1 | 3-Major | Conditional requests are served incorrectly with AAM policy in webacceleration profile |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 982869-1 | 3-Major | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | |
| 977053-2 | 3-Major | TMM crash on standby due to invalid MR router instance | |
| 966701-2 | 3-Major | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | |
| 952545-2 | 3-Major | 'Current Sessions' statistics of HTTP2 pool may be incorrect | |
| 913373-2 | 3-Major | No connection error after failover with MRF, and no connection mirroring |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 945853-2 | 2-Critical | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | |
| 969509-4 | 3-Major | Possible memory corruption due to DOS vector reset | |
| 965617-3 | 3-Major | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | |
| 963237-3 | 3-Major | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | |
| 937749-3 | 3-Major | The 'total port blocks' value for NAT stats is limited to 64 bits of range | |
| 903561-3 | 3-Major | Autodosd returns small bad destination detection value when the actual traffic is high | |
| 887017-3 | 3-Major | The dwbld daemon consumes a large amount of memory | |
| 837233-3 | 3-Major | Application Security Administrator user role cannot use GUI to manage DoS profile | |
| 716746-3 | 3-Major | Possible tmm restart when disabling single endpoint vector while attack is ongoing | |
| 967889-1 | 4-Minor | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | |
| 748561-2 | 4-Minor | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 928553-3 | 2-Critical | LSN64 with hairpinning can lead to a tmm core in rare circumstances | |
| 966681-1 | 3-Major | NAT translation failures while using SP-DAG in a multi-blade chassis |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 998085-1 | 3-Major | BIG-IP DataSafe GUI does not save changes |
Anomaly Detection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 932737-2 | 2-Critical | DNS & BADOS high-speed logger messages are mixed | |
| 922597-2 | 3-Major | BADOS default sensitivity of 50 creates false positive attack on some sites | |
| 914293-3 | 3-Major | TMM SIGSEGV and crash |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 874677-1 | 2-Critical | Traffic Classification auto signature update fails from GUI★ |
iApp Technology Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 768085-4 | 4-Minor | Error in python script /usr/libexec/iAppsLX_save_pre line 79 |
Protocol Inspection Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 964585-3 | 3-Major | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | |
| 825501-3 | 3-Major | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | |
| 964577-3 | 4-Minor | IPS automatic IM download not working as expected |
BIG-IP Risk Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 969385-2 | 3-Major | Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. |
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 975233-2 | CVE-2021-22992 | K52510511 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 |
| 973333-5 | CVE-2021-22991 | K56715231 | TMM buffer-overflow vulnerability CVE-2021-22991 |
| 955145-2 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
| 954381-2 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
| 953677-2 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
| 951705-2 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
| 950077-2 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
| 981169-2 | CVE-2021-22994 | K66851119 | F5 TMUI XSS vulnerability CVE-2021-22994 |
| 953729-2 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 |
| 931837-1 | CVE-2020-13817 | K55376430 | NTP has predictable timestamps |
| 976925-2 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
| 935401-2 | CVE-2021-23001 | K06440657 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 |
| 743105-2 | CVE-2021-22998 | K31934524 | BIG-IP SNAT vulnerability CVE-2021-22998 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 867793-1 | 3-Major | BIG-IP sending the wrong trap code for BGP peer state |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 942497-1 | 2-Critical | Declarative onboarding unable to download and install RPM | |
| 940021-3 | 2-Critical | Syslog-ng hang may lead to unexpected reboot | |
| 932437-2 | 2-Critical | Loading SCF file does not restore files from tar file★ | |
| 915305-5 | 2-Critical | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | |
| 838713 | 2-Critical | LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' | |
| 829277-2 | 2-Critical | A Large /config folder can cause memory exhaustion during live-install★ | |
| 739505-3 | 2-Critical | Automatic ISO digital signature checking not required when FIPS license active★ | |
| 967745 | 3-Major | Last resort pool error for the modify command for Wide IP | |
| 956589-1 | 3-Major | The tmrouted daemon restarts and produces a core file | |
| 930905-4 | 3-Major | Management route lost after reboot. | |
| 904785-1 | 3-Major | Remotely authenticated users may experience difficulty logging in over the serial console | |
| 896817-2 | 3-Major | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | |
| 895837-3 | 3-Major | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | |
| 865177-4 | 3-Major | Cert-LDAP returning only first entry in the sequence that matches san-other oid | |
| 842189-4 | 3-Major | Tunnels removed when going offline are not restored when going back online | |
| 830413-3 | 3-Major | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | |
| 806073-1 | 3-Major | MySQL monitor fails to connect to MySQL Server v8.0 | |
| 767737-4 | 3-Major | Timing issues during startup may make an HA peer stay in the inoperative state | |
| 853101-2 | 4-Minor | ERROR: syntax error at or near 'FROM' at character 17 |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 926929-3 | 1-Blocking | RFC Compliance Enforcement lacks configuration availability | |
| 911041-3 | 2-Critical | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | |
| 846217-3 | 2-Critical | Translucent vlan-groups set local bit in destination MAC address | |
| 841469-6 | 2-Critical | Application traffic may fail after an internal interface failure on a VIPRION system. | |
| 812525-1 | 2-Critical | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
| 974501-1 | 3-Major | Excessive memory usage by mirroring subsystem when remirroring | |
| 903581-1 | 3-Major | The pkcs11d process cannot recover under certain error condition | |
| 868209-3 | 3-Major | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | |
| 863401-1 | 3-Major | QUIC congestion window sometimes increases inappropriately | |
| 858301-1 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
| 858297-1 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
| 858289-1 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
| 858285-1 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
| 818109-1 | 3-Major | Certain plaintext traffic may cause SSL Orchestrator to hang | |
| 773253-5 | 4-Minor | The BIG-IP may send VLAN failsafe probes from a disabled blade | |
| 738032-3 | 4-Minor | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 953393-2 | 1-Blocking | TMM crashes when performing iterative DNS resolutions. | |
| 891093-1 | 3-Major | iqsyncer does not handle stale pidfile | |
| 853585-1 | 4-Minor | REST Wide IP object presents an inconsistent lastResortPool value |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 968421-2 | 2-Critical | K30291321 | ASM attack signature doesn't matched |
| 865289-1 | 2-Critical | TMM crash following DNS resolve with Bot Defense profile | |
| 913757-1 | 3-Major | Error viewing security policy settings for virtual server with FTP Protocol Security | |
| 758336-5 | 4-Minor | Incorrect recommendation in Online Help of Proactive Bot Defense |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 934721-2 | 2-Critical | TMM core due to wrong assert | |
| 743826-2 | 3-Major | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | |
| 648242-6 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 896709-3 | 2-Critical | Add support for Restart Desktop for webtop in VMware VDI | |
| 924929-2 | 3-Major | Logging improvements for VDI plugin | |
| 899009 | 3-Major | Azure Active Directory deployment fails on BIG-IP 15.1 | |
| 760629-5 | 3-Major | Remove Obsolete APM keys in BigDB |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 939529-2 | 3-Major | Branch parameter not parsed properly when topmost via header received with comma separated values |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 870381-1 | 2-Critical | Network Firewall Active Rule page does not load | |
| 919381-1 | 3-Major | Extend AFM subscriber aware policy rule feature to support multiple subscriber groups | |
| 870385-5 | 3-Major | TMM may restart under very heavy traffic load | |
| 906885-1 | 5-Cosmetic | Spelling mistake on AFM GUI Flow Inspector screen |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 845313-3 | 2-Critical | Tmm crash under heavy load | |
| 941169-4 | 3-Major | Subscriber Management is not working properly with IPv6 prefix flows. | |
| 875401-2 | 3-Major | PEM subcriber lookup can fail for internet side new connections |
Anomaly Detection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 915489-2 | 4-Minor | LTM Virtual Server Health is not affected by iRule Requests dropped |
BIG-IP Risk Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 921181 | 3-Major | Wrong error message upon bad credential stuffing configuration |
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 943125-2 | CVE-2021-23010 | K18570111 | ASM bd may crash while processing WebSocket traffic |
| 941449-2 | CVE-2021-22993 | K55237223 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 |
| 921337-2 | CVE-2021-22976 | K88230177 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 |
| 916821-2 | CVE-2021-22974 | K68652018 | iControl REST vulnerability CVE-2021-22974 |
| 882189-6 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 |
| 882185-6 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client Windows ActiveX |
| 881317-6 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
| 881293-6 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
| 939845-2 | CVE-2021-23004 | K31025212 | BIG-IP MPTCP vulnerability CVE-2021-23004 |
| 939841-2 | CVE-2021-23003 | K43470422 | BIG-IP MPTCP vulnerability CVE-2021-23003 |
| 924961-2 | CVE-2019-20892 | K45212738 | CVE-2019-20892: SNMP Vulnerability |
| 919989-2 | CVE-2020-5947 | K64571774 | TMM does not follow TCP best practices |
| 881445-7 | CVE-2020-5898 | K69154630 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 |
| 880361-1 | CVE-2021-22973 | K13323323 | iRules LX vulnerability CVE-2021-22973 |
| 842717-6 | CVE-2020-5855 | K55102004 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 |
| 693360-2 | CVE-2020-27721 | K52035247 | A virtual server status changes to yellow while still available |
| 773693-7 | CVE-2020-5892 | K15838353 | CVE-2020-5892: APM Client Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 920961-2 | 3-Major | Devices incorrectly report 'In Sync' after an incremental sync | |
| 756139-3 | 3-Major | Inconsistent logging of hostname files when hostname contains periods | |
| 754924-1 | 3-Major | New VLAN statistics added. | |
| 921421-3 | 4-Minor | iRule support to get/set UDP's Maximum Buffer Packets |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 957337-1 | 2-Critical | Tab complete in 'mgmt' tree is broken | |
| 933409-2 | 2-Critical | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | |
| 927033-2 | 2-Critical | Installer fails to calculate disk size of destination volume★ | |
| 910201-3 | 2-Critical | OSPF - SPF/IA calculation scheduling might get stuck infinitely | |
| 829677-2 | 2-Critical | .tmp files in /var/config/rest/ may cause /var directory exhaustion | |
| 796601-2 | 2-Critical | Invalid parameter in errdefsd while processing hostname db_variable | |
| 943669-1 | 3-Major | B4450 blade reboot | |
| 935801-4 | 3-Major | HSB diagnostics are not provided under certain types of failures | |
| 932233-2 | 3-Major | '@' no longer valid in SNMP community strings | |
| 930741-2 | 3-Major | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | |
| 920301-1 | 3-Major | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | |
| 911809-2 | 3-Major | TMM might crash when sending out oversize packets. | |
| 902401-5 | 3-Major | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | |
| 898705-5 | 3-Major | IPv6 static BFD configuration is truncated or missing | |
| 889041-3 | 3-Major | Failover scripts fail to access resolv.conf due to permission issues | |
| 879405-1 | 3-Major | Incorrect value in Transparent Nexthop property | |
| 867181-1 | 3-Major | ixlv: double tagging is not working | |
| 865241-1 | 3-Major | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | |
| 860317-3 | 3-Major | JavaScript Obfuscator can hang indefinitely | |
| 858197-2 | 3-Major | Merged crash when memory exhausted | |
| 846441-2 | 3-Major | Flow-control is reset to default for secondary blade's interface | |
| 846137-4 | 3-Major | The icrd returns incorrect route names in some cases | |
| 843597-1 | 3-Major | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | |
| 841649-4 | 3-Major | Hardware accelerated connection mismatch resulting in tmm core | |
| 838901-4 | 3-Major | TMM receives invalid rx descriptor from HSB hardware | |
| 826905-3 | 3-Major | Host traffic via IPv6 route pool uses incorrect source address | |
| 816229-3 | 3-Major | Kernel Log Messages Logged Twice | |
| 811053-6 | 3-Major | REBOOT REQUIRED prompt appears after failover and clsh reboot | |
| 811041-7 | 3-Major | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | |
| 810821-3 | 3-Major | Management interface flaps after rebooting the device | |
| 789181-5 | 3-Major | Link Status traps are not issued on VE based BIG-IP systems | |
| 755197-5 | 3-Major | UCS creation might fail during frequent config save transactions | |
| 754932-1 | 3-Major | New SNMP MIB, sysVlanIfcStat, for VLAN statistics. | |
| 737098-1 | 3-Major | ASM Sync does not work when the configsync IP address is an IPv6 address | |
| 933461-4 | 4-Minor | BGP multi-path candidate selection does not work properly in all cases. | |
| 924429-2 | 4-Minor | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | |
| 892677-1 | 4-Minor | Loading config file with imish adds the newline character | |
| 882713-3 | 4-Minor | BGP SNMP trap has the wrong sysUpTime value | |
| 583084-6 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 941089-3 | 2-Critical | TMM core when using Multipath TCP | |
| 915957-1 | 2-Critical | The wocplugin may get into a restart loop when AAM is provisioned | |
| 908873-1 | 2-Critical | Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core | |
| 908621-2 | 2-Critical | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | |
| 891849-1 | 2-Critical | Running iRule commands while suspending iRule commands that are running can lead to a crash | |
| 876801-5 | 2-Critical | Tmm crash: invalid route type | |
| 866481-2 | 2-Critical | TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode | |
| 851345-1 | 2-Critical | The TMM may crash in certain rare scenarios involving HTTP/2 | |
| 850873-3 | 2-Critical | LTM global SNAT sets TTL to 255 on egress. | |
| 726518-1 | 2-Critical | Tmsh show command terminated with CTRL-C can cause TMM to crash. | |
| 705768-2 | 2-Critical | The dynconfd process may core and restart with multiple DNS name servers configured | |
| 949145-5 | 3-Major | Improve TCP's response to partial ACKs during loss recovery | |
| 948757-2 | 3-Major | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | |
| 940209 | 3-Major | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | |
| 939961-2 | 3-Major | TCP connection is closed when necessary after HTTP::respond iRule. | |
| 934993-2 | 3-Major | BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams | |
| 932033 | 3-Major | Chunked response may have DATA frame with END_STREAM prematurely | |
| 915605-6 | 3-Major | K56251674 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ |
| 913249-2 | 3-Major | Restore missing UDP statistics | |
| 901929-2 | 3-Major | GARPs not sent on virtual server creation | |
| 892941-2 | 3-Major | K20105555 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) |
| 888113-3 | 3-Major | TMM may core when the HTTP peer aborts the connection | |
| 879413-1 | 3-Major | Statsd fails to start if one or more of its *.info files becomes corrupted | |
| 878925-2 | 3-Major | SSL connection mirroring failover at end of TLS handshake | |
| 860005-1 | 3-Major | Ephemeral nodes/pool members may be created for wrong FQDN name | |
| 857845-1 | 3-Major | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | |
| 850145-1 | 3-Major | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | |
| 820333-1 | 3-Major | LACP working member state may be inconsistent when blade is forced offline | |
| 809701-7 | 3-Major | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | |
| 803233-1 | 3-Major | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | |
| 790845-4 | 3-Major | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | |
| 724824-1 | 3-Major | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | |
| 714642-2 | 3-Major | Ephemeral pool-member state on the standby is down | |
| 935593-4 | 4-Minor | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | |
| 895153 | 4-Minor | HTTP::has_responded returns incorrect values when using HTTP/2 | |
| 883105-1 | 4-Minor | HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect | |
| 808409-4 | 4-Minor | Unable to specify if giaddr will be modified in DHCP relay chain | |
| 859717-2 | 5-Cosmetic | ICMP-limit-related warning messages in /var/log/ltm |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 918169-1 | 2-Critical | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | |
| 916753-2 | 2-Critical | RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core | |
| 905557-1 | 2-Critical | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | |
| 850509-1 | 2-Critical | Zone Trusted Signature inadequately maintained, following change of master key | |
| 837637-1 | 2-Critical | K02038650 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ |
| 926593-2 | 3-Major | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | |
| 852101-1 | 3-Major | Monitor fails. | |
| 844689-1 | 3-Major | Possible temporary CPU usage increase with unusually large named.conf file | |
| 746348-4 | 3-Major | On rare occasions, gtmd fails to process probe responses originating from the same system. | |
| 644192-2 | 3-Major | K23022557 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 940249-2 | 2-Critical | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | |
| 927617-2 | 2-Critical | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | |
| 941853-1 | 3-Major | Logging Profiles do not disassociate from virtual server when multiple changes are made | |
| 940897-3 | 3-Major | Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached | |
| 918933-2 | 3-Major | K88162221 | The BIG-IP ASM system may not properly perform signature checks on cookies |
| 913137-1 | 3-Major | No learning suggestion on ASM policies enabled via LTM policy | |
| 904053-2 | 3-Major | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | |
| 893061-2 | 3-Major | Out of memory for restjavad | |
| 882769-1 | 3-Major | Request Log: wrong filter applied when searching by Response contains or Response does not contain | |
| 919001-2 | 4-Minor | Live Update: Update Available notification is shown twice in rare conditions | |
| 896285-2 | 4-Minor | No parent entity in suggestion to add predefined-filetype as allowed filetype |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 924301-1 | 3-Major | Incorrect values in REST response for DNS/SIP |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 910097-2 | 2-Critical | Changing per-request policy while tmm is under traffic load may drop heartbeats | |
| 924857-1 | 3-Major | Logout URL with parameters resets TCP connection | |
| 914649-3 | 3-Major | Support USB redirection through VVC (VMware virtual channel) with BlastX | |
| 739570-4 | 3-Major | Unable to install EPSEC package★ | |
| 833049-4 | 4-Minor | Category lookup tool in GUI may not match actual traffic categorization | |
| 766017-6 | 4-Minor | [APM][LocalDB] Local user database instance name length check inconsistencies★ |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 942581-1 | 1-Blocking | Timestamp cookies do not work with hardware accelerated flows | |
| 938165-1 | 2-Critical | TMM Core after attempted update of IP geolocation database file | |
| 938149-1 | 3-Major | Port Block Update log message is missing the "Start time" field | |
| 910417-2 | 3-Major | TMM core may be seen when reattaching a vector to a DoS profile | |
| 872049-1 | 3-Major | Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command | |
| 871985-1 | 3-Major | No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection | |
| 851745-3 | 3-Major | High cpu consumption due when enabling large number of virtual servers | |
| 840809-2 | 3-Major | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 842989-6 | 3-Major | PEM: tmm could core when running iRules on overloaded systems |
Anomaly Detection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 944785-2 | 3-Major | Admd restarting constantly. Out of memory due to loading malformed state file | |
| 923125-2 | 3-Major | Huge amount of admd processes caused oom |
SSL Orchestrator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 927993-1 | 1-Blocking | K97501254 | Built-in SSL Orchestrator RPM installation failure |
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 935721-5 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 |
| 935029-3 | CVE-2020-27720 | K04048104 | TMM may crash while processing IPv6 NAT traffic |
| 933741-2 | CVE-2021-22979 | K63497634 | BIG-IP FPS XSS vulnerability CVE-2021-22979 |
| 932065-2 | CVE-2021-22978 | K87502622 | iControl REST vulnerability CVE-2021-22978 |
| 931513-3 | CVE-2021-22977 | K14693346 | TMM vulnerability CVE-2021-22977 |
| 928321-1 | CVE-2020-27719 | K19166530 | K19166530: XSS vulnerability CVE-2020-27719 |
| 917509-3 | CVE-2020-27718 | K58102101 | BIG-IP ASM vulnerability CVE-2020-27718 |
| 911761-2 | CVE-2020-5948 | K42696541 | F5 TMUI XSS vulnerability CVE-2020-5948 |
| 908673-5 | CVE-2020-27717 | K43850230 | TMM may crash while processing DNS traffic |
| 904165-1 | CVE-2020-27716 | K51574311 | BIG-IP APM vulnerability CVE-2020-27716 |
| 879745-4 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic |
| 876353-1 | CVE-2020-5941 | K03125360 | iRule command RESOLV::lookup may cause TMM to crash |
| 839453-6 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
| 834257-1 | CVE-2020-5931 | K25400442 | TMM may crash when processing HTTP traffic |
| 814953 | CVE-2020-5940 | K43310520 | TMUI dashboard hardening |
| 754855-7 | CVE-2020-27714 | K60344652 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile |
| 928037-2 | CVE-2020-27729 | K15310332 | APM Hardening |
| 919841-3 | CVE-2020-27728 | K45143221 | AVRD may crash while processing Bot Defense traffic |
| 917469-2 | CVE-2020-5946 | K53821711 | TMM may crash while processing FPS traffic |
| 912969-2 | CVE-2020-27727 | K50343630 | iAppsLX REST vulnerability CVE-2020-27727 |
| 910017-2 | CVE-2020-5945 | K21540525 | Security hardening for the TMUI Interface page |
| 905125-2 | CVE-2020-27726 | K30343902 | Security hardening for APM Webtop |
| 904937-2 | CVE-2020-27725 | K25595031 | Excessive resource consumption in zxfrd |
| 889557-1 | CVE-2019-11358 | K20455158 | jQuery Vulnerability CVE-2019-11358 |
| 880001-1 | CVE-2020-5937 | K58290051 | TMM may crash while processing L4 behavioral DoS traffic |
| 870273-5 | CVE-2020-5936 | K44020030 | TMM may consume excessive resources when processing SSL traffic |
| 868349-1 | CVE-2020-5935 | K62830532 | TMM may crash while processing iRules with MQTT commands |
| 858349-3 | CVE-2020-5934 | K44808538 | TMM may crash while processing SAML SLO traffic |
| 848405-2 | CVE-2020-5933 | K26244025 | TMM may consume excessive resources while processing compressed HTTP traffic |
| 839761-1 | CVE-2020-5932 | K12002065 | Response Body preview hardening |
| 778049-2 | CVE-2018-13405 | K00854051 | Linux Kernel Vulnerability: CVE-2018-13405 |
| 887637-2 | CVE-2019-3815 | K22040951 | Systemd-journald Vulnerability: CVE-2019-3815 |
| 852929-6 | CVE-2020-5920 | K25160703 | AFM WebUI Hardening |
| 818213-4 | CVE-2019-10639 | K32804955 | CVE-2019-10639: KASLR bypass using connectionless protocols |
| 818177-6 | CVE-2019-12295 | K06725231 | CVE-2019-12295 Wireshark Vulnerability |
| 858537-2 | CVE-2019-1010204 | K05032915 | CVE-2019-1010204: Binutilis Vulnerability |
| 834533-7 | CVE-2019-15916 | K57418558 | Linux kernel vulnerability CVE-2019-15916 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 912289-1 | 2-Critical | Cannot roll back after upgrading on certain platforms★ | |
| 890229-1 | 3-Major | Source port preserve setting is not honored | |
| 858189-3 | 3-Major | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | |
| 719338-1 | 4-Minor | Concurrent management SSH connections are unlimited |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 864513-1 | 1-Blocking | K48234609 | ASM policies may not load after upgrading to 14.x or later from a previous major version★ |
| 896217-2 | 2-Critical | BIG-IP GUI unresponsive | |
| 876957-1 | 2-Critical | Reboot after tmsh load sys config changes sys FPGA firmware-config value | |
| 871561-5 | 2-Critical | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | |
| 860517-1 | 2-Critical | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | |
| 818253-3 | 2-Critical | Generate signature files for logs | |
| 805417-3 | 2-Critical | Unable to enable LDAP system auth profile debug logging | |
| 706521-2 | 2-Critical | K21404407 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password |
| 593536-9 | 2-Critical | K64445052 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations |
| 924493-2 | 3-Major | VMware EULA has been updated | |
| 921361-2 | 3-Major | SSL client and SSL server profile names truncated in GUI | |
| 915825-2 | 3-Major | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | |
| 904845-2 | 3-Major | VMware guest OS customization works only partially in a dual stack environment. | |
| 904705-2 | 3-Major | Cannot clone Azure marketplace instances. | |
| 898461-2 | 3-Major | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | |
| 886689-6 | 3-Major | Generic Message profile cannot be used in SCTP virtual | |
| 880625-3 | 3-Major | Check-host-attr enabled in LDAP system-auth creates unusable config | |
| 880165-2 | 3-Major | Auto classification signature update fails | |
| 867013-2 | 3-Major | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | |
| 850777-3 | 3-Major | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | |
| 838297-2 | 3-Major | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | |
| 828789-1 | 3-Major | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | |
| 807337-5 | 3-Major | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | |
| 788577-7 | 3-Major | BFD sessions may be reset after CMP state change | |
| 759564-2 | 3-Major | GUI not available after upgrade | |
| 740589-4 | 3-Major | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | |
| 719555-3 | 3-Major | Interface listed as 'disable' after SFP insertion and enable | |
| 489572-5 | 3-Major | K60934489 | Sync fails if file object is created and deleted before sync to peer BIG-IP |
| 431503-8 | 3-Major | K14838 | TMSH crashes in rare initial tunnel configurations |
| 921369 | 4-Minor | Signature verification for logs fails if the log files are modified during log rotation | |
| 914761-3 | 4-Minor | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | |
| 906889-4 | 4-Minor | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | |
| 902417-2 | 4-Minor | Configuration error caused by Drafts folder in a deleted custom partition★ | |
| 890277-3 | 4-Minor | Full config sync to a device group operation takes a long time when there are a large number of partitions. | |
| 864757-3 | 4-Minor | Traps that were disabled are enabled after configuration save | |
| 822377-6 | 4-Minor | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | |
| 779857-2 | 4-Minor | Misleading GUI error when installing a new version in another partition★ | |
| 751103-2 | 4-Minor | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | |
| 849085-1 | 5-Cosmetic | Lines with only asterisks filling message and user.log file | |
| 714176-1 | 5-Cosmetic | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 889209-2 | 2-Critical | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | |
| 879409-3 | 2-Critical | TMM core with mirroring traffic due to unexpected interface name length | |
| 858429-3 | 2-Critical | BIG-IP system sending ICMP packets on both virtual wire interface | |
| 851857-1 | 2-Critical | HTTP 100 Continue handling does not work when it arrives in multiple packets | |
| 851581-3 | 2-Critical | Server-side detach may crash TMM | |
| 842937-6 | 2-Critical | TMM crash due to failed assertion 'valid node' | |
| 932825-2 | 3-Major | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device | |
| 915713-2 | 3-Major | Support QUIC and HTTP3 draft-29 | |
| 915689-1 | 3-Major | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | |
| 915281-2 | 3-Major | Do not rearm TCP Keep Alive timer under certain conditions | |
| 892385 | 3-Major | HTTP does not process WebSocket payload when received with server HTTP response | |
| 883529-1 | 3-Major | HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path | |
| 851789-2 | 3-Major | SSL monitors flap with client certs with private key stored in FIPS | |
| 851477-1 | 3-Major | Memory allocation failures during proxy initialization are ignored leading to TMM cores | |
| 851045-1 | 3-Major | LTM database monitor may hang when monitored DB server goes down | |
| 830797-3 | 3-Major | Standby high availability (HA) device passes traffic through virtual wire | |
| 825689-1 | 3-Major | Enhance FIPS crypto-user storage | |
| 816881-2 | 3-Major | Serverside conection may use wrong VLAN when virtual wire is configured | |
| 801497-3 | 3-Major | Virtual wire with LACP pinning to one link in trunk. | |
| 932937-2 | 4-Minor | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | |
| 926997-1 | 4-Minor | QUIC HANDSHAKE_DONE profile statistics are not reset | |
| 852373-3 | 4-Minor | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | |
| 814037-6 | 4-Minor | No virtual server name in Hardware Syncookie activation logs. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 919553-2 | 2-Critical | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | |
| 788465-5 | 2-Critical | DNS cache idx synced across HA group could cause tmm crash | |
| 783125-1 | 2-Critical | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | |
| 898093-2 | 3-Major | Removing one member from a WideIP removes it from all WideIPs. | |
| 869361-1 | 3-Major | Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 868641-3 | 2-Critical | Possible TMM crash when disabling bot profile for the entire connection | |
| 843801-2 | 2-Critical | Like-named previous Signature Update installations block Live Update usage after upgrade★ | |
| 918081-1 | 3-Major | Application Security Administrator role cannot create parent policy in the GUI | |
| 913761-2 | 3-Major | Security - Options section in navigation menu is visible for only Administrator users | |
| 903357-2 | 3-Major | Bot defense Profile list is loads too slow when there are 750 or more Virtual servers | |
| 901061-2 | 3-Major | Safari browser might be blocked when using Bot Defense profile and related domains. | |
| 898741-2 | 3-Major | Missing critical files causes FIPS-140 system to halt upon boot | |
| 892637-1 | 3-Major | Microservices cannot be added or modified | |
| 888285-1 | 3-Major | K18304067 | Sensitive positional parameter not masked in 'Referer' header value |
| 888261-1 | 3-Major | Policy created with declarative WAF does not use updated template. | |
| 881757-1 | 3-Major | Unnecessary HTML response parsing and response payload is not compressed | |
| 880753-3 | 3-Major | K38157961 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server |
| 879777-3 | 4-Minor | Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 908065-2 | 3-Major | Logrotation for /var/log/avr blocked by files with .1 suffix | |
| 819301-2 | 3-Major | Incorrect values in REST response for dos-l3 table | |
| 866613-4 | 4-Minor | Missing MaxMemory Attribute |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 886729-2 | 2-Critical | Intermittent TMM crash in per-request-policy allow-ending agent | |
| 838861-3 | 2-Critical | TMM might crash once after upgrading SSL Orchestrator★ | |
| 579219-5 | 2-Critical | Access keys missing from SessionDB after multi-blade reboot. | |
| 892937-2 | 3-Major | K20105555 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) |
| 857589-1 | 3-Major | On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' | |
| 771961-3 | 3-Major | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | |
| 747020-2 | 3-Major | Requests that evaluate to same subsession can be processed concurrently | |
| 679751-2 | 4-Minor | Authorization header can cause a connection reset |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 868781-1 | 2-Critical | TMM crashes while processing MRF traffic | |
| 898997-2 | 3-Major | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | |
| 891385-2 | 3-Major | Add support for URI protocol type "urn" in MRF SIP load balancing | |
| 697331-2 | 3-Major | Some TMOS tools for querying various DBs fail when only a single TMM is running | |
| 924349-2 | 4-Minor | DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 872645-2 | 3-Major | Protected Object Aggregate stats are causing elevated CPU usage | |
| 852289-4 | 3-Major | K23278332 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector |
| 789857 | 3-Major | "TCP half open' reports drops made by LTM syn-cookies mitigation. | |
| 920361-2 | 4-Minor | Standby device name sent in Traffic Statistics syslog/Splunk messages |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 876581-2 | 3-Major | JavaScript engine file is empty if the original HTML page cached for too long | |
| 891729-2 | 4-Minor | Errors in datasyncd.log★ | |
| 759988-2 | 4-Minor | Geolocation information inconsistently formatted | |
| 940401-2 | 5-Cosmetic | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' |
SSL Orchestrator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 937281-3 | 3-Major | SSL Orchestrator pool members are limited to 20 with Standalone license |
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 912221-1 | CVE-2020-12662 CVE-2020-12663 |
K37661551 | CVE-2020-12662 & CVE-2020-12663 |
| 900905-3 | CVE-2020-5926 | K42830212 | TMM may crash while processing SIP data |
| 888417-5 | CVE-2020-8840 | K15320518 | Apache Vulnerability: CVE-2020-8840 |
| 883717-1 | CVE-2020-5914 | K37466356 | BD crash on specific server cookie scenario |
| 841577-2 | CVE-2020-5922 | K20606443 | iControl REST hardening |
| 838677-1 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
| 837773-7 | CVE-2020-5912 | K12936322 | Restjavad Storage and Configuration Hardening |
| 788057-3 | CVE-2020-5921 | K00103216 | MCPD may crash while processing syncookies |
| 917005-5 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 |
| 909837-1 | CVE-2020-5950 | K05204103 | TMM may consume excessive resources when AFM is provisioned |
| 902141-1 | CVE-2020-5919 | K94563369 | TMM may crash while processing APM data |
| 898949-1 | CVE-2020-27724 | K04518313 | APM may consume excessive resources while processing VPN traffic |
| 888489-2 | CVE-2020-5927 | K55873574 | ASM UI hardening |
| 886085-5 | CVE-2020-5925 | K45421311 | BIG-IP TMM vulnerability CVE-2020-5925 |
| 872673-1 | CVE-2020-5918 | K26464312 | TMM can crash when processing SCTP traffic |
| 856961-7 | CVE-2018-12207 | K17269881 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 |
| 837837-2 | CVE-2020-5917 | K43404629 | F5 SSH server key size vulnerability CVE-2020-5917 |
| 832885-1 | CVE-2020-5923 | K05975972 | Self-IP hardening |
| 830481-1 | CVE-2020-5916 | K29923912 | SSL TMUI hardening |
| 816413-5 | CVE-2019-1125 | K31085564 | CVE-2019-1125: Spectre SWAPGS Gadget |
| 811789-7 | CVE-2020-5915 | K57214921 | Device trust UI hardening |
| 888493-2 | CVE-2020-5928 | K40843345 | ASM GUI Hardening |
| 748122-8 | CVE-2018-15333 | K53620021 | BIG-IP Vulnerability CVE-2018-15333 |
| 746091-8 | CVE-2019-19151 | K21711352 | TMSH Vulnerability: CVE-2019-19151 |
| 717276-9 | CVE-2020-5930 | K20622530 | TMM Route Metrics Hardening |
| 839145-3 | CVE-2019-10744 | K47105354 | CVE-2019-10744: lodash vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 816233-1 | 2-Critical | Session and authentication cookies should use larger character set | |
| 890421-2 | 3-Major | New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★ | |
| 691499-5 | 3-Major | GTP::ie primitives in iRule to be certified | |
| 745465-4 | 4-Minor | The tcpdump file does not provide the correct extension |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 934241-2 | 1-Blocking | TMM may core when using FastL4's hardware offloading feature | |
| 891477-3 | 2-Critical | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | |
| 890513-2 | 2-Critical | MCPD fails to load configuration from binary database | |
| 849405-2 | 2-Critical | LTM v14.1.2.1 does not log after upgrade★ | |
| 842865-2 | 2-Critical | Add support for Auto MAC configuration (ixlv) | |
| 739507-3 | 2-Critical | Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check | |
| 927901-4 | 3-Major | After BIG-IP reboot, vxnet interfaces come up as uninitialized | |
| 915497-2 | 3-Major | New Traffic Class Page shows multiple question marks. | |
| 907549-1 | 3-Major | Memory leak in BWC::Measure | |
| 891721-3 | 3-Major | Anti-Fraud Profile URLs with query strings do not load successfully | |
| 888497-2 | 3-Major | Cacheable HTTP Response | |
| 887089-1 | 3-Major | Upgrade can fail when filenames contain spaces | |
| 877145-4 | 3-Major | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException | |
| 871657-1 | 3-Major | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | |
| 844085-1 | 3-Major | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | |
| 842125-6 | 3-Major | Unable to reconnect outgoing SCTP connections that have previously aborted | |
| 821309-1 | 3-Major | After an initial boot, mcpd has a defunct child "systemctl" process | |
| 814585-1 | 3-Major | PPTP profile option not available when creating or modifying virtual servers in GUI | |
| 807005-5 | 3-Major | Save-on-auto-sync is not working as expected with large configuration objects | |
| 802685-2 | 3-Major | Unable to configure performance HTTP virtual server via GUI | |
| 797829-6 | 3-Major | The BIG-IP system may fail to deploy new or reconfigure existing iApps | |
| 785741-3 | 3-Major | K19131357 | Unable to login using LDAP with 'user-template' configuration |
| 760622-5 | 3-Major | Allow Device Certificate renewal from BIG-IP Configuration Utility | |
| 405329-3 | 3-Major | The imish utility cores while checking help strings for OSPF6 vertex-threshold | |
| 919745-2 | 4-Minor | CSV files downloaded from the Dashboard have the first row with all 'NaN | |
| 918209-3 | 4-Minor | GUI Network Map icons color scheme is not section 508 compliant | |
| 851393-1 | 4-Minor | Tmipsecd leaves a zombie rm process running after starting up | |
| 804309-1 | 4-Minor | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | |
| 713614-7 | 4-Minor | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | |
| 767269-5 | 5-Cosmetic | Linux kernel vulnerability: CVE-2018-16884 |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 925989 | 2-Critical | Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4★ | |
| 839749-3 | 2-Critical | Virtual server with specific address list might fail to create via GUI | |
| 715032-1 | 2-Critical | K73302459 | iRulesLX Hardening |
| 916589-2 | 3-Major | QUIC drops 0RTT packets if CID length changes | |
| 910521-2 | 3-Major | Support QUIC and HTTP draft-28 | |
| 893281-3 | 3-Major | Possible ssl stall on closed client handshake | |
| 813701-6 | 3-Major | Proxy ARP failure | |
| 788753-2 | 3-Major | GATEWAY_ICMP monitor marks node down with wrong error code | |
| 786517-5 | 3-Major | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | |
| 720440-6 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
| 914681-2 | 4-Minor | Value of tmm.quic.log.level can differ between TMSH and GUI | |
| 714502-3 | 4-Minor | bigd restarts after loading a UCS for the first time |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 789421-4 | 3-Major | Resource-administrator cannot create GTM server object through GUI | |
| 774257-4 | 5-Cosmetic | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 904593-1 | 2-Critical | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | |
| 865461-1 | 2-Critical | BD crash on specific scenario | |
| 850641-2 | 2-Critical | Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies | |
| 900797-2 | 3-Major | Brute Force Protection (BFP) hash table entry cleanup | |
| 900793-1 | 3-Major | K32055534 | APM Brute Force Protection resources do not scale automatically |
| 900789-2 | 3-Major | Alert before Brute Force Protection (BFP) hash are fully utilized | |
| 892653-1 | 3-Major | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | |
| 880789-3 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
| 874753-3 | 3-Major | Filtering by Bot Categories on Bot Requests Log shows 0 events | |
| 871905-2 | 3-Major | K02705117 | Incorrect masking of parameters in event log |
| 868721-1 | 3-Major | Transactions are held for a long time on specific server related conditions | |
| 863609-4 | 3-Major | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | |
| 854177-5 | 3-Major | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | |
| 850677-4 | 3-Major | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | |
| 848445-1 | 3-Major | K86285055 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ |
| 833685-5 | 3-Major | Idle async handlers can remain loaded for a long time doing nothing | |
| 809125-5 | 3-Major | CSRF false positive | |
| 799749-2 | 3-Major | Asm logrotate fails to rotate | |
| 783165-1 | 3-Major | Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile | |
| 742549-3 | 3-Major | Cannot create non-ASCII entities in non-UTF ASM policy using REST | |
| 722337-2 | 3-Major | Always show violations in request log when post request is large | |
| 640842-5 | 3-Major | ASM end user using mobile might be blocked when CSRF is enabled |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 828937-1 | 2-Critical | K45725467 | Some systems can experience periodic high IO wait due to AVR data aggregation |
| 902485-3 | 3-Major | Incorrect pool member concurrent connection value | |
| 841305-2 | 3-Major | HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log | |
| 838685-4 | 3-Major | DoS report exist in per-widget but not under individual virtual |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 884797-4 | 3-Major | Portal Access: in some cases data is not delivered via WebSocket connection |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 904373-3 | 3-Major | MRF GenericMessage: Implement limit to message queues size | |
| 876953-2 | 3-Major | Tmm crash while passing diameter traffic | |
| 876077-1 | 3-Major | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | |
| 868381-1 | 3-Major | MRF DIAMETER: Retransmission queue unable to delete stale entries | |
| 866021-1 | 3-Major | Diameter Mirror connection lost on the standby due to "process ingress error" | |
| 824149-5 | 3-Major | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | |
| 815877-2 | 3-Major | Information Elements with zero-length value are rejected by the GTP parser | |
| 696348-5 | 3-Major | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | |
| 788513-6 | 4-Minor | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | |
| 793005-1 | 5-Cosmetic | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 802421-6 | 2-Critical | The /var partition may become 100% full requiring manual intervention to clear space | |
| 757279-3 | 3-Major | LDAP authenticated Firewall Manager role cannot edit firewall policies | |
| 896917 | 4-Minor | The fw_zone_stat 'Hits' field may not increment in some scenarios |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 839597-6 | 3-Major | Restjavad fails to start if provision.extramb has a large value |
SSL Orchestrator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 886717-1 | 3-Major | TMM crash while using SSL Orchestrator | |
| 886713-1 | 4-Minor | Error log seen in case of SSL Orchestrator configured with http service during connection close. |
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 900757-2 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 895525-2 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 909237-6 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability |
| 909233-6 | CVE-2020-8616 | K97810133 | DNS Hardening |
| 905905-1 | CVE-2020-5904 | K31301245 | TMUI CSRF vulnerability CVE-2020-5904 |
| 895993-2 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 895981-2 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 895881-1 | CVE-2020-5903 | K43638305 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 |
| 891457-2 | CVE-2020-5939 | K75111593 | NIC driver may fail while transmitting data |
| 859089-7 | CVE-2020-5907 | K00091341 | TMSH allows SFTP utility access |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 909673 | 2-Critical | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms | |
| 882557-2 | 3-Major | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | |
| 878893-3 | 3-Major | During system shutdown it is possible the for sflow_agent to core | |
| 858769-6 | 3-Major | K82498430 | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 |
| 829193-4 | 3-Major | REST system unavailable due to disk corruption | |
| 826265-5 | 3-Major | The SNMPv3 engineBoots value restarts at 1 after an upgrade | |
| 812493-4 | 3-Major | When engineID is reconfigured, snmp and alert daemons must be restarted★ | |
| 810381-2 | 3-Major | The SNMP max message size check is being incorrectly applied. | |
| 743234-6 | 3-Major | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | |
| 774617-3 | 4-Minor | SNMP daemon reports integer truncation error for values greater than 32 bits |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 910177 | 2-Critical | Poor HTTP/3 throughput | |
| 848777-3 | 3-Major | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 892621-1 | 3-Major | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software |
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 889505 | 3-Major | Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available | |
| 888569 | 3-Major | Added PBA stats for total number of free PBAs, and percent free PBAs |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 795649-5 | 3-Major | Loading UCS from one iSeries model to another causes FPGA to fail to load |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 883513-1 | 3-Major | Support for QUIC and HTTP/3 draft-27 | |
| 828601-1 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route | |
| 758599-3 | 3-Major | IPv6 Management route is preferred over IPv6 tmm route |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 846713-1 | 2-Critical | Gtm_add does not restart named |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 903905-2 | 2-Critical | BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances | |
| 889477-1 | 2-Critical | Modern customization does not enforce validation at password changing |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 888625 | 3-Major | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks |
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 879025-2 | CVE-2020-5913 | K72752002 | When processing TLS traffic, LTM may not enforce certificate chain restrictions |
| 871633-1 | CVE-2020-5859 | K61367237 | TMM may crash while processing HTTP/3 traffic |
| 846917-1 | CVE-2019-10744 | K47105354 | lodash Vulnerability: CVE-2019-10744 |
| 846365-1 | CVE-2020-5878 | K35750231 | TMM may crash while processing IP traffic |
| 830401-1 | CVE-2020-5877 | K54200228 | TMM may crash while processing TCP traffic with iRules |
| 819197-2 | CVE-2019-13135 | K20336394 | BIGIP: CVE-2019-13135 ImageMagick vulnerability |
| 819189-1 | CVE-2019-13136 | K03512441 | BIGIP: CVE-2019-13136 ImageMagick vulnerability |
| 636400 | CVE-2019-6665 | K26462555 | CPB (BIG-IP->BIGIQ log node) Hardening |
| 873469-2 | CVE-2020-5889 | K24415506 | APM Portal Access: Base URL may be set to incorrectly |
| 864109-1 | CVE-2020-5889 | K24415506 | APM Portal Access: Base URL may be set to incorrectly |
| 858025-1 | CVE-2021-22984 | K33440533 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 |
| 838881-1 | CVE-2020-5853 | K73183618 | APM Portal Access Vulnerability: CVE-2020-5853 |
| 832021-3 | CVE-2020-5888 | K73274382 | Port lockdown settings may not be enforced as configured |
| 832017-3 | CVE-2020-5887 | K10251014 | Port lockdown settings may not be enforced as configured |
| 829121-1 | CVE-2020-5886 | K65720640 | State mirroring default does not require TLS |
| 829117-1 | CVE-2020-5885 | K17663061 | State mirroring default does not require TLS |
| 789921-5 | CVE-2020-5881 | K03386032 | TMM may restart while processing VLAN traffic |
| 868097-3 | CVE-2020-5891 | K58494243 | TMM may crash while processing HTTP/2 traffic |
| 846157-1 | CVE-2020-5862 | K01054113 | TMM may crash while processing traffic on AWS |
| 838909-3 | CVE-2020-5893 | K97733133 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 |
| 823893-7 | CVE-2020-5890 | K03318649 | Qkview may fail to completely sanitize LDAP bind credentials |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 870389-3 | 3-Major | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | |
| 858229-5 | 3-Major | K22493037 | XML with sensitive data gets to the ICAP server |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 854493-5 | 2-Critical | Kernel page allocation failures messages in kern.log | |
| 841953-7 | 2-Critical | A tunnel can be expired when going offline, causing tmm crash | |
| 841581 | 2-Critical | License activation takes a long time to complete on Google GCE platform | |
| 841333-7 | 2-Critical | TMM may crash when tunnel used after returning from offline | |
| 817709-3 | 2-Critical | IPsec: TMM cored with SIGFPE in racoon2 | |
| 811701-3 | 2-Critical | AWS instance using xnet driver not receiving packets on an interface. | |
| 811149-2 | 2-Critical | Remote users are unable to authenticate via serial console. | |
| 866925-5 | 3-Major | The TMM pages used and available can be viewed in the F5 system stats MIB | |
| 865225-1 | 3-Major | 100G modules may not work properly in i15000 and i15800 platforms | |
| 852001-1 | 3-Major | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | |
| 830717 | 3-Major | Appdata logical volume cannot be resized for some cloud images★ | |
| 829317-5 | 3-Major | Memory leak in icrd_child due to concurrent REST usage | |
| 828873-3 | 3-Major | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor | |
| 812981-6 | 3-Major | MCPD: memory leak on standby BIG-IP device | |
| 802281-3 | 3-Major | Gossip shows active even when devices are missing | |
| 793121-5 | 3-Major | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | |
| 742628-1 | 3-Major | A tmsh session initiation adds increased control plane pressure | |
| 605675-6 | 3-Major | Sync requests can be generated faster than they can be handled | |
| 831293-5 | 4-Minor | SNMP address-related GET requests slow to respond. | |
| 755317-3 | 4-Minor | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | |
| 722230-1 | 4-Minor | Cannot delete FQDN template node if another FQDN node resolves to same IP address |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 860881-3 | 2-Critical | TMM can crash when handling a compressed response from HTTP server | |
| 839401-1 | 2-Critical | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | |
| 837617-1 | 2-Critical | Tmm may crash while processing a compression context | |
| 872965-1 | 3-Major | HTTP/3 does not support draft-25 | |
| 862597-7 | 3-Major | Improve MPTCP's SYN/ACK retransmission handling | |
| 853613-4 | 3-Major | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | |
| 852873-2 | 3-Major | Proprietary Multicast PVST+ packets are forwarded instead of dropped | |
| 852861-1 | 3-Major | TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario | |
| 851445-1 | 3-Major | QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams | |
| 850973-1 | 3-Major | Improve QUIC goodput for lossy links | |
| 850933-1 | 3-Major | Improve QUIC rate pacing functionality | |
| 847325-3 | 3-Major | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | |
| 818853-1 | 3-Major | Duplicate MAC entries in FDB | |
| 809597-5 | 3-Major | Memory leak in icrd_child observed during REST usage | |
| 714372-5 | 3-Major | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | |
| 705112-6 | 3-Major | DHCP server flows are not re-established after expiration | |
| 859113-1 | 4-Minor | Using "reject" iRules command inside "after" may causes core | |
| 839245-3 | 4-Minor | IPother profile with SNAT sets egress TTL to 255 | |
| 824365-5 | 4-Minor | Need informative messages for HTTP iRule runtime validation errors | |
| 822025 | 4-Minor | HTTP response not forwarded to client during an early response |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 760471-1 | 3-Major | GTM iQuery connections may be reset during SSL key renegotiation. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 852437-3 | 2-Critical | K25037027 | Overly aggressive file cleanup causes failed ASU installation |
| 846073-1 | 2-Critical | Installation of browser challenges fails through Live Update | |
| 850673-1 | 3-Major | BD sends bad ACKs to the bd_agent for configuration | |
| 842161-1 | 3-Major | Installation of Browser Challenges fails in 15.1.0 | |
| 793017-3 | 3-Major | Files left behind by failed Attack Signature updates are not cleaned | |
| 778261-2 | 3-Major | CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate | |
| 739618-3 | 3-Major | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | |
| 681010-4 | 3-Major | K33572148 | 'Referer' is not masked when 'Query String' contains sensitive parameter |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 838709-4 | 2-Critical | Enabling DoS stats also enables page-load-time | |
| 870957-4 | 3-Major | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | |
| 863161-1 | 3-Major | Scheduled reports are sent via TLS even if configured as non encrypted | |
| 835381-3 | 3-Major | HTTP custom analytics profile 'not found' when default profile is modified | |
| 830073-2 | 3-Major | AVRD may core when restarting due to data collection device connection timeout | |
| 865053-3 | 4-Minor | AVRD core due to a try to load vip lookup when AVRD is down | |
| 863069-1 | 4-Minor | Avrmail timeout is too small |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 876393-1 | 2-Critical | General database error while creating Access Profile via the GUI | |
| 871761-1 | 2-Critical | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | |
| 871653-1 | 2-Critical | Access Policy cannot be created with 'modern' customization | |
| 866685-1 | 3-Major | Empty HSTS headers when HSTS mode for HTTP profile is disabled | |
| 866161-1 | 3-Major | Client port reuse causes RST when the security service attempts server connection reuse. | |
| 853325-1 | 3-Major | TMM Crash while parsing form parameters by SSO. | |
| 852313-4 | 3-Major | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | |
| 850277-1 | 3-Major | Memory leak when using OAuth | |
| 844781-3 | 3-Major | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | |
| 844685-1 | 3-Major | Per-request policy is not exported if it contains HTTP Connector Agent | |
| 844573-1 | 3-Major | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | |
| 844281-3 | 3-Major | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | |
| 835309-1 | 3-Major | Some strings on BIG-IP APM Server pages are not localized | |
| 832881-1 | 3-Major | F5 Endpoint Inspection helper app is not updated | |
| 832569-3 | 3-Major | APM end-user connection reset | |
| 831781-4 | 3-Major | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | |
| 803825-5 | 3-Major | WebSSO does not support large NTLM target info length | |
| 761303-5 | 3-Major | Upgrade of standby BIG-IP system results in empty Local Database | |
| 744407-1 | 3-Major | While the client has been closed, iRule function should not try to check on a closed session | |
| 706782-5 | 3-Major | Inefficient APM processing in large configurations. |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 853545-1 | 3-Major | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | |
| 842625-5 | 3-Major | SIP message routing remembers a 'no connection' failure state forever | |
| 840821-1 | 3-Major | SCTP Multihoming not working within MRF Transport-config connections | |
| 825013-1 | 3-Major | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | |
| 803809-4 | 3-Major | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | |
| 859721-1 | 4-Minor | Using GENERICMESSAGE create together with reject inside periodic after may cause core | |
| 836357-5 | 4-Minor | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 |
SSL Orchestrator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 852557-3 | 2-Critical | Tmm core while using service chaining for SSL Orchestrator | |
| 864329-3 | 3-Major | Client port reuse causes RST when the backend server-side connection is open | |
| 852481-3 | 3-Major | Failure to check virtual-server context when closing server-side connection | |
| 852477-3 | 3-Major | Tmm core when SSL Orchestrator is enabled |
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 834853 | 3-Major | Azure walinuxagent has been updated to v2.2.42 |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 862557-1 | 3-Major | Client-ssl profiles derived from clientssl-quic fail validation |
Cumulative fix details for BIG-IP v15.1.4.1 that are included in this release
999933-3 : TMM may crash while processing DNS traffic on certain platforms
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge (HSB) may crash while processing DNS traffic.
Conditions:
-DNS profile enabled
-Hardware system (or vCMP guests) with a High-Speed Bridge (HSB)
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes DNS traffic as expected.
999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice
Solution Article: K03544414
Component: Access Policy Manager
Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice
Conditions:
Running Diagnostics report for Edge client on Windows system
Impact:
Edge client does not follow best practice
Workaround:
No workaround.
Fix:
Edge Client on Windows now follows best practice
998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication for Active Directory users which are subscribed to more than hundred groups will fail.
Workaround:
None
Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.
998221-3 : Accessing pool members from configuration utility is slow with large config
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
998085-1 : BIG-IP DataSafe GUI does not save changes
Component: Fraud Protection Services
Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.
Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.
Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.
Workaround:
Use tmsh to configure the BIG-IP system.
Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.
997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
997641 : APM policy ending with redirection results in policy execution failure
Component: Access Policy Manager
Symptoms:
After successful authentication, the APM end user client connection gets reset.
/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766
Conditions:
Access policy has a path ending with a redirect.
Impact:
APM end user clients cannot access the backend resources protected by the policy.
Workaround:
None
Fix:
Fixed an issue with APM policies not working when they ended with redirect.
997313-3 : Unable to create APM policies in a sync-only folder★
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
997169 : AFM rule not triggered
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
Fix:
Firewall rules are now triggered when gateway pools are used.
997137-3 : CSRF token removal may allow WAF bypass on GET requests
Component: Application Security Manager
Symptoms:
Under certain conditions the "csrt" parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted "csrt" parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
"csrt" parameter is now processed as expected.
996753-2 : ASM BD process may crash while processing HTML traffic
Solution Article: K44553214
996593-2 : Password change through REST or GUI not allowed if the password is expired
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
996381-3 : ASM attack signature may not match as expected
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
995629-3 : Loading UCS files may hang if ASM is provisioned★
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPV6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
995029-3 : Configuration is not updated during auto-discovery
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.
Fix:
Fixed an issue with auto-discovery and JWKs.
994985-2 : CGNAT GUI shows blank page when applying SIP profile
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI shows virtual server config page with all config values
994801-3 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands SCP file transfer.
Impact:
Users without Advanced Shell access can run SCP file trasnfer commands.
Workaround:
None
Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.
993913-2 : TMM SIGSEGV core in Message Routing Framework
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
993489-3 : GTM daemon leaks memory when reading GTM link objects
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
993457-2 : TMM core with ACCESS::policy evaluate iRule
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
992053-1 : Pva_stats for server side connections do not update for redirected flows
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
Fix:
Updated pva_stats to reflect server side flow.
991421-3 : TMM may crash while processing TLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic
Conditions:
- Forward proxy configured
- Forward proxy passthrough
- TLS1.3 traffic
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
Fix:
TMM now processes TLS traffic as expected.
990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command★
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
990333-5 : APM may return unexpected content when processing HTTP requests
Solution Article: K75540265
989753-2 : In HA setup, standby fails to establish connection to server
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
Component: TMOS
Symptoms:
A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response allow for local memory corruption and possibly privilege escalation.
Conditions:
Mounting an unauthenticated server can cause this flaw
Impact:
Can cause local memory corruption and possibly privilege escalation.
Workaround:
While there is no known mitigation to this flaw, configuring authentication and only mounting authenticated NFSv4 servers will significantly reduce the risk of this flaw being successfully exploited.
Fix:
Kernel patched to resolve CVE-2020-25212
989637-3 : TMM may crash while processing SSL traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing SSL traffic
Conditions:
-SSL profile enabled
-Client authentication enabled
Impact:
TMM consumes excessive resources, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes SSL traffic as expected.
989317-12 : Windows Edge Client does not follow best practice
Solution Article: K33757590
989009-3 : BD daemon may crash while processing WebSocket traffic
Solution Article: K05314769
988793 : SecureVault on BIG-IP tenant does not store unit key securely
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for unit key.
Workaround:
None
Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.
988761-1 : Cannot create Protected Object in GUI
Component: Advanced Firewall Manager
Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step
Conditions:
This occurs in normal operation
Impact:
Cannot create Protected Objects using the GUI
Workaround:
Use tmsh to create Protected Objects
Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.
988645 : Traffic may be affected after tmm is aborted and restarted
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
Fix:
Fixed system behavior when tmm is aborted and restarted.
988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv
Solution Article: K68251873
988549-5 : CVE-2020-29573: glibc vulnerability
Solution Article: K27238230
988533-1 : GRE-encapsulated MPLS packet support
Component: TMOS
Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.
988005-1 : Zero active rules counters in GUI
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
987605-2 : DDoS: ICMP attacks are not hardware-mitigated
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.
987345-1 : Disabling periodic-refresh-log has no effect
Component: Advanced Firewall Manager
Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:
info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".
Conditions:
PBA periodic-refresh-log set to '0'.
Impact:
System provides unnecessary, excessive logging.
Workaround:
None
Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is now honored."Port Block Periodic Log" messages are no longer logged with this configuration setting.
987113-1 : CMP state degraded while under heavy traffic
Component: TMOS
Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
986937-1 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
985953-3 : GRE Transparent Ethernet Bridging inner MAC overwrite
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
985537-1 : Upgrade Microsoft Hyper-V driver★
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.
When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.
Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.
Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.
Workaround:
None.
Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.
985433-2 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.
Component: Local Traffic Manager
Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.
Conditions:
--- Standard virtual server with the TCP and HTTP profiles.
--- The HTTP profile is configured to insert the X-Forwarded-For header.
--- The client supplies an empty X-Forwarded-For header in the HTTP request.
Impact:
Affected client connections are reset, leading to application failures.
Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:
when HTTP_REQUEST {
HTTP::header replace X-Forwarded-For [IP::remote_addr]
}
Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.
984765-1 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
984657-3 : Sysdb variable not working from tmsh
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
Fix:
After the fix able to verify sysdb variables from tmsh
984613-11 : CVE-2020-5896 - Edge Client Installer Vulnerability
Solution Article: K08503505
982869-1 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
981785-3 : Incorrect incident severity in Event Correlation statistics
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.
981693-1 : TMM may consume excessive resources while processing IPSec ALG traffic
Component: Carrier-Grade NAT
Symptoms:
When processing IPSec ALG traffic, TMM may consume excessive resources.
Conditions:
-- IPsec ALG virtual server with ALG logging profile.
-- IPsec traffic is passed.
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
981689-2 : TMM memory leak with IPsec ALG
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
981461-4 : Unspecified DNS responses cause TMM crash
Solution Article: K45407662
981385-3 : AVRD does not send HTTP events to BIG-IQ DCD
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
981273-2 : APM webtop hardening
Solution Article: K41997459
981169-2 : F5 TMUI XSS vulnerability CVE-2021-22994
Solution Article: K66851119
981069-1 : Reset cause: "Internal error ( requested abort (payload release error))"
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
980821-2 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
destination 10.1.1.1:80
ip-protocol any
...
}
ltm virtual vs-portAny-protoTCP {
destination 10.1.1.1:0
ip-protocol TCP
...
}
Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
destination 10.1.1.1:80
ip-protocol TCP
...
}
ltm virtual vs-port80-protoUDP {
destination 10.1.1.1:80
ip-protcol UDP
...
}
Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.
980809-2 : ASM REST Signature Rule Keywords Tool Hardening
Solution Article: K41351250
980325-5 : Chmand core due to memory leak from dossier requests.
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
980125-3 : BD Daemon may crash while processing WebSocket traffic
Solution Article: K42051445
978833-2 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.
977053-2 : TMM crash on standby due to invalid MR router instance
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
977005-1 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
GUI shows 'Any' extra text under the source column
Workaround:
None
Fix:
The GUI no longer shows extra text
976925-2 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
976505-2 : Rotated restnoded logs will fail logintegrity verification.
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
976501-2 : Failed to establish VPN connection
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
976365 : Traffic Classification hardening★
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
975809-1 : Rotated restjavad logs fail logintegrity verification.
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
975589-4 : CVE-2020-8277 Node.js vulnerability
Solution Article: K07944249
975465-2 : TMM may consume excessive resources while processing DNS iRules
Solution Article: K65397301
975233-2 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
Solution Article: K52510511
974881-2 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
974501-1 : Excessive memory usage by mirroring subsystem when remirroring
Component: Local Traffic Manager
Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)
In severe cases, tmm might restart and generate a core file due to an out of memory condition.
Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.
Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.
974341-2 : REST API: File upload
Component: Application Security Manager
Symptoms:
Under certain conditions, the REST API does not process file uploads as expected
Conditions:
- REST API access
- File uploaded
Impact:
File uploads are not processed as expected.
Workaround:
N/A
Fix:
The REST API now handles file uploads as expected
974241-1 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
974205-3 : Unconstrained wr_urldbd size causing box to OOM
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
973409-5 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference
Solution Article: K42910051
973333-5 : TMM buffer-overflow vulnerability CVE-2021-22991
Solution Article: K56715231
973261-2 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPs monitor.
973201-2 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★
Component: TMOS
Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.
Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begins a live upgrade.
Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.
Workaround:
None
Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.
971297-2 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.
Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded
Impact:
The keys are stored locally following the upgrade.
Workaround:
None.
970829-5 : iSeries LCD incorrectly displays secure mode
Solution Article: K03310534
Component: Device Management
Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.
Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.
Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:
-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.
The restjavad-audit.*.log may contain similar messages
[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}
Workaround:
None
Fix:
The LCD now functions normally, and no authentication errors appear in the logs.
970329-3 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
969713-1 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey
Component: TMOS
Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.
Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured
Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel
Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.
Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.
969637-2 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"
Conditions:
-- A small subset of the following BIG-IP platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Configuration load fails and the device does not come online.
969509-4 : Possible memory corruption due to DOS vector reset
Component: Advanced Firewall Manager
Symptoms:
Unpredictable result due to possible memory corruption
Conditions:
DOS vector configuration change
Impact:
Memory corruption
Fix:
Added correct logic to reset DOS vector.
969385-2 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.
Component: BIG-IP Risk Engine
Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile
Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)
Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.
Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).
Fix:
None
969317-3 : "Restrict to Single Client IP" option is ignored for vmware VDI
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
969213-1 : VMware: management IP cannot be customized via net.mgmt.addr property
Component: TMOS
Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.
Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.
Impact:
Management IP cannot be customized in VMware during the VM setup.
969105-2 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
968893-2 : TMM crash when processing APM traffic
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing APM traffic that generates DNS lookups
Conditions:
- APM provisioned
- Undisclosed conditions
Impact:
TMM crash leading to traffic interruption and a failover event
Workaround:
N/A
Fix:
TMM now processes APM traffic as expected
968741-1 : Traffic Intelligence pages not visible
Component: Traffic Classification Engine
Symptoms:
When trying to access TCE Signature Update Page from the GUI:
Traffic Intelligence -> Applications -> Signature Update
The page will not load.
Conditions:
Clicking on Traffic Intelligence -> Applications -> Signature Update will show a blank page.
Impact:
You will not be able access the Traffic Intelligence -> Applications -> Signature page in the GUI.
Workaround:
None
Fix:
TMUI pages for Traffic classification will be accessible from TMUI : Traffic Intelligence -> Applications -> Signature
968733-6 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
Solution Article: K42202505
968641-2 : Fix for zero LACP priority
Component: Local Traffic Manager
Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.
Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.
Impact:
BIG-IP may be unable to connect to Cisco trunks.
Workaround:
None.
Fix:
Eliminate LACP priority equal 0
968533 : Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.
Component: Advanced Firewall Manager
Symptoms:
When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.
Conditions:
-- Push flood vector needs to be triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.
Impact:
The packets with PUSH flag for the good connections are also getting dropped even though "Only Count Suspicious Events" is enabled.
Workaround:
None
Fix:
Fixed an issue with rate limiting on PUSH packets.
968421-2 : ASM attack signature doesn't matched
Solution Article: K30291321
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
968349 : TMM crashes with unspecified message
Solution Article: K19012930
967905-2 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
967889-1 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
Component: Advanced Firewall Manager
Symptoms:
Custom signature of virtual server shows incorrect attack information.
Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)
Impact:
GUI shows incorrect information for custom signature
Fix:
GUI shows correct information for custom signature
967745 : Last resort pool error for the modify command for Wide IP
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
966901-2 : CVE-2020-14364: Qemu Vulnerability
Solution Article: K09081535
966701-2 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
Component: Service Provider
Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.
Conditions:
-- SCTP transport profile
-- MRF generic msg router profile
Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing
Fix:
Enable the return type in generic msg filter when data received over SCTP transport
966681-1 : NAT translation failures while using SP-DAG in a multi-blade chassis
Component: Carrier-Grade NAT
Symptoms:
NAT translation fails
Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans
Impact:
Traffic failure, performance degraded
Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096
Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.
966277-1 : BFD down on multi-blade system
Component: TMOS
Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.
Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots
Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.
966073-1 : GENEVE protocol support
Component: TMOS
Symptoms:
BIG-IP software does not support the GENEVE protocol.
Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol
Impact:
GENEVE protocol is unsupported.
Workaround:
None.
Fix:
BIG-IP software now supports the GENEVE protocol.
965617-3 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
Component: Advanced Firewall Manager
Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB
Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support
Impact:
More resources loading during DDoS attack
Fix:
Correct free spot search with offloading to HSB
965581-2 : Statistics are not reported to BIG-IQ
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.
Conditions:
A BIG-IP system is attached to BIG-IQ.
Impact:
No statistics collected.
Fix:
The avrd process no longer fails, and statistics are collected as expected.
965485-3 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Solution Article: K41523201
965229-2 : ASM Load hangs after upgrade★
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
965205-2 : BIG-IP dashboard downloads unused widgets
Component: TMOS
Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.
Conditions:
This occurs when viewing the BIG-IP dashboard.
Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.
Workaround:
None.
965037-1 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services
Component: Local Traffic Manager
Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in per-request policy) is inserted after Category lookup for CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to services.
Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname
Impact:
HTTP CONNECT tunnel payload is not sent to services
Workaround:
None
Fix:
HTTP CONNECT tunnel payload is now sent to services.
964941-1 : IPsec interface-mode tunnel does not initiate or respond after config change
Component: TMOS
Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.
Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration
Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.
Workaround:
Reboot or restart tmm
Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.
964897-2 : Live Update - Indication of "Update Available" when there is no available update
Component: Application Security Manager
Symptoms:
Live Update notifies you that an update is available even though there is no available update.
Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status
Impact:
Live Update erroneously indicates that an update is available.
Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat
Fix:
Fixed an issue with Live Update notification.
964585-3 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
Component: Protocol Inspection
Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.
Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.
Impact:
- The error message does not accurately explain the cause of the problem.
Workaround:
None.
Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.
964577-3 : IPS automatic IM download not working as expected
Component: Protocol Inspection
Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.
IPS automatic IM download considers the BIG-IP software major and minor version numbers.
However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.
Conditions:
Auto download of IM package for IPS.
Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.
Workaround:
Manually download the IM package and upload it onto the BIG-IP system.
Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.
964245-2 : ASM reports and enforces username always
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.
964037 : Error: Exception response while loading properties from server
Component: Access Policy Manager
Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for Access Profile with modern customization due to interface error.
Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security
Impact:
You are unable to modify Endpoint Security interface strings
963713-1 : HTTP/2 virtual server with translate-disable can core tmm
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing HTTP/2 traffic
Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure an HTTP/2 virtual server with translate-disable
Fix:
Tmm does not crash anymore.
963705-3 : Proxy ssl server response not forwarded
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be not forwarded
Fix:
Proxy ssl will now forward server response after renegotiation
963485-1 : Performance issue with data guard
Component: Application Security Manager
Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.
Conditions:
-- The server response is compressed.
-- Data guard is enabled.
Impact:
Slow response time.
Workaround:
-- Disable data guard or block the data instead of masking it.
-- Force server sending uncompressed response using an iRule:
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
963461-1 : ASM performance drop on the response side
Component: Application Security Manager
Symptoms:
Clients encounter a longer time to respond from the BIG-IP
Conditions:
-- One of the following features is enabled:
- convictions
- csrf
- ajax.
-- The response is HTML
-- The response has many tags
Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.
963237-3 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.
Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server
Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.
963049-1 : Unexpected config loss when modifying protected object
Component: TMOS
Symptoms:
A virtual server configuration is changed unexpectedly.
Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.
Impact:
Virtual servers client SSL profiles are removed if you have more than one profile.
Workaround:
None
Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.
963017-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
Component: TMOS
Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):
err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid
In addition, a message similar to the following may appear on the serial console while the system is booting:
[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:
# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since <...>
Main PID: #### (code=exited, status=1/FAILURE)
<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.
However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.
Conditions:
This may occur under the following conditions:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
- VIPRION B4450 blades
Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.
Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check
Fix:
This incorrect status reporting has been corrected.
962817-2 : Description field of a JSON policy overwrites policy templates description
Component: Application Security Manager
Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.
If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.
Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.
Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.
Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:
rm -f /ts/install/policy_templates/fundamental.bin
Fix:
The binary file now contains the correct description.
962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
962497 : BD crash after ICAP response
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
962433-4 : HTTP::retry for a HEAD request fails to create new connection
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.
962341 : BD crash while processing JSON content
Solution Article: K00602225
962249-2 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Component: TMOS
Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Conditions:
This message shows always on all platforms.
Impact:
No functional impact.
Fix:
Does not show this message on non-epva platforms.
962177-2 : Results of POLICY::names and POLICY::rules commands may be incorrect
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
962069-3 : Excessive resource consumption while processing OSCP requests via APM
Solution Article: K79428827
960749-2 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
960437-2 : The BIG-IP system may initially fail to resolve some DNS queries
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
960369-2 : Negative value suggested in Traffic Learning as max value
Component: Application Security Manager
Symptoms:
Negative value suggested in Traffic Learning as max value
Conditions:
A huge parameter value is seen in traffic
Impact:
Wrong learning suggestion issued
Workaround:
Manually change maximum allowed value on the parameter to ANY
Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY
959889-2 : Cannot update firewall rule with ip-protocol property as 'any'
Component: TMOS
Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.
Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update
Impact:
Cannot update the firewall rule from GUI.
Fix:
The GUI now allows updating firewall rules with 'any' as an ip-protocal.
959629-2 : Logintegrity script for restjavad/restnoded fails
Component: TMOS
Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory.
Conditions:
When the logintegrity script runs.
Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.
Workaround:
Modify the script file /usr/bin/rest_logintegrity:
1. mount -o remount,rw /usr
2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original
3. vi /usr/bin/rest_logintegrity
4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
6. mount -o remount,ro /usr
Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.
959121-4 : Not following best practices in Guided Configuration Bundle Install worker
Solution Article: K74151369
958465-2 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
Component: TMOS
Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.
The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.
958353-2 : Restarting the mcpd messaging service renders the PAYG VE license invalid.
Component: TMOS
Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.
Conditions:
Restarting the mcpd messaging service.
Impact:
The license becomes expired. A message is displayed in the console:
mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).
Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.
958093-3 : IPv6 routes missing after BGP graceful restart
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
958085-3 : IM installation fails with error: Spec file not found★
Component: Traffic Classification Engine
Symptoms:
IM installation fails with an error message:
ERROR Error during switching: Spec file not found
Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.
Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.
Workaround:
None.
Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.
957965-1 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'
Component: Application Security Manager
Symptoms:
Request is blocked by 'CSRF attack detected' violation.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy
Impact:
False positive request blocking occurs.
Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.
Fix:
'CSRF attack detected' now works as expected.
957337-1 : Tab complete in 'mgmt' tree is broken
Component: TMOS
Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:
(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"
Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete
Impact:
You are unable to configure objects in mgmt.
This issue also prevents users with the admin role from accessing the following REST endpoints:
shared/authz/users
shared/echo-js
The error returned was HTTP/1.1 401 F5 Authorization Required
Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.
957029-1 : MRF Diameter loop-detection is enabled by default
Component: Service Provider
Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.
Conditions:
Default diameter session profile loop detection configuration.
Impact:
System performance is impacted even if MRF Diameter loop detection is not used.
Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.
Fix:
MRF Diameter loop detection is now disabled by default.
Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.
956589-1 : The tmrouted daemon restarts and produces a core file
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
Tmrouted daemon should not restart during blade reset
956373-2 : ASM sync files not cleaned up immediately after processing
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI
Component: TMOS
Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.
Conditions:
Leaving UI dashboard page left open.
Impact:
System performance is impacted if the dashboard page is kept open.
956133-3 : MAC address might be displayed as 'none' after upgrading★
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0
Impact:
Traffic disrupted when the MAC address is set to 'none'
Workaround:
None.
956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import
Component: Application Security Manager
Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import
Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.
Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.
Workaround:
The content profiles can be manually associated after the import process using REST or GUI.
Fix:
Setting the correct profile reference during import.
955145-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
955017-2 : Excessive CPU consumption by asm_config_event_handler
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
954429-2 : User authorization changes for live update
Solution Article: K23203045
954425-2 : Hardening of Live-Update
Component: Application Security Manager
Symptoms:
Under certain conditions, the Live-Update process does not follow current best practices.
Conditions:
- Live-Update in use
- Specially-crafted update files
Impact:
The Live-Update process does not follow current best practices.
Workaround:
N/A
Fix:
The Live-Update process now follows current best practices.
954381-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
953845-1 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
953729-2 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953393-2 : TMM crashes when performing iterative DNS resolutions.
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes and produces a core file.
Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.
To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.
The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).
Fix:
TMM no longer crashes.
952557-2 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com
Component: Access Policy Manager
Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.
Conditions:
Azure AD B2C Provider may be non functional if URLs are using logic.microsoftonline.com.
Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.
Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.
For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.
Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.
952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect
Component: Service Provider
Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552
Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.
Workaround:
None.
Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.
952509-2 : Cross origin AJAX requests are blocked in case there is no Origin header
Component: Application Security Manager
Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.
Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Impact:
Request is blocked.
Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.
Fix:
Check referrer header also when modifying CORS headers.
951705-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
951133-2 : Live Update does not work properly after upgrade★
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
950849-4 : B4450N blades report page allocation failure.★
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This occurs on B4450N blades regardless of configuration.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You must perform the workaround on each blade installed in the system.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands:
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.
950077-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950017-2 : TMM may crash while processing SCTP traffic
Solution Article: K94941221
949933-1 : BIG-IP APM CTU vulnerability CVE-2021-22980
Solution Article: K29282483
949889-3 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
Solution Article: K04107324
949721-2 : QUIC does not send control frames in PTO packets
Component: Local Traffic Manager
Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.
Conditions:
A control frame is in-flight when the PTO timer fires.
Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.
Workaround:
None.
Fix:
Retransmittable control frames are now sent when the PTO timer fires.
949593-3 : Unable to load config if AVR widgets were created under '[All]' partition★
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.
949477-1 : NTLM RPC exception: Failed to verify checksum of the packet
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
949145-5 : Improve TCP's response to partial ACKs during loss recovery
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
948805-1 : False positive "Null in Request"
Component: Application Security Manager
Symptoms:
A false positive violation "Null in Request" is thrown erroneously.
Conditions:
-- BIG-IP receives a query string in the "Referrer" header
Impact:
False positive violation "Null in Request" is thrown
Workaround:
None
Fix:
Fixed a false positive violation.
948769-5 : TMM panic with SCTP traffic
Solution Article: K05300051
948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
Component: Local Traffic Manager
Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.
Conditions:
A snat-translation address is configured with ARP enabled.
Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.
Workaround:
None.
Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.
948717-3 : F5-pf_daemon_cond_restart uses excessive CPU★
Component: TMOS
Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.
This is contributing to higher CPU usage after upgrading from an earlier version
Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.
Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.
Workaround:
None.
948573-4 : Wr_urldbd list of valid TLDs needs to be updated
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
948417-2 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic
Component: Performance
Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)
Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking
Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)
Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)
Individual VMs & VMs in an availability set
First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
Azure CLI
az vm deallocate \
--resource-group myResourceGroup \
--name myVM
Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.
Once stopped, disable Accelerated Networking on the NIC of your VM:
Azure CLI
az network nic update \
--name myNic \
--resource-group myResourceGroup \
--accelerated-networking false
Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
Azure CLI
az vm start --resource-group myResourceGroup \
--name myVM
948113-3 : User-defined report scheduling fails
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
948073-2 : Dual stack download support for IP Intelligence Database
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is strict IPv6.
Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.
Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.
Workaround:
None
Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
947925-1 : TMM may crash when executing L7 Protocol Lookup per-request policy agent
Component: SSL Orchestrator
Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.
Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.
947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
947529-2 : Security tab in virtual server menu renders slowly
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
Security tab of a virtual server loads fast
947341-1 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
946953-1 : HTTP::close used in iRule might not close connection.
Component: Local Traffic Manager
Symptoms:
HTTP::close used in an iRule might not close the connection. For example:
when HTTP_REQUEST {
HTTP::close
HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
}
Conditions:
Using HTTP::close along with HTTP::respond
Impact:
HTTP connection can be re-used.
Workaround:
Explicitly add close header in the HTTP::respond. For example:
HTTP::respond 200 content "OK" Connection close
Fix:
Fixed an issue where HTTP::close might not close a connection.
946745-2 : 'System Integrity: Invalid' after Engineering Hotfix installation
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.
946377-2 : HSM WebUI Hardening
Solution Article: K24301698
946185-1 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Component: iApp Technology
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count
Component: Access Policy Manager
Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)
Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm
Impact:
User is denied access even though token limit per user is not reached
Fix:
Fixed an issue where users were unable to log in after a tmm restart.
946089-2 : BIG-IP might send excessive multicast/broadcast traffic.
Component: TMOS
Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.
Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.
Impact:
Excessive multicast/broadcast traffic.
946081-1 : Getcrc tool help displays directory structure instead of version
Component: Application Security Manager
Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM
Component: Local Traffic Manager
Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.
Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.
945853-2 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
945789-1 : Live update cannot resolve hostname if ipv6 is configured
Component: Application Security Manager
Symptoms:
Live update is not working when BIG-IP DNS is configured to use IPv6
Conditions:
BIG-IP DNS uses IPv6
Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.
Workaround:
If possible, use IPv4 for DNS.
An alternative workaround could be to configure a working IPv4 address in the "/etc/hosts" file, as by issuing the following command from the advanced shell (bash):
echo "165.160.15.20 callhome.f5.net" >> /etc/hosts
Fix:
Replaced deprecated gethostbyname which does not work well with IPv6 with getaddrinfo
945265-4 : BGP may advertise default route with incorrect parameters
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
945109-2 : Freetype Parser Skip Token Vulnerability CVE-2015-9382
Solution Article: K46641512
944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file
Component: Anomaly Detection Services
Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.
Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.
Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption
Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD
If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD
Fix:
No more memory corruption, no OOM nor ADMD restarts.
944641-1 : HTTP2 send RST_STREAM when exceeding max streams
Component: Local Traffic Manager
Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.
Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.
Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.
Workaround:
None.
Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.
944513-2 : Apache configuration file hardening
Component: TMOS
Symptoms:
Apache configuration file did not follow security best practice.
Conditions:
Normal system operation with httpd enabled.
Impact:
Apache configuration file did not follow security best practice.
Workaround:
None
Fix:
Apache configuration file has been hardened to follow security best practice.
944441-2 : BD_XML logs memory usage at TS_DEBUG level
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
943913-3 : ASM attack signature does not match
Solution Article: K30150004
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
943669-1 : B4450 blade reboot
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
943125-2 : ASM bd may crash while processing WebSocket traffic
Solution Article: K18570111
943101-2 : Tmm crash in cipher group delete.
Component: Local Traffic Manager
Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.
Conditions:
Deleting a cipher group associated with multiple profiles.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue with cipher group delete.
943081-3 : Unspecified HTTP/2 traffic may cause TMM to crash
Solution Article: K90603426
942701-2 : TMM may consume excessive resources while processing HTTP traffic
Solution Article: K35408374
942581-1 : Timestamp cookies do not work with hardware accelerated flows
Component: Advanced Firewall Manager
Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.
Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.
Impact:
Reduced traffic throughput and increased CPU usage
Fix:
FPGA and software enhancement to allow hardware accelerate of TCP flows that have time stamp cookie enabled.
942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Component: TMOS
Symptoms:
During boot of a i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
In order to workaround this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.
If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.
Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.
Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.
942497-1 : Declarative onboarding unable to download and install RPM
Component: TMOS
Symptoms:
Installation of declarative onboarding RPM fails.
Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.
Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.
Workaround:
RPMs must be installed manually.
Fix:
The installation directory was updated to fix the RPM installation issue.
942185-2 : Non-mirrored persistence records may accumulate over time
Component: Local Traffic Manager
Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.
Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.
Component: Application Security Manager
Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
-- Google link is responded to (by the server) with a redirect.
-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
None
941893-3 : VE performance tests in Azure causes loss of connectivity to objects in configuration
Component: TMOS
Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.
Conditions:
Running performance tests of VE in Azure.
Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.
Workaround:
Reboot from the Azure console to restore functionality.
941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
941649-2 : Local File Inclusion Vulnerability
Solution Article: K63163637
941625-1 : BD sometimes encounters errors related to TS cookie building
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
941621-2 : Brute Force breaks server's Post-Redirect-Get flow
Solution Article: K91414704
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
941481-2 : iRules LX - nodejs processes consuming excessive memory
Component: Local Traffic Manager
Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.
You can check the iRule LX plugins memory usage using the command:
tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):
Memory (bytes)
Total Virtual Size 946.8M
Resident Set Size 14.5K
Conditions:
-- iRulesLX in use.
Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.
Workaround:
Restart the iRule LX plugin that is leaking memory:
tmsh restart ilx plugin <PLUGIN_NAME>
941449-2 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
Solution Article: K55237223
941257-1 : Occasional Nitrox3 ZIP engine hang
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Component: Application Security Manager
Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server
Conditions:
This is applicable when domain and path cookie attributes are present in response from server
Impact:
ASM cookie name which is displayed is incorrect
Workaround:
None
Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s
941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.
Component: Policy Enforcement Manager
Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.
Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).
Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.
Workaround:
None.
941089-3 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
940897-3 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
940885-2 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter
Component: TMOS
Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.
Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.
Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.
Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.
940665-1 : DTLS 1.0 support for PFS ciphers
Component: Local Traffic Manager
Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
Conditions:
DTLS 1.0 is configured in an SSL profile.
Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.
940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
940317-4 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability
Solution Article: K23157312
940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.
940021-3 : Syslog-ng hang may lead to unexpected reboot
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.
Component: Local Traffic Manager
Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
N/A
Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.
939877-1 : OAuth refresh token not found
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
939845-2 : BIG-IP MPTCP vulnerability CVE-2021-23004
Solution Article: K31025212
939841-2 : BIG-IP MPTCP vulnerability CVE-2021-23003
Solution Article: K43470422
939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
Component: TMOS
Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
TMM no longer shuts down prematurely during initialization.
939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.
939421-2 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
Solution Article: K38481791
938233-2 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Solution Article: K93231374
938165-1 : TMM Core after attempted update of IP geolocation database file
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.
938149-1 : Port Block Update log message is missing the "Start time" field
Component: Advanced Firewall Manager
Symptoms:
Port Block Update log message is missing the "Start time" field.
Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.
Impact:
NAT Log information is not usable for accounting purpose.
Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.
937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range
Component: Advanced Firewall Manager
Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.
Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.
Impact:
Incorrect statistics.
Workaround:
None.
Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.
937637-3 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
937365-2 : LTM UI does not follow best practices
Solution Article: K42526507
937333-2 : Incomplete validation of input in unspecified forms
Component: Global Traffic Manager (DNS)
Symptoms:
Incomplete validation of input in unspecified forms
Conditions:
DNS Provisioned
Impact:
Incomplete validation
Fix:
Proper input validation now performed
937281-3 : SSL Orchestrator pool members are limited to 20 with Standalone license
Component: SSL Orchestrator
Symptoms:
BIG-IP limits the SSL Orchestrator Standalone license to only allow six pool members.
Conditions:
-- SSL Orchestrator add-on license is installed
Impact:
You are only able to configure six pool members in SSLO.
Workaround:
None.
Fix:
BIG-IP supports up to 20 pool members (up from 6) with the SSL Orchestrator standalone license.
936773-2 : Improve logging for "double flow removal" TMM Oops
Component: Local Traffic Manager
Symptoms:
/var/log/tmm contains this entry
notice Oops @ 0x286feeb:1127: double flow removal
Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.
Impact:
None
936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
936125-2 : SNMP request times out after configuring IPv6 trap destination
Component: TMOS
Symptoms:
SNMP request is times out.
Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.
Impact:
No response is returned for SNMP request.
Workaround:
Restart SNMP daemon by running the following TMSH command:
restart sys service snmpd
Fix:
N/A
935801-4 : HSB diagnostics are not provided under certain types of failures
Component: TMOS
Symptoms:
In rare cases where the HSB detects an error and triggers an high availability (HA) failover, HSB-specific diagnostic data is not provided.
An example are XLMAC errors, which can be seen in the LTM logs:
<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.
Conditions:
The HSB detects an internal error.
Impact:
There is less HSB data for analysis when an internal HSB occurs.
Workaround:
None.
Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.
935721-5 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Solution Article: K82252291
935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
935433-2 : iControl SOAP
Solution Article: K53854428
935401-2 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Solution Article: K06440657
935293-2 : 'Detected Violation' Field for event logs not showing
Component: Application Security Manager
Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The eventlog is reserving space for violations.
935029-3 : TMM may crash while processing IPv6 NAT traffic
Solution Article: K04048104
934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.
Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.
Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.
Workaround:
None.
Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.
934941-2 : Platform FIPS power-up self test failures not logged to console
Component: TMOS
Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.
Conditions:
A FIPS failure occurs during the power-up self test.
Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.
Workaround:
None.
934721-2 : TMM core due to wrong assert
Component: Application Visibility and Reporting
Symptoms:
TMM crashes with a core
Conditions:
AFM and AVR provisioned and collecting ACL statistics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.
Fix:
Fixed a tmm crash related to ACL statistics
934461-2 : Connection error with server with TLS1.3 single-dh-use.
Component: Local Traffic Manager
Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.
Conditions:
14.1 with TLS1.3 single-dh-use.
Impact:
Connection failure in 14.1 versions.
Workaround:
Disable single-dh-use, or disable tls1.3.
Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.
934393-2 : APM authentication fails due to delay in sessionDB readiness
Component: Access Policy Manager
Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.
Conditions:
-- APM configured.
-- SAML SP configured.
Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.
Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all
Note: Restarting all services causes temporary traffic disruption.
Fix:
The sessionDB readiness has been corrected so that authentication succeeds.
934241-2 : TMM may core when using FastL4's hardware offloading feature
Component: TMOS
Symptoms:
TMM cores.
Conditions:
FastL4's hardware offloading is used.
Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.
Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.
Workaround:
Disable PVA/EPVA on all FastL4 profiles
Fix:
Fix the internal logic error.
934065-1 : The turboflex-low-latency and turboflex-dns are missing.
Component: TMOS
Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.
Conditions:
The turboflex-low-latency or turboflex-dns in use.
Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.
Workaround:
None.
Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.
933777-1 : Context use and syntax changes clarification
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
933741-2 : BIG-IP FPS XSS vulnerability CVE-2021-22979
Solution Article: K63497634
933461-4 : BGP multi-path candidate selection does not work properly in all cases.
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★
Component: TMOS
Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.
Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.
Impact:
Live-update functionality does not work properly.
Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.
Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.
933405-2 : Zonerunner GUI hangs when attempting to list Resource Records
Solution Article: K34257075
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
933129-2 : Portal Access resources are visible when they should not be
Component: Access Policy Manager
Symptoms:
For Access Policy created with Customization type: modern, Portal Access resource is still present on user's webtop after the checkbox "Publish on Webtop" is disabled in config
Conditions:
-- Access Policy created with Customization type: modern
-- Disable the checkbox "Publish on Webtop" for any Portal Access resource
Impact:
Disabled Portal Access resource visible on the webtop when it should be hidden.
Workaround:
Re-create Access Policy with Customization type: standard
Fix:
Disabled Portal Access resource is hidden on user's webtop
932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
Component: Local Traffic Manager
Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.
Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.
Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.
Workaround:
Use an iRule to prevent connections from hanging:
when HTTP_REJECT {
after 1
}
Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.
932825-2 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
Component: Local Traffic Manager
Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.
Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages
Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.
Workaround:
None
Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.
932737-2 : DNS & BADOS high-speed logger messages are mixed
Component: Anomaly Detection Services
Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.
Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.
Impact:
Reporting will be confusing.
932497-3 : Autoscale groups require multiple syncs of datasync-global-dg
Component: TMOS
Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.
Conditions:
Browser Challenges update image is automatically downloaded.
Impact:
Peers are not synced.
Workaround:
Manually sync datasync-global-db group.
Fix:
Perform full sync for each change when having multiple live update changes in a row.
932485-3 : Incorrect sum(hits_count) value in aggregate tables
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
932437-2 : Loading SCF file does not restore files from tar file★
Component: TMOS
Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.
Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:
01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles
Impact:
Restoring SCF does not restore contents of file objects.
Workaround:
None.
932233-2 : '@' no longer valid in SNMP community strings
Component: TMOS
Symptoms:
The '@' character is no longer valid in SNMP community strings.
Conditions:
Attempting to use the '@' character in SNMP community strings.
Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.
Workaround:
Use a community string that does not contain the '@' character.
932213-2 : Local user db not synced to standby device when it is comes online after forced offline state
Component: Access Policy Manager
Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.
Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.
Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.
Workaround:
None
Fix:
Fixed the issue by handling the forced offline scenario.
932137-5 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
932133-2 : Payloads with large number of elements in XML take a lot of time to process
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
932065-2 : iControl REST vulnerability CVE-2021-22978
Solution Article: K87502622
932033 : Chunked response may have DATA frame with END_STREAM prematurely
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.
931837-1 : NTP has predictable timestamps
Solution Article: K55376430
931513-3 : TMM vulnerability CVE-2021-22977
Solution Article: K14693346
930905-4 : Management route lost after reboot.
Component: TMOS
Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.
Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).
-- The instance is rebooted.
Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.
Workaround:
Use either of the following workarounds:
-- Delete the route completely and reinstall the route.
-- Restart mcpd:
bigstart restart mcpd
930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
930385-3 : SSL filter does not re-initialize when an OCSP object is modified
Component: Local Traffic Manager
Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.
Then, modify the OCSP object to DNS resolver ns2.
After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.
Conditions:
An OCSP object is configured and modified.
Impact:
The wrong nameserver is used after modification to the OCSP object.
Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.
930005-2 : Recover previous QUIC cwnd value on spurious loss
Component: Local Traffic Manager
Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.
Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.
Impact:
Inefficient use of bandwidth in the presence of packet reordering.
Workaround:
None.
Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
929213-1 : iAppLX packages not rolled forward after BIG-IP upgrade★
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
All installed package management LX such as AS3, DO, telemetry, failover extension, service discovery are available after upgrade
929077-2 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Component: Application Security Manager
Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
929001-3 : ASM form handling improvements
Solution Article: K48321015
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
928857-2 : Use of OCSP responder may leak X509 store instances
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
928805-2 : Use of OCSP responder may cause memory leakage
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
928789-2 : Use of OCSP responder may leak SSL handshake instances
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.
Workaround:
No workaround.
928717-3 : [ASM - AWS] - ASU fails to sync
Component: Application Security Manager
Symptoms:
Live Update configuration is not updated.
Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.
Impact:
Automatic signature updates (ASU) fail to sync.
Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:
1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.
928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
928685-2 : ASM Brute Force mitigation not triggered as expected
Solution Article: K49549213
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when ASM_REQUEST_DONE
{
if { [catch { HTTP::username } ] } {
log local0. "ERROR: bad username";
ASM::raise bad_auth_header_custom_violation
}
}
Fix:
Brute Force mitigation is now triggered as expected.
928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances
Component: Carrier-Grade NAT
Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.
Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.
Impact:
Tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable full proxy config of hairpinning.
Fix:
Tmm does not crash anymore.
928321-1 : K19166530: XSS vulnerability CVE-2020-27719
Solution Article: K19166530
928037-2 : APM Hardening
Solution Article: K15310332
928029-2 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
Component: TMOS
Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".
Conditions:
Run "switchboot" command
Impact:
A confusing popup message is displayed.
Workaround:
NA
Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"
927993-1 : Built-in SSL Orchestrator RPM installation failure
Solution Article: K97501254
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
---
Step 3. Run the following commands in the BIG-IP command line:
# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2
---
Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.
Fix:
Built-in SSL Orchestrator RPM installation failure
927941-5 : IPv6 static route BFD does not come up after OAMD restart
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized
Component: TMOS
Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl
Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.
Impact:
Vxnet driver requires manual intervention after reboot.
Workaround:
Tmsh enable/disable interface brings it back up until next reboot.
927617-2 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contain the valid cookie value is encoded to base64.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.
927033-2 : Installer fails to calculate disk size of destination volume★
Component: TMOS
Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:
error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.
Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:
[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map
Impact:
Unable to successfully upgrade.
Workaround:
Create the expected symlink manually:
cd /dev/md
ln -s ../md127 _none_\:0
926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset
Component: Local Traffic Manager
Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.
Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.
Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.
Workaround:
Restart tmm to reset all statistics:
Impact of Workaround: Traffic disrupted while tmm restarts.
bigstart restart tmm
Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.
926929-3 : RFC Compliance Enforcement lacks configuration availability
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None.
Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:
HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).
926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets
925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4★
Component: Local Traffic Manager
Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:
-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.
Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.
Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.
Workaround:
None.
925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted
Component: Access Policy Manager
Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.
Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.
Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.
Workaround:
None.
924961-2 : CVE-2019-20892: SNMP Vulnerability
Solution Article: K45212738
924945-3 : Fail to detach HTTP profile from virtual server
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
924929-2 : Logging improvements for VDI plugin
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names along with the exceptions are also seen in the APM log file.
924857-1 : Logout URL with parameters resets TCP connection
Component: Access Policy Manager
Symptoms:
TCP connection reset when 'Logout URI Include' configured.
Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
/logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
/logoff.html?a=b
Impact:
TCP connection resets, reporting BIG-IP APM error messages.
'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.
Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.
Workaround:
None
Fix:
The system now ignores unsupported query parameters.
924521-2 : OneConnect does not work when WEBSSO is enabled/configured.
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.
Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.
924493-2 : VMware EULA has been updated
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
924349-2 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP
Component: Service Provider
Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.
Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses
Impact:
Unable to see multiple HostIPAddress in CER/CEA
Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.
924301-1 : Incorrect values in REST response for DNS/SIP
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached
Impact:
An incorrect value is calculated in the REST response.
Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation
923301-2 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
Component: Application Security Manager
Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.
Conditions:
Automatic installation of ASU on manual sync setup.
Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.
Workaround:
Manually sync the device group.
Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
923125-2 : Huge amount of admd processes caused oom
Component: Anomaly Detection Services
Symptoms:
The top command shows that a large number of admd processes are running.
Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.
Impact:
Memory is exhausted.
Workaround:
Restart admd:
bigstart restart admd
Fix:
This issue no longer occurs.
922785-2 : Live Update scheduled installation is not installing on set schedule
Component: Application Security Manager
Symptoms:
A scheduled live update does not occur at the scheduled time.
Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.
Impact:
Automated installation does not initiate
Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14
922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites
Component: Anomaly Detection Services
Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.
Conditions:
This can occur for some requests that have high latency and low TPS.
Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.
Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500
For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.
The results is that the attack is declared later than for the default value, but it is declared and the site is protected.
Fix:
Default sensitivity value 500 now illuminates false positive DoS attacks declaration.
922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).
922261-2 : WebSocket server messages are logged even it is not configured
Component: Application Security Manager
Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.
Impact:
Remote logging server overloaded with unexpected WebSocket messages.
Workaround:
Set response-logging=illegal in all remote logging profiles.
Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.
922185-1 : LDAP referrals not supported for 'cert-ldap system-auth'★
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
922105-3 : Avrd core when connection to BIG-IQ data collection device is not available
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
921881-2 : Use of IPFIX log destination can result in increased CPU utilization
Component: Local Traffic Manager
Symptoms:
-- Increased baseline CPU.
- The memory_usage_stats table shows a continuous increase in mds_* rows.
Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.
Impact:
Increased baseline CPU may result in exhaustion of CPU resources.
Workaround:
Limiting changes to associated configuration can slow the effects of this issue.
921721-1 : FIPS 140-2 SP800-56Arev3 compliance
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.
921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
Component: Application Security Manager
Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:
Bot defense profile <profile full name> error: match-order should be unique.
Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.
2. Delete item with the value: match-order 2 (in tmsh), and save.
3. Switch to the GUI, add new allow list item, and save.
Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.
Workaround:
Drag between two items, and then drag back.
Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.
921625-2 : The certs extend function does not work for GTM/DNS sync group
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
921421-3 : iRule support to get/set UDP's Maximum Buffer Packets
Component: Local Traffic Manager
Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.
Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.
Impact:
Unable to dynamically change the max buffer packets setting in an iRule.
Workaround:
None
Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts
Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.
921369 : Signature verification for logs fails if the log files are modified during log rotation
Component: TMOS
Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.
Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs
Impact:
Signature verification may fail on rotated log files.
Fix:
Fixed an issue with signature verification failing on valid log files.
921365-1 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
921361-2 : SSL client and SSL server profile names truncated in GUI
Component: TMOS
Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.
Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.
Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.
Note: The fields remain at the limited width even when the browser window is maximized.
Workaround:
Use tmsh to see the full SSL client and SSL server name.
921337-2 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976
Solution Article: K88230177
921181 : Wrong error message upon bad credential stuffing configuration
Component: BIG-IP Risk Engine
Symptoms:
When you try to configure credential stuffing and provide invalid parameters, you see a misleading error:
HTML Tag-like Content in the Request URL/Body
Conditions:
Configuration of bad ApplicationID, Access Token or wrong service type, generates a validation error, but the error message is confusing.
Impact:
A misleading error is displayed.
Workaround:
None.
Fix:
Wrong error message upon bad credential stuffing configuration has been corrected.
921065 : BIG-IP systems not responding to DPD requests from initiator after failover
Component: TMOS
Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.
Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.
Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.
Workaround:
None.
Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.
920961-2 : Devices incorrectly report 'In Sync' after an incremental sync
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages
Component: Advanced Firewall Manager
Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.
Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.
Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.
Workaround:
None.
Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.
920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy
Component: TMOS
Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.
Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.
Impact:
High CPU Usage.
Workaround:
None.
Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.
920197-3 : Brute force mitigation can stop mitigating without a notification
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
919989-2 : TMM does not follow TCP best practices
Solution Article: K64571774
919841-3 : AVRD may crash while processing Bot Defense traffic
Solution Article: K45143221
919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN
Component: TMOS
Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'
Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.
Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.
Workaround:
None.
Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.
919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
919381-1 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups
Component: Advanced Firewall Manager
Symptoms:
Currently AFM does not have support to match rules against multiple subscriber policies
Conditions:
-- AFM provisioned
-- You wish to match rules against multiple subscriber policies
Impact:
AFM rules cannot be matched against multiple subscriber policies
Workaround:
None
Fix:
Enhancing the AFM rules matching against multiple subscriber policies
919305-2 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS
Component: TMOS
Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS
Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.
Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.
Fix:
Appliance mode will function when configured on a BIG-IP tenant deployed on VELOS
919301-3 : GTP::ie count does not work with -message option
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
919001-2 : Live Update: Update Available notification is shown twice in rare conditions
Component: Application Security Manager
Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.
Conditions:
This can be encountered on the first load of the Live Update page.
Impact:
Notification is shown twice.
Workaround:
None.
Fix:
Notification is shown only once in all cases.
918933-2 : The BIG-IP ASM system may not properly perform signature checks on cookies
Solution Article: K88162221
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
918717-2 : Exception at rewritten Element.innerHTML='<a href></a>'
Component: Access Policy Manager
Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.
Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:
<script>
d = document.createElement('div')
try {
d.innerHTML = "<a href b=1>click</a>"
}catch(e){
alert(e.message);
}
</script>
Impact:
Web page does not load properly.
Workaround:
Find the "href" attributes of anchor tag and give some empty value to it:
Before:
<a href></a>
After:
<a href=""></a>
Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.
918597-5 : Under certain conditions, deleting a topology record can result in a crash.
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
918317-2 : SSL Orchestrator resets subsequent requests when HTTP services are being used.
Component: SSL Orchestrator
Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.
Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.
Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.
Workaround:
None
Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.
918209-3 : GUI Network Map icons color scheme is not section 508 compliant
Component: TMOS
Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.
Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.
Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.
Workaround:
None.
Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.
918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
918097-3 : Cookies set in the URI on Safari
Component: Application Security Manager
Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.
Impact:
A cookie is set on the URL.
Workaround:
None.
Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.
This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable
Default value is the original behavior (enable), which sets the cookie in the URl.
NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.
918081-1 : Application Security Administrator role cannot create parent policy in the GUI
Component: Application Security Manager
Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created
Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.
Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.
Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.
Fix:
The Application Security Administrator role can now create the parent policy when required.
917509-3 : BIG-IP ASM vulnerability CVE-2020-27718
Solution Article: K58102101
917469-2 : TMM may crash while processing FPS traffic
Solution Article: K53821711
917005-5 : ISC BIND Vulnerability: CVE-2020-8619
Solution Article: K19807532
916969-3 : Support of Microsoft Identity 2.0 platform
Component: Access Policy Manager
Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.
Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.
Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.
Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.
916821-2 : iControl REST vulnerability CVE-2021-22974
Solution Article: K68652018
916781-1 : Validation error while attaching DoS profile to GTP virtual
Component: Service Provider
Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.
Conditions:
Attach DoS security profile to GTP virtual server.
Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.
Workaround:
None.
Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.
916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.
Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:
RESOLV::lookup @/Common/my_dns_virtual www.example.com
Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.
For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:
instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53
916589-2 : QUIC drops 0RTT packets if CID length changes
Component: Local Traffic Manager
Symptoms:
QUIC sometimes rejects valid 0RTT packets.
Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.
Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.
Workaround:
None.
Fix:
Fixed an issue with 0RTT packets when using QUIC.
915957-1 : The wocplugin may get into a restart loop when AAM is provisioned
Component: Local Traffic Manager
Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.
Conditions:
Application Acceleration Manager (AAM) is provisioned
Impact:
AAM is not functional
Workaround:
None
Fix:
The wocplugin is now correctly provisioned and runs without restarts.
915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Component: TMOS
Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
915773-1 : Restart of TMM after stale interface reference
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
915713-2 : Support QUIC and HTTP3 draft-29
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.
Conditions:
Browser requests draft-29.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.
915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
915605-6 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Solution Article: K56251674
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
915509-1 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
915497-2 : New Traffic Class Page shows multiple question marks.
Component: TMOS
Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.
Conditions:
This is encountered when creating a new Traffic Class.
Impact:
Multi-byte characters are displayed incorrectly.
Workaround:
None.
Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.
915489-2 : LTM Virtual Server Health is not affected by iRule Requests dropped
Component: Anomaly Detection Services
Symptoms:
Virtual Server Health should not take into account deliberate drop requests.
Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.
Impact:
Server Health reflects it is overloading status more precisely.
Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.
Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.
915305-5 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.
Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
915281-2 : Do not rearm TCP Keep Alive timer under certain conditions
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
914761-3 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
Component: TMOS
Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:
Unexpected Error: UCS saving process failed.
Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.
Impact:
UCS file is not successfully saved and backup fails.
Workaround:
None.
914681-2 : Value of tmm.quic.log.level can differ between TMSH and GUI
Component: Local Traffic Manager
Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.
Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.
Impact:
Misleading log level displayed in the GUI.
Workaround:
Use TMSH to set and view values for tmm.quic.log.level.
Fix:
GUI values for tmm.quic.log.level are now displayed properly.
914649-3 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
914293-3 : TMM SIGSEGV and crash
Component: Anomaly Detection Services
Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.
Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.
Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.
Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.
914277-2 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.
Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.
Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.
914245-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
914081-1 : Engineering Hotfixes missing bug titles
Component: TMOS
Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).
-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.
Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.
Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.
Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).
Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.
Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.
913849-1 : Syslog-ng periodically logs nothing for 20 seconds
Component: TMOS
Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.
Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)
Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.
Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.
Workaround:
None.
Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.
913829-4 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.
913761-2 : Security - Options section in navigation menu is visible for only Administrator users
Component: Application Security Manager
Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.
Conditions:
You logged in as a user configured with a role other than Administrator.
Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.
Workaround:
Direct links to the pages work for those with the appropriate roles.
Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM
913757-1 : Error viewing security policy settings for virtual server with FTP Protocol Security
Component: Application Security Manager
Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:
An error has occurred while trying to process your request.
Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.
Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:
An error has occurred while trying to process your request.
Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:
-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:
tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }
Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.
913729-5 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.
Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).
913453-5 : URL Categorization: wr_urldbd cores while processing urlcat-query
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
Fix:
Fixed a core with wr_urldb.
913433-3 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)
Workaround:
None.
913413-3 : 'GTP::header extension count' iRule command returns 0
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
913373-2 : No connection error after failover with MRF, and no connection mirroring
Component: Service Provider
Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.
Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.
Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.
Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.
913249-2 : Restore missing UDP statistics
Component: Local Traffic Manager
Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Conditions:
Viewing UDP statistics.
Impact:
Unable to view these UDP statistics.
Workaround:
None.
Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
913137-1 : No learning suggestion on ASM policies enabled via LTM policy
Component: Application Security Manager
Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.
Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.
This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.
Impact:
No learning suggestions.
Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.
Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.
913085-1 : Avrd core when avrd process is stopped or restarted
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
912969-2 : iAppsLX REST vulnerability CVE-2020-27727
Solution Article: K50343630
912945-2 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
912425-3 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash
Component: Local Traffic Manager
Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.
Conditions:
TMM may crash under some of the following conditions:
-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.
Changes to monitor configuration may not take effect under the following conditions:
-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable in-TMM monitors.
Fix:
This issue is now fixed.
912289-1 : Cannot roll back after upgrading on certain platforms★
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
Fix:
Contact F5 Support for the reversion process if this is required.
Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
The particular platforms are:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
The particular software versions are:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
912221-1 : CVE-2020-12662 & CVE-2020-12663
Solution Article: K37661551
912149-5 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
912089-2 : Some roles are missing necessary permission to perform Live Update
Component: Application Security Manager
Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.
Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.
Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.
Workaround:
None.
Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator
912001-3 : TMM cores on secondary blades of the Chassis system.
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
911809-2 : TMM might crash when sending out oversize packets.
Component: TMOS
Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.
Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
911761-2 : F5 TMUI XSS vulnerability CVE-2020-5948
Solution Article: K42696541
911729-2 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Component: Application Security Manager
Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.
911141-3 : GTP v1 APN is not decoded/encoded properly
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
911041-3 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
Component: Local Traffic Manager
Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.
Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.
Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.
910653-5 : iRule parking in clientside/serverside command may cause tmm restart
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.
910633-1 : Continuous 'neurond restart' message on console
Component: Performance
Symptoms:
Neurond continuous restart after some TurboFlex configuration changes.
Conditions:
TurboFlex configuration modifications change underlying firmware without automatic reboot triggered.
Impact:
Features that utilize Neuron are not available.
Workaround:
Reboot the system.
910521-2 : Support QUIC and HTTP draft-28
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.
Conditions:
Browser requests draft-28.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.
910517-1 : TMM may crash while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic
Conditions:
- Client HTTP profile
- Server SSL profile
- Server HTTP/2 profile
- Undisclosed request conditions
Impact:
TMM may crash, leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes HTTP traffic as expected
910417-2 : TMM core may be seen when reattaching a vector to a DoS profile
Component: Advanced Firewall Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.
910253-2 : BD error on HTTP response after upgrade★
Component: Application Security Manager
Symptoms:
After upgrade, some requests can cause BD errors on response:
BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040
IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.
Impact:
For some requests, the response can arrive truncated or not arrive at all.
Workaround:
Add an iRule that deletes ASM cookies:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.
910201-3 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended;
This occurs for various reasons; BIG-IP end users have no influence on it occurring.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
910177 : Poor HTTP/3 throughput
Component: Local Traffic Manager
Symptoms:
HTTP/3 throughput is poor.
Conditions:
Virtual Server configured with an HTTP/3 profile.
Impact:
Performance might be severely degraded.
Workaround:
There is no alternative other than not using the HTTP/3 profile.
Fix:
Erroneously enabled debug logs are now turned off, so performance is improved.
910097-2 : Changing per-request policy while tmm is under traffic load may drop heartbeats
Component: Access Policy Manager
Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash
Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.
910017-2 : Security hardening for the TMUI Interface page
Solution Article: K21540525
909837-1 : TMM may consume excessive resources when AFM is provisioned
Solution Article: K05204103
909673 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms
Component: TMOS
Symptoms:
TMM crashes when VLAN SYN cookie feature is used.
Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.
Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
VLAN SYN cookie processing now functions as expected.
909237-6 : CVE-2020-8617: BIND Vulnerability
Solution Article: K05544642
909233-6 : DNS Hardening
Solution Article: K97810133
909197-3 : The mcpd process may become unresponsive
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.
909161-3 : A core file is generated upon avrd process restart or stop
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
908873-1 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.
This was encountered during internal testing of a certain iRule configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
908673-5 : TMM may crash while processing DNS traffic
Solution Article: K43850230
908621-2 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.
908601-2 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.
Impact:
The BIG-IP system is unable to complete the boot process and become active.
Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.
Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.
You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.
908517-3 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
Component: TMOS
Symptoms:
LDAP authentication fails with an error message:
err nslcd[2867]: accept() failed: Too many open files
Conditions:
This problem occurs when user-template is used instead of Bind DN.
Impact:
You cannot logon to the system using LDAP authentication.
Workaround:
None.
Fix:
LDAP authentication now succeeds when user-template is used.
908065-2 : Logrotation for /var/log/avr blocked by files with .1 suffix
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
908021-1 : Management and VLAN MAC addresses are identical
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
907765-1 : BIG-IP system does not respond to ARP requests if it has a route to the source IP address
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system receives an ARP request from a source IP address for which it has a route configured, the BIG-IP system does not give an ARP reply.
Conditions:
-- BIG-IP system receives an ARP who-is request for one of its self ip addresses.
-- The source IP address is in a different network, and the BIG-IP system has an L3 route configured for it.
Impact:
BIG-IP does not send an ARP reply.
Workaround:
None.
Fix:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Behavior Change:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
907549-1 : Memory leak in BWC::Measure
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
907337-2 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
907245-1 : AFM UI Hardening
Solution Article: K94255403
907201-2 : TMM may crash when processing IPSec traffic
Solution Article: K66782293
906889-4 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Component: TMOS
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
906885-1 : Spelling mistake on AFM GUI Flow Inspector screen
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
906377-2 : iRulesLX hardening
Solution Article: K61643620
905905-1 : TMUI CSRF vulnerability CVE-2020-5904
Solution Article: K31301245
905557-1 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
905125-2 : Security hardening for APM Webtop
Solution Article: K30343902
904937-2 : Excessive resource consumption in zxfrd
Solution Article: K25595031
904845-2 : VMware guest OS customization works only partially in a dual stack environment.
Component: TMOS
Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).
By default, DHCP is enabled on the management interface.
During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.
Conditions:
Applying a customization profile to VMware VM in a dual stack environment.
Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.
Workaround:
Configure the mgmt interface addresses using the config script.
Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.
904785-1 : Remotely authenticated users may experience difficulty logging in over the serial console
Component: TMOS
Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user
Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.
Impact:
Remotely authenticated users cannot log in over the serial console.
Workaround:
Using either of the following workaround:
-- Log in over SSH instead
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.
904705-2 : Cannot clone Azure marketplace instances.
Component: TMOS
Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.
Conditions:
Applies to any Azure marketplace instance.
Impact:
Cannot clone Azure marketplace instances.
Workaround:
None.
Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.
904593-1 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
904373-3 : MRF GenericMessage: Implement limit to message queues size
Component: Service Provider
Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.
Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.
Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.
Workaround:
None.
Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.
904165-1 : BIG-IP APM vulnerability CVE-2020-27716
Solution Article: K51574311
904133-1 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code
Component: Application Security Manager
Symptoms:
Creating user-defined signature via iControl REST occasionally fails with a 400 response code.
Conditions:
You create a user-defined signature via iControl REST via this endpoint:
POST https://<BIG-IP>/mgmt/tm/asm/signatures
Impact:
Signature creation fails with 400 response code:
{
"code": 400,
"message": "remoteSender:10.10.10.10, method:POST ",
"originalRequestBody": "{...}",
"referer": "10.10.10.10",
"restOperationId": 6716673,
"kind": ":resterrorresponse"
}
Fix:
Creating user-defined signatures via REST works correctly.
904053-2 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disable Learning mode for the Policy disables Cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
904041-2 : Ephemeral pool members may be incorrect when modified via various actions
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
903905-2 : BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances
Component: Access Policy Manager
Symptoms:
The TMM process might eventually run out of memory, which can result in a disruption in BIG-IP services.
Conditions:
-- BIG-IP device has been running for 8 weeks or longer without a TMM restart or system reboot.
-- The BIG-IP system's internal risk-policy subsystem (used by the security features) has not been configured to communicate with an external risk-policy server.
-- In a vCMP configuration, the BIG-IP 'host' instance is susceptible, since no security features can be configured in its context.
-- A BIG-IQ device running any BIG-IQ v8.x release prior to 8.1.0.1 is also susceptible.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.
903581-1 : The pkcs11d process cannot recover under certain error condition
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
Fix:
Allow pkcs11d to re-initialize on error.
903573 : AD group cache query performance
Component: Access Policy Manager
Symptoms:
Active Directory queries are slow.
Conditions:
-- Active Directory (AD) authentication used
-- There are lots of AD caches in the environment, and users are in deeply nested groups.
Impact:
Active Directory query time can be excessive.
Fix:
Improved AD cache optimization.
903561-3 : Autodosd returns small bad destination detection value when the actual traffic is high
Component: Advanced Firewall Manager
Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.
Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.
Impact:
A small bad destination detection value is returned.
Workaround:
None.
Fix:
Fixed the threshold update algorithm.
903357-2 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
902485-3 : Incorrect pool member concurrent connection value
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
902417-2 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.
902401-5 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device
Component: TMOS
Symptoms:
The ospfd process generates a core.
Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.
Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.
Workaround:
None.
Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.
902141-1 : TMM may crash while processing APM data
Solution Article: K94563369
901929-2 : GARPs not sent on virtual server creation
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
Fix:
GARPs are now sent when a virtual server is created.
901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.
Component: Application Security Manager
Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
Fix:
Set the cookie so all requests in the target domain will contain it.
901041-3 : CEC update using incorrect method of determining number of blades in VIPRION chassis★
Component: Traffic Classification Engine
Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
900933-1 : IPsec interoperability problem with ECP PFS
Component: TMOS
Symptoms:
IPsec tunnels fails to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.
900905-3 : TMM may crash while processing SIP data
Solution Article: K42830212
900797-2 : Brute Force Protection (BFP) hash table entry cleanup
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
900793-1 : APM Brute Force Protection resources do not scale automatically
Solution Article: K32055534
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
900789-2 : Alert before Brute Force Protection (BFP) hash are fully utilized
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
900757-2 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
899009 : Azure Active Directory deployment fails on BIG-IP 15.1
Component: Access Policy Manager
Symptoms:
In restnoded.log you see an error:
severe: [[azureUtils] ] Cannot get key data. Worker not available :/tm/access/certkey-file-helper/available, details: URI path /tm/access/certkey-file-helper/available not registered. Please verify URI is supported and wait for /available suffix to be responsive.
Conditions:
Azure Active Directory is enabled.
Impact:
Azure Active Directory can not be deployed on BIG-IP 15.1
898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Component: Service Provider
Symptoms:
GTP message parsing fails and log maybe observed as below:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes
Impact:
- message parsing fails, traffic maybe interupted
Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes
898949-1 : APM may consume excessive resources while processing VPN traffic
Solution Article: K04518313
898741-2 : Missing critical files causes FIPS-140 system to halt upon boot
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
898705-5 : IPv6 static BFD configuration is truncated or missing
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
Fix:
These iRule commands are now available within these iRule events.
898441-1 : Enable logging of IKE keys
Component: TMOS
Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.
Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.
Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.
Workaround:
None, although the remote peer may log this information.
Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.
898365-1 : XML Policy cannot be imported
Component: Application Security Manager
Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.
Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.
Impact:
Such a policy cannot be imported.
Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>
Fix:
XML Policy export generates files that correctly correspond to the expected schema and can be imported.
898093-2 : Removing one member from a WideIP removes it from all WideIPs.
Component: Global Traffic Manager (DNS)
Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.
Conditions:
Use the 'Remove' button.
Impact:
Unintended configuration changes via GUI.
Workaround:
Use the 'Manage' button, rather than the 'Remove' button.
897509-1 : IPsec SAs are missing on HA standby, leading to packet drops after failover
Component: TMOS
Symptoms:
IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.
Conditions:
-- HA mirroring is configured
-- IKEv2 tunnels are started
Impact:
During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.
Workaround:
None
Fix:
IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is only supported when IKEv2 tunnels are in use.
896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios
Component: Advanced Firewall Manager
Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.
Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).
Impact:
The counter for all VLANs does not hit : fw_zone_stat. The corresponding stat value does not increment.
Workaround:
None.
896861-2 : PTR query enhancement for RESOLVER::name_lookup
Component: Global Traffic Manager (DNS)
Symptoms:
Currently RESOLVER::name_lookup does not have PTR reverse domain mapping.
Conditions:
RESOLVER::name_lookup needs an additional iRule to make PTR query work
Impact:
Need an additional iRule to convert to reverse IP PTR query to work
Workaround:
Use an iRule to convert ip address reverse mapping
Fix:
Address IP address reverse mapping for PTR query
896817-2 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.
896709-3 : Add support for Restart Desktop for webtop in VMware VDI
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
896553-3 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)
Workaround:
Attach interfaces to all blades.
Fix:
Failed blades are detected within a second.
896473-2 : Duplicate internal connections can tear down the wrong connection
Component: TMOS
Symptoms:
Handling of duplicate internal connections can tear down and clean up the newest connection. Instead it should always remove the oldest.
Conditions:
When internal connections are re-established.
Impact:
The cleanup of previous connections may incorrectly tear down the new connection. Error messages are reported in the log when this happens, for example:
Duplicate connections between BCM56XXD1 and stpd7749-2. Closing the new one.
Workaround:
None.
Fix:
The system now always removes the oldest connection.
896285-2 : No parent entity in suggestion to add predefined-filetype as allowed filetype
Component: Application Security Manager
Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.
Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.
Impact:
No parent entity appears in the sugestion.
Workaround:
None.
Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.
896217-2 : BIG-IP GUI unresponsive
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
896125-2 : Reuse Windows Logon Credentials feature does not work with modern access policies
Component: Access Policy Manager
Symptoms:
Client users are not automatically logged on to the Edge client using previously entered Microsoft Windows credentials, while client users on Windows computers are prompted with a logon page to enter the credentials.
Conditions:
-- Access policy "customization type" should be set to "modern"
-- In connectivity profile, click Customize Package :: Windows.
-- Under Available Components, select the check box to enable User Logon Credentials Access Service.
Impact:
Unable to automatically logon to Edge client and user is prompted for credentials
Workaround:
Use standard access policy in the virtual server.
895993-2 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895981-2 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895881-1 : BIG-IP TMUI XSS vulnerability CVE-2020-5903
Solution Article: K43638305
895837-3 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core, and causes services to restart and failover.
Workaround:
None.
Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.
895781-2 : Round Robin disaggregation does not disaggregate globally
Component: TMOS
Symptoms:
Traffic is not disaggregated uniformly as expected.
Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.
Impact:
Some TMMs may use relatively more CPU.
Workaround:
None.
Fix:
Traffic is now disaggregated uniformly in a round robin fashion.
895557-2 : NTLM profile logs error when used with profiles that do redirect
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
895525-2 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895153 : HTTP::has_responded returns incorrect values when using HTTP/2
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.
Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.
Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.
894885-3 : [SAML] SSO crash while processing client SSL request
Component: Access Policy Manager
Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.
Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.
Conditions:
SAML SSO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.
894565-1 : Autodosd.default crash with SIGFPE
Component: Access Policy Manager
Symptoms:
The autodosd process crashes occasionally due to the division by zero.
Conditions:
It happens when the autodosd process receives zero value from tmm.
Impact:
Autodosd is rebooted.
Fix:
The autodosd process does not crash with SIGFPE.
893885-3 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.
893721-2 : PEM-provisioned systems may suffer random tmm crashes after upgrading★
Component: Traffic Classification Engine
Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/
Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
893281-3 : Possible ssl stall on closed client handshake
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.
Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.
Impact:
Some ssl client connection remain until idle timeout.
Fix:
Allow transmit of any pending crypto during ssl shutdown.
893061-2 : Out of memory for restjavad
Component: Application Security Manager
Symptoms:
REST framework not available due to Out of memory error
Conditions:
Long list of Live Update installations
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
892941-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Solution Article: K20105555
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
892937-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Solution Article: K20105555
Component: Access Policy Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
892677-1 : Loading config file with imish adds the newline character
Component: TMOS
Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.
892637-1 : Microservices cannot be added or modified
Component: Application Security Manager
Symptoms:
The 'Add' button is grayed out on Security :: Application Security :: Microservices, where in previous version, minimal microservice creation/modification was available.
Conditions:
-- Navigate to Security :: Application Security :: Microservices.
-- Attempt to add a microservice.
Impact:
Cannot add or modify a microservice in this version, where it was available in previous versions.
Workaround:
None
Fix:
The 'Add' button is now available to create basic microservices for Application Security.
892621-1 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software
Component: Advanced Firewall Manager
Symptoms:
BDoS Signature mitigated in software.
Conditions:
IP packets size metric in BDoS signature.
Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.
Workaround:
None.
Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.
892385 : HTTP does not process WebSocket payload when received with server HTTP response
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
891849-1 : Running iRule commands while suspending iRule commands that are running can lead to a crash
Component: Local Traffic Manager
Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.
Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.
For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.
891729-2 : Errors in datasyncd.log★
Component: Fraud Protection Services
Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM
Conditions:
Upgrades from version 13.x to 14.0.0 or higher.
Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.
Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.
If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.
Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.
891721-3 : Anti-Fraud Profile URLs with query strings do not load successfully
Component: TMOS
Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:
010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.
Conditions:
Adding a query string to a URL for an anti-fraud profile.
Impact:
After a BIG-IP config save, loading of new bigip.conf fails.
Workaround:
Follow this procedure:
1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.
Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.
891613-1 : RDP resource with user-defined address cannot be launched from webtop with modern customization
Component: Access Policy Manager
Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.
After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:
Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.
Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.
Impact:
Cannot use remote desktop resource with user-defined addresses.
Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:
1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):
-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').
Recreate similar access policy as modern access policy that is showing this problem.
If manually re-creating similar standard access policy is not possible, there is no workaround.
Fix:
Now, RDP resources with user-defined addresses can be used as expected on webtops with modern customization.
891505-3 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.
Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
When fixed, TMM works as expected and no longer leaks memory.
891477-3 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
Component: TMOS
Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None.
891457-2 : NIC driver may fail while transmitting data
Solution Article: K75111593
891385-2 : Add support for URI protocol type "urn" in MRF SIP load balancing
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
Fix:
Added support for the urn URI protocol type.
891373-2 : BIG-IP does not shut a connection for a HEAD request
Component: Local Traffic Manager
Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.
Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.
Impact:
Connection remains idle until it expires normally, consuming network resources.
Workaround:
None.
Fix:
When an HTTP HEAD request contains 'Connection: close' header and a OneConnect profile is configured on a virtual server, the BIG-IP system shuts a connection down after a response is served.
891337-1 : 'save_master_key(master): Not ready to save yet' errors in the logs
Component: TMOS
Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.
Conditions:
UCS load or configuration synchronization that includes encrypted objects.
Impact:
Many errors seen in the logs.
Workaround:
None.
Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.
891093-1 : iqsyncer does not handle stale pidfile
Component: Global Traffic Manager (DNS)
Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.
Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file
Impact:
Gtm config changes and gtm_add operations are blocked
Workaround:
Remove iqsyncer pid file manually or reboot
Fix:
Stale iqsyncer pid file condition handled in iqsyncer application
890881-4 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
Component: Local Traffic Manager
Symptoms:
Traffic drop occurs.
Conditions:
Source MAC in the ARP header and the Ethernet header do not match.
Impact:
The BIG-IP system drops these packets.
Workaround:
None.
890513-2 : MCPD fails to load configuration from binary database
Component: TMOS
Symptoms:
Mcpd errors are found in /var/log/ltm:
-- err mcpd[16068]: 01070734:3: Configuration error: MCPProcessor::initializeDB: basic_string::_S_create
-- err mcpd[16068]: 01070596:3: An unexpected failure has occurred, basic_string::_S_create, exiting...
-- err mcpd[16978]: 01b50049:3: FipsUserMgr Error: Master key load failure.
Conditions:
-- Restart MCPD (e.g. by rebooting the BIG-IP)
-- This affects BIG-IP v15.1.0.4 running on all platforms with the exception of the following:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
MCPD does not restore the configuration from its binary database, but instead re-reads the text config files (bigip.conf, et al.).
Workaround:
None.
Fix:
MCPD is again able to restore its configuration from the binary database during startup
890421-2 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★
Component: TMOS
Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217
Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.
Impact:
This may be confusing for SNMP clients expecting specific trap IDs.
Workaround:
None.
Fix:
The traps have been correctly numbered in 15.0.1.3.
Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217
890277-3 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Component: TMOS
Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on device with large number of partitions.
Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
890229-1 : Source port preserve setting is not honored
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when both of the following conditions are met:
-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
- Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
- Configuring a VLAN's 'CMP Hash' setting to a non-default value.
- Using a special variable such as non-default udp.hash or tcp.hash.
Impact:
Applications relying on a specific, fixed source port might not work as expected.
Workaround:
Set source-port to preserve-strict.
Fix:
Now source-port preserve setting does best effort to preserve the source port.
Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.
The source-port preserve setting now does best effort to preserve the source port.
889601-3 : OCSP revocation not properly checked
Solution Article: K14903688
Component: Local Traffic Manager
Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.
Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles
Impact:
The SSL handshake continues eve if a certificate is revoked.
Fix:
OCSP revocation checking now working properly.
889557-1 : jQuery Vulnerability CVE-2019-11358
Solution Article: K20455158
889505 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available
Component: Advanced Firewall Manager
Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.
Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.
Impact:
Need to manually calculate the values.
Workaround:
Make manual calculations from the current stats or configuration.
Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.
Behavior Change:
The following new MIBs are now available:
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp
889477-1 : Modern customization does not enforce validation at password changing
Component: Access Policy Manager
Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.
Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.
Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.
Workaround:
None.
889209-2 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
Component: Local Traffic Manager
Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.
Conditions:
Enabled sflow receiver is configured.
Impact:
Egress traffic is dropped.
Workaround:
Disable Sflow receiver, save configuration, reboot. (You should not re-enable the sflow receiver in versions where this bug is present)
889165-3 : "http_process_state_cx_wait" errors in log and connection reset
Component: Local Traffic Manager
Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:
err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside
Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server
Impact:
Possible connection failure.
Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.
889045-3 : Virtual server may stop responding while processing TCP traffic
Component: TMOS
Symptoms:
On certain platforms, virtual servers may stop responding while processing TCP traffic.
Conditions:
- i2000 platform
- TCP virtual server enabled
Impact:
Virtual servers stop responding.
Workaround:
N/A
Fix:
Virtual servers respond as expected when processing TCP traffic
889041-3 : Failover scripts fail to access resolv.conf due to permission issues
Component: TMOS
Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:
/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0
Impact of workaround: these commands disable SELinux policy enforcement.
889029-2 : Unable to login if LDAP user does not have search permissions
Component: TMOS
Symptoms:
A user is unable to log in using remote LDAP.
Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory
Impact:
Authentication does not work.
Workaround:
Grant search permissions to the user in LDAP.
888625 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
Component: Carrier-Grade NAT
Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.
Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.
Impact:
No functional impact. But the stats counters will be incorrect.
Fix:
Update the active port block counter correctly when port block allocation fails.
888569 : Added PBA stats for total number of free PBAs, and percent free PBAs
Component: Advanced Firewall Manager
Symptoms:
There are several port block allocation (PBA) statistics that need to be added.
Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.
Impact:
Need to manually calculate the values.
Workaround:
Make manual calculations from the current stats or configuration.
Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).
-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).
-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).
-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.
Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:
total_port_blocks
The relevant TMSH show commands have been updated to include these new values:
-- Total Port Blocks
-- Percent Free Port Blocks
888517-2 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★
Component: Local Traffic Manager
Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.
Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.
Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.
888497-2 : Cacheable HTTP Response
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
888493-2 : ASM GUI Hardening
Solution Article: K40843345
888489-2 : ASM UI hardening
Solution Article: K55873574
888417-5 : Apache Vulnerability: CVE-2020-8840
Solution Article: K15320518
888341-7 : HA Group failover may fail to complete Active/Standby state transition
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
888289-1 : Add option to skip percent characters during normalization
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
888285-1 : Sensitive positional parameter not masked in 'Referer' header value
Solution Article: K18304067
Component: Application Security Manager
Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.
Conditions:
Sending a request with positional parameter in URI and 'Referer' header.
Impact:
'Referer' header positional parameter value is not masked in logs.
Workaround:
None.
Fix:
'Referer' positional parameter value is masked as expected.
888261-1 : Policy created with declarative WAF does not use updated template.
Component: Application Security Manager
Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.
Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.
Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.
Workaround:
Create new template and use it when recreating the declarative policy.
Fix:
While creating the policy, if the saved template on the machine is older than the template file, the system replaces the file on the machine and uses the updated template.
888145-2 : When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property
Component: Access Policy Manager
Symptoms:
The entityID property of SAML Service Provider (SP) object ('apm aaa saml') accepts only a valid URI as the value if host is empty. All other values are deemed invalid.
This creates a less than optimal configuration experience in certain use-cases. For instance, when the deployment contains two SAML SP configuration objects that are essentially identical, with the only difference being the entityID value, validation prevents reusing the same object, and mandates creation of two independent configuration objects.
Conditions:
-- The BIG-IP system is used as a SAML SP with two or more SP configuration objects.
-- The only difference between two (or more) configured SP configuration objects is the value of entityID.
Impact:
None. This is a usability enhancement.
Workaround:
Creating multiple SP objects.
Fix:
This enhancement supports configuring an APM session variable in the entityID property of SAML SP ('apm aaa saml') objects, thus reducing the number of nearly duplicate SP configuration objects.
NOTE: When a session variable is used in the entityID property of a SAML SP object, the SAML metadata exported by such object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.
888113-3 : TMM may core when the HTTP peer aborts the connection
Component: Local Traffic Manager
Symptoms:
TMM cores in the HTTP proxy.
Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- The HTTP peer aborts the connection unexpectedly.
Impact:
Failover (in a DSC), or outage (standalone) as traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores in the HTTP proxy when the HTTP peer aborts the connection.
887965-1 : Virtual server may stop responding while processing TCP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, a virtual server may stop responding while processing TCP traffic.
Conditions:
- TCP virtual server with FastL4 and L7 (e.g., HTTP) profiles.
- Undisclosed conditions
Impact:
Affected virtual server becomes unavailable until conditions resolve. Other virtual servers on the system are not impacted.
Workaround:
None.
Fix:
TCP traffic is now processed as expected
887637-2 : Systemd-journald Vulnerability: CVE-2019-3815
Solution Article: K22040951
887505-1 : Coreexpiration script improvement
Component: TMOS
Symptoms:
Script fails with:
stat: cannot stat '/shared/core/*.core.*': No such file or directory.
In addition, the system reports a message in /var/log/user and /var/log/messages when there are no core files:
Deleting file /shared/core/*.core.*
Conditions:
Coreexpiration script is run.
Impact:
No core is produced. In addition, there is no core deleted.
Workaround:
To resolve the issue, add the following line to the script:
for filename in /shared/core/*.core.*; do
+ [ -e "$filename" ] || continue
# Time of last modification as seconds since Epoch
887117-2 : Invalid SessionDB messages are sent to Standby
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
887089-1 : Upgrade can fail when filenames contain spaces
Component: TMOS
Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
887017-3 : The dwbld daemon consumes a large amount of memory
Component: Advanced Firewall Manager
Symptoms:
The dwbld daemon shows very large memory consumption after adding addresses to the shun-list.
Conditions:
-- Adding a large number of IP addresses to the shun-list (millions of IP addresses).
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)
Impact:
Excessive memory consumption. If memory is exhausted, enforcement does not occur.
Workaround:
None.
Fix:
Improvements to dwbld memory handling have been implemented.
886729-2 : Intermittent TMM crash in per-request-policy allow-ending agent
Component: Access Policy Manager
Symptoms:
TMM crash.
Conditions:
When user trying to access a URL with unique hostname in the current session.
Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This intermittent TMM crash no longer occurs.
886717-1 : TMM crash while using SSL Orchestrator
Component: SSL Orchestrator
Symptoms:
On a multiple process TMM system, if a TMM process crashes, other TMM processes crash.
Conditions:
-- SSL Orchestrator is running in a system with multiple TMM processes and one of the TMM processes crashes.
-- SSL Orchestrator has been configured with HTTP (explicit or transparent) services.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Subsequent TMM core is no longer seen when any other TMM process cores.
886713-1 : Error log seen in case of SSL Orchestrator configured with http service during connection close.
Component: SSL Orchestrator
Symptoms:
An error is logged:
tmm2[24575]: 01c50003:3: Service : encountered error: ERR_UNKNOWN File: ../modules/hudfilter/service/service.c Function: hud_service_handler, Line: 778
Conditions:
SSL Orchestrator is configured with a http service and a connection closes.
Impact:
An error is logged, but it can be safely ignored.
Workaround:
None
Fix:
Error log is no longer seen in case of SSL Orchestrator configured with http service.
886693-3 : System may become unresponsive after upgrading★
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)
886689-6 : Generic Message profile cannot be used in SCTP virtual
Component: TMOS
Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
Fix:
Generic Message profile can be used in SCTP virtual
886085-5 : BIG-IP TMM vulnerability CVE-2020-5925
Solution Article: K45421311
885201-2 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
Component: Global Traffic Manager (DNS)
Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:
err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.
These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.
Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
- No route to host.
- Received a TCP RST.
- TCP handshake timeout.
Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.
These messages can be safely ignored.
Workaround:
If you want to suppress these messages, you can configure a syslog filter.
For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
Fix:
Added debug messages for SSL probing with attached DB variable
884797-4 : Portal Access: in some cases data is not delivered via WebSocket connection
Component: Access Policy Manager
Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.
Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client
Impact:
Data is not delivered to the client browser via the WebSocket connection.
Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.
884425-2 : Creation of new allowed HTTP URL is not possible
Component: Application Security Manager
Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.
Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.
Impact:
The requested page (New Allowed HTTP URL...) is not loaded.
Workaround:
Use fewer parameters (less than 5000) per policy.
884165-3 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
Component: TMOS
Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.
Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.
Impact:
Sync to the datasync groups cause the sync status of the devices to fluctuate.
883853-2 : Bot Defense Profile with staged signatures prevents signature update★
Component: Application Security Manager
Symptoms:
When a trying to install a new bot defense signature, the installation fails with the following log message:
com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.
Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.
Impact:
The new file cannot be installed.
Workaround:
Enforce the staged signature.
Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.
883717-1 : BD crash on specific server cookie scenario
Solution Article: K37466356
883577-4 : ACCESS::session irule command does not work in HTTP_RESPONSE event
Component: Access Policy Manager
Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm
No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)
Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.
Impact:
Cannot create APM session using the ACCESS::session irule command.
Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.
883529-1 : HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path
Component: Local Traffic Manager
Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.
Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than '*' (asterisk).
Impact:
HTTP/2 request with Method OPTIONS is limited to :path '*' only. Any other URIs are not forwarded to the server but are rejected with RST_STREAM with PROTOCOL_ERROR.
Workaround:
None.
Fix:
HTTP/2 request with Method OPTIONS now allows the URI to be something other than '*'. This request is not rejected, but is forwarded to the server.
883513-1 : Support for QUIC and HTTP/3 draft-27
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.
Conditions:
Browser requests draft-27.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.
883105-1 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect
Component: Local Traffic Manager
Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.
Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.
Impact:
Connections fail.
Workaround:
None.
882769-1 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed
Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter
Impact:
You are unable to search by response in the GUI
Workaround:
There is no way to search in GUI, but you can search using REST API
Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters
882713-3 : BGP SNMP trap has the wrong sysUpTime value
Component: TMOS
Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.
Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition
Impact:
The sysUpTime in the trap generated by BGP is incorrect.
Workaround:
None.
Fix:
Fixed an incorrect calculation of sysUpTime.
882633-2 : Active Directory authentication does not follow current best practices
Solution Article: K51213246
882557-2 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance
882549-2 : Sock driver does not use multiple queues in unsupported environments
Component: Local Traffic Manager
Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and
You can verify this on the tx side as well.
Conditions:
This occurs in certain unsupported environments.
Note: When you run 'ethtool -l', you can see: 'command not supported'.
Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.
Workaround:
Use other available drivers.
You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed
Fix:
Fixed an issue with the sock driver.
882377-3 : ASM Application Security Editor Role User can update/install ASU
Component: Application Security Manager
Symptoms:
Live Update modifications are allowed for Application Security Editor Role.
Conditions:
Login as Application Security Editor user and try to install ASU.
Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.
882189-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
Solution Article: K20346072
882185-6 : BIG-IP Edge Client Windows ActiveX
Solution Article: K20346072
882157-1 : One thread of pkcs11d consumes 100% without any traffic.
Component: Local Traffic Manager
Symptoms:
One thread of pkcs11d consumes 100% without any traffic.
Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.
Impact:
NetHSM configurations and statistics updates are not updated.
Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d
Fix:
The system now watches for errors and prevents this error from occurring.
881757-1 : Unnecessary HTML response parsing and response payload is not compressed
Component: Application Security Manager
Symptoms:
When either DoS Application Profile or Bot Defense profiles are used, or a complex LTM policy is used, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.
Second effect is that the Bot Defense Profile and L7 DoS profile are always, not conditionally, considered internally as a profile that modifies a body that satisfies HTTP profile chunking configuration 'sustain' (default mode) triggering client-side chunking. This causes a response in the server-side that is unchunked to be always chunked in client-side with the mode set to 'sustain'.
Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- Policy is associated with the Virtual Server and has complex LTM Policy: multiple Policies, or additional rules.
Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.
Workaround:
For version 15.1.0 and later, you can use the following workaround:
Disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false
Note: Using this brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).
For versions earlier than 15.1.0, there is no workaround.
Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.
881641 : Errors on VPN client status window in non-English environment
Component: Access Policy Manager
Symptoms:
If Network Access resource or AppTunnel resource is being accessed using user interface language other than English, JavaScript errors may be shown in VPN client status window.
Conditions:
- Customization Type of Access policy is Modern
- Access Policy with languages other than English
- Network Access resource or AppTunnel resource assigned to this Access Policy
- standalone VPN client in non-English environment
Impact:
VPN connection or AppTunnel connection cannot be established.
Fix:
Now standalone VPN client can work correctly in non-English environment
881445-7 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
Solution Article: K69154630
881317-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
881293-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
881085-3 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
880789-3 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.
Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.
Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None.
Fix:
The botd handler is now restored to a more robust process lifecycle.
880753-3 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
Solution Article: K38157961
Component: Application Security Manager
Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.
Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).
Impact:
Some requests might not be processed by the Bot Defense profile.
Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable
Fix:
The mechanism which caused this issue is now correctly enabled.
880625-3 : Check-host-attr enabled in LDAP system-auth creates unusable config
Component: TMOS
Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.
Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.
Impact:
LDAP-based auth does not function.
Workaround:
None.
880361-1 : iRules LX vulnerability CVE-2021-22973
Solution Article: K13323323
880289 : FPGA firmware changes during configuration loads★
Component: TMOS
Symptoms:
FPGA firmware on DDoS Hybrid Defender products might be changed unexpectedly during a configuration load or license update.
Conditions:
Configuration load or license update.
Impact:
FPGA firmware changes unexpectedly, reboot might be required to stabilize.
Workaround:
None.
880165-2 : Auto classification signature update fails
Component: TMOS
Symptoms:
During classification update, you get an error:
"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"
An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".
Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.
It can occur when something goes wrong during license activation, but license activation ultimately succeeds.
Impact:
When this issue occurs, auto classification signature update will fail.
Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.
880001-1 : TMM may crash while processing L4 behavioral DoS traffic
Solution Article: K58290051
879841-4 : Domain cookie same-site option is missing the "None" as value in GUI and rest
Component: Application Security Manager
Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.
Conditions:
You want to have SameSite=none attribute added to a domain cookie.
Impact:
You are unable to set SameSite=None
Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
879829-2 : HA daemon sod cannot bind to ports numbered lower than 1024
Component: TMOS
Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.
Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.
/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability
Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.
-- Version 13.1.0 or later.
Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.
Workaround:
Change the port number to 1024 or higher.
Note: UDP port 1026 is the default.
879777-3 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge
Component: Application Security Manager
Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.
Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.
Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.
Workaround:
Use "validate in a bulk" option.
Fix:
Retrieving the cookie from the related domain even if the page is qualified.
879745-4 : TMM may crash while processing Diameter traffic
Solution Article: K82530456
879413-1 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):
found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
879409-3 : TMM core with mirroring traffic due to unexpected interface name length
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.
Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.
879405-1 : Incorrect value in Transparent Nexthop property
Component: TMOS
Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN after a change is made via the DOS menu then another change is made on the advanced menu.
Conditions:
Starting with a working config if the admin makes changes
From the DoS menu
- DoS configuration -> protected objects -> protected objects list
- Select virtual server (eg: test_vpn_443) -> open Network & General -> set enabled on vlans to "test" and Transparent nexthop to "test" -> save
# Now make a change that cannot be made via the DoS menu
From the Advanced menu
- Local Traffic -> Virtual server -> Virtual server list -> select virtual server (test_vpn_443)
- Note that "Transparent Nexthop" is set to "none" despite being set to "test" in bigip.conf and DoS menu
- Change clientssl profile (or whatever change) -> update
# Now go back and check the impact
From the DoS menu
- DoS configuration -> protected objects -> protected objects list
- Select virtual server (eg: test_vpn_443) -> open Network & General -> you can see that Transparent nexthop has been set to "none"
At this point connectivity could be broken and transparent nexthop will need to be reconfigured via the DoS menu.
Impact:
Incorrect value shown in Transparent Nexthop property field. which can cause connectivity to be lost between the affected locations.
Workaround:
There are multiple possible options:
either:
Use tmsh to complete the action successfully.
or
Do not configure the same VLAN group for the VLAN list and Transparent Next Hop
or
use the advanced menu as it performs as expected.
879401-1 : Memory corruption during APM SAML SSO
Solution Article: K90423190
Component: Access Policy Manager
Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted. You might experience several types of unexpected actions, including a TMM restart and core-file generation.
Conditions:
-- BIG-IP system is configured as SAML SP.
-- External SAML IdP sends SLO request.
Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
BIG-IP systems configured as SAML SP no longer cause memory corruption when handling certain traffic.
879189-1 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
Component: TMOS
Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.
Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.
Impact:
The Network Map shows an error message.
Workaround:
Provision the module that supports the profile.
Fix:
The button text has been modified to be more informative.
879025-2 : When processing TLS traffic, LTM may not enforce certificate chain restrictions
Solution Article: K72752002
878925-2 : SSL connection mirroring failover at end of TLS handshake
Component: Local Traffic Manager
Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.
Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.
Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.
Workaround:
None.
Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.
878893-3 : During system shutdown it is possible the for sflow_agent to core
Component: TMOS
Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.
Conditions:
BIG-IP reboot can cause the sflow_agent to core.
Impact:
There is a core file in the /var/core directory after a system reboot.
Fix:
Fixed an issue causing a core of sflow_agent during shutdown.
877145-4 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
Component: TMOS
Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.
Conditions:
This can be encountered intermittently while using iControl REST.
Impact:
Login failure.
Workaround:
None.
Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.
877109-1 : Unspecified input can break intended functionality in iHealth proxy
Solution Article: K04234247
876957-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
876953-2 : Tmm crash while passing diameter traffic
Component: Service Provider
Symptoms:
Tmm crashes with the following log message.
-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.
Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash while passing diameter traffic.
876937-3 : DNS Cache not functioning
Component: TMOS
Symptoms:
DNS queries are not being cached on the BIG-IP device.
Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.
Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.
Workaround:
None.
Fix:
DNS queries are now cached when DNS Cache is enabled.
Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.
By default, DNS cache is disabled. To recapture performance, enable DNS cache.
876805-3 : Modifying address-list resets the route advertisement on virtual servers.
Component: TMOS
Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.
This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.
Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.
Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).
Workaround:
None
Fix:
Virtual address properties are now preserved when an address list is modified.
876801-5 : Tmm crash: invalid route type
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.
Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.
876581-2 : JavaScript engine file is empty if the original HTML page cached for too long
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
876393-1 : General database error while creating Access Profile via the GUI
Component: Access Policy Manager
Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:
profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access
Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.
Impact:
You are unable to create the profile using the GUI.
Workaround:
You can create the Access Profile using TMSH.
tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1
Fix:
Access Profile of type SSO can now be created and edited from the GUI.
876353-1 : iRule command RESOLV::lookup may cause TMM to crash
Solution Article: K03125360
876077-1 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up
Component: Service Provider
Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.
Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
Stale pending retransmission entries are cleaned up properly.
875401-2 : PEM subcriber lookup can fail for internet side new connections
Component: Policy Enforcement Manager
Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm
Impact:
PEM subscriber lookup can fail on the internet side
Workaround:
No workaround.
Fix:
PEM subcriber lookup now always succeeds for internet side new connections,
874949-1 : TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
Component: Access Policy Manager
Symptoms:
TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
Conditions:
Client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent, TMM will not crash.
874753-3 : Filtering by Bot Categories on Bot Requests Log shows 0 events
Component: Application Security Manager
Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.
When filtering for only Bot Category: Browser Automation, nothing Shows up.
Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log
Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.
Workaround:
None.
Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.
874677-1 : Traffic Classification auto signature update fails from GUI★
Component: Traffic Classification Engine
Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.
The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.
Conditions:
Performing Traffic Classification auto signature update using the GUI.
Impact:
Fails to update the classification signature automatically.
Workaround:
You can use either of the following:
-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.
Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.
873641-1 : Re-offloading of TCP flows to hardware does not work
Component: TMOS
Symptoms:
Once Hardware evicts the EPVA TCP flows due to Idle timeout, tmm does not reinsert the flows back when it receives a packet belonging to that flow.
Conditions:
This occurs when the TCP connection is kept idle for ~20 seconds.
Impact:
Performance can be impacted. Hardware acceleration will be disabled for the flows once the flow is removed from hardware due to Idle timeout.
Fix:
Fix will re-offload the flows to HW once SW starts receiving packets due to HW eviction of flows by Idle timeout.
873469-2 : APM Portal Access: Base URL may be set to incorrectly
Solution Article: K24415506
872965-1 : HTTP/3 does not support draft-25
Component: Local Traffic Manager
Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.
Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.
Impact:
Attempts to use HTTP/3 with some clients may fail.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-24 and draft-25.
872673-1 : TMM can crash when processing SCTP traffic
Solution Article: K26464312
872645-2 : Protected Object Aggregate stats are causing elevated CPU usage
Component: Advanced Firewall Manager
Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.
Conditions:
AFM, ASM, or DoS features are provisioned.
Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.
Workaround:
None.
Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.
872049-1 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command
Component: Advanced Firewall Manager
Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)
Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command
Impact:
Incorrect display value for DoS thresholds in GUI and tmctl
Fix:
Do not apply multiplayer for infinite threshold value (4294967295).
871985-1 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection
Component: Advanced Firewall Manager
Symptoms:
There are no hardware mitigation for DoS attacks
Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector
Impact:
DoS attack mitigation performed only by software
Fix:
Improved search in already hardware offloaded entities
871905-2 : Incorrect masking of parameters in event log
Solution Article: K02705117
Component: Application Security Manager
Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.
Conditions:
The request contains a CSRF token and sensitive parameters.
Impact:
Sensitive parameters values can be masked incorrectly in the event log.
Workaround:
None.
Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.
871761-1 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Component: Access Policy Manager
Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
871657-1 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
871653-1 : Access Policy cannot be created with 'modern' customization
Component: Access Policy Manager
Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.
Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.
Impact:
Administrator cannot use modern customization.
Workaround:
1. In bigip.conf find the following line:
apm policy customization-source /Common/standard { }
2. Add the following line:
apm policy customization-source /Common/modern { }
3. Save the changes.
4. Load the config:
tmsh load sys config
Fix:
Now modern customization can be used for any Access Policy.
871633-1 : TMM may crash while processing HTTP/3 traffic
Solution Article: K61367237
871561-5 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★
Component: TMOS
Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:
failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)
The failed installation is also indicated by log messages in /var/log/ltm similar to:
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)
Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.
This can be accomplished by running the following command from the vCMP guest console:
tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.
870957-4 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.
Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.
Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
$ bigstart restart monpd
Fix:
Dividing the TMM value with 100 to fit correct scale.
870389-3 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
Component: TMOS
Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.
Conditions:
This applies to deployments that use declarative onboarding for configuration.
Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.
Workaround:
The workaround is to manually extend the /var logical volume.
For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.
Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.
Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.
870385-5 : TMM may restart under very heavy traffic load
Component: Advanced Firewall Manager
Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.
Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts under these conditions.
870381-1 : Network Firewall Active Rule page does not load
Component: Advanced Firewall Manager
Symptoms:
In the BIG-IP GUI, the Network Firewall Active Rule page is blank and nothing is visible.
Conditions:
This occurs when viewing the Active Rule page.
Impact:
You are unable to view active Rules in GUI.
Workaround:
None.
Fix:
Network Firewall Active Rule page is now visible in the GUI.
870273-5 : TMM may consume excessive resources when processing SSL traffic
Solution Article: K44020030
869653-1 : VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction
Component: Access Policy Manager
Symptoms:
VCMP secondary blade restarts when creating more than one access profile in a transaction.
Conditions:
- In one transaction
- Create more than one access profiles
Impact:
Blade restarts and traffic is disrupted.
Fix:
All VCMP blades will continue to work when creating more than one access profile in a transaction.
869361-1 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
Component: Global Traffic Manager (DNS)
Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.
Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.
Impact:
Unable to manage wide IPs through the GUI.
Workaround:
Use tmsh to manage Inbound WideIPs.
869049-4 : Charts discrepancy in AVR reports
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats on DB get corrupted and incorrect.
Workaround:
None.
Fix:
Aggregation store-procedure is now fixed.
868781-1 : TMM crashes while processing MRF traffic
Component: Service Provider
Symptoms:
TMM panic occurs when processing overflowed the MPI messages due to incorrectly calculated master key length:
../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.
Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.
-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM crash no longer occurs under these conditions.
868721-1 : Transactions are held for a long time on specific server related conditions
Component: Application Security Manager
Symptoms:
Long request buffers are kept around for a long time in bd.
Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.
Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.
Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.
Fix:
Add a check for this scenario so transactions will be released correctly.
868641-3 : Possible TMM crash when disabling bot profile for the entire connection
Component: Application Security Manager
Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.
Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.
Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.
868381-1 : MRF DIAMETER: Retransmission queue unable to delete stale entries
Component: Service Provider
Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.
Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.
868349-1 : TMM may crash while processing iRules with MQTT commands
Solution Article: K62830532
868209-3 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.
This defect will also cause active FTP data connections over vlan-group to fail.
Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.
OR
- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.
Impact:
Server-side connections will fail.
Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)
868097-3 : TMM may crash while processing HTTP/2 traffic
Solution Article: K58494243
868053-3 : Live Update service indicates update available when the latest update was already installed
Component: Application Security Manager
Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.
Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.
Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.
Workaround:
None.
Fix:
The Live Update service no longer displays a false message regarding updates available.
867825-4 : Export/Import on a parent policy leaves children in an inconsistent state
Component: Application Security Manager
Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.
Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.
Impact:
The children on the different devices are left unexpectedly in different states.
Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.
867793-1 : BIG-IP sending the wrong trap code for BGP peer state
Component: TMOS
Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.
Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.
Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.
Workaround:
None.
Fix:
BIG-IP now sends the correct trap code for BGP peer state.
Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state into which the system is transitioning. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.
867373-4 : Methods Missing From ASM Policy
Component: Application Security Manager
Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.
Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.
Impact:
All traffic is blocked for the policy.
Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.
Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.
867181-1 : ixlv: double tagging is not working
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
Fix:
Both VLAN tags are now present in packets.
867013-2 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.
Workaround:
None.
Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.
866925-5 : The TMM pages used and available can be viewed in the F5 system stats MIB
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
866685-1 : Empty HSTS headers when HSTS mode for HTTP profile is disabled
Component: Access Policy Manager
Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.
Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.
Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.
Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:
when HTTP_RESPONSE_RELEASE {
if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
HTTP::header remove "Strict-Transport-Security"
}
}
Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.
866613-4 : Missing MaxMemory Attribute
Component: Application Visibility and Reporting
Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.
Conditions:
This is encountered when viewing the System Monitor report.
Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').
Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.
Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.
Fix:
The MaxMemory attribute is now reported in System Monitor statistics.
866481-2 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode
Component: Local Traffic Manager
Symptoms:
TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode.
Conditions:
-- HTTP profile is attached to the virtual server.
-- The httprouter profile is attached to the virtual server.
-- HTTP goes into passthrough mode for any variety of reasons.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when HTTP-MR proxy attempts goes into passthrough mode.
866161-1 : Client port reuse causes RST when the security service attempts server connection reuse.
Component: Access Policy Manager
Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.
866109-2 : JWK keys frequency does not support fewer than 60 minutes
Component: Access Policy Manager
Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:
01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.
Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.
Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.
Workaround:
Use a value of 60 minutes or higher.
Fix:
Auto discovery frequency now supported values lower than 60 minutes.
866073-2 : Add option to exclude stats collection in qkview to avoid very large data files
Component: TMOS
Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:
qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938
Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.
Impact:
Qkview files may not be able to be parsed by the iHealth service.
Also, memory allocation error messages may be displayed when generating qkview.
Workaround:
None.
Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.
Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.
866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.
865461-1 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crash on specific scenario
Conditions:
A brute force attack mitigation using captcha or client side challenge.
Impact:
BD crash, failover.
Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.
865289-1 : TMM crash following DNS resolve with Bot Defense profile
Component: Application Security Manager
Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.
Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when Bot Defense is enabled and network DNS is configured.
865241-1 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
865225-1 : 100G modules may not work properly in i15000 and i15800 platforms
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
865177-4 : Cert-LDAP returning only first entry in the sequence that matches san-other oid
Component: TMOS
Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists
Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids
Impact:
Only the first matching oid is returned.
865053-3 : AVRD core due to a try to load vip lookup when AVRD is down
Component: Application Visibility and Reporting
Symptoms:
AVRD cores during startup.
Conditions:
Avrd receives a SIGTERM while it is starting.
Impact:
This can lead to an AVRD core.
Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.
864797-2 : Cached results for a record are sent following region modification
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.
Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.
-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.
Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.
Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.
Fix:
The system now handles regions item changes as expected, so this issue no longer occurs.
864757-3 : Traps that were disabled are enabled after configuration save
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
864677-1 : ASM causes high mcpd CPU usage
Component: Application Security Manager
Symptoms:
-- CPU utilization is high on the odd-numbered cores.
-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score
Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.
Impact:
Elevated CPU usage.
Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.
-- Restart ASM:
bigstart restart asm
Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.
864513-1 : ASM policies may not load after upgrading to 14.x or later from a previous major version★
Solution Article: K48234609
Component: TMOS
Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.
Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.
Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.
Workaround:
You can use either of the following workarounds.
-- Remove ASM Policies while upgrading:
1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
2. Upgrade.
3. Reassociate each ASM Security Policy with its original virtual server.
-- Restore the UCS on a new boot location after upgrade:
1. Prior to upgrade, create a UCS.
2. Upgrade or create a new instance of the software version at the target location.
3. Restore the UCS at the new location.
Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.
864329-3 : Client port reuse causes RST when the backend server-side connection is open
Component: SSL Orchestrator
Symptoms:
The BIG-IP system or SSL Orchestrator does not close server-side connections when the security service closes the connection with the BIG-IP or SSL Orchestrator. So if client reuses the port, SSL Orchestrator rejects new connections by sending RST.
Conditions:
-- Service profile is attached to virtual server.
or
-- SSL Orchestrator is licensed and provisioned and Service chain is added in the security policy.
-- Security service closes the server-side connection with SSL Orchestrator.
-- Client reuses the source port.
Impact:
The BIG-IP system or SSL Orchestrator rejects new connection from clients when a client reuses the port.
Workaround:
None.
Fix:
The BIG-IP system or SSL Orchestrator no longer rejects the client connection when the client reuses the port.
864109-1 : APM Portal Access: Base URL may be set to incorrectly
Solution Article: K24415506
863917-2 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
863609-4 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
Component: Application Security Manager
Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.
Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes
Impact:
There are differences after deploy.
Workaround:
Discover and deploy again from BIG-IQ
Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.
863401-1 : QUIC congestion window sometimes increases inappropriately
Component: Local Traffic Manager
Symptoms:
When QUIC is discovering the link bandwidth, it sometimes increases the congestion window when there is not enough available data to use the existing congestion window.
Conditions:
When the application is not generating enough data, or any streams with data are stream flow control limited.
Impact:
In some cases, the congestion window can be too large for the path and cause packet losses if it is later fully utilized.
Workaround:
None
Fix:
Correctly check for data limitations before increasing congestion window.
863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.
Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.
Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.
863069-1 : Avrmail timeout is too small
Component: Application Visibility and Reporting
Symptoms:
AVR report mailer times out prematurely and reports errors:
AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.
Conditions:
Configure reports, which will be sent to e-mail
Impact:
Error response from SMTP server, and the report is not sent
Workaround:
Increase timeout in avrmail.php via bash commands
Fix:
The timeout was increased in avrmail.php
862937-3 : Running cpcfg after first boot can result in daemons stuck in restart loop★
Component: TMOS
Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.
Conditions:
Running cpcfg on a volume that has already been booted into.
Impact:
Services do not come up.
Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:
# touch /.autorelabel
# reboot
862885-2 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
Component: Local Traffic Manager
Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.
Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.
Impact:
TMM generates a core and reports an OOPs message:
no trailing data.
Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.
Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.
862793-1 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
Component: Application Security Manager
Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.
Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.
Workaround:
None.
Fix:
The software now replies with the blocking page, including the ASM support ID.
862597-7 : Improve MPTCP's SYN/ACK retransmission handling
Component: Local Traffic Manager
Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
MPTCP's SYN/ACK retransmission handling is improved.
862557-1 : Client-ssl profiles derived from clientssl-quic fail validation
Component: Local Traffic Manager
Symptoms:
After configuring a clientssl-quic profile, you get a validation error:
01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).
Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.
Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.
Workaround:
Modify the clientssl-quic profile to have the following properties:
cipher-group quic
ciphers none
This requires the following additional config objects:
ltm cipher group quic {
allow {
quic { }
}
}
ltm cipher rule quic {
cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
description "Ciphers usable by QUIC"
}
Fix:
Update the built-in configuration to pass validation.
860881-3 : TMM can crash when handling a compressed response from HTTP server
Component: Local Traffic Manager
Symptoms:
TMM crashes while handling HTTP response
Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable compression on the server.
860617-3 : Radius sever pool without attaching the load balancing algorithm will result into core
Component: Access Policy Manager
Symptoms:
Tmm crashes after configuring a radius server pool.
Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.
Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Pool selection counter gets incremented and message will be freed.
860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
860349-3 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
Component: TMOS
Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .
The /var/log/secure will show :
/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145
/var/log/daemon.log will show ;
/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.
> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault
Conditions:
LDAP/nslcd config , remote authentication , user-template used
The values within user-template include white spaces :
example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org
Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.
Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon
860317-3 : JavaScript Obfuscator can hang indefinitely
Component: TMOS
Symptoms:
High CPU usage by obfuscator for an extended period of time.
Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.
Impact:
High CPU Usage.
Workaround:
Kill the obfuscator process
Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.
860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core
Component: Service Provider
Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.
when CLIENT_ACCEPTED {
... omitted ...
after 1000 -periodic {
... omitted ...
reject
GENERICMESSAGE::message create "test"
}
}
This relates to ID 859113.
Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event
Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core
859717-2 : ICMP-limit-related warning messages in /var/log/ltm
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
859113-1 : Using "reject" iRules command inside "after" may causes core
Component: Local Traffic Manager
Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.
when CLIENT_ACCEPTED {
... omitted ...
after 1000 -periodic {
... omitted ...
reject
GENERICMESSAGE::message create "test"
}
}
This relates to ID 859721
Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event
Fix:
Using "reject" iRules command inside "after" no longer cause core.
859089-7 : TMSH allows SFTP utility access
Solution Article: K00091341
858973-1 : DNS request matches less specific WideIP when adding new wildcard wideips
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2
Solution Article: K82498430
Component: TMOS
Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.
Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.
Impact:
The longer keys lengths for SNMPv3 cannot be used.
Workaround:
None
Fix:
With the net-snmp 5.8 libraries there is SHA-2 support for longer SHA and AES keys. New options are: SHA-224, 256, 384, and 512 and AES-192, 192-C, 256, 256-C.
858701-1 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
858537-2 : CVE-2019-1010204: Binutilis Vulnerability
Solution Article: K05032915
858429-3 : BIG-IP system sending ICMP packets on both virtual wire interface
Component: Local Traffic Manager
Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.
Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.
Impact:
Traffic is disrupted in the network.
Workaround:
None.
858349-3 : TMM may crash while processing SAML SLO traffic
Solution Article: K44808538
858301-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858297-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858289-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858285-1 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858229-5 : XML with sensitive data gets to the ICAP server
Solution Article: K22493037
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy related changes
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
858197-2 : Merged crash when memory exhausted
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
Fix:
Remove function call to drop row from table on error path where row was not successfully added.
858189-3 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.
Component: Device Management
Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.
Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.
Workaround:
None.
Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.
Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:
restnoded.timeout
restjavad.timeout
icrd.timeout
The default value is 60 seconds for each of these.
A restart of restjavad and restnoded is required for the change to take effect.
tmsh restart /sys service restjavad
tmsh restart /sys service restnoded
858025-1 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
Solution Article: K33440533
857953-2 : Non-functional disable/enable buttons present in GTM wide IP members page
Component: Global Traffic Manager (DNS)
Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.
Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./
Impact:
No action against the selected members occurs when the buttons are pressed.
Workaround:
None.
857845-1 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
Component: Local Traffic Manager
Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.
Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.
Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.
857633-7 : Attack Type (SSRF) appears incorrectly in REST result
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
857589-1 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
Component: Access Policy Manager
Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x
Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.
Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.
Workaround:
None.
Fix:
The system now shows a prompt/pop-up for credentials and signs-in successfully.
856961-7 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207
Solution Article: K17269881
856953-4 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
Component: TMOS
Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.
Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.
Fix:
TMM no longer cores.
856725-1 : Missing learning suggestion for "Illegal repeated parameter name" violation
Component: Application Security Manager
Symptoms:
Some URL/parameter related suggestions are not issued
Conditions:
The can occur on URLs that are configured with a method. It can also occur on URL-level parameters that are configured on such URLs.
Impact:
Some learning suggestions are not issued as expected
Workaround:
None
Fix:
After fix suggestions are issued as expected
854493-5 : Kernel page allocation failures messages in kern.log
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)
You must do this on each blade installed in the system.
When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures.
854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
854001-2 : TMM might crash in case of trusted bot signature and API protected url
Component: Application Security Manager
Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.
Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.
Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.
853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.
Impact:
TCP connections hangs, and data transfer cannot be completed.
Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.
Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.
853585-1 : REST Wide IP object presents an inconsistent lastResortPool value
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
Component: Service Provider
Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.
Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.
Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.
Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.
Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.
853325-1 : TMM Crash while parsing form parameters by SSO.
Component: Access Policy Manager
Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.
Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.
Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.
Workaround:
Do not use Passthrough mode with SSO.
Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.
853101-2 : ERROR: syntax error at or near 'FROM' at character 17
Component: TMOS
Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.
Conditions:
Enabled turboflex-security and AFM module.
Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.
Workaround:
None.
Fix:
Correct is AFMProvisioned check was added to wrap database connection deallocation
852929-6 : AFM WebUI Hardening
Solution Article: K25160703
852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped
Component: Local Traffic Manager
Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.
Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.
Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.
Workaround:
None.
Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop
852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
Component: Local Traffic Manager
Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.
Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.
Impact:
TMM cores intermittently.
Workaround:
No workaround.
Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.
852557-3 : Tmm core while using service chaining for SSL Orchestrator
Component: SSL Orchestrator
Symptoms:
Tmm core found when using service chaining for SSL Orchestrator (SSL Orchestrator).
Conditions:
SSL Orchestrator with service chaining.
Impact:
Tmm crashes and generates a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tmm no longer crashes while using service chaining for SSL Orchestrator.
852481-3 : Failure to check virtual-server context when closing server-side connection
Component: SSL Orchestrator
Symptoms:
The TMM process may fail with a segment fault (SIGSEGV) panic and deposit a core file.
Conditions:
-- SSL Orchestrator configuration.
-- Closing server-side connection.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer experiences panic when server-side connections are being closed.
852477-3 : Tmm core when SSL Orchestrator is enabled
Component: SSL Orchestrator
Symptoms:
The tmm process may fail with a segment fault (SIGSEGV) panic and deposit a core file.
Conditions:
This can occur when SSL Orchestrator is enabled and is passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Tmm no longer experiences panic when draining data from server-side connections that are being closed.
852437-3 : Overly aggressive file cleanup causes failed ASU installation
Solution Article: K25037027
Component: Application Security Manager
Symptoms:
Directory cleanup for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.
Conditions:
An ASU runs at the same time as the file cleanup task.
Impact:
The ASU fails to complete successfully.
Workaround:
The default clean interval is 300 seconds (5 minutes).
1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles
2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles
3. Upgrade the ASU immediately.
If 5 minutes is not enough, you can increase the clean interval.
1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:
From:
[CleanFiles]
Interval=300
To:
[CleanFiles]
Interval=3000
Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.
2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>
3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles
4. Install the ASU; the temp files can stay in the folder for 50 minutes.
5. After the ASU is installed, change the interval back to 300 and restart asmcrond.
6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log
Fix:
The directory cleanup does not clean up files that are being actively used for an installation.
852373-3 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
Component: Local Traffic Manager
Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:
TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".
Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.
Impact:
HTTP/2 traffic is not passed to the serverside.
Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside
Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.
852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
Component: Access Policy Manager
Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431
Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.
Impact:
VMware Horizon client cannot connect to APM after some time.
Workaround:
None.
Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.
852289-4 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Solution Article: K23278332
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
DNS over TCP is DDoS attack is not mitigated correctly.
Workaround:
Using DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
852101-1 : Monitor fails.
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.
852001-1 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
Component: TMOS
Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.
Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.
Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.
Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.
Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.
851857-1 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.
851789-2 : SSL monitors flap with client certs with private key stored in FIPS
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
851745-3 : High cpu consumption due when enabling large number of virtual servers
Component: Advanced Firewall Manager
Symptoms:
Observed autodosd CPU burst
Conditions:
Enable autodosd and a large number of virtual servers
Impact:
High cpu utilization in autodosd
Workaround:
Disable autodosd
Fix:
Autodosd no longer excessively consumes CPU cycles.
851581-3 : Server-side detach may crash TMM
Component: Local Traffic Manager
Symptoms:
TMM crash with 'server drained' panic string.
Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.
Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.
Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.
-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.
Fix:
TMM does not crash no matter when the server-side detach is triggered.
851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores
Component: Local Traffic Manager
Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.
Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.
Impact:
TMM cores when accessing uninitialized memory.
Workaround:
No workaround.
Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.
851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
Component: Local Traffic Manager
Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.
Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.
Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.
Workaround:
Configure correct value of max uni-streams in QUIC profile.
Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.
851393-1 : Tmipsecd leaves a zombie rm process running after starting up
Component: TMOS
Symptoms:
After booting the system, you notice zombie 'rm' processes:
$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
Restarting tmipsecd will kill the zombied process but will start a new one.
Conditions:
-- IPsec is enabled.
-- Booting up the system.
Impact:
A zombie 'rm' process exists. There should be no other impact.
Workaround:
None.
851345-1 : The TMM may crash in certain rare scenarios involving HTTP/2
Component: Local Traffic Manager
Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.
The TMM may crash in rare scenarios when a stream is being torn down.
Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.
851045-1 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
850973-1 : Improve QUIC goodput for lossy links
Component: Local Traffic Manager
Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.
Conditions:
The tested links are lossy (e.g, 0.1% loss probability).
Impact:
QUIC completes the data transfer in longer time.
Workaround:
N/A
Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.
850933-1 : Improve QUIC rate pacing functionality
Component: Local Traffic Manager
Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.
Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.
Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.
Workaround:
N/A
Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.
850873-3 : LTM global SNAT sets TTL to 255 on egress.
Component: Local Traffic Manager
Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.
Conditions:
Traffic is handled by global SNAT.
Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.
Workaround:
None.
850777-3 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
Component: TMOS
Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.
Errors similar to one below are seen in an LTM log:
err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.
Conditions:
- Static management IP address configuration.
- Instance is restarted.
Impact:
Instance is not operational after restart.
Workaround:
After instance is fully booted, reload the license with 'reloadlic'.
Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.
850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
Component: Application Security Manager
Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.
Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.
Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.
Workaround:
Use UTF-8.
Fix:
This release supports REST access in non-UTF-8 policies.
850673-1 : BD sends bad ACKs to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- if unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
850641-2 : Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies
Component: Application Security Manager
Symptoms:
An incorrect parameter is created for names with non-ASCII characters, e.g., a parameter with Chinese characters in the name in a BIG-IP encoding policy.
Conditions:
Non-UTF8 policy parameters created using the GUI.
Impact:
The BIG-IP system does not enforce these parameters, and the list of parameters is not rendered correctly.
Workaround:
Create the parameter using REST API.
Fix:
Parameters are now created correctly in the GUI for any policy encoding and any characters in the parameter name.
850509-1 : Zone Trusted Signature inadequately maintained, following change of master key
Component: Global Traffic Manager (DNS)
Symptoms:
During config load or system start-up, you may see the following error:
-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.
In some instances, other errors resembling the following may appear:
-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.
-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).
Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.
Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.
Workaround:
None.
Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.
850277-1 : Memory leak when using OAuth
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
Component: TMOS
Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.
Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.
Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.
Workaround:
None.
850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
Component: Local Traffic Manager
Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.
Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.
Impact:
Connection hangs and is eventually reset.
Workaround:
No workaround.
Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.
849405-2 : LTM v14.1.2.1 does not log after upgrade★
Component: TMOS
Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.
Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.
Impact:
Logs are not generated and sysstat.service is not running.
Workaround:
Once the BIG-IP system starts up, check for failed services:
systemctl list-units --failed
If results show sysstat.service as FAILED, run the following command:
restorecon -Rv /var/log/sa6 && systemctl start sysstat
849157-2 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
Component: TMOS
Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.
Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.
Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.
Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm
Note: Restarting tmm causes an interruption to traffic.
Fix:
SCTP connections now expire properly after the maximum number of INITs have been attempted and can no longer get stuck in this case.
849085-1 : Lines with only asterisks filling message and user.log file
Component: TMOS
Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.
For example:
Nov 12 10:40:57 bigip1 **********************************************
Conditions:
Snmp query an OID handled by sflow, for example:
snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1
Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.
Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.
Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.
=============================================
Solution #1 - Filter out all sflow_agent logs:
1) remount /usr as read+write:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only
mount -o ro,remount /usr
=============================================
Solution #2 - Filter out all messages with \n or \r:
1) remount /usr as r+w:
mount -o rw,remount /usr
2) Make a backup copy of the template:
cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig
3) Add write permissions to the template:
chmod +w /usr/share/defaults/config/templates/syslog.tmpl
4) Add the filter to syslog.tmpl:
4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl
4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};
filter f_no_multi_line {
not (message('\n') or message('\r'));
};
4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}
5) Save the changes and quit vi.
6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice
7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.
8) remount /usr as read-only:
mount -o ro,remount /usr
Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.
848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
Component: Local Traffic Manager
Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:
-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).
Conditions:
-- Create custom partition.
-- Create custom route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port, or port list.
-- Now, try to Sync to high availability (HA) peer.
Impact:
Sync fails with error. Configuration does not sync to peer node.
On VIPRION systems this may cause mcpd on a secondary blade to crash and fail to come up.
Workaround:
None
Fix:
Configuration now syncs to peer node successfully.
848445-1 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
Solution Article: K86285055
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.
Workaround:
Can defined the parameters as global sensitive parameters.
Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer
848405-2 : TMM may consume excessive resources while processing compressed HTTP traffic
Solution Article: K26244025
847325-3 : Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
Component: Local Traffic Manager
Symptoms:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Conditions:
-- A OneConnect profile is combined with certain persist profiles on a virtual server.
-- The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.
-- The persistence types that are affected are:
- Source Address (but not hash-algorithm carp)
- Destination Address (but not hash-algorithm carp)
- Universal
- Cookie (only cookie hash)
- Host
- SSL session
- SIP
- Hash (but not hash-algorithm carp)
Impact:
-- High tmm CPU utilization.
-- Stalled connections.
-- Incorrect persistence decisions.
Workaround:
None.
Fix:
Changing a virtual server that uses a OneConnect profile no longer triggers incorrect persistence behavior.
847105-2 : The bigip_gtm.conf is reverted to default after rebooting with license expired★
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).
Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.
Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.
Workaround:
Renew license before reboot. Always reboot with valid license.
If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.
1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
tmsh load sys config gtm-only
If this is a the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.
846917-1 : lodash Vulnerability: CVE-2019-10744
Solution Article: K47105354
846713-1 : Gtm_add does not restart named
Component: Global Traffic Manager (DNS)
Symptoms:
Running gtm_add failed to restart the named daemon.
Conditions:
Run gtm_add to completion.
Impact:
Named is not restarted. No BIND functionality.
Workaround:
Restart named:
bigstart start named
Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.
846601-4 : Traffic classification does not update when an inactive slot becomes active after upgrade★
Component: Traffic Classification Engine
Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.
Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.
Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.
Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.
If you insert a blade, run config sync manually from the active blade.
Fix:
Upgrade script now initiates install when the slot becomes active.
846441-2 : Flow-control is reset to default for secondary blade's interface
Component: TMOS
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
846365-1 : TMM may crash while processing IP traffic
Solution Article: K35750231
846217-3 : Translucent vlan-groups set local bit in destination MAC address
Component: Local Traffic Manager
Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.
Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.
On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.
Impact:
Traffic handled by translucent vlan-groups may not work properly.
Workaround:
On versions earlier than 15.0.0, there is no workaround.
-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:
tmsh modify sys db connection.vgl2transparent value disable
Note: connection.vgl2transparent is disabled by default.
846181-3 : Request samples for some of the learning suggestions are not visible
Component: Application Security Manager
Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.
Conditions:
'Learning Suggestion' created from only one 'Request Log' record.
Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section
Workaround:
None.
846157-1 : TMM may crash while processing traffic on AWS
Solution Article: K01054113
846137-4 : The icrd returns incorrect route names in some cases
Component: TMOS
Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
Result information is not compatible with actual result.
Workaround:
None.
Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.
846073-1 : Installation of browser challenges fails through Live Update
Component: Application Security Manager
Symptoms:
Live Update of Browser Challenges fails installation.
Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.
Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.
Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.
Impact:
Browser Challenges update file cannot be installed.
Workaround:
None.
Fix:
Browser Challenges update file can now be installed via Live Update.
846057-3 : UCS backup archive may include unnecessary files
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
Fix:
Validation can recognize the datagroup on Transport Config objects.
845313-3 : Tmm crash under heavy load
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes.
Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to PEM subscriber IDs.
844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
Component: Access Policy Manager
Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.
Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384
Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.
Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/
Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.
844689-1 : Possible temporary CPU usage increase with unusually large named.conf file
Component: Global Traffic Manager (DNS)
Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.
Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).
Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.
Workaround:
None.
Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.
844685-1 : Per-request policy is not exported if it contains HTTP Connector Agent
Component: Access Policy Manager
Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.
Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.
Impact:
Per-request policy cannot be exported and reports an error.
Workaround:
None.
Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.
844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
Component: Access Policy Manager
Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.
Conditions:
This is encountered when this message is logged by mcpd.
Impact:
Log message cannot be grouped with messages at the correct log level.
Workaround:
None.
844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
Component: Access Policy Manager
Symptoms:
Java applets are not patched when accessed through APM Portal Access.
/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.
/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.
Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.
Impact:
Java applets cannot be patched by APM Portal Access rewriter.
Workaround:
None.
Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.
844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Component: TMOS
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade★
Component: Application Security Manager
Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.
Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.
Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.
Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat
This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.
** Another Workaround incase the above does not solve the issue:
1. stop the tomcat server:
> bigstart stop tomcat
2. clean the live update db :
> cd /var/lib/hsqldb/live-update
> rm -f liveupdatedb.*
3. remove all *.im files which are not genesis file (factory-default files):
3.1 get the list of genesis files:
> less /etc/live-update-genesis.yaml | grep genes | cut -d":" -f2
3.2 go to update file directory:
> cd /var/lib/hsqldb/live-update/update-files
3.3 manually remove the *.im files that are not genesis
4. restart the tomcat server:
> bigstart start tomcat
843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:
notice vmxnet3[1b:00.0]: MTU: 9198
notice vmxnet3[1b:00.0]: Error: Activation command failed: 1
If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.
Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
Fix:
The software now ensure that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.
842989-6 : PEM: tmm could core when running iRules on overloaded systems
Component: Policy Enforcement Manager
Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on tmm or modify the optimize the irule.
842937-6 : TMM crash due to failed assertion 'valid node'
Component: Local Traffic Manager
Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refrain from using ramcache may mitigate the problem.
Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.
842865-2 : Add support for Auto MAC configuration (ixlv)
Component: TMOS
Symptoms:
Mac addresses are forced to be the same for ixlv trunks.
Conditions:
This happens when ixlv trunks are used.
Impact:
Mac addresses may not be as depicted on the device.
Workaround:
None.
Fix:
Unicast mac filters are used for ixlv trunks.
842829-1 : Multiple tcpdump vulnerabilities
Solution Article: K04367730
842717-6 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
Solution Article: K55102004
842625-5 : SIP message routing remembers a 'no connection' failure state forever
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.
Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.
Impact:
The BIG-IP system is never be able to establish connection to the peer.
Workaround:
None.
Fix:
SIP message routing now recovers from a 'no connection' failure state.
842517-2 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
Component: Local Traffic Manager
Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID
Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.
Impact:
SSL handshake fails.
Workaround:
Restart the PKCS11D.
842189-4 : Tunnels removed when going offline are not restored when going back online
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
842161-1 : Installation of Browser Challenges fails in 15.1.0
Component: Application Security Manager
Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.
BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:
gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
"asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key
Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.
Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.
Workaround:
None
Fix:
Browser Challenges update file can now be installed via Live Update.
842125-6 : Unable to reconnect outgoing SCTP connections that have previously aborted
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections are unable to be created resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
842013-3 : ASM Configuration is Lost on License Reactivation★
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
841953-7 : A tunnel can be expired when going offline, causing tmm crash
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes under these conditions.
841649-4 : Hardware accelerated connection mismatch resulting in tmm core
Component: TMOS
Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.
Conditions:
One or more of the following:
-- A FastL4 virtual server that has hardware acceleration enabled.
-- A NAT or SNAT object without a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable hardware acceleration.
841581 : License activation takes a long time to complete on Google GCE platform
Component: TMOS
Symptoms:
The license installation and activation process takes a very long time to complete.
Conditions:
- BIG-IP Virtual Edition running on Google Compute Engine (GCE) Platform.
- Activating the BIG-IP license.
Impact:
It can take 2-3 minutes to report the device is licensed and 3-4 minutes for BIG-IP system to become Active after that.
Workaround:
None.
841577-2 : iControl REST hardening
Solution Article: K20606443
841469-6 : Application traffic may fail after an internal interface failure on a VIPRION system.
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.
841333-7 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
841305-2 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
Component: Application Visibility and Reporting
Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error
Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.
Impact:
Charts are empty in the GUI, and the system logs errors in monpd.
Workaround:
None.
Fix:
Fixed an issue with HTTP stats database tables.
841277-7 : C4800 LCD fails to load after annunciator hot-swap
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
Fix:
The LCD now automatically reloads once a functioning annunciator card is inserted into the left slot and the top bezel is replaced. It may take up to 10 seconds for the LCD to return to normal functionality.
840821-1 : SCTP Multihoming not working within MRF Transport-config connections
Component: Service Provider
Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.
Conditions:
Usage of SCTP multi-homing with a MRF transport-config.
Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.
840809-2 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
Component: Advanced Firewall Manager
Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.
Conditions:
If subscriber info changes, for example, if a client is sending a radius message with IMSI A - LSN_PB_UPDATE logs are observed. And later when the IMSI is changed to B and another radius message is sent from the client, then LSN_PB_UPDATE log events are not observed.
Impact:
LSN_PB_UPDATE are not logged.
Fix:
Fix will send LSN_PB_UPDATE even if subscriber info is changed
839761-1 : Response Body preview hardening
Solution Article: K12002065
839749-3 : Virtual server with specific address list might fail to create via GUI
Component: Local Traffic Manager
Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:
01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.
Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.
Impact:
Cannot create the virtual server.
Fix:
You can now create virtual servers with address lists directly from the GUI.
839597-6 : Restjavad fails to start if provision.extramb has a large value
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.
To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).
To set that at command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:
notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.
839453-6 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
Component: Local Traffic Manager
Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).
Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.
Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.
Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.
Fix:
GARPs are sent out as expected.
839245-3 : IPother profile with SNAT sets egress TTL to 255
Component: Local Traffic Manager
Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.
Conditions:
Virtual-server with ipother profile and SNAT configured.
Impact:
Traffic leaves with egress TTL set to 255.
Workaround:
None.
Fix:
TTL is now decremented by 1 on forwarded packets.
839145-3 : CVE-2019-10744: lodash vulnerability
Solution Article: K47105354
839121-3 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
Solution Article: K74221031
Component: TMOS
Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Conditions:
The upgrade failure is seen when all the following conditions are met:
-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
Workaround:
There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
3. tmsh load /sys config
838909-3 : BIG-IP APM Edge Client vulnerability CVE-2020-5893
Solution Article: K97733133
838901-4 : TMM receives invalid rx descriptor from HSB hardware
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
838881-1 : APM Portal Access Vulnerability: CVE-2020-5853
Solution Article: K73183618
838861-3 : TMM might crash once after upgrading SSL Orchestrator★
Component: Access Policy Manager
Symptoms:
TMM might crash due to SIGABRT.
Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.
Impact:
TMM might crash once. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Session check agent now exits and terminates the flow.
838713 : LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test'
Component: TMOS
Symptoms:
During EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms, the LCD buttons are unresponsive.
Conditions:
-- Running the EUDSF3.9.1 Front Port LED Test.
-- Using BIG-IP iSeries platforms.
Impact:
Cannot execute the EUDSF3.9.1 Front Port LED Test on BIG-IP iSeries platforms..
Workaround:
Continue to use EUDSF 3.7.0. EUDSF3.9.1 is required only for iSeries i10010, where the test does not have this issue.
Fix:
The version EUD3.9.2 release contains a fix for this issus.
838709-4 : Enabling DoS stats also enables page-load-time
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
Can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.
838685-4 : DoS report exist in per-widget but not under individual virtual
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(** You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.
838677-1 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication
Workaround:
Clear the value of shadowLastChange within AD.
837837-2 : F5 SSH server key size vulnerability CVE-2020-5917
Solution Article: K43404629
837773-7 : Restjavad Storage and Configuration Hardening
Solution Article: K12936322
837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Solution Article: K02038650
Component: Global Traffic Manager (DNS)
Symptoms:
Configuration fails to load after upgrade with a message:
01420006:3: Can't find specified cli schema data for x.x.x.x
Where x.x.x.x indicates an older version of BIG-IP software than is currently running.
Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
Before upgrading:
If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh load sys config gtm-only
After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh restart sys service all
837617-1 : Tmm may crash while processing a compression context
Component: Local Traffic Manager
Symptoms:
Tmm crashes on segfault.
Conditions:
Conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
837333-1 : User cannot update blocking response pages after upgrade★
Component: Application Security Manager
Symptoms:
Response Pages screen is stuck after user tries to save changes
Conditions:
The device is upgraded from a pre-15.1 release to a newer version
Impact:
Impossible to update blocking response pages using the GUI
Workaround:
Blocking pages can be updated using the REST API
Fix:
Database upgrade script was fixed to preserve correct Server Technology settings that lead to errors in Response Pages screen