Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP Link Controller, BIG-IP Analytics, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP DNS, BIG-IP FPS, BIG-IP ASM (version 15.1.5)
BIG-IP Release Information
Version: 15.1.5
Build: 10.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-3 | 3-Major | | Tail loss can cause TCP TLP to retransmit slowly. | 14.1.4.5, 15.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-2 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 14.1.4.4, 15.1.5 |
1040929 | 2-Critical | BT1040929 | Change F5OS BIG-IP tenant name from VELOS to F5OS | 15.1.5 |
1004929-2 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 14.1.4.5, 15.1.5 |
996001-1 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 14.1.4.5, 15.1.5 |
940185-2 | 3-Major | | icrd_child may consume excessive resources while processing REST requests | 14.1.4.5, 15.1.5 |
940177-1 | 3-Major | BT940177 | Certificate instances tab shows incorrect number of instances in certain conditions | 15.1.5 |
888869-2 | 3-Major | BT888869 | GUI reports General Database Error when accessing Instances Tab of SSL Certificates | 15.1.5 |
1055785 | 3-Major | BT1055785 | SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard | 15.1.5 |
1048917 | 3-Major | | Image2disk does not work on F5OS BIG-IP tenant.★ | 15.1.5 |
1032949 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate | 15.1.5 |
1022637-2 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 15.1.5 |
1019793 | 3-Major | | Image2disk does not work on F5OS BIG-IP tenant.★ | 15.1.5 |
528894-6 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 15.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1064649-1 | 2-Critical | | Tmm crash after upgrade★ | 15.1.5 |
1060093 | 2-Critical | BT1060093 | Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues★ | 15.1.5 |
1056213 | 2-Critical | | TMM core due to freeing of connflow, assuming it as http data | 15.1.5 |
1047089 | 2-Critical | | TMM may crash while processing TLS/DTLS traffic | 15.1.5 |
1040361-2 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server | 14.1.4.5, 15.1.5, 16.1.2 |
1013181-2 | 2-Critical | BT1013181 | TMM may produce core when dynamic CRL check is enabled on the client SSL profile | 15.1.5 |
1000021-5 | 2-Critical | | TMM may consume excessive resources while processing packet filters | 15.1.5 |
999097-3 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 14.1.4.5, 15.1.5 |
997193-1 | 3-Major | | TCP connections may fail when AFM global syncookies are in operation. | 14.1.4.5, 15.1.5 |
967093-1 | 3-Major | | In SSL forward proxy, when the signing CA cert and the end-entity cert have different signature algorithms, the SSL connection may fail | 15.1.5 |
686395-3 | 3-Major | BT686395 | With DTLS version1, when client hello uses version1.2, handshake shall proceed | 12.1.3.4, 15.1.5 |
608952-1 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5 |
1065789-2 | 3-Major | | TMM may send duplicated alerts while processing SSL connections | 15.1.5 |
1038629 | 3-Major | | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 14.1.4.5, 15.1.5 |
1034365-2 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 14.1.4.5, 15.1.5 |
1015201 | 3-Major | BT1015201 | HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. | 14.1.4.4, 15.1.5 |
1007749-1 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 15.1.5 |
1024761-3 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 15.1.5 |
1005109-2 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 14.1.4.5, 15.1.5 |
898929-4 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 14.1.4.5, 15.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-3 | 2-Critical | | Transparent DNS Cache can consume excessive resources. | 14.1.4.5, 15.1.5, 16.1.2 |
935249-2 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 15.1.5 |
1039553-2 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 15.1.5 |
1024553-2 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 14.1.4.5, 15.1.5 |
1021061-3 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 14.1.4.5, 15.1.5 |
1011285-2 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 15.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-5 | 2-Critical | BT993613 | Device fails to request full sync | 14.1.4.5, 15.1.5 |
984593-2 | 3-Major | BT984593 | BD crash | 14.1.4.5, 15.1.5 |
907025-3 | 3-Major | BT907025 | Live update error: 'Try to reload page' | 14.1.4.5, 15.1.5 |
885765-3 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 14.1.4.5, 15.1.5 |
580715-2 | 3-Major | BT580715 | ASM is not sending 64 KB remote logs over UDP | 15.1.5 |
1045101-3 | 3-Major | | Bd may crash while processing ASM traffic | 15.1.5 |
1004069-1 | 3-Major | BT1004069 | Brute force attack is detected too soon | 14.1.4.5, 15.1.5, 16.1.2 |
1003317-3 | 3-Major | | ASM signatures do not match as expected | 14.1.4.5, 15.1.5 |
886865-1 | 4-Minor | BT886865 | P3P header is added for all browsers, but required only for Internet Explorer | 14.1.4.5, 15.1.5 |
1016033-2 | 4-Minor | BT1016033 | Remote logging of WS/WSS shows date_time equal to Unix epoch start time | 15.1.5 |
1002385-3 | 4-Minor | | Fixing issue with input normalization | 15.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-1 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 15.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883889-3 | 2-Critical | BT883889 | Tmm might crash when under memory pressure | 14.1.4.5, 15.1.5 |
997761-2 | 3-Major | BT997761 | Subsessionlist entries leak if there is no RADIUS accounting agent in policy | 15.1.5 |
973673-1 | 3-Major | BT973673 | CPU spikes when the LDAP operational timeout is set to 180 seconds | 15.1.5 |
926973-1 | 3-Major | BT926973 | APM / OAuth issue with larger JWT validation | 15.1.5 |
828761-1 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 14.1.4.5, 15.1.5 |
738593-2 | 3-Major | | VMware Horizon session collaboration (shadow session) feature does not work through APM | 14.1.4.5, 15.1.5 |
1020561-1 | 3-Major | BT1020561 | Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case | 15.1.5 |
942965-2 | 4-Minor | BT942965 | Local users database can sometimes take more than 5 minutes to sync to the standby device | 14.1.4.5, 15.1.5 |
886841-1 | 4-Minor | BT886841 | Allow LDAP Query and HTTP Connector for API Protection policies | 15.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1047053-2 | 2-Critical | | TMM may consume excessive resources while processing RTSP traffic | 15.1.5 |
1029397-1 | 2-Critical | | Tmm may crash with SIP-ALG deployment in a particular race condition | 15.1.5 |
1056933-5 | 3-Major | | TMM may crash while processing SIP traffic | 15.1.5 |
1039329-1 | 3-Major | | MRF per peer mode is not working in vCMP guest. | 14.1.4.5, 15.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919465-2 | 2-Critical | BT919465 | A dwbld core on configuration changes on IP Intelligence policy | 15.1.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-1 | 3-Major | BT956013 | System reports{{validation_errors}} | 14.1.4.5, 15.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922665-2 | 3-Major | BT922665 | The admd process is terminated by watchdog on some heavy load configuration process | 14.1.4.5, 15.1.5 |
1023437-3 | 3-Major | | Buffer overflow during attack with large HTTP Headers | 14.1.4.5, 15.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050273-2 | 3-Major | | ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator | 15.1.5 |
1038669-2 | 3-Major | BT1038669 | Antserver keeps restarting | 15.1.5, 16.1.2 |
1032797-2 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 15.1.5, 16.1.2 |
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
988549-5 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
966901-2 | CVE-2020-14364 | K09081535, BT966901 | CVE-2020-14364: Qemu Vulnerability | 14.1.4.4, 15.1.4.1 |
940317-4 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 14.1.4.4, 15.1.4.1, 16.1.2 |
1032405-3 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1012365-2 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 14.1.4.5, 15.1.4.1, 16.1.2 |
988589-5 | CVE-2019-25013 | K68251873 | CVE-2019-25013 glibc vulnerability: buffer over-read in iconv | 15.1.4.1 |
975589-4 | CVE-2020-8277 | K07944249, BT975589 | CVE-2020-8277 Node.js vulnerability | 14.1.4.4, 15.1.4.1 |
973409-5 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
941649-2 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
1001369-2 | CVE-2020-12049 | K16729408 | D-Bus vulnerability CVE-2020-12049 | 15.1.4.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
754335-3 | 3-Major | BT754335 | Install ISO does not boot on BIG-IP VE★ | 14.1.4.4, 15.1.4.1 |
985953-3 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 14.1.4.5, 15.1.4.1, 16.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1042993-2 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 14.1.4.5, 15.1.4.1 |
1039049 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 14.1.4.5, 15.1.4.1, 16.1.2 |
997313-3 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder★ | 15.1.4.1, 16.1.2 |
942549-2 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | 14.1.4.4, 15.1.4.1 |
897509-1 | 2-Critical | BT897509 | IPsec SAs are missing on HA standby, leading to packet drops after failover | 15.1.4.1 |
831821-1 | 2-Critical | BT831821 | Corrupted DAG packets causes bcm56xxd core on VCMP host | 14.1.4.5, 15.1.4.1 |
1043277-3 | 2-Critical | K06520200, BT1043277 | 'No access' error page displays for APM policy export and apply options | 14.1.4.5, 15.1.4.1 |
992053-1 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows | 15.1.4.1 |
989701-5 | 3-Major | | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where, when mounting a remote attacker-controlled server, it could return a specially crafted response | 14.1.4.5, 15.1.4.1, 16.1.2 |
965205-2 | 3-Major | BT965205 | BIG-IP dashboard downloads unused widgets | 14.1.4.4, 15.1.4.1 |
958093-3 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 14.1.4.5, 15.1.4.1 |
947529-2 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 14.1.4.4, 15.1.4.1 |
940885-2 | 3-Major | BT940885 | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | 14.1.4.4, 15.1.4.1 |
922185-1 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
909197-3 | 3-Major | BT909197 | The mcpd process may become unresponsive | 14.1.4, 15.1.4.1, 16.0.1.1 |
900933-1 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS | 14.1.4.5, 15.1.4.1, 16.0.1.2 |
887117-2 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 15.1.4.1, 16.1.1 |
881085-3 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP management | 14.1.4.5, 15.1.4.1, 16.1.2 |
873641-1 | 3-Major | BT873641 | Re-offloading of TCP flows to hardware does not work | 15.1.4.1 |
856953-4 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 14.1.2.8, 15.1.4.1 |
809657-7 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 14.1.4.4, 15.1.4.1 |
1045421-2 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032737-1 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 15.1.4.1, 16.1.2 |
1032077-2 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028669-5 | 3-Major | | Python vulnerability: CVE-2019-9948 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028573-5 | 3-Major | | Perl vulnerability: CVE-2020-10878 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1027713 | 3-Major | BT1027713 | SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment. | 15.1.4.1 |
1026549-3 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 14.1.4.5, 15.1.4.1, 16.1.2 |
1024877-2 | 3-Major | BT1024877 | Systemd[]: systemd-ask-password-serial.service failed | 14.1.4.4, 15.1.4.1 |
1019429-3 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | 15.1.4.1 |
1018309-3 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 15.1.4.1, 16.1.1 |
1015093-3 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table | 14.1.4.5, 15.1.4.1 |
1010245-1 | 3-Major | BT1010245 | Duplicate ipsec-sa SPI values shown by tmsh command | 15.1.4.1 |
1009949-2 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
1009725-3 | 3-Major | | Excessive resource usage when ixlv drivers are enabled | 14.1.4.5, 15.1.4.1, 16.1.2 |
1003257-4 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 14.1.4.5, 15.1.4.1, 16.1.2 |
988533-1 | 4-Minor | BT988533 | GRE-encapsulated MPLS packet support | 14.1.4.5, 15.1.4.1 |
966073-1 | 4-Minor | BT966073 | GENEVE protocol support | 15.1.4.1 |
884165-3 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 14.1.4.4, 15.1.4.1 |
1030845-2 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028497-5 | 4-Minor | | libexpat vulnerability: CVE-2019-15903 | 14.1.4.5, 15.1.4.1, 16.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999933-3 | 2-Critical | | TMM may crash while processing DNS traffic on certain platforms | 14.1.4.5, 15.1.4.1 |
991421-3 | 2-Critical | | TMM may crash while processing TLS traffic | 15.1.4.1, 16.1.2 |
989637-3 | 2-Critical | | TMM may crash while processing SSL traffic | 14.1.4.5, 15.1.4.1 |
862885-2 | 2-Critical | BT862885 | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | 14.1.4.5, 15.1.4.1 |
1020645-1 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 15.1.4.1 |
1008077-5 | 2-Critical | | TMM may crash while processing TCP traffic with a FastL4 VS | 14.1.4.4, 15.1.4.1 |
1007489-5 | 2-Critical | | TMM may crash while handling specific HTTP requests★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
985433-2 | 3-Major | BT985433 | Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. | 15.1.4.1 |
978833-2 | 3-Major | BT978833 | Use of CRL-based Certificate Monitoring Causes Memory Leak | 14.1.4.4, 15.1.4.1 |
965037-1 | 3-Major | BT965037 | SSL Orchestrator does not send HTTP CONNECT tunnel payload to services | 15.1.4.1 |
963705-3 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 14.1.4.5, 15.1.4.1 |
915773-1 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
910517-1 | 3-Major | | TMM may crash while processing HTTP traffic | 14.1.4.5, 15.1.4.1 |
904041-2 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 14.1.4.5, 15.1.4.1 |
803629-7 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 14.1.4.5, 15.1.4.1, 16.0.1.1 |
758041-1 | 3-Major | BT758041 | Pool Members may not be updated accurately when multiple identical database monitors are configured | 13.1.3.5, 14.1.2.7, 15.1.4.1 |
723112-8 | 3-Major | BT723112 | LTM policies do not work if a condition has more than 127 matches | 14.1.4.4, 15.1.4.1 |
550928-5 | 3-Major | | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 14.1.4.4, 15.1.4.1 |
1023365-1 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown | 15.1.4.1, 16.1.2 |
1018577-3 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 14.1.4.5, 15.1.4.1, 16.1.2 |
1012009-1 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash | 15.1.4.1 |
1008017-5 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 14.1.4.5, 15.1.4.1, 16.1.2 |
1006781-1 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 15.1.4.1 |
949721-2 | 4-Minor | BT949721 | QUIC does not send control frames in PTO packets | 15.1.4.1, 16.0.1.2 |
936773-2 | 4-Minor | BT936773 | Improve logging for "double flow removal" TMM Oops | 14.1.4.4, 15.1.4.1 |
936557-2 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 14.1.4.5, 15.1.4.1 |
890881-4 | 4-Minor | BT890881 | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | 14.1.4.5, 15.1.4.1 |
1031901-1 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 15.1.4.1, 16.1.2 |
1002945-2 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 14.1.4.5, 15.1.4.1, 16.1.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
933405-2 | 1-Blocking | K34257075, BT933405 | Zonerunner GUI hangs when attempting to list Resource Records | 14.1.4, 15.1.4.1, 16.0.1.1 |
1009037-3 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 14.1.4.5, 15.1.4.1, 16.1.2 |
847105-2 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | 14.1.4.4, 15.1.4.1 |
1021417-3 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 14.1.4.5, 15.1.4.1, 16.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
997137-3 | 2-Critical | | CSRF token removal may allow WAF bypass on GET requests | 14.1.4.4, 15.1.4.1 |
912149-5 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 14.1.4.5, 15.1.4.1, 16.1.2 |
879841-4 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 14.1.4.5, 15.1.4.1 |
1019853-2 | 2-Critical | | Some signatures are not matched under specific conditions | 14.1.4.5, 15.1.4.1, 16.1.2 |
1011065-2 | 2-Critical | | Certain attack signatures may not match in multipart content | 15.1.4.1, 16.1.2 |
1011061-2 | 2-Critical | | Certain attack signatures may not match in multipart content | 14.1.4.5, 15.1.4.1, 16.1.2 |
974341-2 | 3-Major | | REST API: File upload | 14.1.4.5, 15.1.4.1, 16.1.2 |
948805-1 | 3-Major | BT948805 | False positive "Null in Request" | 14.1.4.5, 15.1.4.1 |
945789-1 | 3-Major | BT945789 | Live update cannot resolve hostname if IPv6 is configured. | 15.1.4.1 |
932133-2 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 14.1.4.4, 15.1.4.1, 16.1.2 |
920149-1 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 14.1.4.4, 15.1.4.1, 16.1.1 |
914277-2 | 3-Major | BT914277 | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | 14.1.4.4, 15.1.4.1, 16.0.1.2 |
904133-1 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | 14.1.4.4, 15.1.4.1 |
882377-3 | 3-Major | BT882377 | ASM Application Security Editor Role User can update/install ASU | 14.1.2.5, 15.1.4.1 |
857633-7 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 14.1.4.5, 15.1.4.1 |
842013-3 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 14.1.4.5, 15.1.4.1, 16.1.2 |
753715-2 | 3-Major | BT753715 | False positive JSON max array length violation | 14.1.4.4, 15.1.4.1 |
1042069-2 | 3-Major | | Some signatures are not matched under specific conditions | 14.1.4.5, 15.1.4.1 |
1017153-2 | 3-Major | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1039805 | 4-Minor | | Save button in Response and Blocking Pages section is enabled when there are no changes to save. | 15.1.4.1 |
1003765-1 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 15.1.4.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-5 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 14.1.4.4, 15.1.4.1, 16.1.2 |
922105-3 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 14.1.4.4, 15.1.4.1, 16.1.2 |
832805-2 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 14.1.4.5, 15.1.4.1 |
787677-5 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 14.1.4.5, 15.1.4.1 |
1035133-3 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 14.1.4.5, 15.1.4.1, 16.1.2 |
948113-3 | 4-Minor | BT948113 | User-defined report scheduling fails | 14.1.4.5, 15.1.4.1, 16.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser | 15.1.4.1, 16.1.2 |
860617-3 | 2-Critical | BT860617 | RADIUS server pool without an attached load balancing algorithm results in a core | 14.1.4.5, 15.1.4.1 |
817137-1 | 2-Critical | BT817137 | SSO setting for Portal Access resources in webtop sections cannot be updated. | 15.1.4.1 |
1006893-2 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 14.1.4.5, 15.1.4.1, 16.1.2 |
998473-2 | 3-Major | BT998473 | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) | 15.1.4.1 |
993457-2 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 14.1.4.5, 15.1.4.1, 16.1.2 |
969317-3 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 14.1.4.5, 15.1.4.1 |
968893-2 | 3-Major | | TMM crash when processing APM traffic | 15.1.4.1, 16.1.2 |
964037 | 3-Major | BT964037 | Error: Exception response while loading properties from server | 15.1.4.1 |
949477-1 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet | 14.1.4.4, 15.1.4.1 |
933129-2 | 3-Major | BT933129 | Portal Access resources are visible when they should not be | 15.1.4.1 |
932213-2 | 3-Major | BT932213 | Local user db not synced to standby device when it comes online after forced offline state | 14.1.4.5, 15.1.4.1 |
918717-2 | 3-Major | BT918717 | Exception at rewritten Element.innerHTML='<a href></a>' | 15.1.4.1 |
915509-1 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | 14.1.4.5, 15.1.4.1 |
891613-1 | 3-Major | BT891613 | RDP resource with user-defined address cannot be launched from webtop with modern customization | 15.1.4.1 |
1021485-2 | 3-Major | BT1021485 | VDI desktops and apps freeze with VMware and Citrix intermittently | 14.1.4.5, 15.1.4.1, 16.1.2 |
1017233-1 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used, resulting in password corruption | 15.1.4.1, 16.1.2 |
1007677-1 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 15.1.4.1 |
1007629-1 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 14.1.4.4, 15.1.4.1 |
1002557-2 | 3-Major | BT1002557 | Tcl free object list growth | 14.1.4.4, 15.1.4.1 |
1001337-1 | 3-Major | BT1001337 | Cannot read single sign-on configuration from GUI when logged in as guest | 14.1.4.5, 15.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1012721-1 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 14.1.4.4, 15.1.4.1, 16.1.1 |
1012533-1 | 2-Critical | BT1012533 | `HTTP2::disable serverside` can cause cores | 15.1.4.1 |
1007113-1 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 14.1.4.5, 15.1.4.1, 16.1.2 |
1030689-2 | 3-Major | | TMM may consume excessive resources while processing Diameter traffic | 14.1.4.4, 15.1.4.1, 16.1.2 |
1025529-1 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 14.1.4.5, 15.1.4.1 |
1018285-1 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 15.1.4.1, 16.1.2 |
1003633-3 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 14.1.4.5, 15.1.4.1, 16.1.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968533 | 2-Critical | BT968533 | Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. | 15.1.4.1 |
1049229-2 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 14.1.4.5, 15.1.4.1, 16.1.2 |
997169 | 3-Major | BT997169 | AFM rule not triggered | 15.1.4.1 |
995433 | 3-Major | BT995433 | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | 14.1.4.5, 15.1.4.1 |
1032329 | 3-Major | BT1032329 | A user with role "Firewall Manager" cannot open the Rule List editor in UI | 15.1.4.1 |
1031909-1 | 3-Major | BT1031909 | NAT policies page unusable due to the page load time | 15.1.4.1 |
987345-1 | 5-Cosmetic | BT987345 | Disabling periodic-refresh-log has no effect | 15.1.4.1 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981693-1 | 2-Critical | | TMM may consume excessive resources while processing IPSec ALG traffic | 14.1.4.2, 15.1.4.1 |
981689-2 | 2-Critical | BT981689 | TMM memory leak with IPsec ALG | 14.1.4.2, 15.1.4.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984657-3 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 15.1.4.1, 16.0.1.2 |
686783-2 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032689-3 | 4-Minor | BT1032689 | UlrCat Custom db feedlist is not working for www.croupiest.com with attached feedlist file | 14.1.4.5, 15.1.4.1, 16.1.2 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-1 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946185-1 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 14.1.4.4, 15.1.4.1, 16.1.2 |
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
949933-1 | CVE-2021-22980 | K29282483, BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1 |
1017973-2 | CVE-2021-25215 | K96223611, BT1017973 | BIND Vulnerability CVE-2021-25215 | 14.1.4.4, 15.1.4, 16.0.1.2 |
1017965-2 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | 14.1.4.4, 15.1.4, 16.0.1.2 |
981273-2 | CVE-2021-23054 | K41997459, BT981273 | APM webtop hardening | 15.1.4 |
965485-3 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
949889-3 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
803965-7 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 14.1.4.5, 15.1.4, 16.1.2 |
797797-4 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1 |
797769-9 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 | 13.1.4.1, 15.1.4, 16.0.1.2 |
968733-6 | CVE-2018-1120 | K42202505, BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
939421-2 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 14.1.4.3, 15.1.4, 16.0.1.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
913729-5 | 2-Critical | BT913729 | Support for DNSSEC Lookaside Validation (DLV) has been removed. | 15.1.4, 16.0.1.2 |
907765-1 | 2-Critical | BT907765 | BIG-IP system does not respond to ARP requests if it has a route to the source IP address | 15.1.4 |
1014433 | 2-Critical | BT1014433 | Time stamp format is not the same for all LTM logs | 15.1.4 |
948073-2 | 3-Major | BT948073 | Dual stack download support for IP Intelligence Database | 15.1.4 |
923301-2 | 3-Major | BT923301 | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | 14.1.4.4, 15.1.4, 16.0.1.2 |
911141-3 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 14.1.4.4, 15.1.4, 16.1.1 |
876937-3 | 3-Major | BT876937 | DNS Cache not functioning | 14.1.4.3, 15.1.4 |
866073-2 | 3-Major | BT866073 | Add option to exclude stats collection in qkview to avoid very large data files | 14.1.4.4, 15.1.4, 16.0.1.2 |
1001865-2 | 3-Major | | No platform trunk information passed to tenant | 15.1.4 |
751032-5 | 4-Minor | BT751032 | TCP receive window may open too slowly after zero-window | 14.1.4.4, 15.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1032761 | 1-Blocking | BT1032761 | HA mirroring may not function correctly | 15.1.4 |
1004833-2 | 1-Blocking | BT1004833 | NIST SP800-90B compliance | 14.1.4.2, 15.1.4 |
1002109-3 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 14.1.4.4, 15.1.4 |
988645 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted | 15.1.4 |
987113-1 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic | 15.1.4 |
980325-5 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 14.1.4.4, 15.1.4 |
974241-1 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 15.1.4, 16.1.1 |
967905-2 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
944513-2 | 2-Critical | BT944513 | Apache configuration file hardening | 15.1.4 |
941893-3 | 2-Critical | BT941893 | VE performance tests in Azure cause loss of connectivity to objects in configuration | 15.1.4 |
928029-2 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 14.1.3, 15.1.4 |
1027637 | 2-Critical | BT1027637 | System controller failover may cause dropped requests | 15.1.4 |
1004517-2 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 14.1.4.3, 15.1.4 |
1000973-3 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
998221-3 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2 |
996593-2 | 3-Major | BT996593 | Password change through REST or GUI not allowed if the password is expired | 14.1.4.3, 15.1.4, 16.0.1.2 |
992865 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 15.1.4 |
988793 | 3-Major | BT988793 | SecureVault on BIG-IP tenant does not store unit key securely | 15.1.4 |
985537-1 | 3-Major | BT985537 | Upgrade Microsoft Hyper-V driver★ | 15.1.4 |
976505-2 | 3-Major | BT976505 | Rotated restnoded logs will fail logintegrity verification. | 14.1.4.2, 15.1.4, 16.0.1.2 |
975809-1 | 3-Major | BT975809 | Rotated restjavad logs fail logintegrity verification. | 14.1.4.2, 15.1.4, 16.0.1.2 |
973201-2 | 3-Major | BT973201 | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | 14.1.4, 15.1.4 |
969713-1 | 3-Major | BT969713 | IPsec interface mode tunnel may fail to pass packets after first IPsec rekey | 15.1.4 |
969105-2 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 14.1.4.4, 15.1.4 |
964941-1 | 3-Major | BT964941 | IPsec interface-mode tunnel does not initiate or respond after config change | 15.1.4 |
959629-2 | 3-Major | BT959629 | Logintegrity script for restjavad/restnoded fails | 14.1.4.2, 15.1.4, 16.0.1.2 |
958353-2 | 3-Major | BT958353 | Restarting the mcpd messaging service renders the PAYG VE license invalid. | 14.1.4.2, 15.1.4, 16.0.1.2 |
956293-2 | 3-Major | BT956293 | High CPU from analytics-related REST calls - Dashboard TMUI | 14.1.4.4, 15.1.4 |
946089-2 | 3-Major | BT946089 | BIG-IP might send excessive multicast/broadcast traffic. | 14.1.4.2, 15.1.4, 16.0.1.2 |
932497-3 | 3-Major | BT932497 | Autoscale groups require multiple syncs of datasync-global-dg | 14.1.4.2, 15.1.4, 16.0.1.2 |
928697-2 | 3-Major | BT928697 | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | 15.1.4, 16.0.1.2 |
919305-2 | 3-Major | BT919305 | Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS | 15.1.4 |
913849-1 | 3-Major | BT913849 | Syslog-ng periodically logs nothing for 20 seconds | 14.1.4.2, 15.1.4, 16.0.1.2 |
908601-2 | 3-Major | BT908601 | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | 14.1.4.3, 15.1.4, 16.0.1.2 |
895781-2 | 3-Major | BT895781 | Round Robin disaggregation does not disaggregate globally | 15.1.4 |
889045-3 | 3-Major | | Virtual server may stop responding while processing TCP traffic | 15.1.4 |
880289 | 3-Major | BT880289 | FPGA firmware changes during configuration loads★ | 15.1.4 |
850193-4 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | 14.1.4.4, 15.1.4 |
849157-2 | 3-Major | BT849157 | An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck | 15.1.4 |
841277-7 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap | 14.1.4.3, 15.1.4 |
827033-1 | 3-Major | BT827033 | Boot marker is being logged before shutdown logs | 14.1.4.4, 15.1.4 |
746861-3 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | 14.1.2.5, 15.1.4 |
1029105 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 15.1.4 |
1024853 | 3-Major | BT1024853 | Platform Agent logs to ERROR severity on success | 15.1.4 |
1013649-4 | 3-Major | BT1013649 | Leftover files in /var/run/key_mgmt after key export | 15.1.4 |
1010393-4 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 14.1.4.4, 15.1.4, 16.0.1.2 |
1008837-2 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 14.1.4.4, 15.1.4 |
1002761-1 | 3-Major | BT1002761 | SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure | 15.1.4, 16.0.1.2 |
962249-2 | 4-Minor | BT962249 | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm | 15.1.4 |
921365-1 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 15.1.4, 16.1.2 |
921065 | 4-Minor | BT921065 | BIG-IP systems not responding to DPD requests from initiator after failover | 15.1.4 |
898441-1 | 4-Minor | BT898441 | Enable logging of IKE keys | 14.1.4.4, 15.1.4 |
819053 | 4-Minor | | CVE-2019-13232 unzip: overlapping of files in ZIP container | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
1004417-3 | 4-Minor | BT1004417 | Provisioning error message during boot up★ | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029357 | 1-Blocking | BT1029357 | Performance drop during traffic test on VIPRION (B2250, C2400) platforms | 15.1.4 |
945997-2 | 2-Critical | BT945997 | LTM policy applied to HTTP/2 traffic may crash TMM | 14.1.4.2, 15.1.4, 16.0.1.2 |
943101-2 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 14.1.3, 15.1.4 |
942185-2 | 2-Critical | BT942185 | Non-mirrored persistence records may accumulate over time | 15.1.4, 16.0.1.2 |
934461-2 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 14.1.3, 15.1.4 |
1039145-3 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover | 15.1.4 |
1005489-2 | 2-Critical | BT1005489 | iRules with persist command might result in tmm crash. | 15.1.4, 16.0.1.2 |
997929-3 | 3-Major | BT997929 | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | 14.1.4.4, 15.1.4, 16.0.1.2 |
969637-2 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | 14.1.4.4, 15.1.4 |
963713-1 | 3-Major | BT963713 | HTTP/2 virtual server with translate-disable can core tmm | 15.1.4 |
956133-3 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading★ | 14.1.4.4, 15.1.4 |
944641-1 | 3-Major | BT944641 | HTTP2 send RST_STREAM when exceeding max streams | 14.1.4, 15.1.4, 16.0.1.1 |
941481-2 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory | 14.1.4.4, 15.1.4 |
941257-1 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 14.1.4.4, 15.1.4 |
940665-1 | 3-Major | BT940665 | DTLS 1.0 support for PFS ciphers | 15.1.4, 16.0.1.2 |
930385-3 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 14.1.3, 15.1.4 |
912425-3 | 3-Major | BT912425 | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | 14.1.4.2, 15.1.4, 16.0.1.2 |
891373-2 | 3-Major | BT891373 | BIG-IP does not shut a connection for a HEAD request | 15.1.4, 16.0.1.2 |
887965-1 | 3-Major | | Virtual server may stop responding while processing TCP traffic | 14.1.4.4, 15.1.4 |
882549-2 | 3-Major | BT882549 | Sock driver does not use multiple queues in unsupported environments | 14.1.4.3, 15.1.4, 16.0.1.2 |
819329-4 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 14.1.3.1, 15.1.4, 16.0.1.2 |
818833-1 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency | 14.1.4.4, 15.1.4 |
760050-8 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 13.1.4.1, 14.1.2.7, 15.1.4 |
1020941-2 | 3-Major | BT1020941 | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | 14.1.4.5, 15.1.4 |
1016113-3 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 15.1.4, 16.1.2 |
962433-4 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 13.1.4.1, 14.1.4.3, 15.1.4 |
962177-2 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2 |
912945-2 | 4-Minor | BT912945 | On a virtual server with multiple client SSL profiles, the profile whose certificate CN or SAN matches the SNI is not selected if the certificate is ECDSA-signed | 14.1.4.4, 15.1.4, 16.1.1 |
895557-2 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2 |
751586-3 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4 |
1018493-2 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 14.1.4.5, 15.1.4, 16.1.2 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910633-1 | 2-Critical | BT910633 | Continuous 'neurond restart' message on console | 15.1.4 |
1004633-3 | 2-Critical | BT1004633 | Performance degradation on KVM and VMware platforms. | 15.1.4 |
948417-2 | 3-Major | BT948417 | Network Management Agent (Azure NMAgent) updates cause a kernel panic | 15.1.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-2 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | 15.1.4, 16.1.1 |
995853-2 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 14.1.4.4, 15.1.4 |
918597-5 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
993489-3 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
973261-2 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
937333-2 | 3-Major | | Incomplete validation of input in unspecified forms | 14.1.4.4, 15.1.4 |
912001-3 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
864797-2 | 3-Major | BT864797 | Cached results for a record are sent following region modification | 14.1.4.4, 15.1.4 |
857953-2 | 4-Minor | BT857953 | Non-functional disable/enable buttons present in GTM wide IP members page | 14.1.4.2, 15.1.4, 16.0.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-3 | 2-Critical | | ASM attack signature may not match as expected | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
970329-3 | 2-Critical | | ASM hardening | 14.1.4.4, 15.1.4, 16.1.1 |
965229-2 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 14.1.4.4, 15.1.4, 16.1.1 |
957965-1 | 2-Critical | BT957965 | Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' | 15.1.4 |
898365-1 | 2-Critical | BT898365 | XML Policy cannot be imported | 15.1.4 |
854001-2 | 2-Critical | BT854001 | TMM might crash in case of trusted bot signature and API protected url | 14.1.4.2, 15.1.4, 16.0.1.2 |
791669-2 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 14.1.2.3, 15.1.4, 16.0.1.2 |
1017645-2 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
986937-1 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 15.1.4, 16.0.1.2, 16.1.1 |
981785-3 | 3-Major | BT981785 | Incorrect incident severity in Event Correlation statistics | 14.1.4.3, 15.1.4, 16.0.1.2 |
981069-1 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 15.1.4, 16.1.1 |
964245-2 | 3-Major | BT964245 | ASM reports and enforces username always | 14.1.4.4, 15.1.4 |
963485-1 | 3-Major | BT963485 | Performance issue with data guard | 15.1.4 |
963461-1 | 3-Major | BT963461 | ASM performance drop on the response side | 15.1.4, 16.0.1.2 |
962589-2 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 14.1.4.4, 15.1.4, 16.1.1 |
962497 | 3-Major | BT962497 | BD crash after ICAP response | 14.1.4.4, 15.1.4, 16.0.1.2 |
955017-2 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2 |
954425-2 | 3-Major | | Hardening of Live-Update | 14.1.4.4, 15.1.4, 16.1.1 |
951133-2 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
950917-1 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 13.1.4.1, 14.1.4.2, 15.1.4 |
946081-1 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 14.1.4.4, 15.1.4, 16.0.1.2 |
928717-3 | 3-Major | BT928717 | [ASM - AWS] - ASU fails to sync | 14.1.4.4, 15.1.4 |
922261-2 | 3-Major | BT922261 | WebSocket server messages are logged even if logging is not configured | 14.1.4.2, 15.1.4, 16.0.1.2 |
920197-3 | 3-Major | BT920197 | Brute force mitigation can stop mitigating without a notification | 14.1.4.4, 15.1.4, 16.0.1.2 |
912089-2 | 3-Major | BT912089 | Some roles are missing necessary permission to perform Live Update | 14.1.4.2, 15.1.4, 16.0.1.2 |
907337-2 | 3-Major | BT907337 | BD crash on specific scenario | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
888289-1 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
883853-2 | 3-Major | BT883853 | Bot Defense Profile with staged signatures prevents signature update★ | 14.1.4.2, 15.1.4 |
867825-4 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 14.1.4.4, 15.1.4 |
862793-1 | 3-Major | BT862793 | ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation | 15.1.4 |
846181-3 | 3-Major | BT846181 | Request samples for some of the learning suggestions are not visible | 14.1.4.2, 15.1.4 |
837333-1 | 3-Major | BT837333 | User cannot update blocking response pages after upgrade★ | 15.1.4 |
830341-2 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
802873-2 | 3-Major | BT802873 | Manual changes to policy imported as XML may introduce corruption for Login Pages | 14.1.2.7, 15.1.4 |
673272-2 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2 |
1022269-2 | 3-Major | BT1022269 | False positive RFC compliant violation | 14.1.4.4, 15.1.4, 16.1.2 |
1005105-1 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 14.1.4.5, 15.1.4, 16.1.1 |
1000741-3 | 3-Major | | Fixing issue with input normalization | 14.1.4.4, 15.1.4, 16.1.1 |
952509-2 | 4-Minor | BT952509 | Cross origin AJAX requests are blocked in case there is no Origin header | 14.1.4.4, 15.1.4, 16.0.1.2 |
944441-2 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 14.1.4.4, 15.1.4, 16.0.1.2 |
941929-2 | 4-Minor | BT941929 | Google Analytics shows incorrect stats, when Google link is redirected. | 14.1.4.2, 15.1.4, 16.0.1.2 |
941625-1 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 15.1.4, 16.1.1 |
941249-2 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 14.1.4.4, 15.1.4, 16.0.1.2 |
911729-2 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 14.1.4.2, 15.1.4, 16.0.1.2 |
1004537-1 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 15.1.4, 16.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965581-2 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 14.1.4, 15.1.4 |
932485-3 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
913085-1 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
909161-3 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 14.1.4.4, 15.1.4, 16.1.1 |
833113-6 | 3-Major | BT833113 | Avrd core when sending large messages via https | 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934393-2 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 14.1.3, 15.1.4 |
995029-3 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery | 14.1.4.2, 15.1.4 |
891505-3 | 2-Critical | BT891505 | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | 14.1.2.8, 15.1.4 |
874949-1 | 2-Critical | BT874949 | TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. | 15.1.4 |
997641 | 3-Major | BT997641 | APM policy ending with redirection results in policy execution failure | 15.1.4 |
984765-1 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | 14.1.4.4, 15.1.4 |
946125-2 | 3-Major | BT946125 | Tmm restart adds 'Revoked' tokens to 'Active' token count | 14.1.4.4, 15.1.4 |
924521-2 | 3-Major | BT924521 | OneConnect does not work when WEBSSO is enabled/configured. | 14.1.4.3, 15.1.4 |
903573 | 3-Major | BT903573 | AD group cache query performance | 15.1.4 |
896125-2 | 3-Major | BT896125 | Reuse Windows Logon Credentials feature does not work with modern access policies | 15.1.4 |
894885-3 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request | 14.1.4.2, 15.1.4 |
881641 | 3-Major | BT881641 | Errors on VPN client status window in non-English environment | 15.1.4 |
869653-1 | 3-Major | BT869653 | VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction | 15.1.4 |
866109-2 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 13.1.4.1, 14.1.4.2, 15.1.4 |
827325-1 | 3-Major | BT827325 | JWT token verification failure | 15.1.4 |
825493-1 | 3-Major | BT825493 | JWT token verification failure | 15.1.4 |
738865-6 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation | 14.1.4.2, 15.1.4 |
470346-3 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 14.1.4.3, 15.1.4 |
1001041-3 | 3-Major | BT1001041 | Reset cause 'Illegal argument' | 14.1.4.4, 15.1.4 |
939877-1 | 4-Minor | BT939877 | OAuth refresh token not found | 14.1.4.4, 15.1.4, 16.1.2 |
747234-7 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-2 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 14.1.4.4, 15.1.4, 16.1.1 |
974881-2 | 2-Critical | BT974881 | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | 14.1.4.2, 15.1.4, 16.0.1.2 |
1007821-1 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 15.1.4, 16.1.1 |
996113-1 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 14.1.4.4, 15.1.4, 16.1.1 |
989753-2 | 3-Major | BT989753 | In HA setup, standby fails to establish connection to server | 14.1.4.2, 15.1.4, 16.0.1.2 |
957029-1 | 3-Major | BT957029 | MRF Diameter loop-detection is enabled by default | 15.1.4, 16.0.1.2 |
805821-3 | 3-Major | BT805821 | GTP log message contains no useful information | 14.1.4.4, 15.1.4, 16.1.1 |
788625-1 | 3-Major | BT788625 | A pool member is not marked up by the inband monitor even after successful connection to the pool member | 14.1.4.3, 15.1.4, 16.0.1.2 |
1008561-1 | 3-Major | | In a very rare condition, BIG-IP may crash when SIP ALG is deployed | 14.1.4.4, 15.1.4, 16.1.1 |
919301-3 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 14.1.4.4, 15.1.4, 16.1.1 |
916781-1 | 4-Minor | BT916781 | Validation error while attaching DoS profile to GTP virtual | 15.1.4, 16.0.1 |
913413-3 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 14.1.4.4, 15.1.4, 16.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987637-2 | 1-Blocking | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | 15.1.4 |
1016633 | 2-Critical | BT1016633 | iprep.protocol with auto-detect fails when DNS takes time to resolve | 15.1.4 |
992213-2 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 14.1.4.2, 15.1.4, 16.1.1 |
988761-1 | 3-Major | BT988761 | Cannot create Protected Object in GUI | 15.1.4 |
988005-1 | 3-Major | BT988005 | Zero active rules counters in GUI | 14.1.4.2, 15.1.4, 16.0.1.2 |
987605-2 | 3-Major | BT987605 | DDoS: ICMP attacks are not hardware-mitigated | 15.1.4 |
759799-3 | 3-Major | BT759799 | New rules cannot be compiled | 15.1.4 |
685904-1 | 3-Major | BT685904 | Firewall Rule hit counts are not auto-updated after a Reset is done | 14.1.4.2, 15.1.4 |
1016309-1 | 3-Major | BT1016309 | When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. | 15.1.4 |
1012521-2 | 3-Major | BT1012521 | BIG-IP UI file permissions | 14.1.4.4, 15.1.4, 16.0.1.2 |
1012413-3 | 3-Major | BT1012413 | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled | 15.1.4 |
1000405-2 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 15.1.4, 16.1.1 |
977005-1 | 4-Minor | BT977005 | Network Firewall Policy rules-list showing incorrect 'Any' for source column | 14.1.4.2, 15.1.4 |
1014609 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list | 15.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019481 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform | 15.1.4 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994985-2 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile | 14.1.4.2, 15.1.4 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968741-1 | 2-Critical | BT968741 | Traffic Intelligence pages not visible | 15.1.4 |
913453-5 | 2-Critical | BT913453 | URL Categorization: wr_urldbd cores while processing urlcat-query | 14.1.4.4, 15.1.4 |
901041-3 | 2-Critical | BT901041 | CEC update using incorrect method of determining number of blades in VIPRION chassis★ | 15.1.4, 16.0.1.2 |
893721-2 | 2-Critical | BT893721 | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | 14.1.4.2, 15.1.4 |
958085-3 | 3-Major | BT958085 | IM installation fails with error: Spec file not found★ | 14.1.4.4, 15.1.4 |
948573-4 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
846601-4 | 3-Major | BT846601 | Traffic classification does not update when an inactive slot becomes active after upgrade★ | 14.1.4.2, 15.1.4, 16.0.1.2 |
974205-3 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 12.1.6, 14.1.4.4, 15.1.4 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
970829-5 | 2-Critical | K03310534, BT970829 | iSeries LCD incorrectly displays secure mode | 14.1.4.4, 15.1.4, 16.0.1.2 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145-1 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 15.1.4, 16.1.1 |
Guided Configuration Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013569 | 3-Major | | Hardening of iApps processing | 15.1.4, 16.1.1 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
822245-2 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down | 14.1.4.4, 15.1.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947925-1 | 3-Major | BT947925 | TMM may crash when executing L7 Protocol Lookup per-request policy agent | 14.1.4.3, 15.1.4 |
918317-2 | 3-Major | BT918317 | SSL Orchestrator resets subsequent requests when HTTP services are being used. | 14.1.4.4, 15.1.4 |
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
989317-12 | CVE-2021-23023 | K33757590, BT989317 | Windows Edge Client does not follow best practice | 15.1.3.1 |
989009-3 | CVE-2021-23033 | K05314769, BT989009 | BD daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
981461-4 | CVE-2021-23032 | K45407662, BT981461 | Unspecified DNS responses cause TMM crash | 14.1.4.4, 15.1.3.1 |
980125-3 | CVE-2021-23030 | K42051445, BT980125 | BD Daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
962341 | CVE-2021-23028 | K00602225, BT962341 | BD crash while processing JSON content | 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
946377-2 | CVE-2021-23027 | K24301698, BT946377 | HSM WebUI Hardening | 14.1.4.3, 15.1.3.1, 16.0.1.2 |
1007049-3 | CVE-2021-23034 | K30523121, BT1007049 | TMM may crash while processing DNS traffic | 15.1.3.1 |
996753-2 | CVE-2021-23050 | K44553214, BT996753 | ASM BD process may crash while processing HTML traffic | 15.1.3.1, 16.0.1.2 |
984613-11 | CVE-2021-23022 | K08503505, BT984613 | CVE-2020-5896 - Edge Client Installer Vulnerability | 15.1.3.1 |
968349 | CVE-2021-23048 | K19012930, BT968349 | TMM crashes with unspecified message | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
962069-3 | CVE-2021-23047 | K79428827, BT962069 | Excessive resource consumption while processing OCSP requests via APM | 14.1.4.4, 15.1.3.1 |
950017-2 | CVE-2021-23045 | K94941221, BT950017 | TMM may crash while processing SCTP traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
942701-2 | CVE-2021-23044 | K35408374, BT942701 | TMM may consume excessive resources while processing HTTP traffic | 13.1.4.1, 14.1.4.2, 15.1.3.1 |
906377-2 | CVE-2021-23038 | K61643620, BT906377 | iRulesLX hardening | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
1015381-5 | CVE-2021-23022 | K08503505, BT1015381 | Windows Edge Client does not follow best practices while installing | 15.1.3.1 |
1009773 | CVE-2021-23051 | K01153535, BT1009773 | AWS deployments of TMM may crash while processing traffic | 15.1.3.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-4 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 15.1.3.1 |
1024421-1 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log | 15.1.3.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994801-3 | 3-Major | | SCP file transfer system | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
958465-2 | 3-Major | BT958465 | In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | 14.1.4.4, 15.1.3.1, 16.0.1.2 |
950849-4 | 3-Major | BT950849 | B4450N blades report page allocation failure.★ | 14.1.4.4, 15.1.3.1 |
948717-3 | 3-Major | BT948717 | F5-pf_daemon_cond_restart uses excessive CPU★ | 15.1.3.1 |
1032001-1 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting | 15.1.3.1 |
1006345-1 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades | 15.1.3.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019081-3 | 2-Critical | K97045220, BT1019081 | HTTP/2 hardening | 14.1.4.5, 15.1.3.1 |
980821-2 | 3-Major | BT980821 | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | 14.1.4.2, 15.1.3.1, 16.0.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943913-3 | 2-Critical | K30150004, BT943913 | ASM attack signature does not match | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1020705-1 | 4-Minor | BT1020705 | 'tmsh show analytics dos-l3 report view-by attack-id' shows 'allowed-requests-per-second' instead of 'attack_type_name' | 14.1.4.4, 15.1.3.1, 16.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999317-8 | 2-Critical | K03544414, BT999317 | Running Diagnostics report for Edge Client on Windows does not follow best practice | 15.1.3.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019453-3 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated | 15.1.3.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
976365 | 3-Major | BT976365 | Traffic Classification hardening★ | 14.1.4.3, 15.1.3.1 |
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
980809-2 | CVE-2021-23031 | K41351250, BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
959121-4 | CVE-2021-23015 | K74151369, BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
943081-3 | CVE-2021-23009 | K90603426, BT943081 | Unspecified HTTP/2 traffic may cause TMM to crash | 15.1.3, 16.0.1.1 |
935433-2 | CVE-2021-23026 | K53854428, BT935433 | iControl SOAP | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
882633-2 | CVE-2021-23008 | K51213246, BT882633 | Active Directory authentication does not follow current best practices | 12.1.6, 13.1.4, 14.1.4, 15.1.3 |
990333-5 | CVE-2021-23016 | K75540265, BT990333 | APM may return unexpected content when processing HTTP requests | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
975465-2 | CVE-2021-23049 | K65397301, BT975465 | TMM may consume excessive resources while processing DNS iRules | 15.1.3, 16.0.1.2 |
954429-2 | CVE-2021-23014 | K23203045, BT954429 | User authorization changes for live update | 14.1.4, 15.1.3, 16.0.1.1 |
948769-5 | CVE-2021-23013 | K05300051, BT948769 | TMM panic with SCTP traffic | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
945109-2 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
938233-2 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
937637-3 | CVE-2021-23002 | K71891773, BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
937365-2 | CVE-2021-23041 | K42526507, BT937365 | LTM UI does not follow best practices | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
907245-1 | CVE-2021-23040 | K94255403, BT907245 | AFM UI Hardening | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
907201-2 | CVE-2021-23039 | K66782293, BT907201 | TMM may crash when processing IPSec traffic | 14.1.2.8, 15.1.3, 16.0.1.2 |
877109-1 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
842829-1 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 | K04367730, BT842829 | Multiple tcpdump vulnerabilities | 13.1.4.1, 14.1.3.1, 15.1.3 |
832757 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3 |
803933-7 | CVE-2018-20843 | K51011533, BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
718189-9 | CVE-2021-23011 | K10751325, BT718189 | Unspecified IP traffic can cause low-memory conditions | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
1003557-3 | CVE-2021-23015 | K74151369, BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
1003105-3 | CVE-2021-23015 | K74151369, BT1003105 | iControl Hardening | 15.1.3, 16.0.1.2 |
1002561-5 | CVE-2021-23007 | K37451543, BT1002561 | TMM vulnerability CVE-2021-23007 | 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
825413-4 | CVE-2021-23053 | K36942191, BT825413 | ASM may consume excessive resources when matching signatures | 13.1.3.6, 14.1.3.1, 15.1.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
933777-1 | 3-Major | BT933777 | Context use and syntax changes clarification | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
930005-2 | 3-Major | BT930005 | Recover previous QUIC cwnd value on spurious loss | 15.1.3, 16.0.1.1 |
913829-4 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
794417-4 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
918097-3 | 4-Minor | BT918097 | Cookies set in the URI on Safari | 14.1.4.1, 15.1.3, 16.0.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995629-3 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned★ | 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2 |
990849-2 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command★ | 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2 |
908517-3 | 2-Critical | BT908517 | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | 14.1.4, 15.1.3, 16.0.1.1 |
888341-7 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
886693-3 | 2-Critical | BT886693 | System may become unresponsive after upgrading★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
860349-3 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | 14.1.2.8, 15.1.3 |
785017-3 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 13.1.4, 14.1.4, 15.1.3 |
776393-3 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations | 14.1.4, 15.1.3, 16.0.1.1 |
969213-1 | 3-Major | BT969213 | VMware: management IP cannot be customized via net.mgmt.addr property | 14.1.4.1, 15.1.3, 16.0.1.2 |
963049-1 | 3-Major | BT963049 | Unexpected config loss when modifying protected object | 15.1.3 |
963017-2 | 3-Major | BT963017 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | 14.1.4, 15.1.3 |
946745-2 | 3-Major | BT946745 | 'System Integrity: Invalid' after Engineering Hotfix installation | 14.1.4, 15.1.3 |
945265-4 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters | 14.1.4, 15.1.3, 16.0.1.1 |
939541-2 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | 14.1.4, 15.1.3, 16.0.1.1 |
936125-2 | 3-Major | BT936125 | SNMP request times out after configuring IPv6 trap destination | 15.1.3, 16.0.1.1 |
934941-2 | 3-Major | BT934941 | Platform FIPS power-up self test failures not logged to console | 14.1.3.1, 15.1.3 |
934065-1 | 3-Major | BT934065 | The turboflex-low-latency and turboflex-dns are missing. | 15.1.3, 16.0.1.2 |
927941-5 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
922297-2 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
914245-2 | 3-Major | BT914245 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 14.1.4.1, 15.1.3, 16.0.1.2 |
914081-1 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 14.1.4, 15.1.3 |
913433-3 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
908021-1 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 13.1.3.5, 14.1.3.1, 15.1.3 |
896553-3 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3 |
896473-2 | 3-Major | BT896473 | Duplicate internal connections can tear down the wrong connection | 15.1.3 |
893885-3 | 3-Major | BT893885 | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | 14.1.4, 15.1.3 |
891337-1 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs | 14.1.4, 15.1.3 |
889029-2 | 3-Major | BT889029 | Unable to login if LDAP user does not have search permissions | 14.1.4, 15.1.3, 16.0.1.2 |
879829-2 | 3-Major | BT879829 | HA daemon sod cannot bind to ports numbered lower than 1024 | 14.1.4, 15.1.3, 16.0.1.2 |
876805-3 | 3-Major | BT876805 | Modifying address-list resets the route advertisement on virtual servers. | 14.1.4, 15.1.3, 16.0.1.1 |
862937-3 | 3-Major | BT862937 | Running cpcfg after first boot can result in daemons stuck in restart loop★ | 14.1.4, 15.1.3, 16.0.1.2 |
839121-3 | 3-Major | K74221031, BT839121 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ | 14.1.4.1, 15.1.3, 16.0.1.2 |
829821-1 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
820845-3 | 3-Major | BT820845 | Self-IP does not respond to (ARP / Neighbour Discovery) when EtherIP tunnels in use. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
809205-6 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2 |
803237-2 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS | 14.1.4, 15.1.3 |
799001-1 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly | 14.1.4, 15.1.3 |
787885-2 | 3-Major | BT787885 | The device status is falsely showing as forced offline on the network map while actual device status is not. | 14.1.4, 15.1.3, 16.0.1.1 |
749007-1 | 3-Major | BT749007 | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
692218-1 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. | 14.1.4.1, 15.1.3, 16.0.1.2 |
675911-12 | 3-Major | K13272442, BT675911 | Different sections of the GUI can report incorrect CPU utilization | 14.1.4.1, 15.1.3, 16.0.1.2 |
615934-6 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 13.1.3.5, 14.1.4, 15.1.3 |
569859-7 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available | 14.1.4.1, 15.1.3 |
966277-1 | 4-Minor | BT966277 | BFD down on multi-blade system | 14.1.4, 15.1.3, 16.0.1.1 |
959889-2 | 4-Minor | BT959889 | Cannot update firewall rule with ip-protocol property as 'any' | 14.1.4, 15.1.3 |
947865-2 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | 14.1.4, 15.1.3 |
887505-1 | 4-Minor | BT887505 | Coreexpiration script improvement | 15.1.3 |
879189-1 | 4-Minor | BT879189 | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | 14.1.4.1, 15.1.3, 16.0.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910653-5 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart | 14.1.4, 15.1.3, 16.0.1.1 |
882157-1 | 2-Critical | BT882157 | One thread of pkcs11d consumes 100% without any traffic. | 14.1.4, 15.1.3 |
738964-4 | 2-Critical | | Instruction logger debugging enhancement | 14.1.4.1, 15.1.3 |
1001509 | 2-Critical | K11162395, BT1001509 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates | 14.1.4.3, 15.1.3 |
968641-2 | 3-Major | BT968641 | Fix for zero LACP priority | 14.1.4, 15.1.3, 16.0.1.2 |
953845-1 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 12.1.6, 14.1.4, 15.1.3, 16.0.1.1 |
946953-1 | 3-Major | BT946953 | HTTP::close used in iRule might not close connection. | 15.1.3, 16.0.1.1 |
928857-2 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances | 14.1.4, 15.1.3 |
928805-2 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage | 14.1.4, 15.1.3 |
928789-2 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances | 14.1.4, 15.1.3 |
921881-2 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization | 14.1.4, 15.1.3, 16.0.1.2 |
921721-1 | 3-Major | BT921721 | FIPS 140-2 SP800-56Arev3 compliance | 14.1.3, 15.1.3 |
889601-3 | 3-Major | K14903688, BT889601 | OCSP revocation not properly checked | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
889165-3 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset | 14.1.4, 15.1.3 |
888517-2 | 3-Major | BT888517 | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★ | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
858701-1 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
845333-6 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | 14.1.4, 15.1.3, 16.0.1.1 |
842517-2 | 3-Major | BT842517 | CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails | 15.1.3 |
785877-5 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. | 14.1.4, 15.1.3, 16.0.1.2 |
767341-1 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | 14.1.4, 15.1.3, 16.0.1.2 |
756812-3 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error | 14.1.4.1, 15.1.3 |
696755-5 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2 |
804157-3 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped | 14.1.4, 15.1.3, 16.0.1.2 |
748333-5 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode | 14.1.4, 15.1.3, 16.0.1.1 |
743253-2 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. | 14.1.4, 15.1.3, 16.0.1.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
960749-2 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
960437-2 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
971297-2 | 3-Major | BT971297 | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | 14.1.4.1, 15.1.3, 16.0.1.2 |
921625-2 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
863917-2 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2 |
858973-1 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
835209-3 | 3-Major | BT835209 | External monitors mark objects down | 14.1.4.2, 15.1.3 |
896861-2 | 4-Minor | BT896861 | PTR query enhancement for RESOLVER::name_lookup | 15.1.3, 16.0.1.1 |
885201-2 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log | 14.1.4.1, 15.1.3 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846057-3 | 2-Critical | BT846057 | UCS backup archive may include unnecessary files | 13.1.4, 14.1.4, 15.1.3 |
960369-2 | 3-Major | BT960369 | Negative value suggested in Traffic Learning as max value | 14.1.4, 15.1.3, 16.0.1.2 |
956373-2 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 14.1.4.1, 15.1.3, 16.0.1.2 |
947341-1 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2 |
941621-2 | 3-Major | K91414704, BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
929077-2 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 14.1.4, 15.1.3, 16.0.1.1 |
929001-3 | 3-Major | K48321015, BT929001 | ASM form handling improvements | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
928685-2 | 3-Major | K49549213, BT928685 | ASM Brute Force mitigation not triggered as expected | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
921677-2 | 3-Major | BT921677 | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | 14.1.4, 15.1.3, 16.0.1.1 |
910253-2 | 3-Major | BT910253 | BD error on HTTP response after upgrade★ | 15.1.3, 16.0.1.1 |
884425-2 | 3-Major | | Creation of new allowed HTTP URL is not possible | 14.1.3.1, 15.1.3 |
868053-3 | 3-Major | BT868053 | Live Update service indicates update available when the latest update was already installed | 14.1.3.1, 15.1.3 |
867373-4 | 3-Major | BT867373 | Methods Missing From ASM Policy | 14.1.4, 15.1.3 |
864677-1 | 3-Major | BT864677 | ASM causes high mcpd CPU usage | 14.1.4, 15.1.3 |
856725-1 | 3-Major | BT856725 | Missing learning suggestion for "Illegal repeated parameter name" violation | 15.1.3 |
964897-2 | 4-Minor | BT964897 | Live Update - Indication of "Update Available" when there is no available update | 14.1.4, 15.1.3, 16.0.1.2 |
962817-2 | 4-Minor | BT962817 | Description field of a JSON policy overwrites policy templates description | 15.1.3, 16.0.1.1 |
956105-2 | 4-Minor | BT956105 | Websocket URLs content profiles are not created as expected during JSON Policy import | 15.1.3, 16.0.1.2 |
935293-2 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
922785-2 | 4-Minor | BT922785 | Live Update scheduled installation is not installing on set schedule | 14.1.4, 15.1.3, 16.0.1.2 |
824093-5 | 4-Minor | BT824093 | Parameters payload parser issue | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981385-3 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
949593-3 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition★ | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
924945-3 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 15.1.3, 16.0.1.2, 16.1.1 |
869049-4 | 3-Major | BT869049 | Charts discrepancy in AVR reports | 14.1.4.1, 15.1.3, 16.0.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
894565-1 | 2-Critical | BT894565 | Autodosd.default crash with SIGFPE | 14.1.4, 15.1.3 |
879401-1 | 2-Critical | K90423190, BT879401 | Memory corruption during APM SAML SSO | 14.1.2.5, 15.1.3 |
976501-2 | 3-Major | BT976501 | Failed to establish VPN connection | 13.1.3.6, 14.1.4, 15.1.3 |
952557-2 | 3-Major | BT952557 | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | 14.1.4, 15.1.3 |
925573-6 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | 14.1.4, 15.1.3 |
916969-3 | 3-Major | BT916969 | Support of Microsoft Identity 2.0 platform | 14.1.4, 15.1.3 |
888145-2 | 3-Major | BT888145 | When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property | 15.1.3 |
883577-4 | 3-Major | BT883577 | ACCESS::session irule command does not work in HTTP_RESPONSE event | 14.1.4.1, 15.1.3 |
831517-2 | 3-Major | BT831517 | TMM may crash when Network Access tunnel is used | 14.1.2.7, 15.1.3 |
WebAccelerator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833213-1 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
982869-1 | 3-Major | BT982869 | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | 14.1.4.1, 15.1.3, 16.0.1.2 |
977053-2 | 3-Major | BT977053 | TMM crash on standby due to invalid MR router instance | 14.1.4.1, 15.1.3, 16.0.1.2 |
966701-2 | 3-Major | BT966701 | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | 14.1.4.1, 15.1.3, 16.0.1.2 |
952545-2 | 3-Major | BT952545 | 'Current Sessions' statistics of HTTP2 pool may be incorrect | 14.1.4, 15.1.3, 16.0.1.1 |
913373-2 | 3-Major | BT913373 | No connection error after failover with MRF, and no connection mirroring | 14.1.4, 15.1.3, 16.0.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945853-2 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 15.1.3 |
969509-4 | 3-Major | BT969509 | Possible memory corruption due to DOS vector reset | 14.1.4, 15.1.3, 16.0.1.2 |
965617-3 | 3-Major | BT965617 | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | 14.1.4, 15.1.3, 16.0.1.1 |
963237-3 | 3-Major | BT963237 | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | 14.1.4, 15.1.3, 16.0.1.1 |
937749-3 | 3-Major | BT937749 | The 'total port blocks' value for NAT stats is limited to 64 bits of range | 15.1.3 |
903561-3 | 3-Major | BT903561 | Autodosd returns small bad destination detection value when the actual traffic is high | 14.1.4, 15.1.3 |
887017-3 | 3-Major | BT887017 | The dwbld daemon consumes a large amount of memory | 14.1.4, 15.1.3 |
837233-3 | 3-Major | BT837233 | Application Security Administrator user role cannot use GUI to manage DoS profile | 14.1.4, 15.1.3 |
716746-3 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2 |
967889-1 | 4-Minor | BT967889 | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | 14.1.4, 15.1.3 |
748561-2 | 4-Minor | BT748561 | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context | 14.1.4, 15.1.3 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928553-3 | 2-Critical | BT928553 | LSN64 with hairpinning can lead to a tmm core in rare circumstances | 14.1.4, 15.1.3, 16.0.1.1 |
966681-1 | 3-Major | BT966681 | NAT translation failures while using SP-DAG in a multi-blade chassis | 14.1.4, 15.1.3, 16.0.1.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
998085-1 | 3-Major | BT998085 | BIG-IP DataSafe GUI does not save changes | 15.1.3 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932737-2 | 2-Critical | BT932737 | DNS & BADOS high-speed logger messages are mixed | 14.1.4, 15.1.3, 16.0.1.2 |
922597-2 | 3-Major | BT922597 | BADOS default sensitivity of 50 creates false positive attack on some sites | 14.1.4, 15.1.3 |
914293-3 | 3-Major | BT914293 | TMM SIGSEGV and crash | 14.1.4.1, 15.1.3, 16.0.1.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
874677-1 | 2-Critical | BT874677 | Traffic Classification auto signature update fails from GUI★ | 14.1.4.3, 15.1.3, 16.0.1.1 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
768085-4 | 4-Minor | BT768085 | Error in python script /usr/libexec/iAppsLX_save_pre line 79 | 14.1.4, 15.1.3, 16.0.1.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964585-3 | 3-Major | BT964585 | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | 14.1.4, 15.1.3, 16.0.1.2 |
825501-3 | 3-Major | BT825501 | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | 14.1.4, 15.1.3, 16.0.1.1 |
964577-3 | 4-Minor | BT964577 | IPS automatic IM download not working as expected | 14.1.4.1, 15.1.3, 16.0.1.2 |
BIG-IP Risk Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969385-2 | 3-Major | BT969385 | Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. | 15.1.3, 16.0.1.2 |
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
975233-2 | CVE-2021-22992 | K52510511, BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
973333-5 | CVE-2021-22991 | K56715231, BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
955145-2 | CVE-2021-22986 | K03009991, BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
954381-2 | CVE-2021-22986 | K03009991, BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
953677-2 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
951705-2 | CVE-2021-22986 | K03009991, BT951705 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 14.1.4, 15.1.2.1, 16.0.1.1 |
950077-2 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
981169-2 | CVE-2021-22994 | K66851119, BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
953729-2 | CVE-2021-22989, CVE-2021-22990 | K56142644, K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
931837-1 | CVE-2020-13817 | K55376430, BT931837 | NTP has predictable timestamps | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
976925-2 | CVE-2021-23002 | K71891773, BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
935401-2 | CVE-2021-23001 | K06440657, BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
743105-2 | CVE-2021-22998 | K31934524, BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
867793-1 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state | 14.1.4, 15.1.2.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
942497-1 | 2-Critical | BT942497 | Declarative onboarding unable to download and install RPM | 15.1.2.1, 16.0.1.1 |
940021-3 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
932437-2 | 2-Critical | BT932437 | Loading SCF file does not restore files from tar file★ | 14.1.4, 15.1.2.1, 16.0.1.1 |
915305-5 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
838713 | 2-Critical | BT838713 | LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' | 15.1.2.1 |
829277-2 | 2-Critical | BT829277 | A Large /config folder can cause memory exhaustion during live-install★ | 14.1.3.1, 15.1.2.1 |
739505-3 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active★ | 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1 |
967745 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
956589-1 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 15.1.2.1 |
930905-4 | 3-Major | BT930905 | Management route lost after reboot. | 14.1.4, 15.1.2.1, 16.0.1.1 |
904785-1 | 3-Major | BT904785 | Remotely authenticated users may experience difficulty logging in over the serial console | 14.1.4, 15.1.2.1, 16.0.1.1 |
896817-2 | 3-Major | BT896817 | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | 14.1.4, 15.1.2.1, 16.0.1.1 |
895837-3 | 3-Major | BT895837 | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | 14.1.4, 15.1.2.1, 16.0.1.1 |
865177-4 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid | 14.1.3.1, 15.1.2.1, 16.0.1.1 |
842189-4 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1 |
830413-3 | 3-Major | BT830413 | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | 14.1.4, 15.1.2.1, 16.0.1.1 |
806073-1 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 | 14.1.3.1, 15.1.2.1, 16.0.1.1 |
767737-4 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 13.1.3.5, 14.1.3.1, 15.1.2.1 |
853101-2 | 4-Minor | BT853101 | ERROR: syntax error at or near 'FROM' at character 17 | 15.1.2.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926929-3 | 1-Blocking | BT926929 | RFC Compliance Enforcement lacks configuration availability | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2 |
911041-3 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | 14.1.3.1, 15.1.2.1, 16.0.1.2 |
846217-3 | 2-Critical | BT846217 | Translucent vlan-groups set local bit in destination MAC address | 14.1.4.4, 15.1.2.1 |
841469-6 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 13.1.3.4, 15.1.2.1 |
812525-1 | 2-Critical | K27551003, BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
974501-1 | 3-Major | BT974501 | Excessive memory usage by mirroring subsystem when remirroring | 15.1.2.1 |
903581-1 | 3-Major | BT903581 | The pkcs11d process cannot recover under certain error condition | 15.1.2.1 |
868209-3 | 3-Major | BT868209 | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | 14.1.4, 15.1.2.1 |
863401-1 | 3-Major | BT863401 | QUIC congestion window sometimes increases inappropriately | 15.1.2.1 |
858301-1 | 3-Major | K27551003, BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858297-1 | 3-Major | K27551003, BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858289-1 | 3-Major | K27551003, BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
858285-1 | 3-Major | K27551003, BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
818109-1 | 3-Major | BT818109 | Certain plaintext traffic may cause SSL Orchestrator to hang | 14.1.4, 15.1.2.1 |
773253-5 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 13.1.4, 14.1.4.2, 15.1.2.1 |
738032-3 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
953393-2 | 1-Blocking | BT953393 | TMM crashes when performing iterative DNS resolutions. | 15.1.2.1, 16.0.1.1 |
891093-1 | 3-Major | BT891093 | iqsyncer does not handle stale pidfile | 14.1.4, 15.1.2.1, 16.0.1.1 |
853585-1 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968421-2 | 2-Critical | K30291321, BT968421 | ASM attack signature doesn't match | 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2 |
865289-1 | 2-Critical | BT865289 | TMM crash following DNS resolve with Bot Defense profile | 15.1.2.1 |
913757-1 | 3-Major | BT913757 | Error viewing security policy settings for virtual server with FTP Protocol Security | 15.1.2.1, 16.0.1.1 |
758336-5 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934721-2 | 2-Critical | BT934721 | TMM core due to wrong assert | 15.1.2.1, 16.0.1.1 |
743826-2 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
648242-6 | 3-Major | K73521040, BT648242 | Administrator users unable to access all partitions via TMSH for AVR reports | 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
896709-3 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
924929-2 | 3-Major | BT924929 | Logging improvements for VDI plugin | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
899009 | 3-Major | BT899009 | Azure Active Directory deployment fails on BIG-IP 15.1 | 15.1.2.1 |
760629-5 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
939529-2 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost Via header is received with comma-separated values | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870381-1 | 2-Critical | BT870381 | Network Firewall Active Rule page does not load | 15.1.2.1 |
919381-1 | 3-Major | | Extend AFM subscriber aware policy rule feature to support multiple subscriber groups | 15.1.2.1 |
870385-5 | 3-Major | BT870385 | TMM may restart under very heavy traffic load | 14.1.2.8, 15.1.2.1 |
906885-1 | 5-Cosmetic | BT906885 | Spelling mistake on AFM GUI Flow Inspector screen | 14.1.2.8, 15.1.2.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
845313-3 | 2-Critical | BT845313 | Tmm crash under heavy load | 14.1.4, 15.1.2.1 |
941169-4 | 3-Major | BT941169 | Subscriber Management is not working properly with IPv6 prefix flows. | 14.1.4, 15.1.2.1 |
875401-2 | 3-Major | BT875401 | PEM subscriber lookup can fail for internet-side new connections | 14.1.4, 15.1.2.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
915489-2 | 4-Minor | BT915489 | LTM Virtual Server Health is not affected by iRule Requests dropped | 14.1.4, 15.1.2.1, 16.0.1.1 |
BIG-IP Risk Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921181 | 3-Major | BT921181 | Wrong error message upon bad credential stuffing configuration | 15.1.2.1 |
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
943125-2 | CVE-2021-23010 | K18570111, BT943125 | ASM bd may crash while processing WebSocket traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
941449-2 | CVE-2021-22993 | K55237223, BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
921337-2 | CVE-2021-22976 | K88230177, BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
916821-2 | CVE-2021-22974 | K68652018, BT916821 | iControl REST vulnerability CVE-2021-22974 | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
882189-6 | CVE-2020-5897 | K20346072, BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
882185-6 | CVE-2020-5897 | K20346072, BT882185 | BIG-IP Edge Client Windows ActiveX | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
881317-6 | CVE-2020-5896 | K15478554, BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
881293-6 | CVE-2020-5896 | K15478554, BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
939845-2 | CVE-2021-23004 | K31025212, BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
939841-2 | CVE-2021-23003 | K43470422, BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
924961-2 | CVE-2019-20892 | K45212738, BT924961 | CVE-2019-20892: SNMP Vulnerability | 15.1.2, 16.0.1.1 |
919989-2 | CVE-2020-5947 | K64571774, BT919989 | TMM does not follow TCP best practices | 15.1.2, 16.0.1 |
881445-7 | CVE-2020-5898 | K69154630, BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
880361-1 | CVE-2021-22973 | K13323323, BT880361 | iRules LX vulnerability CVE-2021-22973 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
842717-6 | CVE-2020-5855 | K55102004, BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
693360-2 | CVE-2020-27721 | K52035247, BT693360 | A virtual server status changes to yellow while still available | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
773693-7 | CVE-2020-5892 | K15838353, BT773693 | CVE-2020-5892: APM Client Vulnerability | 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920961-2 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync | 14.1.3.1, 15.1.2, 16.0.1.1 |
756139-3 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods | 14.1.3.1, 15.1.2, 16.0.1.1 |
754924-1 | 3-Major | BT754924 | New VLAN statistics added. | 15.1.2 |
921421-3 | 4-Minor | BT921421 | iRule support to get/set UDP's Maximum Buffer Packets | 14.1.3.1, 15.1.2, 16.0.1.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
957337-1 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken | 14.1.3.1, 15.1.2, 16.0.1.1 |
933409-2 | 2-Critical | BT933409 | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
927033-2 | 2-Critical | BT927033 | Installer fails to calculate disk size of destination volume★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
910201-3 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
829677-2 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1 |
796601-2 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 13.1.3.5, 14.1.3.1, 15.1.2 |
943669-1 | 3-Major | BT943669 | B4450 blade reboot | 15.1.2 |
935801-4 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures | 14.1.4.5, 15.1.2 |
932233-2 | 3-Major | BT932233 | '@' no longer valid in SNMP community strings | 15.1.2, 16.0.1.1 |
930741-2 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 13.1.3.6, 14.1.3.1, 15.1.2 |
920301-1 | 3-Major | BT920301 | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | 14.1.3.1, 15.1.2 |
911809-2 | 3-Major | BT911809 | TMM might crash when sending out oversize packets. | 14.1.3.1, 15.1.2 |
902401-5 | 3-Major | BT902401 | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | 14.1.3.1, 15.1.2, 16.0.1.1 |
898705-5 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
889041-3 | 3-Major | BT889041 | Failover scripts fail to access resolv.conf due to permission issues | 14.1.3.1, 15.1.2, 16.0.1.1 |
879405-1 | 3-Major | BT879405 | Incorrect value in Transparent Nexthop property | 15.1.2, 16.0.1.1 |
867181-1 | 3-Major | BT867181 | ixlv: double tagging is not working | 13.1.3.6, 14.1.3.1, 15.1.2 |
865241-1 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 13.1.3.6, 14.1.3.1, 15.1.2 |
860317-3 | 3-Major | BT860317 | JavaScript Obfuscator can hang indefinitely | 14.1.3.1, 15.1.2 |
858197-2 | 3-Major | BT858197 | Merged crash when memory exhausted | 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1 |
846441-2 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 13.1.3.5, 14.1.3.1, 15.1.2 |
846137-4 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 13.1.3.5, 14.1.3.1, 15.1.2 |
843597-1 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 13.1.3.6, 14.1.3.1, 15.1.2 |
841649-4 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core | 14.1.4.1, 15.1.2 |
838901-4 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 13.1.4, 14.1.4, 15.1.2 |
826905-3 | 3-Major | BT826905 | Host traffic via IPv6 route pool uses incorrect source address | 14.1.3.1, 15.1.2 |
816229-3 | 3-Major | BT816229 | Kernel Log Messages Logged Twice | 14.1.2.4, 15.1.2 |
811053-6 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot | 14.1.2.7, 15.1.2 |
811041-7 | 3-Major | BT811041 | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | 15.1.2 |
810821-3 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 13.1.3.5, 14.1.2.7, 15.1.2 |
789181-5 | 3-Major | BT789181 | Link Status traps are not issued on VE based BIG-IP systems | 15.1.2 |
755197-5 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 13.1.3.5, 14.1.3.1, 15.1.2 |
754932-1 | 3-Major | BT754932 | New SNMP MIB, sysVlanIfcStat, for VLAN statistics. | 15.1.2 |
737098-1 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 13.1.3.5, 14.1.3.1, 15.1.2 |
933461-4 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
924429-2 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | 14.1.3.1, 15.1.2, 16.0.1.1 |
892677-1 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
882713-3 | 4-Minor | BT882713 | BGP SNMP trap has the wrong sysUpTime value | 14.1.3.1, 15.1.2 |
583084-6 | 4-Minor | K15101680, BT583084 | iControl produces 404 error while creating records successfully | 13.1.3.5, 14.1.3.1, 15.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
941089-3 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
915957-1 | 2-Critical | BT915957 | The wocplugin may get into a restart loop when AAM is provisioned | 14.1.3, 15.1.2 |
908873-1 | 2-Critical | BT908873 | Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core | 15.1.2 |
908621-2 | 2-Critical | BT908621 | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | 14.1.4.1, 15.1.2 |
891849-1 | 2-Critical | BT891849 | Running iRule commands while suspending iRule commands that are running can lead to a crash | 14.1.3.1, 15.1.2 |
876801-5 | 2-Critical | BT876801 | Tmm crash: invalid route type | 13.1.4, 14.1.4, 15.1.2 |
866481-2 | 2-Critical | BT866481 | TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode | 15.1.2 |
851345-1 | 2-Critical | BT851345 | The TMM may crash in certain rare scenarios involving HTTP/2 | 14.1.3.1, 15.1.2 |
850873-3 | 2-Critical | BT850873 | LTM global SNAT sets TTL to 255 on egress. | 14.1.3.1, 15.1.2 |
726518-1 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 13.1.3.6, 14.1.2.8, 15.1.2 |
705768-2 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
949145-5 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
948757-2 | 3-Major | BT948757 | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | 14.1.3.1, 15.1.2, 16.0.1 |
940209 | 3-Major | BT940209 | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | 14.1.4, 15.1.2 |
939961-2 | 3-Major | BT939961 | TCP connection is closed when necessary after HTTP::respond iRule. | 15.1.2, 16.0.1.2 |
934993-2 | 3-Major | BT934993 | BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams | 15.1.2, 16.0.1.1 |
932033 | 3-Major | BT932033 | Chunked response may have DATA frame with END_STREAM prematurely | 14.1.4, 15.1.2 |
915605-6 | 3-Major | K56251674, BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
913249-2 | 3-Major | BT913249 | Restore missing UDP statistics | 14.1.3.1, 15.1.2, 16.0.1.1 |
901929-2 | 3-Major | BT901929 | GARPs not sent on virtual server creation | 14.1.3.1, 15.1.2, 16.0.1.1 |
892941-2 | 3-Major | K20105555, BT892941 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) | 14.1.4, 15.1.2, 16.0.1.1 |
888113-3 | 3-Major | BT888113 | TMM may core when the HTTP peer aborts the connection | 15.1.2 |
879413-1 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
878925-2 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake | 14.1.4.1, 15.1.2 |
860005-1 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
857845-1 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 13.1.3.6, 14.1.3.1, 15.1.2 |
850145-1 | 3-Major | BT850145 | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | 14.1.3.1, 15.1.2 |
820333-1 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline | 14.1.3.1, 15.1.2 |
809701-7 | 3-Major | BT809701 | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | 14.1.3.1, 15.0.1.3, 15.1.2 |
803233-1 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
790845-4 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 13.1.3.5, 14.1.4, 15.1.2 |
724824-1 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
714642-2 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
935593-4 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 14.1.3.1, 15.1.2, 16.0.1.1 |
895153 | 4-Minor | BT895153 | HTTP::has_responded returns incorrect values when using HTTP/2 | 14.1.3.1, 15.1.2 |
883105-1 | 4-Minor | BT883105 | HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect | 15.1.2 |
808409-4 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
859717-2 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918169-1 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1 |
916753-2 | 2-Critical | BT916753 | RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core | 15.1.2, 16.0.1.1 |
905557-1 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 14.1.4, 15.1.2 |
850509-1 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 14.1.4.4, 15.1.2 |
837637-1 | 2-Critical | K02038650, BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ | 14.1.3.1, 15.1.2, 16.0.1.1 |
926593-2 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | 14.1.3.1, 15.1.2, 16.0.1.1 |
852101-1 | 3-Major | BT852101 | Monitor fails. | 13.1.3.6, 14.1.3.1, 15.1.2 |
844689-1 | 3-Major | BT844689 | Possible temporary CPU usage increase with unusually large named.conf file | 14.1.3.1, 15.1.2 |
746348-4 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2 |
644192-2 | 3-Major | K23022557, BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940249-2 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
927617-2 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
941853-1 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
940897-3 | 3-Major | BT940897 | Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached | 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
918933-2 | 3-Major | K88162221, BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1 |
913137-1 | 3-Major | BT913137 | No learning suggestion on ASM policies enabled via LTM policy | 15.1.2, 16.0.1.1 |
904053-2 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
893061-2 | 3-Major | BT893061 | Out of memory for restjavad | 14.1.3.1, 15.1.2, 16.0.1.1 |
882769-1 | 3-Major | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 13.1.3.5, 14.1.2.7, 15.1.2 |
919001-2 | 4-Minor | BT919001 | Live Update: Update Available notification is shown twice in rare conditions | 14.1.2.8, 15.1.2, 16.0.1.1 |
896285-2 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype | 14.1.2.7, 15.1.2, 16.0.1.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924301-1 | 3-Major | BT924301 | Incorrect values in REST response for DNS/SIP | 15.1.2, 16.0.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910097-2 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats | 14.1.3.1, 15.1.2, 16.0.1.1 |
924857-1 | 3-Major | BT924857 | Logout URL with parameters resets TCP connection | 14.1.4.5, 15.1.2, 16.0.1.2 |
914649-3 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
739570-4 | 3-Major | BT739570 | Unable to install EPSEC package★ | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
833049-4 | 4-Minor | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 13.1.3.5, 14.1.4, 15.1.2 |
766017-6 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies★ | 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
942581-1 | 1-Blocking | BT942581 | Timestamp cookies do not work with hardware accelerated flows | 15.1.2 |
938165-1 | 2-Critical | BT938165 | TMM Core after attempted update of IP geolocation database file | 14.1.3.1, 15.1.2, 16.0.1.1 |
938149-1 | 3-Major | BT938149 | Port Block Update log message is missing the "Start time" field | 15.1.2, 16.0.1.1 |
910417-2 | 3-Major | BT910417 | TMM core may be seen when reattaching a vector to a DoS profile | 14.1.4, 15.1.2, 16.0.1.2 |
872049-1 | 3-Major | BT872049 | Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command | 15.1.2 |
871985-1 | 3-Major | BT871985 | No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection | 15.1.2 |
851745-3 | 3-Major | BT851745 | High CPU consumption when enabling a large number of virtual servers | 14.1.4.1, 15.1.2 |
840809-2 | 3-Major | BT840809 | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | 14.1.4, 15.1.2 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
842989-6 | 3-Major | BT842989 | PEM: tmm could core when running iRules on overloaded systems | 14.1.4, 15.1.2 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944785-2 | 3-Major | BT944785 | Admd restarting constantly. Out of memory due to loading malformed state file | 14.1.3.1, 15.1.2, 16.0.1.2 |
923125-2 | 3-Major | BT923125 | Huge number of admd processes caused OOM | 14.1.3.1, 15.1.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
927993-1 | 1-Blocking | K97501254, BT927993 | Built-in SSL Orchestrator RPM installation failure | 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1 |
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
935721-5 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291, BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1 |
935029-3 | CVE-2020-27720 | K04048104, BT935029 | TMM may crash while processing IPv6 NAT traffic | 14.1.3.1, 15.1.1, 16.0.1 |
933741-2 | CVE-2021-22979 | K63497634, BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
932065-2 | CVE-2021-22978 | K87502622, BT932065 | iControl REST vulnerability CVE-2021-22978 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
931513-3 | CVE-2021-22977 | K14693346, BT931513 | TMM vulnerability CVE-2021-22977 | 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1 |
928321-1 | CVE-2020-27719 | K19166530, BT928321 | K19166530: XSS vulnerability CVE-2020-27719 | 14.1.3.1, 15.1.1, 16.0.1 |
917509-3 | CVE-2020-27718 | K58102101, BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
911761-2 | CVE-2020-5948 | K42696541, BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
908673-5 | CVE-2020-27717 | K43850230, BT908673 | TMM may crash while processing DNS traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
904165-1 | CVE-2020-27716 | K51574311, BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 14.1.3.1, 15.1.1 |
879745-4 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
876353-1 | CVE-2020-5941 | K03125360, BT876353 | iRule command RESOLV::lookup may cause TMM to crash | 15.1.1, 16.0.1 |
839453-6 | CVE-2019-10744 | K47105354, BT839453 | lodash library vulnerability CVE-2019-10744 | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1 |
834257-1 | CVE-2020-5931 | K25400442, BT834257 | TMM may crash when processing HTTP traffic | 13.1.3.6, 14.1.2.5, 15.1.1 |
814953 | CVE-2020-5940 | K43310520, BT814953 | TMUI dashboard hardening | 14.1.2.5, 15.1.1, 16.0.1 |
754855-7 | CVE-2020-27714 | K60344652, BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 13.1.4, 14.1.3.1, 15.1.1 |
928037-2 | CVE-2020-27729 | K15310332, BT928037 | APM Hardening | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
919841-3 | CVE-2020-27728 | K45143221, BT919841 | AVRD may crash while processing Bot Defense traffic | 14.1.3.1, 15.1.1, 16.0.1 |
917469-2 | CVE-2020-5946 | K53821711, BT917469 | TMM may crash while processing FPS traffic | 14.1.2.8, 15.1.1, 16.0.1 |
912969-2 | CVE-2020-27727 | K50343630, BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
910017-2 | CVE-2020-5945 | K21540525, BT910017 | Security hardening for the TMUI Interface page | 14.1.2.8, 15.1.1, 16.0.1 |
905125-2 | CVE-2020-27726 | K30343902, BT905125 | Security hardening for APM Webtop | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
904937-2 | CVE-2020-27725 | K25595031, BT904937 | Excessive resource consumption in zxfrd | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
889557-1 | CVE-2019-11358 | K20455158, BT889557 | jQuery Vulnerability CVE-2019-11358 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
880001-1 | CVE-2020-5937 | K58290051, BT880001 | TMM may crash while processing L4 behavioral DoS traffic | 15.1.1 |
870273-5 | CVE-2020-5936 | K44020030, BT870273 | TMM may consume excessive resources when processing SSL traffic | 12.1.5.2, 14.1.2.8, 15.1.1 |
868349-1 | CVE-2020-5935 | K62830532, BT868349 | TMM may crash while processing iRules with MQTT commands | 13.1.3.4, 14.1.2.5, 15.1.1 |
858349-3 | CVE-2020-5934 | K44808538, BT858349 | TMM may crash while processing SAML SLO traffic | 14.1.2.5, 15.1.1 |
848405-2 | CVE-2020-5933 | K26244025, BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1 |
839761-1 | CVE-2020-5932 | K12002065, BT839761 | Response Body preview hardening | 15.1.1 |
778049-2 | CVE-2018-13405 | K00854051, BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
887637-2 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 14.1.2.5, 15.0.1.4, 15.1.1 |
852929-6 | CVE-2020-5920 | K25160703, BT852929 | AFM WebUI Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1 |
818213-4 | CVE-2019-10639 | K32804955, BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
818177-6 | CVE-2019-12295 | K06725231, BT818177 | CVE-2019-12295 Wireshark Vulnerability | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1 |
858537-2 | CVE-2019-1010204 | K05032915, BT858537 | CVE-2019-1010204: Binutils Vulnerability | 14.1.2.8, 15.1.1 |
834533-7 | CVE-2019-15916 | K57418558, BT834533 | Linux kernel vulnerability CVE-2019-15916 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912289-1 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms★ | 12.1.6, 14.1.4, 15.1.1 |
890229-1 | 3-Major | BT890229 | Source port preserve setting is not honored | 13.1.3.5, 14.1.2.8, 15.1.1 |
858189-3 | 3-Major | BT858189 | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | 12.1.5.2, 14.1.2.7, 15.1.1 |
719338-1 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 13.1.4, 14.1.4, 15.1.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
864513-1 | 1-Blocking | K48234609, BT864513 | ASM policies may not load after upgrading to 14.x or later from a previous major version★ | 14.1.2.7, 15.1.1 |
896217-2 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
876957-1 | 2-Critical | BT876957 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 14.1.4.1, 15.1.1 |
871561-5 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | 14.1.2.8, 15.1.1, 16.0.1 |
860517-1 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
818253-3 | 2-Critical | BT818253 | Generate signature files for logs | 14.1.2.8, 15.1.1, 16.0.1.1 |
805417-3 | 2-Critical | BT805417 | Unable to enable LDAP system auth profile debug logging | 14.1.2.7, 15.1.1 |
706521-2 | 2-Critical | K21404407, BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
593536-9 | 2-Critical | K64445052, BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations | 14.1.2.8, 15.1.1 |
924493-2 | 3-Major | BT924493 | VMware EULA has been updated | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
921361-2 | 3-Major | BT921361 | SSL client and SSL server profile names truncated in GUI | 15.1.1, 16.0.1.1 |
915825-2 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 13.1.3.5, 14.1.3.1, 15.1.1 |
904845-2 | 3-Major | BT904845 | VMware guest OS customization works only partially in a dual stack environment. | 14.1.3.1, 15.1.1, 16.0.1 |
904705-2 | 3-Major | BT904705 | Cannot clone Azure marketplace instances. | 14.1.2.8, 15.1.1, 16.0.1 |
898461-2 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | 14.1.3.1, 15.1.1, 16.0.1.1 |
886689-6 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual | 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
880625-3 | 3-Major | BT880625 | Check-host-attr enabled in LDAP system-auth creates unusable config | 14.1.2.8, 15.1.1, 16.0.1 |
880165-2 | 3-Major | BT880165 | Auto classification signature update fails | 14.1.2.8, 15.1.1, 16.0.1 |
867013-2 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 13.1.3.5, 14.1.2.7, 15.1.1 |
850777-3 | 3-Major | BT850777 | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | 14.1.3.1, 15.1.1 |
838297-2 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | 14.1.2.8, 15.1.1 |
828789-1 | 3-Major | BT828789 | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | 14.1.2.8, 15.1.1 |
807337-5 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | 14.1.2.8, 15.1.1, 16.0.1.1 |
788577-7 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
759564-2 | 3-Major | BT759564 | GUI not available after upgrade | 14.1.2.8, 15.1.1, 16.0.1 |
740589-4 | 3-Major | BT740589 | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
719555-3 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 14.1.4, 15.1.1 |
489572-5 | 3-Major | K60934489, BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
431503-8 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations | 13.1.3.5, 14.1.2.8, 15.1.1 |
921369 | 4-Minor | BT921369 | Signature verification for logs fails if the log files are modified during log rotation | 15.1.1 |
914761-3 | 4-Minor | BT914761 | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | 14.1.2.8, 15.1.1, 16.0.1.1 |
906889-4 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | 14.1.2.8, 15.1.1, 16.0.1 |
902417-2 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition★ | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1 |
890277-3 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
864757-3 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
822377-6 | 4-Minor | | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | 14.1.2.8, 15.1.1 |
779857-2 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition★ | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
751103-2 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | 14.1.2.8, 15.1.1, 16.0.1 |
849085-1 | 5-Cosmetic | BT849085 | Lines with only asterisks filling message and user.log file | 14.1.3.1, 15.1.1 |
714176-1 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889209-2 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | 14.1.4, 15.1.1 |
879409-3 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length | 14.1.3.1, 15.1.1 |
858429-3 | 2-Critical | BT858429 | BIG-IP system sending ICMP packets on both virtual wire interfaces | 14.1.2.8, 15.0.1.4, 15.1.1 |
851857-1 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 13.1.3.5, 14.1.3.1, 15.1.1 |
851581-3 | 2-Critical | BT851581 | Server-side detach may crash TMM | 14.1.2.8, 15.1.1 |
842937-6 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' | 12.1.5.3, 14.1.2.7, 15.1.1 |
932825-2 | 3-Major | BT932825 | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device | 15.1.1 |
915713-2 | 3-Major | BT915713 | Support QUIC and HTTP3 draft-29 | 15.1.1, 16.0.1.1 |
915689-1 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
915281-2 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
892385 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
883529-1 | 3-Major | BT883529 | HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path | 15.1.1 |
851789-2 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS | 12.1.5.3, 14.1.2.5, 15.1.1 |
851477-1 | 3-Major | BT851477 | Memory allocation failures during proxy initialization are ignored leading to TMM cores | 14.1.3.1, 15.1.1 |
851045-1 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1 |
830797-3 | 3-Major | BT830797 | Standby high availability (HA) device passes traffic through virtual wire | 14.1.2.3, 15.0.1.1, 15.1.1 |
825689-1 | 3-Major | | Enhance FIPS crypto-user storage | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
816881-2 | 3-Major | BT816881 | Server-side connection may use wrong VLAN when virtual wire is configured | 14.1.2.8, 15.1.1 |
801497-3 | 3-Major | BT801497 | Virtual wire with LACP pinning to one link in trunk. | 14.1.2.1, 15.1.1 |
932937-2 | 4-Minor | BT932937 | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | 14.1.3.1, 15.1.1, 16.0.1 |
926997-1 | 4-Minor | BT926997 | QUIC HANDSHAKE_DONE profile statistics are not reset | 15.1.1, 16.0.1 |
852373-3 | 4-Minor | BT852373 | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | 14.1.2.5, 15.0.1.4, 15.1.1 |
814037-6 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 13.1.3.5, 14.1.2.8, 15.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919553-2 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
788465-5 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash | 14.1.3.1, 15.1.1, 16.0.1 |
783125-1 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
898093-2 | 3-Major | BT898093 | Removing one member from a WideIP removes it from all WideIPs. | 15.1.1 |
869361-1 | 3-Major | BT869361 | Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated | 15.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
868641-3 | 2-Critical | BT868641 | Possible TMM crash when disabling bot profile for the entire connection | 14.1.2.7, 15.1.1 |
843801-2 | 2-Critical | BT843801 | Like-named previous Signature Update installations block Live Update usage after upgrade★ | 14.1.2.7, 15.1.1 |
918081-1 | 3-Major | BT918081 | Application Security Administrator role cannot create parent policy in the GUI | 15.1.1, 16.0.1.1 |
913761-2 | 3-Major | BT913761 | Security - Options section in navigation menu is visible for only Administrator users | 15.1.1, 16.0.1.2 |
903357-2 | 3-Major | BT903357 | Bot Defense Profile list loads too slowly when there are 750 or more virtual servers | 14.1.2.7, 15.1.1, 16.0.1.1 |
901061-2 | 3-Major | BT901061 | Safari browser might be blocked when using Bot Defense profile and related domains. | 14.1.2.8, 15.1.1, 16.0.1 |
898741-2 | 3-Major | BT898741 | Missing critical files causes FIPS-140 system to halt upon boot | 14.1.2.7, 15.1.1 |
892637-1 | 3-Major | BT892637 | Microservices cannot be added or modified | 15.1.1 |
888285-1 | 3-Major | K18304067, BT888285 | Sensitive positional parameter not masked in 'Referer' header value | 14.1.2.8, 15.1.1 |
888261-1 | 3-Major | BT888261 | Policy created with declarative WAF does not use updated template. | 15.1.1 |
881757-1 | 3-Major | BT881757 | Unnecessary HTML response parsing and response payload is not compressed | 14.1.4.2, 15.1.1, 16.0.1.2 |
880753-3 | 3-Major | K38157961, BT880753 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server | 14.1.2.7, 15.0.1.4, 15.1.1 |
879777-3 | 4-Minor | BT879777 | Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge | 14.1.2.8, 15.1.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908065-2 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
819301-2 | 3-Major | BT819301 | Incorrect values in REST response for dos-l3 table | 15.1.1, 16.0.1 |
866613-4 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 13.1.3.5, 14.1.2.8, 15.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886729-2 | 2-Critical | BT886729 | Intermittent TMM crash in per-request-policy allow-ending agent | 15.1.1 |
838861-3 | 2-Critical | BT838861 | TMM might crash once after upgrading SSL Orchestrator★ | 14.1.2.7, 15.1.1 |
579219-5 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 14.1.2.8, 15.1.1 |
892937-2 | 3-Major | K20105555, BT892937 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) | 14.1.4, 15.1.1, 16.0.1 |
857589-1 | 3-Major | BT857589 | On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' | 15.1.1 |
771961-3 | 3-Major | BT771961 | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | 14.1.3.1, 15.1.1 |
747020-2 | 3-Major | BT747020 | Requests that evaluate to same subsession can be processed concurrently | 14.1.3.1, 15.1.1, 16.0.1 |
679751-2 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 13.1.3.5, 14.1.2.8, 15.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
868781-1 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 13.1.4.1, 14.1.4.2, 15.1.1 |
898997-2 | 3-Major | BT898997 | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | 14.1.2.7, 15.1.1, 16.0.1 |
891385-2 | 3-Major | BT891385 | Add support for URI protocol type "urn" in MRF SIP load balancing | 14.1.3.1, 15.1.1, 16.0.1 |
697331-2 | 3-Major | BT697331 | Some TMOS tools for querying various DBs fail when only a single TMM is running | 14.1.3, 14.1.3.1, 15.1.1 |
924349-2 | 4-Minor | | DIAMETER MRF is not compliant with RFC 6733 for Host-IP-Address AVP over SCTP | 14.1.3.1, 15.1.1, 16.0.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
872645-2 | 3-Major | BT872645 | Protected Object Aggregate stats are causing elevated CPU usage | 14.1.3.1, 15.1.1 |
852289-4 | 3-Major | K23278332, BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 13.1.3.4, 14.1.2.5, 15.1.1 |
789857 | 3-Major | BT789857 | 'TCP half open' reports drops made by LTM syn-cookies mitigation. | 14.1.4, 15.1.1 |
920361-2 | 4-Minor | BT920361 | Standby device name sent in Traffic Statistics syslog/Splunk messages | 14.1.3.1, 15.1.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876581-2 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
891729-2 | 4-Minor | BT891729 | Errors in datasyncd.log★ | 14.1.2.8, 15.1.1, 16.0.1 |
759988-2 | 4-Minor | BT759988 | Geolocation information inconsistently formatted | 15.1.1, 16.0.1 |
940401-2 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
937281-3 | 3-Major | BT937281 | SSL Orchestrator pool members are limited to 20 with Standalone license | 15.1.1, 16.0.0.1 |
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
912221-1 | CVE-2020-12662, CVE-2020-12663 | K37661551, BT912221 | CVE-2020-12662 & CVE-2020-12663 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
900905-3 | CVE-2020-5926 | K42830212, BT900905 | TMM may crash while processing SIP data | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
888417-5 | CVE-2020-8840 | K15320518, BT888417 | Apache Vulnerability: CVE-2020-8840 | 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
883717-1 | CVE-2020-5914 | K37466356, BT883717 | BD crash on specific server cookie scenario | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
841577-2 | CVE-2020-5922 | K20606443, BT841577 | iControl REST hardening | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
838677-1 | CVE-2019-10744 | K47105354, BT838677 | lodash library vulnerability CVE-2019-10744 | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
837773-7 | CVE-2020-5912 | K12936322, BT837773 | Restjavad Storage and Configuration Hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
788057-3 | CVE-2020-5921 | K00103216, BT788057 | MCPD may crash while processing syncookies | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
917005-5 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1 |
909837-1 | CVE-2020-5950 | K05204103, BT909837 | TMM may consume excessive resources when AFM is provisioned | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
902141-1 | CVE-2020-5919 | K94563369, BT902141 | TMM may crash while processing APM data | 15.1.0.5 |
898949-1 | CVE-2020-27724 | K04518313, BT898949 | APM may consume excessive resources while processing VPN traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
888489-2 | CVE-2020-5927 | K55873574, BT888489 | ASM UI hardening | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
886085-5 | CVE-2020-5925 | K45421311, BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
872673-1 | CVE-2020-5918 | K26464312, BT872673 | TMM can crash when processing SCTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
856961-7 | CVE-2018-12207 | K17269881, BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5 |
837837-2 | CVE-2020-5917 | K43404629, BT837837 | F5 SSH server key size vulnerability CVE-2020-5917 | 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
832885-1 | CVE-2020-5923 | K05975972, BT832885 | Self-IP hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
830481-1 | CVE-2020-5916 | K29923912, BT830481 | SSL TMUI hardening | 15.0.1.4, 15.1.0.5 |
816413-5 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
811789-7 | CVE-2020-5915 | K57214921, BT811789 | Device trust UI hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
888493-2 | CVE-2020-5928 | K40843345, BT888493 | ASM GUI Hardening | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
748122-8 | CVE-2018-15333 | K53620021, BT748122 | BIG-IP Vulnerability CVE-2018-15333 | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
746091-8 | CVE-2019-19151 | K21711352, BT746091 | TMSH Vulnerability: CVE-2019-19151 | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
717276-9 | CVE-2020-5930 | K20622530, BT717276 | TMM Route Metrics Hardening | 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5 |
839145-3 | CVE-2019-10744 | K47105354, BT839145 | CVE-2019-10744: lodash vulnerability | 14.1.2.7, 15.1.0.5, 16.0.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816233-1 | 2-Critical | BT816233 | Session and authentication cookies should use larger character set | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
890421-2 | 3-Major | BT890421 | New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★ | 15.0.1.3, 15.1.0.5 |
691499-5 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
745465-4 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934241-2 | 1-Blocking | BT934241 | TMM may core when using FastL4's hardware offloading feature | 15.1.0.5 |
891477-3 | 2-Critical | BT891477 | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
890513-2 | 2-Critical | BT890513 | MCPD fails to load configuration from binary database | 14.1.4, 15.1.0.5 |
849405-2 | 2-Critical | BT849405 | LTM v14.1.2.1 does not log after upgrade★ | 14.1.2.5, 15.1.0.5 |
842865-2 | 2-Critical | BT842865 | Add support for Auto MAC configuration (ixlv) | 14.1.2.8, 15.0.1.4, 15.1.0.5 |
739507-3 | 2-Critical | BT739507 | Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 13.1.1.2, 14.1.4, 15.1.0.5 |
927901-4 | 3-Major | BT927901 | After BIG-IP reboot, vxnet interfaces come up as uninitialized | 15.1.0.5 |
915497-2 | 3-Major | BT915497 | New Traffic Class Page shows multiple question marks. | 14.1.3.1, 15.1.0.5, 16.0.1.1 |
907549-1 | 3-Major | BT907549 | Memory leak in BWC::Measure | 15.1.0.5 |
891721-3 | 3-Major | BT891721 | Anti-Fraud Profile URLs with query strings do not load successfully | 14.1.2.7, 15.0.1.4, 15.1.0.5 |
888497-2 | 3-Major | BT888497 | Cacheable HTTP Response | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
887089-1 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
877145-4 | 3-Major | BT877145 | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException | 15.0.1.3, 15.1.0.5 |
871657-1 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
844085-1 | 3-Major | BT844085 | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | 14.1.2.8, 15.1.0.5, 16.0.1 |
842125-6 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
821309-1 | 3-Major | BT821309 | After an initial boot, mcpd has a defunct child "systemctl" process | 14.1.2.7, 15.1.0.5 |
814585-1 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1 |
807005-5 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
802685-2 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
797829-6 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
785741-3 | 3-Major | K19131357, BT785741 | Unable to login using LDAP with 'user-template' configuration | 14.1.2.3, 15.0.1.4, 15.1.0.5 |
760622-5 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 15.1.0.5 |
405329-3 | 3-Major | | The imish utility cores while checking help strings for OSPF6 vertex-threshold | 15.1.0.5 |
919745-2 | 4-Minor | BT919745 | CSV files downloaded from the Dashboard have the first row with all 'NaN' | 14.1.2.8, 15.1.0.5, 16.0.1 |
918209-3 | 4-Minor | BT918209 | GUI Network Map icons color scheme is not section 508 compliant | 14.1.2.8, 15.1.0.5, 16.0.1 |
851393-1 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up | 14.1.4.4, 15.1.0.5 |
804309-1 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
713614-7 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 15.1.0.5 |
767269-5 | 5-Cosmetic | | Linux kernel vulnerability: CVE-2018-16884 | 14.1.2.8, 15.1.0.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
925989 | 2-Critical | BT925989 | Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4★ | 15.1.0.5 |
839749-3 | 2-Critical | BT839749 | Virtual server with specific address list might fail to create via GUI | 14.1.2.8, 15.0.1.1, 15.1.0.5 |
715032-1 | 2-Critical | K73302459, BT715032 | iRulesLX Hardening | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
916589-2 | 3-Major | BT916589 | QUIC drops 0RTT packets if CID length changes | 15.1.0.5, 16.0.1.1 |
910521-2 | 3-Major | BT910521 | Support QUIC and HTTP draft-28 | 15.1.0.5, 16.0.1 |
893281-3 | 3-Major | BT893281 | Possible ssl stall on closed client handshake | 14.1.2.7, 15.1.0.5 |
813701-6 | 3-Major | BT813701 | Proxy ARP failure | 14.1.2.7, 15.1.0.5 |
788753-2 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 13.1.3.4, 14.1.2.8, 15.1.0.5 |
786517-5 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 13.1.3.5, 14.1.3.1, 15.1.0.5 |
720440-6 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5 |
914681-2 | 4-Minor | BT914681 | Value of tmm.quic.log.level can differ between TMSH and GUI | 15.1.0.5, 16.0.1.1 |
714502-3 | 4-Minor | BT714502 | bigd restarts after loading a UCS for the first time | 14.1.2.7, 15.1.0.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
789421-4 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI | 14.1.2.7, 15.1.0.5, 16.0.1 |
774257-4 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types | 14.1.2.7, 15.1.0.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904593-1 | 2-Critical | BT904593 | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | 14.1.2.7, 15.1.0.5 |
865461-1 | 2-Critical | BT865461 | BD crash on specific scenario | 14.1.2.7, 15.1.0.5 |
850641-2 | 2-Critical | BT850641 | Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies | 15.1.0.5 |
900797-2 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
900793-1 | 3-Major | K32055534, BT900793 | APM Brute Force Protection resources do not scale automatically | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
900789-2 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash is fully utilized | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
892653-1 | 3-Major | BT892653 | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | 14.1.2.7, 15.1.0.5, 16.0.1 |
880789-3 | 3-Major | BT880789 | ASMConfig Handler undergoes frequent restarts | 14.1.2.7, 15.1.0.5 |
874753-3 | 3-Major | | Filtering by Bot Categories on Bot Requests Log shows 0 events | 14.1.2.7, 15.1.0.5 |
871905-2 | 3-Major | K02705117, BT871905 | Incorrect masking of parameters in event log | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
868721-1 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions | 14.1.2.7, 15.1.0.5 |
863609-4 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | 14.1.2.7, 15.1.0.5 |
854177-5 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5 |
850677-4 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | 14.1.2.7, 15.1.0.5 |
848445-1 | 3-Major | K86285055, BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
833685-5 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
809125-5 | 3-Major | BT809125 | CSRF false positive | 12.1.5.1, 14.1.2.7, 15.1.0.5 |
799749-2 | 3-Major | BT799749 | Asm logrotate fails to rotate | 14.1.2.7, 15.1.0.5 |
783165-1 | 3-Major | BT783165 | Bot Defense whitelists do not apply for URL "Any" after modifying the Bot Defense profile | 14.1.2.7, 15.1.0.5 |
742549-3 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 13.1.3.6, 14.1.2.7, 15.1.0.5 |
722337-2 | 3-Major | BT722337 | Always show violations in request log when post request is large | 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1 |
640842-5 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled | 14.1.2.7, 15.1.0.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
828937-1 | 2-Critical | K45725467, BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
902485-3 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
841305-2 | 3-Major | BT841305 | HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log | 15.1.0.5, 16.0.1 |
838685-4 | 3-Major | BT838685 | DoS report exist in per-widget but not under individual virtual | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
884797-4 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection | 14.1.2.5, 15.1.0.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904373-3 | 3-Major | BT904373 | MRF GenericMessage: Implement limit to message queues size | 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
876953-2 | 3-Major | BT876953 | Tmm crash while passing diameter traffic | 15.0.1.4, 15.1.0.5, 16.0.1 |
876077-1 | 3-Major | BT876077 | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
868381-1 | 3-Major | BT868381 | MRF DIAMETER: Retransmission queue unable to delete stale entries | 14.1.2.5, 15.0.1.4, 15.1.0.5 |
866021-1 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
824149-5 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
815877-2 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
696348-5 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
788513-6 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
793005-1 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802421-6 | 2-Critical | BT802421 | The /var partition may become 100% full requiring manual intervention to clear space | 14.1.2.7, 15.1.0.5 |
757279-3 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 13.1.1.5, 14.1.2.8, 15.1.0.5 |
896917 | 4-Minor | BT896917 | The fw_zone_stat 'Hits' field may not increment in some scenarios | 15.1.0.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
839597-6 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886717-1 | 3-Major | BT886717 | TMM crash while using SSL Orchestrator | 15.1.0.5 |
886713-1 | 4-Minor | BT886713 | Error log seen in case of SSL Orchestrator configured with http service during connection close. | 14.1.2.5, 15.1.0.5 |
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
900757-2 | CVE-2020-5902 | K52145254, BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895525-2 | CVE-2020-5902 | K52145254, BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
909237-6 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
909233-6 | CVE-2020-8616 | K97810133, BT909233 | DNS Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
905905-1 | CVE-2020-5904 | K31301245, BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895993-2 | CVE-2020-5902 | K52145254, BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895981-2 | CVE-2020-5902 | K52145254, BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
895881-1 | CVE-2020-5903 | K43638305, BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
891457-2 | CVE-2020-5939 | K75111593, BT891457 | NIC driver may fail while transmitting data | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1 |
859089-7 | CVE-2020-5907 | K00091341, BT859089 | TMSH allows SFTP utility access | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
909673 | 2-Critical | BT909673 | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms | 15.1.0.4 |
882557-2 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
878893-3 | 3-Major | BT878893 | During system shutdown it is possible for the sflow_agent to core | 15.1.0.4 |
858769-6 | 3-Major | K82498430, BT858769 | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 | 15.1.0.4 |
829193-4 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 13.1.3.6, 14.1.3.1, 15.1.0.4 |
826265-5 | 3-Major | BT826265 | The SNMPv3 engineBoots value restarts at 1 after an upgrade | 15.1.0.4 |
812493-4 | 3-Major | BT812493 | When engineID is reconfigured, snmp and alert daemons must be restarted★ | 15.1.0.4 |
810381-2 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 13.1.3.5, 14.1.2.8, 15.1.0.4 |
743234-6 | 3-Major | BT743234 | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | 15.1.0.4 |
774617-3 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits | 14.1.4, 15.1.0.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910177 | 2-Critical | BT910177 | Poor HTTP/3 throughput | 15.1.0.4 |
848777-3 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | 14.1.2.7, 15.1.0.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
892621-1 | 3-Major | BT892621 | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software | 14.1.3, 15.1.0.4 |
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889505 | 3-Major | BT889505 | Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available | 15.1.0.3 |
888569 | 3-Major | BT888569 | Added PBA stats for total number of free PBAs, and percent free PBAs | 15.1.0.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
795649-5 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883513-1 | 3-Major | BT883513 | Support for QUIC and HTTP/3 draft-27 | 15.1.0.3 |
828601-1 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.1.0.3 |
758599-3 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846713-1 | 2-Critical | BT846713 | Gtm_add does not restart named | 15.1.0.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
903905-2 | 2-Critical | BT903905 | BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances | 15.1.0.3 |
889477-1 | 2-Critical | BT889477 | Modern customization does not enforce validation at password changing | 15.1.0.3 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
888625 | 3-Major | BT888625 | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks | 14.1.2.7, 15.1.0.3 |
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
879025-2 | CVE-2020-5913 | K72752002, BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2 |
871633-1 | CVE-2020-5859 | K61367237, BT871633 | TMM may crash while processing HTTP/3 traffic | 15.1.0.2 |
846917-1 | CVE-2019-10744 | K47105354, BT846917 | lodash Vulnerability: CVE-2019-10744 | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
846365-1 | CVE-2020-5878 | K35750231, BT846365 | TMM may crash while processing IP traffic | 14.1.2.3, 15.0.1.2, 15.1.0.2 |
830401-1 | CVE-2020-5877 | K54200228, BT830401 | TMM may crash while processing TCP traffic with iRules | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
819197-2 | CVE-2019-13135 | K20336394, BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
819189-1 | CVE-2019-13136 | K03512441, BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
636400 | CVE-2019-6665 | K26462555, BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2 |
873469-2 | CVE-2020-5889 | K24415506, BT873469 | APM Portal Access: Base URL may be set incorrectly | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
864109-1 | CVE-2020-5889 | K24415506, BT864109 | APM Portal Access: Base URL may be set incorrectly | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
858025-1 | CVE-2021-22984 | K33440533, BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
838881-1 | CVE-2020-5853 | K73183618, BT838881 | APM Portal Access Vulnerability: CVE-2020-5853 | 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
832021-3 | CVE-2020-5888 | K73274382, BT832021 | Port lockdown settings may not be enforced as configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
832017-3 | CVE-2020-5887 | K10251014, BT832017 | Port lockdown settings may not be enforced as configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
829121-1 | CVE-2020-5886 | K65720640, BT829121 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
829117-1 | CVE-2020-5885 | K17663061, BT829117 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
789921-5 | CVE-2020-5881 | K03386032, BT789921 | TMM may restart while processing VLAN traffic | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
868097-3 | CVE-2020-5891 | K58494243, BT868097 | TMM may crash while processing HTTP/2 traffic | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
846157-1 | CVE-2020-5862 | K01054113, BT846157 | TMM may crash while processing traffic on AWS | 14.1.2.3, 15.0.1.2, 15.1.0.2 |
838909-3 | CVE-2020-5893 | K97733133, BT838909 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 | 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2 |
823893-7 | CVE-2020-5890 | K03318649, BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870389-3 | 3-Major | BT870389 | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | 14.1.2.5, 15.1.0.2 |
858229-5 | 3-Major | K22493037, BT858229 | XML with sensitive data gets to the ICAP server | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
854493-5 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log | 14.1.2.8, 15.1.0.2 |
841953-7 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash | 12.1.5.3, 14.1.2.8, 15.1.0.2 |
841581 | 2-Critical | BT841581 | License activation takes a long time to complete on Google GCE platform | 15.1.0.2 |
841333-7 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2 |
817709-3 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 14.1.2.8, 15.1.0.2 |
811701-3 | 2-Critical | BT811701 | AWS instance using xnet driver not receiving packets on an interface. | 14.1.2.7, 15.0.1.4, 15.1.0.2 |
811149-2 | 2-Critical | BT811149 | Remote users are unable to authenticate via serial console. | 14.1.2.8, 15.0.1.4, 15.1.0.2 |
866925-5 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
865225-1 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 13.1.3.4, 15.1.0.2 |
852001-1 | 3-Major | BT852001 | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
830717 | 3-Major | BT830717 | Appdata logical volume cannot be resized for some cloud images★ | 15.1.0.2 |
829317-5 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2 |
828873-3 | 3-Major | BT828873 | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor | 15.1.0.2 |
812981-6 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
802281-3 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 13.1.3.5, 14.1.2.5, 15.1.0.2 |
793121-5 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
742628-1 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2 |
605675-6 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
831293-5 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2 |
755317-3 | 4-Minor | BT755317 | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | 14.1.2.5, 15.1.0.2 |
722230-1 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
860881-3 | 2-Critical | BT860881 | TMM can crash when handling a compressed response from HTTP server | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
839401-1 | 2-Critical | BT839401 | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | 14.1.2.5, 15.0.1.4, 15.1.0.2 |
837617-1 | 2-Critical | BT837617 | Tmm may crash while processing a compression context | 14.1.4.4, 15.1.0.2 |
872965-1 | 3-Major | BT872965 | HTTP/3 does not support draft-25 | 15.1.0.2 |
862597-7 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
853613-4 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852873-2 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped | 14.1.2.7, 15.1.0.2 |
852861-1 | 3-Major | BT852861 | TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario | 15.1.0.2 |
851445-1 | 3-Major | BT851445 | QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams | 15.1.0.2 |
850973-1 | 3-Major | BT850973 | Improve QUIC goodput for lossy links | 15.1.0.2 |
850933-1 | 3-Major | BT850933 | Improve QUIC rate pacing functionality | 15.1.0.2 |
847325-3 | 3-Major | BT847325 | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
818853-1 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
809597-5 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 13.1.4, 14.1.3, 15.1.0.2 |
714372-5 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | 14.1.4.4, 15.0.1.1, 15.1.0.2 |
705112-6 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2 |
859113-1 | 4-Minor | BT859113 | Using "reject" iRules command inside "after" may cause core | 14.1.2.5, 15.1.0.2 |
839245-3 | 4-Minor | BT839245 | IPother profile with SNAT sets egress TTL to 255 | 14.1.2.5, 15.1.0.2 |
824365-5 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2 |
822025 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760471-1 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852437-3 | 2-Critical | K25037027, BT852437 | Overly aggressive file cleanup causes failed ASU installation | 14.1.2.5, 15.1.0.2 |
846073-1 | 2-Critical | BT846073 | Installation of browser challenges fails through Live Update | 15.1.0.2 |
850673-1 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
842161-1 | 3-Major | BT842161 | Installation of Browser Challenges fails in 15.1.0 | 15.1.0.2 |
793017-3 | 3-Major | BT793017 | Files left behind by failed Attack Signature updates are not cleaned | 14.1.2.3, 15.1.0.2 |
778261-2 | 3-Major | BT778261 | CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate | 15.0.1.1, 15.1.0.2 |
739618-3 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 13.1.3.2, 14.1.2.3, 15.1.0.2 |
681010-4 | 3-Major | K33572148, BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838709-4 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
870957-4 | 3-Major | | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
863161-1 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
835381-3 | 3-Major | BT835381 | HTTP custom analytics profile 'not found' when default profile is modified | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
830073-2 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
865053-3 | 4-Minor | BT865053 | AVRD core due to a try to load vip lookup when AVRD is down | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
863069-1 | 4-Minor | BT863069 | Avrmail timeout is too small | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876393-1 | 2-Critical | BT876393 | General database error while creating Access Profile via the GUI | 15.1.0.2 |
871761-1 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
871653-1 | 2-Critical | BT871653 | Access Policy cannot be created with 'modern' customization | 15.1.0.2 |
866685-1 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
866161-1 | 3-Major | BT866161 | Client port reuse causes RST when the security service attempts server connection reuse. | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
853325-1 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. | 14.1.4.5, 15.0.1.3, 15.1.0.2 |
852313-4 | 3-Major | BT852313 | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
850277-1 | 3-Major | BT850277 | Memory leak when using OAuth | 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2 |
844781-3 | 3-Major | BT844781 | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | 14.1.4.4, 15.0.1.3, 15.1.0.2 |
844685-1 | 3-Major | BT844685 | Per-request policy is not exported if it contains HTTP Connector Agent | 15.1.0.2 |
844573-1 | 3-Major | BT844573 | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | 15.1.0.2 |
844281-3 | 3-Major | BT844281 | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | 14.1.4.4, 15.0.1.3, 15.1.0.2 |
835309-1 | 3-Major | | Some strings on BIG-IP APM Server pages are not localized | 15.1.0.2 |
832881-1 | 3-Major | BT832881 | F5 Endpoint Inspection helper app is not updated | 15.1.0.2 |
832569-3 | 3-Major | BT832569 | APM end-user connection reset | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
831781-4 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
803825-5 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
761303-5 | 3-Major | BT761303 | Upgrade of standby BIG-IP system results in empty Local Database | 15.0.1.3, 15.1.0.2 |
744407-1 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
706782-5 | 3-Major | BT706782 | Inefficient APM processing in large configurations. | 14.1.2.8, 15.0.1.3, 15.1.0.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
853545-1 | 3-Major | BT853545 | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | 14.1.2.5, 15.1.0.2 |
842625-5 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
840821-1 | 3-Major | BT840821 | SCTP Multihoming not working within MRF Transport-config connections | 15.1.0.2 |
825013-1 | 3-Major | BT825013 | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | 14.1.2.7, 15.0.1.1, 15.1.0.2 |
803809-4 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 13.1.3.4, 14.1.2.7, 15.1.0.2 |
859721-1 | 4-Minor | BT859721 | Using GENERICMESSAGE create together with reject inside periodic after may cause core | 14.1.2.5, 15.1.0.2 |
836357-5 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852557-3 | 2-Critical | BT852557 | Tmm core while using service chaining for SSL Orchestrator | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
864329-3 | 3-Major | BT864329 | Client port reuse causes RST when the backend server-side connection is open | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852481-3 | 3-Major | BT852481 | Failure to check virtual-server context when closing server-side connection | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
852477-3 | 3-Major | BT852477 | Tmm core when SSL Orchestrator is enabled | 14.1.2.5, 15.0.1.3, 15.1.0.2 |
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
834853 | 3-Major | BT834853 | Azure walinuxagent has been updated to v2.2.42 | 15.1.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
862557-1 | 3-Major | BT862557 | Client-ssl profiles derived from clientssl-quic fail validation | 15.1.0.1 |
Cumulative fix details for BIG-IP v15.1.5 that are included in this release
999933-3 : TMM may crash while processing DNS traffic on certain platforms
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge (HSB) may crash while processing DNS traffic.
Conditions:
-DNS profile enabled
-Hardware system (or vCMP guests) with a High-Speed Bridge (HSB)
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes DNS traffic as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1
999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice
Links to More Info: K03544414, BT999317
Component: Access Policy Manager
Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice
Conditions:
Running Diagnostics report for Edge client on Windows system
Impact:
Edge client does not follow best practice
Workaround:
No workaround.
Fix:
Edge Client on Windows now follows best practice
Fixed Versions:
15.1.3.1
999097-3 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
14.1.4.5, 15.1.5
998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Links to More Info: BT998473
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication for Active Directory users who are subscribed to more than one hundred groups will fail.
Workaround:
None
Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.
Fixed Versions:
15.1.4.1
998221-3 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.
Managing pool members from the configuration utility is very slow, causing a performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
998085-1 : BIG-IP DataSafe GUI does not save changes
Links to More Info: BT998085
Component: Fraud Protection Services
Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.
Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.
Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.
Workaround:
Use tmsh to configure the BIG-IP system.
Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.
Fixed Versions:
15.1.3
997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Links to More Info: BT997929
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
997761-2 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy
Links to More Info: BT997761
Component: Access Policy Manager
Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions (use cases such as API protection), the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.
Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.
Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
15.1.5
997641 : APM policy ending with redirection results in policy execution failure
Links to More Info: BT997641
Component: Access Policy Manager
Symptoms:
After successful authentication, the APM end user client connection gets reset.
/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766
Conditions:
Access policy has a path ending with a redirect.
Impact:
APM end user clients cannot access the backend resources protected by the policy.
Workaround:
None
Fix:
Fixed an issue with APM policies not working when they ended with redirect.
Fixed Versions:
15.1.4
997313-3 : Unable to create APM policies in a sync-only folder★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
15.1.4.1, 16.1.2
997193-1 : TCP connections may fail when AFM global syncookies are in operation.
Component: Local Traffic Manager
Symptoms:
TCP connections are rejected by the BIG-IP system with reset cause "No flow found for ACK".
Conditions:
1) AFM is provisioned.
2) AFM global syncookies are in operation.
3a) The traffic arrives over an APM VPN tunnel, and is handled by one of the internal default APM listeners (not a more specific listener).
-or-
3b) The device is Active for multiple floating traffic-groups, said traffic-groups don't use MAC masquerading, and connection.syncookies.algorithm is set to software.
-or-
3c) The traffic belongs to traffic-group-local-only, and connection.syncookies.algorithm is set to software.
Impact:
Application failures as TCP connections fail.
Workaround:
You can work around this issue as follows.
- For the APM VPN case: define a listener (e.g. virtual server) over the tunnel to process the traffic (instead of relying on one of the default internal APM listeners). Note that the workaround may not work if the device is Active for multiple floating traffic-groups at the same time.
- For the device Active for multiple floating traffic-groups case: use MAC masquerading for all floating traffic-groups, or set connection.syncookies.algorithm back to its default of hardware.
- For the traffic-group-local-only case: set connection.syncookies.algorithm back to its default of hardware, or disable AFM global syncookies by turning off the TCP Half-Open attack vector at the device level.
Fix:
TCP connections now establish successfully regardless of syncookies being in operation.
Fixed Versions:
14.1.4.5, 15.1.5
997169 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
Fix:
Firewall rules are now triggered when gateway pools are used.
Fixed Versions:
15.1.4.1
997137-3 : CSRF token removal may allow WAF bypass on GET requests
Component: Application Security Manager
Symptoms:
Under certain conditions the "csrt" parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted "csrt" parameter
Impact:
A malicious request bypasses attack signatures and does not raise any attack signature violation.
Workaround:
N/A
Fix:
"csrt" parameter is now processed as expected.
Fixed Versions:
14.1.4.4, 15.1.4.1
996593-2 : Password change through REST or GUI not allowed if the password is expired
Links to More Info: BT996593
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports an error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
996381-3 : ASM attack signature may not match as expected
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
996001-1 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (a report with a resolution of one day per data point) can be provided only for requests of up to 30 days. A request for 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
14.1.4.5, 15.1.5
995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object created with IPv4 and IPv6 addresses in the Device tab, with Virtual Server Discovery enabled.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
14.1.4.4, 15.1.4
995629-3 : Loading UCS files may hang if ASM is provisioned★
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Links to More Info: BT995433
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPv6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
Fixed Versions:
14.1.4.5, 15.1.4.1
995029-3 : Configuration is not updated during auto-discovery
Links to More Info: BT995029
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for the OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.
Fix:
Fixed an issue with auto-discovery and JWKs.
Fixed Versions:
14.1.4.2, 15.1.4
994985-2 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI now shows the virtual server configuration page with all configuration values.
Fixed Versions:
14.1.4.2, 15.1.4
994801-3 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands via SCP file transfer.
Impact:
Users without Advanced Shell access can run SCP file transfer commands.
Workaround:
None
Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
993913-2 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
993613-5 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and the ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halt asm_config_server on the stuck device to restore the working state, then request a new sync.
Fixed Versions:
14.1.4.5, 15.1.5
993489-3 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
993457-2 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are used instead, which has a performance impact compared to hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
15.1.4
992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
The GUI shows the correct value for the rule protocol option.
Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1
992053-1 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for redirected flows.
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
Fix:
Updated pva_stats to reflect server side flow.
Fixed Versions:
15.1.4.1
991421-3 : TMM may crash while processing TLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic
Conditions:
- Forward proxy configured
- Forward proxy passthrough
- TLS1.3 traffic
Impact:
Traffic disrupted while TMM restarts.
Workaround:
N/A
Fix:
TMM now processes TLS traffic as expected.
Fixed Versions:
15.1.4.1, 16.1.2
990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command★
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
989753-2 : In HA setup, standby fails to establish connection to server
Links to More Info: BT989753
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
Component: TMOS
Symptoms:
A flaw was found in the NFSv4 implementation: when mounting a remote attacker-controlled server, the server could return a specially crafted response that allows local memory corruption and possibly privilege escalation.
Conditions:
Mounting an unauthenticated server can trigger this flaw.
Impact:
Can cause local memory corruption and possibly privilege escalation.
Workaround:
While there is no known mitigation to this flaw, configuring authentication and only mounting authenticated NFSv4 servers will significantly reduce the risk of this flaw being successfully exploited.
Fix:
Kernel patched to resolve CVE-2020-25212.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
989637-3 : TMM may crash while processing SSL traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing SSL traffic
Conditions:
-- SSL profile enabled
-- Client authentication enabled
Impact:
TMM consumes excessive resources, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes SSL traffic as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1
988793 : SecureVault on BIG-IP tenant does not store unit key securely
Links to More Info: BT988793
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for unit key.
Workaround:
None
Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.
Fixed Versions:
15.1.4
988761-1 : Cannot create Protected Object in GUI
Links to More Info: BT988761
Component: Advanced Firewall Manager
Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step
Conditions:
This occurs in normal operation
Impact:
Cannot create Protected Objects using the GUI
Workaround:
Use tmsh to create Protected Objects
Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.
Fixed Versions:
15.1.4
988645 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
Fix:
Fixed system behavior when tmm is aborted and restarted.
Fixed Versions:
15.1.4
988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv
Links to More Info: K68251873
988533-1 : GRE-encapsulated MPLS packet support
Links to More Info: BT988533
Component: TMOS
Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI offers encapsulation options only for IP (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
MPLS packets encapsulated over GRE are now supported in a way similar to IP and transparent ethernet bridging.
Fixed Versions:
14.1.4.5, 15.1.4.1
988005-1 : Zero active rules counters in GUI
Links to More Info: BT988005
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
Fixed Versions:
15.1.4
987605-2 : DDoS: ICMP attacks are not hardware-mitigated
Links to More Info: BT987605
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DoS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.
Fixed Versions:
15.1.4
987345-1 : Disabling periodic-refresh-log has no effect
Links to More Info: BT987345
Component: Advanced Firewall Manager
Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' (disabled) is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:
info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".
Conditions:
PBA periodic-refresh-log set to '0'.
Impact:
System provides unnecessary, excessive logging.
Workaround:
None
Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' (disabled) is now honored. "Port Block Periodic Log" messages are no longer logged with this configuration setting.
Fixed Versions:
15.1.4.1
987113-1 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8-blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can cause a dramatic drop in traffic performance.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
Fixed Versions:
15.1.4
986937-1 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
15.1.4, 16.0.1.2, 16.1.1
985953-3 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic is not collected by the virtual server and therefore is not forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
985537-1 : Upgrade Microsoft Hyper-V driver★
Links to More Info: BT985537
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.
When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.
Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.
Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.
Workaround:
None.
Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.
Fixed Versions:
15.1.4
985433-2 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.
Links to More Info: BT985433
Component: Local Traffic Manager
Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.
Conditions:
--- Standard virtual server with the TCP and HTTP profiles.
--- The HTTP profile is configured to insert the X-Forwarded-For header.
--- The client supplies an empty X-Forwarded-For header in the HTTP request.
Impact:
Affected client connections are reset, leading to application failures.
Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:
when HTTP_REQUEST {
    # Replace any client-supplied X-Forwarded-For header (including an empty one)
    # with the connecting client's address, instead of relying on the HTTP profile.
    HTTP::header replace X-Forwarded-For [IP::remote_addr]
}
Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.
Fixed Versions:
15.1.4.1
984765-1 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
Fixed Versions:
14.1.4.4, 15.1.4
984657-3 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When the cloud_only system db variable is enabled, urlcat_query run from tmsh still returns categorization from Webroot.
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables do not work from tmsh.
Fix:
Sysdb variables can now be verified from tmsh.
Fixed Versions:
15.1.4.1, 16.0.1.2
984593-2 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5
982869-1 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Links to More Info: BT982869
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
981785-3 : Incorrect incident severity in Event Correlation statistics
Links to More Info: BT981785
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
The Event Correlation engine has been fixed; incident severity is now reported properly to AVR.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
981693-1 : TMM may consume excessive resources while processing IPSec ALG traffic
Component: Carrier-Grade NAT
Symptoms:
When processing IPSec ALG traffic, TMM may consume excessive resources.
Conditions:
-- IPsec ALG virtual server with ALG logging profile.
-- IPsec traffic is passed.
Impact:
TMM crashes, leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
Fixed Versions:
14.1.4.2, 15.1.4.1
981689-2 : TMM memory leak with IPsec ALG
Links to More Info: BT981689
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
Fixed Versions:
14.1.4.2, 15.1.4.1
981385-3 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
981069-1 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- Data Guard in non-blocking (masking) mode
- A response that is not compressed (zipped) and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off Data Guard or change it to blocking mode.
2. Make the server reply with compressed responses (for example, by inserting an Accept-Encoding: gzip request header using an iRule).
3. Enable an additional response-related feature.
4. If there is no cookie-related enforcement, use the following iRule to strip the legacy TS cookies from requests:
when HTTP_REQUEST {
    # Remove every ASM "TS" cookie carried over from the previous version so that
    # the older cookie format is never presented to the upgraded system.
    set cookies [HTTP::cookie names]
    foreach aCookie $cookies {
        if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
            HTTP::cookie remove $aCookie
        }
    }
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
15.1.4, 16.1.1
980821-2 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Links to More Info: BT980821
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
}
ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
}
Replace vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
}
ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protocol UDP
    ...
}
Fix:
A more specific virtual server now takes priority over a wildcard virtual server when processing traffic.
Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2
980325-5 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4
978833-2 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Links to More Info: BT978833
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes a memory leak.
Fixed Versions:
14.1.4.4, 15.1.4.1
977053-2 : TMM crash on standby due to invalid MR router instance
Links to More Info: BT977053
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
977005-1 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Links to More Info: BT977005
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
The GUI shows extra 'Any' text under the source column.
Workaround:
None
Fix:
The GUI no longer shows the extra text.
Fixed Versions:
14.1.4.2, 15.1.4
976505-2 : Rotated restnoded logs will fail logintegrity verification.
Links to More Info: BT976505
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
976501-2 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop.
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
976365 : Traffic Classification hardening★
Links to More Info: BT976365
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
Fixed Versions:
14.1.4.3, 15.1.3.1
975809-1 : Rotated restjavad logs fail logintegrity verification.
Links to More Info: BT975809
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
974881-2 : Tmm crash with a SNAT iRule configured with a few supported/unsupported events with diameter traffic
Links to More Info: BT974881
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
974501-1 : Excessive memory usage by mirroring subsystem when remirroring
Links to More Info: BT974501
Component: Local Traffic Manager
Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)
In severe cases, tmm might restart and generate a core file due to an out of memory condition.
Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.
Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.
Fixed Versions:
15.1.2.1
974341-2 : REST API: File upload
Component: Application Security Manager
Symptoms:
Under certain conditions, the REST API does not process file uploads as expected.
Conditions:
- REST API access
- File uploaded
Impact:
File uploads are not processed as expected.
Workaround:
N/A
Fix:
The REST API now handles file uploads as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
974241-1 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exits with an error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create an access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
15.1.4, 16.1.1
974205-3 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd process's memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both of these variables are introduced for debugging purposes.
Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4
973673-1 : CPU spikes when the LDAP operational timeout is set to 180 seconds
Links to More Info: BT973673
Component: Access Policy Manager
Symptoms:
By default, the LDAP operation timeout is 180 seconds, and this can cause CPU spikes.
Conditions:
-- BIG-IP configured with a per-request access policy.
-- A high traffic load containing a lot of LDAP Auth and LDAP Query operations occurs.
Impact:
High LDAP traffic load can cause CPU spikes and traffic disruption.
Fix:
Reduced the LDAP operational timeout to 50 seconds for per-request LDAP Auth and LDAP Query requests, because the accessV2 mpi request timeout is only 60 seconds.
Fixed Versions:
15.1.5
973261-2 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Links to More Info: BT973261
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use the HTTPS monitor.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
973201-2 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★
Links to More Info: BT973201
Component: TMOS
Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.
Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begin a live upgrade.
Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.
Workaround:
None
Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.
Fixed Versions:
14.1.4, 15.1.4
971297-2 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★
Links to More Info: BT971297
Component: Global Traffic Manager (DNS)
Symptoms:
The type of DNSSEC keys stored on the NetHSM changes from FIPS external to internal during the upgrade.
Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded
Impact:
The keys are stored locally following the upgrade.
Workaround:
None.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
970829-5 : iSeries LCD incorrectly displays secure mode
Links to More Info: K03310534, BT970829
Component: Device Management
Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.
Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.
Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:
-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.
The restjavad-audit.*.log may contain similar messages:
[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}
Workaround:
None
Fix:
The LCD now functions normally, and no authentication errors appear in the logs.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
970329-3 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
969713-1 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey
Links to More Info: BT969713
Component: TMOS
Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.
Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured
Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel.
Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.
Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.
Fixed Versions:
15.1.4
969637-2 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★
Links to More Info: BT969637
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"
Conditions:
-- A small subset of the following BIG-IP platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Configuration load fails and the device does not come online.
Fixed Versions:
14.1.4.4, 15.1.4
969509-4 : Possible memory corruption due to DOS vector reset
Links to More Info: BT969509
Component: Advanced Firewall Manager
Symptoms:
Unpredictable results due to possible memory corruption.
Conditions:
DOS vector configuration change
Impact:
Memory corruption
Fix:
Added correct logic to reset DOS vector.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
969385-2 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.
Links to More Info: BT969385
Component: BIG-IP Risk Engine
Symptoms:
Automatic attach/detach of a BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with a TAP profile.
Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)
Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.
Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).
Fix:
None
Fixed Versions:
15.1.3, 16.0.1.2
969317-3 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch the vmware desktop on one client. Copy the launch URI.
- Try to launch the vmware desktop from another client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
14.1.4.5, 15.1.4.1
969213-1 : VMware: management IP cannot be customized via net.mgmt.addr property
Links to More Info: BT969213
Component: TMOS
Symptoms:
IP addresses provided for VM customization in VMware are ignored. The net.mgmt.addr and net.mgmt.gw properties are supposed to be used when customization of IP addresses during VM setup is desired, but the addresses are ignored.
Conditions:
VMware only. Happens in any of the ways in which addresses are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for the scenarios in which net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.
Impact:
Management IP cannot be customized in VMware during the VM setup.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
969105-2 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Links to More Info: BT969105
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
Fixed Versions:
14.1.4.4, 15.1.4
968893-2 : TMM crash when processing APM traffic
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing APM traffic that generates DNS lookups.
Conditions:
- APM provisioned
- Undisclosed conditions
Impact:
TMM crash leading to traffic interruption and a failover event
Workaround:
N/A
Fix:
TMM now processes APM traffic as expected.
Fixed Versions:
15.1.4.1, 16.1.2
968741-1 : Traffic Intelligence pages not visible
Links to More Info: BT968741
Component: Traffic Classification Engine
Symptoms:
When trying to access TCE Signature Update Page from the GUI:
Traffic Intelligence -> Applications -> Signature Update
The page will not load.
Conditions:
Clicking on Traffic Intelligence -> Applications -> Signature Update will show a blank page.
Impact:
You will not be able to access the Traffic Intelligence -> Applications -> Signature page in the GUI.
Workaround:
None
Fix:
TMUI pages for Traffic Classification are now accessible from TMUI : Traffic Intelligence -> Applications -> Signature.
Fixed Versions:
15.1.4
968733-6 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
968641-2 : Fix for zero LACP priority
Links to More Info: BT968641
Component: Local Traffic Manager
Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.
Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.
Impact:
BIG-IP may be unable to connect to Cisco trunks.
Workaround:
None.
Fix:
Eliminated an LACP priority equal to 0.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
968533 : Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.
Links to More Info: BT968533
Component: Advanced Firewall Manager
Symptoms:
When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.
Conditions:
-- Push flood vector is triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.
Impact:
The packets with PUSH flag for the good connections also get dropped even though "Only Count Suspicious Events" is enabled.
Workaround:
None
Fix:
Fixed an issue with rate limiting on PUSH packets.
Fixed Versions:
15.1.4.1
968421-2 : ASM attack signature doesn't match
Links to More Info: K30291321, BT968421
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
967905-2 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
967889-1 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
Links to More Info: BT967889
Component: Advanced Firewall Manager
Symptoms:
Custom signature of virtual server shows incorrect attack information.
Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)
Impact:
GUI shows incorrect information for the custom signature.
Fix:
GUI now shows correct information for the custom signature.
Fixed Versions:
14.1.4, 15.1.3
967745 : Last resort pool error for the modify command for Wide IP
Links to More Info: BT967745
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
967093-1 : In SSL forward proxy, when the signing CA cert and end-entity cert have different signature algorithms, the SSL connection may fail
Component: Local Traffic Manager
Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.
Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:
root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)
The signing CA, intermediate CA2, has an EC key but is itself signed with an RSA signature. The end-entity cert has an EC key and is signed with ECDSA.
In this case, the signer cert has a different signature algorithm from that of the end-entity cert.
Impact:
SSL forward proxy handshake fails.
Fix:
Fixed an issue with SSL forward proxy handshakes.
Fixed Versions:
15.1.5
966701-2 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
Links to More Info: BT966701
Component: Service Provider
Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCTP transport profile.
Conditions:
-- SCTP transport profile
-- MRF generic msg router profile
Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing.
Fix:
The return type is now enabled in the generic msg filter when data is received over SCTP transport.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
966681-1 : NAT translation failures while using SP-DAG in a multi-blade chassis
Links to More Info: BT966681
Component: Carrier-Grade NAT
Symptoms:
NAT translation fails
Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans
Impact:
Traffic failure, performance degraded
Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096
Fix:
Increased the number of attempts at selecting a local translation IP (an IP that, when used, makes the return packet land on the same TMM where the NAT selection is happening). This can be controlled with the DB variable tm.lsn.retries. The actual number of attempts is 16 times the value set in this DB variable.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
966277-1 : BFD down on multi-blade system
Links to More Info: BT966277
Component: TMOS
Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.
Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots
Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
966073-1 : GENEVE protocol support
Links to More Info: BT966073
Component: TMOS
Symptoms:
BIG-IP software does not support the GENEVE protocol.
Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol
Impact:
GENEVE protocol is unsupported.
Workaround:
None.
Fix:
BIG-IP software now supports the GENEVE protocol.
Fixed Versions:
15.1.4.1
965617-3 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
Links to More Info: BT965617
Component: Advanced Firewall Manager
Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB.
Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support
Impact:
Higher resource load during a DDoS attack.
Fix:
Corrected the free spot search when offloading to HSB.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
965581-2 : Statistics are not reported to BIG-IQ
Links to More Info: BT965581
Component: Application Visibility and Reporting
Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.
Conditions:
A BIG-IP system is attached to BIG-IQ.
Impact:
No statistics collected.
Fix:
The avrd process no longer fails, and statistics are collected as expected.
Fixed Versions:
14.1.4, 15.1.4
965485-3 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Links to More Info: K41523201
965229-2 : ASM Load hangs after upgrade★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post-upgrade config load hangs, and there are no logs or errors.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
965205-2 : BIG-IP dashboard downloads unused widgets
Links to More Info: BT965205
Component: TMOS
Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.
Conditions:
This occurs when viewing the BIG-IP dashboard.
Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1
965037-1 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services
Links to More Info: BT965037
Component: Local Traffic Manager
Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in a per-request policy) are inserted after the Category lookup for the CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to the services.
Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname
Impact:
HTTP CONNECT tunnel payload is not sent to services.
Workaround:
None
Fix:
HTTP CONNECT tunnel payload is now sent to services.
Fixed Versions:
15.1.4.1
964941-1 : IPsec interface-mode tunnel does not initiate or respond after config change
Links to More Info: BT964941
Component: TMOS
Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.
Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration
Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.
Workaround:
Reboot or restart tmm.
Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.
Fixed Versions:
15.1.4
964897-2 : Live Update - Indication of "Update Available" when there is no available update
Links to More Info: BT964897
Component: Application Security Manager
Symptoms:
Live Update notifies you that an update is available even though there is no available update.
Conditions:
The latest file is installed but not present on the system, and the second-latest file has an 'error' status.
Impact:
Live Update erroneously indicates that an update is available.
Workaround:
1. Upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. Restart the 'tomcat' service:
> bigstart restart tomcat
Fix:
Fixed an issue with Live Update notification.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
964585-3 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
Links to More Info: BT964585
Component: Protocol Inspection
Symptoms:
- Protocol Inspection auto update logs "Non OK return code (400) received from API call" when the F5 download site does not contain a Protocol Inspection Update container for the BIG-IP version.
Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.
Impact:
- The error message does not accurately explain the cause of the problem.
Workaround:
None.
Fix:
- More context is added to the log message when the Protocol Inspection file is not present on the downloads site.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
964577-3 : IPS automatic IM download not working as expected
Links to More Info: BT964577
Component: Protocol Inspection
Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.
IPS automatic IM download considers the BIG-IP software major and minor version numbers.
However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.
Conditions:
Auto download of IM package for IPS.
Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.
Workaround:
Manually download the IM package and upload it onto the BIG-IP system.
Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
964245-2 : ASM reports and enforces username always
Links to More Info: BT964245
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.
Fixed Versions:
14.1.4.4, 15.1.4
964037 : Error: Exception response while loading properties from server
Links to More Info: BT964037
Component: Access Policy Manager
Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for Access Profile with modern customization due to interface error.
Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security
Impact:
You are unable to modify Endpoint Security interface strings
Fixed Versions:
15.1.4.1
963713-1 : HTTP/2 virtual server with translate-disable can core tmm
Links to More Info: BT963713
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing HTTP/2 traffic
Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure an HTTP/2 virtual server with translate-disable
Fix:
Tmm does not crash anymore.
Fixed Versions:
15.1.4
963705-3 : Proxy ssl server response not forwarded
Links to More Info: BT963705
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
The server response may not be forwarded.
Fix:
Proxy ssl will now forward server response after renegotiation
Fixed Versions:
14.1.4.5, 15.1.4.1
963485-1 : Performance issue with data guard
Links to More Info: BT963485
Component: Application Security Manager
Symptoms:
End-user clients encounter poor network performance. Because of its correlation with ID 963461, this can also lead to a crash.
Conditions:
-- The server response is compressed.
-- Data guard is enabled.
Impact:
Slow response time.
Workaround:
-- Disable data guard or block the data instead of masking it.
-- Force server sending uncompressed response using an iRule:
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
Fixed Versions:
15.1.4
963461-1 : ASM performance drop on the response side
Links to More Info: BT963461
Component: Application Security Manager
Symptoms:
Clients encounter a longer time to respond from the BIG-IP
Conditions:
-- One of the following features is enabled:
- convictions
- csrf
- ajax
-- The response is HTML
-- The response has many tags
Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.
Fixed Versions:
15.1.4, 16.0.1.2
963237-3 : Non-EDNS response with RCODE FORMERR is blocked by AFM MALFORM vector.
Links to More Info: BT963237
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The DNS MALFORM vector blocks those responses.
Conditions:
-- The client sends a DNS request to a non-EDNS-capable server.
-- The server replies with RCODE FORMERR and no DNS data.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the non-EDNS-capable server.
Workaround:
Disable DNS MALFORM vector mitigation, or add the non-EDNS-capable server to the allow list.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
963049-1 : Unexpected config loss when modifying protected object
Links to More Info: BT963049
Component: TMOS
Symptoms:
A virtual server configuration is changed unexpectedly.
Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.
Impact:
The virtual server's client SSL profiles are removed if more than one client SSL profile is assigned.
Workaround:
None
Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.
Fixed Versions:
15.1.3
963017-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
Links to More Info: BT963017
Component: TMOS
Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):
err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid
In addition, a message similar to the following may appear on the serial console while the system is booting:
[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:
# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since <...>
Main PID: #### (code=exited, status=1/FAILURE)
<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.
However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.
Conditions:
This may occur under the following conditions:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
- VIPRION B4450 blades
Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.
Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check
Fix:
This incorrect status reporting has been corrected.
Fixed Versions:
14.1.4, 15.1.3
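Because the unit's 'Invalid' verdict here is cosmetic while a genuine integrity failure looks the same at first glance, an operator who alerts on tpm-status-check needs to tell the two apart before dismissing the alert. The following shell function is an added example and is not part of this release note or of F5's tpm-status tooling. It reads saved copies of the unit's log output and of the 'tmsh run sys integrity status-check' output and classifies the result; the message strings it matches are the ones quoted above, while the function and file names, the 'unknown' fallback and the constructed sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not F5 tooling): classify a tpm-status-check failure as the
# ID963017 false positive or as a genuine integrity failure.
#
# Usage: classify_integrity <journal.txt> <tmsh.txt>
#   journal.txt : saved output of the tpm-status-check unit (systemctl status / journalctl)
#   tmsh.txt    : saved output of 'tmsh run sys integrity status-check'
# Prints one of: valid, false-positive, invalid, unknown

classify_integrity() {
    journal="$1"
    tmsh_out="$2"

    # The authoritative verdict comes from tmsh / tpm-status, not from the systemd unit.
    if grep -q 'System Integrity Status: Valid' "$tmsh_out"; then
        if grep -q 'sh: /bin/rpm: Permission denied' "$journal"; then
            # tmsh says Valid but the unit failed while running rpm: matches ID963017
            echo false-positive
        else
            echo valid
        fi
    elif grep -q 'System Integrity Status: Invalid' "$tmsh_out"; then
        # tmsh itself reports Invalid: treat as a real finding, not as this bug
        echo invalid
    else
        echo unknown
    fi
}

# Constructed sample inputs (assembled from the log excerpts in this note) for a
# stand-alone run; on a real system capture the two commands' output instead.
write_samples() {
    cat > "$1" <<'EOF'
tpm-status-check[1234]: Checking System Integrity Status
tpm-status-check[1234]: sh: /bin/rpm: Permission denied
tpm-status-check[1234]: tpm-status-check: System Integrity Status: Invalid
systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
EOF
    cat > "$2" <<'EOF'
System Integrity Status: Valid
EOF
}

if [ "${1:-}" = "--demo" ]; then
    j=$(mktemp); t=$(mktemp)
    write_samples "$j" "$t"
    classify_integrity "$j" "$t"     # prints: false-positive
    rm -f "$j" "$t"
fi
```

On a live system, capture the two inputs with 'journalctl -u tpm-status-check > /var/tmp/tpm.journal' and 'tmsh run sys integrity status-check > /var/tmp/tpm.tmsh' and pass the two files to the function. A 'false-positive' result is only safe to dismiss while an Engineering Hotfix for ID893885 or ID946745 is installed on one of the TPM platforms listed above; 'invalid' must always be treated as a real finding.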
962817-2 : Description field of a JSON policy overwrites policy templates description
Links to More Info: BT962817
Component: Application Security Manager
Symptoms:
Creating a UTF-8 policy from a template for the first time writes a binary copy of the template, which the system reuses the next time a UTF-8 policy is created from the same template.
If that first policy is created by JSON policy import, the description field of the JSON policy overwrites the template's description in the binary copy, so the next UTF-8 policy created from the same template inherits the description of the first JSON policy.
Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.
Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the description from the initially created JSON policy instead of the template's.
Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:
rm -f /ts/install/policy_templates/fundamental.bin
Fix:
The binary file now contains the correct description.
Fixed Versions:
15.1.3, 16.0.1.1
962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and repeated instances in quick succession could fill the /var partition.
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
962497 : BD crash after ICAP response
Links to More Info: BT962497
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
962433-4 : HTTP::retry for a HEAD request fails to create new connection
Links to More Info: BT962433
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retried HEAD request after the connection has been closed; more specifically, after the server has sent a FIN, the retried request is leaked onto the network.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4
962249-2 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Links to More Info: BT962249
Component: TMOS
Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm
Conditions:
This message shows always on all platforms.
Impact:
No functional impact.
Fix:
The message is no longer logged on non-ePVA platforms.
Fixed Versions:
15.1.4
962177-2 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
960749-2 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Links to More Info: BT960749
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-2 : The BIG-IP system may initially fail to resolve some DNS queries
Links to More Info: BT960437
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4. Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960369-2 : Negative value suggested in Traffic Learning as max value
Links to More Info: BT960369
Component: Application Security Manager
Symptoms:
Negative value suggested in Traffic Learning as max value
Conditions:
A huge parameter value is seen in traffic
Impact:
Wrong learning suggestion issued
Workaround:
Manually change maximum allowed value on the parameter to ANY
Fix:
The correct suggestion is now issued: change the maximum parameter value to ANY.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
959889-2 : Cannot update firewall rule with ip-protocol property as 'any'
Links to More Info: BT959889
Component: TMOS
Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.
Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update
Impact:
Cannot update the firewall rule from GUI.
Fix:
The GUI now allows updating firewall rules with 'any' as the ip-protocol.
Fixed Versions:
14.1.4, 15.1.3
959629-2 : Logintegrity script for restjavad/restnoded fails
Links to More Info: BT959629
Component: TMOS
Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory.
Conditions:
When the logintegrity script runs.
Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.
Workaround:
Modify the script file /usr/bin/rest_logintegrity:
1. mount -o remount,rw /usr
2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original
3. vi /usr/bin/rest_logintegrity
4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
6. mount -o remount,ro /usr
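The root cause of the cron error is visible in step 5 of the workaround: in a shell script, '$$' expands to the PID of the running shell, so '$$restnoded_log_pattern' becomes a literal path such as '14232restnoded_log_pattern', which is exactly the file name in the error message, and the restnoded signature files are therefore never found or rotated. Since the fix is three line substitutions in a file under a read-only /usr, it is safer to apply them to a copy, inspect the diff, and only then replace the original. The following shell functions are an added example, not F5's script; the substitutions are the ones listed in steps 4 and 5, while the function names, the verify step and the constructed sample file are assumptions for the example.

```shell
#!/bin/sh
# Added example (not F5's script): apply the three ID959629 edits to a copy of
# /usr/bin/rest_logintegrity so the change can be reviewed with diff before
# /usr is remounted read-write and the original is replaced.
#
# Usage: patch_rest_logintegrity <file>   (rewrites <file>; run it on a copy)

patch_rest_logintegrity() {
    f="$1"
    sed \
        -e 's|^restnoded_log_pattern=/var/log/restnoded/restnoded\.\[1-9\]\*\.log$|restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log|' \
        -e 's|^restjavad_log_pattern=/var/log/restjavad\*\.\[1-9\]\*\.log$|restjavad_log_pattern=/var/log/restjavad*[1-9]*.log|' \
        -e 's|find \$\$restnoded_log_pattern|find $restnoded_log_pattern|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Exit 0 only when all three corrected lines are present and the PID bug is gone.
verify_patched() {
    grep -qxF 'restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log' "$1" &&
    grep -qxF 'restjavad_log_pattern=/var/log/restjavad*[1-9]*.log' "$1" &&
    grep -qF  'find $restnoded_log_pattern -cnewer' "$1" &&
    ! grep -qF '$$restnoded_log_pattern' "$1"
}

# Constructed stand-in for the affected lines of the script (not the full file),
# so the patch can be exercised without a BIG-IP at hand.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
EOF
}
```

On the BIG-IP itself: copy /usr/bin/rest_logintegrity to /var/tmp, run patch_rest_logintegrity on the copy, check it with verify_patched and 'diff -u' against the original, and only then perform steps 1, 2 and 6 of the workaround around a 'cp' of the patched copy back into /usr/bin. Running the patch a second time is a no-op, because the substitution patterns only match the unpatched lines.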
Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
958465-2 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
Links to More Info: BT958465
Component: TMOS
Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with many TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.
The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.
Fixed Versions:
14.1.4.4, 15.1.3.1, 16.0.1.2
958353-2 : Restarting the mcpd messaging service renders the PAYG VE license invalid.
Links to More Info: BT958353
Component: TMOS
Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.
Conditions:
Restarting the mcpd messaging service.
Impact:
The license becomes expired. A message is displayed in the console:
mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).
Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
958093-3 : IPv6 routes missing after BGP graceful restart
Links to More Info: BT958093
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in the IPv4 unicast and IPv6 unicast address families, after a graceful restart for both the IPv4 and IPv6 address families, routes from the IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
Fixed Versions:
14.1.4.5, 15.1.4.1
958085-3 : IM installation fails with error: Spec file not found★
Links to More Info: BT958085
Component: Traffic Classification Engine
Symptoms:
IM installation fails with an error message:
ERROR Error during switching: Spec file not found
Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.
Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.
Workaround:
None.
Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.
Fixed Versions:
14.1.4.4, 15.1.4
957965-1 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'
Links to More Info: BT957965
Component: Application Security Manager
Symptoms:
Request is blocked by 'CSRF attack detected' violation.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy
Impact:
False positive request blocking occurs.
Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.
Fix:
'CSRF attack detected' now works as expected.
Fixed Versions:
15.1.4
957337-1 : Tab complete in 'mgmt' tree is broken
Links to More Info: BT957337
Component: TMOS
Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:
(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"
Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete
Impact:
You are unable to configure objects in mgmt.
This issue also prevents users with the admin role from accessing the following REST endpoints:
shared/authz/users
shared/echo-js
The error returned was HTTP/1.1 401 F5 Authorization Required
Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
957029-1 : MRF Diameter loop-detection is enabled by default
Links to More Info: BT957029
Component: Service Provider
Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.
Conditions:
Default diameter session profile loop detection configuration.
Impact:
System performance is impacted even if MRF Diameter loop detection is not used.
Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.
Fix:
MRF Diameter loop detection is now disabled by default.
Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.
Fixed Versions:
15.1.4, 16.0.1.2
956589-1 : The tmrouted daemon restarts and produces a core file
Links to More Info: BT956589
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
The tmrouted daemon no longer restarts during a blade reset.
Fixed Versions:
15.1.2.1
956373-2 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until the periodic clean-up tasks run.
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI
Links to More Info: BT956293
Component: TMOS
Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.
Conditions:
The GUI dashboard page is left open.
Impact:
System performance is impacted if the dashboard page is kept open.
Fixed Versions:
14.1.4.4, 15.1.4
956133-3 : MAC address might be displayed as 'none' after upgrading★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
None
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
14.1.4.4, 15.1.4
956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import
Links to More Info: BT956105
Component: Application Security Manager
Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import
Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.
Impact:
Content profiles are not added to the websocket URLs, resulting in an incorrect configuration.
Workaround:
The content profiles can be manually associated after the import process using REST or GUI.
Fix:
The correct profile reference is now set during import.
Fixed Versions:
15.1.3, 16.0.1.2
956013-1 : System reports {{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} placeholder is displayed at Subscriber Management :: Control Plane Listeners and Data Plane Listeners when IPv6 addresses are used.
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5
955017-2 : Excessive CPU consumption by asm_config_event_handler
Links to More Info: BT955017
Component: Application Security Manager
Symptoms:
The asm_config_event_handler process consumes a lot of CPU while processing signatures after a sync.
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
The asm_config_server_rpc_handler.pl script consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
954425-2 : Hardening of Live-Update
Component: Application Security Manager
Symptoms:
Under certain conditions, the Live-Update process does not follow current best practices.
Conditions:
- Live-Update in use
- Specially-crafted update files
Impact:
The Live-Update process does not follow current best practices.
Workaround:
N/A
Fix:
The Live-Update process now follows current best practices.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
953845-1 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Links to More Info: BT953845
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
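Deleting the stanza by hand in vi on a production bigip.conf is error-prone, and the file holds the obfuscated f5cu password, so it is better to edit a copy and handle the backup with the same care as the original. The following shell function is an added example, not F5 tooling: it removes the 'sys fipsuser f5cu' stanza from a copy of the file with awk, assuming the layout shown above (stanza header at column 0, body indented, closing brace at column 0). The function names, the line-count helper and the constructed sample configuration are assumptions for the example.

```shell
#!/bin/sh
# Added example (not F5 tooling): strip the 'sys fipsuser f5cu' stanza from a
# copy of /config/bigip.conf before the final service restart of fipsutil init.
# Assumes the bigip.conf layout shown above: stanza header at column 0, body
# indented, closing '}' at column 0.
#
# Usage: remove_fipsuser_stanza <bigip.conf> > bigip.conf.new

remove_fipsuser_stanza() {
    awk '
        /^sys fipsuser f5cu [{]/ { skip = 1; next }   # start of the stanza to drop
        skip && /^}/             { skip = 0; next }   # its closing brace
        !skip                    { print }            # everything else passes through
    ' "$1"
}

# Line count helper so the caller can confirm exactly the stanza was removed.
line_count() { wc -l < "$1" | tr -d ' '; }

# Constructed sample config: two unrelated stanzas around the one to remove.
write_sample_conf() {
    cat > "$1" <<'EOF'
ltm virtual /Common/vs_https {
    destination /Common/10.0.0.1:443
}
sys fipsuser f5cu {
    password $M$Et$b3R0ZXJzCg==
}
sys global-settings {
    hostname bigip1.example.com
}
EOF
}
```

On the BIG-IP: back up /config/bigip.conf, write 'remove_fipsuser_stanza /config/bigip.conf' to a new file, confirm with 'diff -u' that the line count dropped by exactly the three lines of the stanza and nothing else changed, move the new file into place, and then continue with the 'tmsh restart sys service all' or reboot step of the workaround. Delete the backup once the HSM is confirmed reachable, since it still contains the old fipsuser entry.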
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
Fixed Versions:
12.1.6, 14.1.4, 15.1.3, 16.0.1.1
953729-2 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953393-2 : TMM crashes when performing iterative DNS resolutions.
Links to More Info: BT953393
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes and produces a core file.
Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.
To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.
The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).
Fix:
TMM no longer crashes.
Fixed Versions:
15.1.2.1, 16.0.1.1
952557-2 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com
Links to More Info: BT952557
Component: Access Policy Manager
Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.
Conditions:
An Azure AD B2C provider may be non-functional if its URLs use login.microsoftonline.com.
Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.
Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.
For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.
Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.
Fixed Versions:
14.1.4, 15.1.3
952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect
Links to More Info: BT952545
Component: Service Provider
Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552
Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams
Impact:
The 'Current Sessions' statistic, which can be used to track the number of pending requests in the queue, underflows.
Workaround:
None.
Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
952509-2 : Cross origin AJAX requests are blocked in case there is no Origin header
Links to More Info: BT952509
Component: Application Security Manager
Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin header, the Access-Control-Allow-Origin header is not set and the request is blocked.
Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Impact:
Request is blocked.
Workaround:
Use an iRule to add the Origin header based on the domain in the Referer header.
Fix:
The Referer header is now also checked when modifying CORS headers.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
951133-2 : Live Update does not work properly after upgrade★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs
INNER JOIN (
    SELECT previous_enforced_rule_md5, policy_id, COUNT(*) AS mycount
    FROM PL_POLICY_NEGSIG_SIGNATURES
    WHERE previous_enforced_rule_md5 != ''
    GROUP BY previous_enforced_rule_md5, policy_id
    HAVING mycount > 1
) AS multi_sigs
    ON policy_sigs.policy_id = multi_sigs.policy_id
   AND policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5
SET policy_sigs.previous_enforced_rule_md5 = '',
    policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
950849-4 : B4450N blades report page allocation failure.★
Links to More Info: BT950849
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This occurs on B4450N blades regardless of configuration.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You must perform the workaround on each blade installed in the system.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands:
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.
Fixed Versions:
14.1.4.4, 15.1.3.1
950077-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
949889-3 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
949721-2 : QUIC does not send control frames in PTO packets
Links to More Info: BT949721
Component: Local Traffic Manager
Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.
Conditions:
A control frame is in-flight when the PTO timer fires.
Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.
Workaround:
None.
Fix:
Retransmittable control frames are now sent when the PTO timer fires.
Fixed Versions:
15.1.4.1, 16.0.1.2
949593-3 : Unable to load config if AVR widgets were created under '[All]' partition★
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is now possible to upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other non-existent partitions. With this fix, all such partitions are changed to "Common" during upgrade.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
949477-1 : NTLM RPC exception: Failed to verify checksum of the packet
Links to More Info: BT949477
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
Fixed Versions:
14.1.4.4, 15.1.4.1
949145-5 : Improve TCP's response to partial ACKs during loss recovery
Links to More Info: BT949145
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data being lost, because a large amount of data is injected into the network at once.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948805-1 : False positive "Null in Request"
Links to More Info: BT948805
Component: Application Security Manager
Symptoms:
The "Null in Request" violation is raised as a false positive.
Conditions:
-- BIG-IP receives a query string in the "Referrer" header
Impact:
False positive violation "Null in Request" is thrown
Workaround:
None
Fix:
Fixed a false positive violation.
Fixed Versions:
14.1.4.5, 15.1.4.1
948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
Links to More Info: BT948757
Component: Local Traffic Manager
Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.
Conditions:
A snat-translation address is configured with ARP enabled.
Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.
Workaround:
None.
Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1
948717-3 : F5-pf_daemon_cond_restart uses excessive CPU★
Links to More Info: BT948717
Component: TMOS
Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.
This contributes to higher CPU usage after upgrading from an earlier version.
Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.
Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.
Workaround:
None.
Fixed Versions:
15.1.3.1
948573-4 : Wr_urldbd list of valid TLDs needs to be updated
Links to More Info: BT948573
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
URL queries with new TLDs cannot be blocked with a custom feed list.
The Custom, Webroot, and Cloud lookups all return the Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
948417-2 : Network Management Agent (Azure NMAgent) updates cause kernel panic
Links to More Info: BT948417
Component: Performance
Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)
Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking
Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)
Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)
Individual VMs & VMs in an availability set
First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
Azure CLI
az vm deallocate \
--resource-group myResourceGroup \
--name myVM
Important: if your VM was created individually, without an availability set, you only need to stop/deallocate the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.
Once stopped, disable Accelerated Networking on the NIC of your VM:
Azure CLI
az network nic update \
--name myNic \
--resource-group myResourceGroup \
--accelerated-networking false
Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
Azure CLI
az vm start --resource-group myResourceGroup \
--name myVM
Fixed Versions:
15.1.4
948113-3 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear in the /var/log/avr/monpd.log file (parts of the message are replaced with '.....' here, leaving only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error when generating an AVR report from an ASM predefined report.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The same change can be made with the following sed command (back up the Client.pm file first, then verify that the change was applied correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
The 'sort-by' measure is now used when building the PDF, instead of the first value in the measure list.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
948073-2 : Dual stack download support for IP Intelligence Database
Links to More Info: BT948073
Component: Advanced Firewall Manager
Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is IPv6-only.
Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.
Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.
Workaround:
None
Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.
Fixed Versions:
15.1.4
947925-1 : TMM may crash when executing L7 Protocol Lookup per-request policy agent
Links to More Info: BT947925
Component: SSL Orchestrator
Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.
Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.
Fixed Versions:
14.1.4.3, 15.1.4
947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Links to More Info: BT947865
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
Fixed Versions:
14.1.4, 15.1.3
947529-2 : Security tab in virtual server menu renders slowly
Links to More Info: BT947529
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
The Security tab of a virtual server now loads quickly.
Fixed Versions:
14.1.4.4, 15.1.4.1
947341-1 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) /var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the PRX.REQUEST_LOG file, and an error message states that the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
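A helper for steps 2 and 3 above, added here as an example (not F5's own tooling): it reads the '\G' output of the INFORMATION_SCHEMA.PARTITIONS query and prints the matching DROP PARTITION statements for review before anything is executed. The partition listing embedded below is constructed sample output.

```shell
#!/bin/bash
# Added example, not part of the release notes or of F5's tooling: turn the
# '\G' output of the INFORMATION_SCHEMA.PARTITIONS query from step 2 into a
# reviewable list of 'ALTER TABLE ... DROP PARTITION' statements (step 3).

# Constructed sample of the mysql '\G' output. On a real system, pipe the
# output of the step 2 query into empty_partitions instead of this sample.
SAMPLE_PARTITIONS='*************************** 1. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100001
                   TABLE_ROWS: 0
*************************** 2. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100002
                   TABLE_ROWS: 1532
*************************** 3. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100003
                   TABLE_ROWS: 0'

# Read '\G' formatted rows on stdin and print, one per line, the names of
# partitions whose TABLE_ROWS is 0. A NULL PARTITION_NAME (non-partitioned
# table) is skipped. TABLE_ROWS is exact for MyISAM but only an estimate for
# InnoDB, so confirm with SELECT COUNT(*) before dropping anything.
empty_partitions() {
    awk '
        /^ *PARTITION_NAME:/ { name = ($2 == "NULL") ? "" : $2 }
        /^ *TABLE_ROWS:/     { if (name != "" && $2 == 0) print name; name = "" }
    '
}

# Turn partition names (one per line on stdin) into the DROP PARTITION
# statements from step 3, ready to be reviewed and then fed to mysql.
drop_statements() {
    awk '{ printf "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION %s;\n", $1 }'
}

# Dry run against the constructed sample: prints statements for p100001 and
# p100003 only; p100002 still holds rows and is left alone.
printf '%s\n' "$SAMPLE_PARTITIONS" | empty_partitions | drop_statements
```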
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
946953-1 : HTTP::close used in iRule might not close connection.
Links to More Info: BT946953
Component: Local Traffic Manager
Symptoms:
HTTP::close used in an iRule might not close the connection. For example:
when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
}
Conditions:
Using HTTP::close along with HTTP::respond
Impact:
The HTTP connection can be reused.
Workaround:
Explicitly add close header in the HTTP::respond. For example:
HTTP::respond 200 content "OK" Connection close
Fix:
Fixed an issue where HTTP::close might not close a connection.
Fixed Versions:
15.1.3, 16.0.1.1
946745-2 : 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT946745
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.
Fixed Versions:
14.1.4, 15.1.3
946185-1 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Links to More Info: BT946185
Component: iApp Technology
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count
Links to More Info: BT946125
Component: Access Policy Manager
Symptoms:
End users are unable to access an application even though the number of active tokens is far below the allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)
Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm
Impact:
The user is denied access even though the per-user token limit has not been reached.
Fix:
Fixed an issue where users were unable to log in after a tmm restart.
Fixed Versions:
14.1.4.4, 15.1.4
946089-2 : BIG-IP might send excessive multicast/broadcast traffic.
Links to More Info: BT946089
Component: TMOS
Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.
Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.
Impact:
Excessive multicast/broadcast traffic.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
946081-1 : Getcrc tool help displays directory structure instead of version
Links to More Info: BT946081
Component: Application Security Manager
Symptoms:
When the getcrc tool displays its help to the end user, it shows a directory structure instead of the version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM
Links to More Info: BT945997
Component: Local Traffic Manager
Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.
Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
945853-2 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Links to More Info: BT945853
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
Fixed Versions:
15.1.3
945789-1 : Live update cannot resolve hostname if IPv6 is configured.
Links to More Info: BT945789
Component: Application Security Manager
Symptoms:
Live update does not work when BIG-IP DNS is configured to use IPv6.
Conditions:
BIG-IP DNS uses IPv6.
Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.
Workaround:
If possible, use IPv4 for DNS.
An alternative workaround could be to configure a working IPv4 address in the "/etc/hosts" file, by issuing the following command from the advanced shell (bash):
echo "165.160.15.20 callhome.f5.net" >> /etc/hosts
Fix:
Replaced the deprecated gethostbyname(), which does not handle IPv6 well, with getaddrinfo().
Fixed Versions:
15.1.4.1
945265-4 : BGP may advertise default route with incorrect parameters
Links to More Info: BT945265
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file
Links to More Info: BT944785
Component: Anomaly Detection Services
Symptoms:
Admd consumes more than 10GB of RSS.
Signature statistics are wrong and memory may be corrupted, which can result in high memory consumption.
Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.
Impact:
ADMD does not work: it restarts constantly, consumes all of the system memory, and is killed when the system runs out of memory.
Workaround:
Make sure that all the devices within a cluster are running a compatible state file version (either all on versions before 15.1.0.x, or all on 15.1.0.x or later). If they are not:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start admd
If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start admd
Fix:
Memory corruption, out-of-memory conditions, and ADMD restarts no longer occur.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.2
944641-1 : HTTP2 send RST_STREAM when exceeding max streams
Links to More Info: BT944641
Component: Local Traffic Manager
Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.
Conditions:
The maximum streams setting is exceeded on an HTTP/2 connection.
Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.
Workaround:
None.
Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.
Fixed Versions:
14.1.4, 15.1.4, 16.0.1.1
944513-2 : Apache configuration file hardening
Links to More Info: BT944513
Component: TMOS
Symptoms:
Apache configuration file did not follow security best practice.
Conditions:
Normal system operation with httpd enabled.
Impact:
Apache configuration file did not follow security best practice.
Workaround:
None
Fix:
Apache configuration file has been hardened to follow security best practice.
Fixed Versions:
15.1.4
944441-2 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT944441
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
943913-3 : ASM attack signature does not match
Links to More Info: K30150004, BT943913
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
943669-1 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
15.1.2
943101-2 : Tmm crash in cipher group delete.
Links to More Info: BT943101
Component: Local Traffic Manager
Symptoms:
Deleting a cipher group associated with multiple profiles could cause a tmm crash.
Conditions:
Deleting a cipher group associated with multiple profiles.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an issue with cipher group delete.
Fixed Versions:
14.1.3, 15.1.4
942965-2 : Local users database can sometimes take more than 5 minutes to sync to the standby device
Links to More Info: BT942965
Component: Access Policy Manager
Symptoms:
Syncing the local user DB to standby devices can take more than 5 minutes.
Conditions:
High availability (HA) setup
- add a local db user in the active device
- Wait for it to get synced to the standby device
- Sometimes the sync may not happen in 5 minutes.
Impact:
Changes to the local user DB may take several minutes to sync to the standby devices.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5
942581-1 : Timestamp cookies do not work with hardware accelerated flows
Links to More Info: BT942581
Component: Advanced Firewall Manager
Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.
Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.
Impact:
Reduced traffic throughput and increased CPU usage
Fix:
FPGA and software enhancements allow hardware acceleration of TCP flows that have timestamp cookies enabled.
Fixed Versions:
15.1.2
942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Links to More Info: BT942549
Component: TMOS
Symptoms:
During boot of an i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
To work around this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.
If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.
Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.
Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.
Fixed Versions:
14.1.4.4, 15.1.4.1
942497-1 : Declarative onboarding unable to download and install RPM
Links to More Info: BT942497
Component: TMOS
Symptoms:
Installation of declarative onboarding RPM fails.
Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.
Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.
Workaround:
RPMs must be installed manually.
Fix:
The installation directory was updated to fix the RPM installation issue.
Fixed Versions:
15.1.2.1, 16.0.1.1
942185-2 : Non-mirrored persistence records may accumulate over time
Links to More Info: BT942185
Component: Local Traffic Manager
Symptoms:
Persistence records accumulate over time because the expiration process does not reliably take effect. The 'persist' memory type grows over time.
Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
15.1.4, 16.0.1.2
941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.
Links to More Info: BT941929
Component: Application Security Manager
Symptoms:
When the server responds with a redirect, the ASM challenge makes Google Analytics stats appear as 'Direct' instead of 'Organic'.
Conditions:
-- Google link is responded to (by the server) with a redirect.
-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
None
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
941893-3 : VE performance tests in Azure cause loss of connectivity to objects in configuration
Links to More Info: BT941893
Component: TMOS
Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.
Conditions:
Running performance tests of VE in Azure.
Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.
Workaround:
Reboot from the Azure console to restore functionality.
Fixed Versions:
15.1.4
941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Links to More Info: BT941853
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941625-1 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes prints errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
15.1.4, 16.1.1
941621-2 : Brute Force breaks server's Post-Redirect-Get flow
Links to More Info: K91414704, BT941621
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1
941481-2 : iRules LX - nodejs processes consuming excessive memory
Links to More Info: BT941481
Component: Local Traffic Manager
Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.
You can check the iRule LX plugin's memory usage under 'Memory (bytes)' in the output of the following command:
tmsh show ilx plugin <PLUGIN_NAME>
Memory (bytes)
Total Virtual Size 946.8M
Resident Set Size 14.5K
Conditions:
-- iRulesLX in use.
Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.
Workaround:
Restart the iRule LX plugin that is leaking memory:
tmsh restart ilx plugin <PLUGIN_NAME>
Fixed Versions:
14.1.4.4, 15.1.4
941257-1 : Occasional Nitrox3 ZIP engine hang
Links to More Info: BT941257
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
Fixed Versions:
14.1.4.4, 15.1.4
941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Links to More Info: BT941249
Component: Application Security Manager
Symptoms:
The getcrc tool provides an incorrect ASM cookie name when the path and/or domain cookie attributes are present in the response from the server.
Conditions:
This is applicable when the domain and path cookie attributes are present in the response from the server.
Impact:
The ASM cookie name that is displayed is incorrect.
Workaround:
None
Fix:
Options were added to the getcrc tool so that it accounts for the path and/or domain cookie attributes.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.
Links to More Info: BT941169
Component: Policy Enforcement Manager
Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.
Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).
Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.2.1
941089-3 : TMM core when using Multipath TCP
Links to More Info: BT941089
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
940897-3 : Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached
Links to More Info: BT940897
Component: Application Security Manager
Symptoms:
False positive violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached and "Parse Parameter" is enabled.
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940885-2 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter
Links to More Info: BT940885
Component: TMOS
Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.
Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.
Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.
Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.
Fixed Versions:
14.1.4.4, 15.1.4.1
940665-1 : DTLS 1.0 support for PFS ciphers
Links to More Info: BT940665
Component: Local Traffic Manager
Symptoms:
When using DTLS 1.0, the following two PFS ciphers are no longer negotiated and cannot be used in a DTLS handshake/connection:
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
Conditions:
DTLS 1.0 is configured in an SSL profile.
Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.
Fixed Versions:
15.1.4, 16.0.1.2
940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Links to More Info: BT940401
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Links to More Info: BT940249
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive data after the last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
Links to More Info: BT940209
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.
Fixed Versions:
14.1.4, 15.1.2
940185-2 : icrd_child may consume excessive resources while processing REST requests
Component: TMOS
Symptoms:
Under certain conditions, icrd_child may consume excessive resources while processing REST requests.
Conditions:
- Specially-crafted REST requests
Impact:
Increase in ICRD resource usage over time. Eventually host memory will be exhausted potentially leading to a failover event.
Workaround:
N/A
Fix:
icrd_child now processes REST requests as expected.
Fixed Versions:
14.1.4.5, 15.1.5
940177-1 : Certificate instances tab shows incorrect number of instances in certain conditions
Links to More Info: BT940177
Component: TMOS
Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.
Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI
Impact:
All the custom profiles are listed when only select instances for the ca-bundle cert are expected.
Fix:
The correct number of instances of certificates is now displayed.
Fixed Versions:
15.1.5
940021-3 : Syslog-ng hang may lead to unexpected reboot
Links to More Info: BT940021
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on the rest of the system; there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to the stream of log messages by breaking the connection, e.g., by sending ICMP port unreachable to the BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log entry is of a broken connection only, usually one minute after the last established/broken pair:
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
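As an added example (not F5 code), the following Python routine applies the diagnostic described in this entry to a constructed /var/log/messages excerpt: it counts the benign established/broken retry pairs and flags any 'Syslog connection broken' line that has no 'Syslog connection established' for the same server in the same second, which is the point at which syslog-ng is hung.

```python
import re

# Constructed sample of /var/log/messages, modelled on the excerpt in this entry:
# three established/broken retry pairs one minute apart, then the final
# broken-only line that marks the point at which syslog-ng stopped working.
SAMPLE_LOG = """\
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
"""

# Matches the two syslog-ng connection messages quoted in the entry and
# captures the syslog timestamp, the event type and the remote server.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \w+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>established|broken); .*?server='(?P<server>[^']+)'"
)


def parse_events(text):
    """Return a list of (timestamp, event, server) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["event"], m["server"]))
    return events


def count_retry_pairs(text):
    """Count established/broken pairs that share a timestamp and server.

    These pairs are the benign 60-second retry pattern the entry describes.
    """
    events = parse_events(text)
    established = {(ts, srv) for ts, ev, srv in events if ev == "established"}
    broken = {(ts, srv) for ts, ev, srv in events if ev == "broken"}
    return len(established & broken)


def find_unpaired_broken(text):
    """Return (timestamp, server) for 'broken' lines with no 'established' in the same second.

    This is the hang signature from the entry: after the last such line, logging
    through syslog-ng stops and a host watchdog reboot may follow hours later.
    """
    events = parse_events(text)
    established = {(ts, srv) for ts, ev, srv in events if ev == "established"}
    return [(ts, srv) for ts, ev, srv in events
            if ev == "broken" and (ts, srv) not in established]


if __name__ == "__main__":
    print("retry pairs:", count_retry_pairs(SAMPLE_LOG))
    for ts, srv in find_unpaired_broken(SAMPLE_LOG):
        print(f"syslog-ng hang suspected at {ts} toward {srv}")
```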
939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.
Links to More Info: BT939961
Component: Local Traffic Manager
Symptoms:
After an HTTP::respond iRule, when a "Connection: close" header is sent to the client, the TCP connection is not closed.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
N/A
Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.
Fixed Versions:
15.1.2, 16.0.1.2
939877-1 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or fails over to standby, thus losing the refresh-token value from primarydb.
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As the root user, run the following from the BIG-IP shell:
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Replace affected_refresh_token_id in the previous command with the affected refresh token ID.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2
939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
Links to More Info: BT939541
Component: TMOS
Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
TMM no longer shuts down prematurely during initialization.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values
Links to More Info: BT939529
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add a new Via header that uses the same branch for INVITE and CANCEL when sending messages to SIP clients.
Fix:
The BIG-IP system now ensures that the branch field inserted in the Via header is the same for INVITE and CANCEL messages.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
939421-2 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
938233-2 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Links to More Info: K93231374
938165-1 : TMM Core after attempted update of IP geolocation database file
Links to More Info: BT938165
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
938149-1 : Port Block Update log message is missing the "Start time" field
Links to More Info: BT938149
Component: Advanced Firewall Manager
Symptoms:
Port Block Update log message is missing the "Start time" field.
Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with a change in subscriber name for the same client IP address.
Impact:
NAT log information is not usable for accounting purposes.
Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.
Fixed Versions:
15.1.2, 16.0.1.1
937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range
Links to More Info: BT937749
Component: Advanced Firewall Manager
Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.
Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.
Impact:
Incorrect statistics.
Workaround:
None.
Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.
Fixed Versions:
15.1.3
937333-2 : Incomplete validation of input in unspecified forms
Component: Global Traffic Manager (DNS)
Symptoms:
Incomplete validation of input in unspecified forms
Conditions:
DNS Provisioned
Impact:
Incomplete validation
Fix:
Proper input validation now performed
Fixed Versions:
14.1.4.4, 15.1.4
937281-3 : SSL Orchestrator pool members are limited to 20 with Standalone license
Links to More Info: BT937281
Component: SSL Orchestrator
Symptoms:
BIG-IP limits the SSL Orchestrator Standalone license to only allow six pool members.
Conditions:
-- SSL Orchestrator add-on license is installed
Impact:
You are only able to configure six pool members in SSLO.
Workaround:
None.
Fix:
BIG-IP supports up to 20 pool members (up from 6) with the SSL Orchestrator standalone license.
Fixed Versions:
15.1.1, 16.0.0.1
936773-2 : Improve logging for "double flow removal" TMM Oops
Links to More Info: BT936773
Component: Local Traffic Manager
Symptoms:
/var/log/tmm contains this entry:
notice Oops @ 0x286feeb:1127: double flow removal
Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.
Impact:
None
Fixed Versions:
14.1.4.4, 15.1.4.1
936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Links to More Info: BT936557
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
Fixed Versions:
14.1.4.5, 15.1.4.1
936125-2 : SNMP request times out after configuring IPv6 trap destination
Links to More Info: BT936125
Component: TMOS
Symptoms:
SNMP requests time out.
Conditions:
This issue happens with TMOS version 15.1.0.4 or later after an IPv6 trap destination is configured.
Impact:
No response is returned for SNMP request.
Workaround:
Restart SNMP daemon by running the following TMSH command:
restart sys service snmpd
Fix:
N/A
Fixed Versions:
15.1.3, 16.0.1.1
935801-4 : HSB diagnostics are not provided under certain types of failures
Links to More Info: BT935801
Component: TMOS
Symptoms:
In rare cases where the HSB detects an error and triggers a high availability (HA) failover, HSB-specific diagnostic data is not provided.
An example is XLMAC errors, which can be seen in the LTM logs:
<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.
Conditions:
The HSB detects an internal error.
Impact:
There is less HSB data for analysis when an internal HSB error occurs.
Workaround:
None.
Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.
Fixed Versions:
14.1.4.5, 15.1.2
935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Links to More Info: BT935593
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled do not treat retransmitted SYNs correctly.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
935293-2 : 'Detected Violation' Field for event logs not showing
Links to More Info: BT935293
Component: Application Security Manager
Symptoms:
The violation is missing or its details are not populated in the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The event log now reserves space for violations.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
935249-2 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
15.1.5
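As an added example (not F5's monitor code), a Python check that contrasts the pre-fix behaviour this entry describes, matching the status code anywhere in the response, with the corrected behaviour of matching it only on the Status-Line; both HTTP responses below are constructed.

```python
# Constructed HTTP responses for a monitor that searches for status 200.
# The second is unhealthy (503), but the digits "200" appear in a later
# header, which is the case this entry describes as mis-matched before the fix.
HEALTHY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"OK"
)
UNHEALTHY_WITH_DECOY = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Retry-After: 200\r\n"  # constructed: "200" in a header, not on the Status-Line
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def status_line_code(response):
    """Return the status code from the Status-Line, or None if it is malformed.

    The Status-Line is the first CRLF-terminated line: "HTTP/<ver> <code> <reason>".
    """
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def monitor_match_fixed(response, expected):
    """Post-fix behaviour: the code is matched only on the Status-Line."""
    return status_line_code(response) == expected


def monitor_match_legacy(response, expected):
    """Pre-fix behaviour described in the entry: the code is searched for anywhere."""
    return str(expected).encode() in response


def compare(response, expected):
    """Show both verdicts side by side for one response."""
    return {
        "legacy": monitor_match_legacy(response, expected),
        "fixed": monitor_match_fixed(response, expected),
    }


if __name__ == "__main__":
    print("healthy  :", compare(HEALTHY, 200))
    print("unhealthy:", compare(UNHEALTHY_WITH_DECOY, 200))
```

On the 503 response the legacy check reports a match (so GTM would mark the virtual server up) while the fixed check does not.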
934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
Links to More Info: BT934993
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.
Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.
Impact:
BIG-IP resets the connection and the client (browser) does not receive any response for outstanding requests. The webpage must be manually reloaded to recover.
Workaround:
None.
Fix:
When a peer exceeds the number of concurrent streams allowed by the BIG-IP system, the system sends GOAWAY with a REFUSED_STREAM error code, allows graceful completion of all open streams, and then terminates the connection.
Fixed Versions:
15.1.2, 16.0.1.1
934941-2 : Platform FIPS power-up self test failures not logged to console
Links to More Info: BT934941
Component: TMOS
Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.
Conditions:
A FIPS failure occurs during the power-up self test.
Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.3
934721-2 : TMM core due to wrong assert
Links to More Info: BT934721
Component: Application Visibility and Reporting
Symptoms:
TMM crashes with a core
Conditions:
AFM and AVR provisioned and collecting ACL statistics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.
Fix:
Fixed a tmm crash related to ACL statistics
Fixed Versions:
15.1.2.1, 16.0.1.1
934461-2 : Connection error with server with TLS1.3 single-dh-use.
Links to More Info: BT934461
Component: Local Traffic Manager
Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.
Conditions:
14.1 with TLS1.3 single-dh-use.
Impact:
Connection failure in 14.1 versions.
Workaround:
Disable single-dh-use, or disable tls1.3.
Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.
Fixed Versions:
14.1.3, 15.1.4
934393-2 : APM authentication fails due to delay in sessionDB readiness
Links to More Info: BT934393
Component: Access Policy Manager
Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.
Conditions:
-- APM configured.
-- SAML SP configured.
Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.
Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all
Note: Restarting all services causes temporary traffic disruption.
Fix:
The sessionDB readiness has been corrected so that authentication succeeds.
Fixed Versions:
14.1.3, 15.1.4
934241-2 : TMM may core when using FastL4's hardware offloading feature
Links to More Info: BT934241
Component: TMOS
Symptoms:
TMM cores.
Conditions:
FastL4's hardware offloading is used.
Because the error is in the internal software logic, there is no specific configuration that triggers this condition. A quick traffic spike during a short period of time makes it more likely to occur.
Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.
Workaround:
Disable PVA/EPVA on all FastL4 profiles
Fix:
Fix the internal logic error.
Fixed Versions:
15.1.0.5
934065-1 : The turboflex-low-latency and turboflex-dns are missing.
Links to More Info: BT934065
Component: TMOS
Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.
Conditions:
The turboflex-low-latency or turboflex-dns profile is in use.
Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.
Workaround:
None.
Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.
Fixed Versions:
15.1.3, 16.0.1.2
933777-1 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
933461-4 : BGP multi-path candidate selection does not work properly in all cases.
Links to More Info: BT933461
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★
Links to More Info: BT933409
Component: TMOS
Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.
Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.
Impact:
Live-update functionality does not work properly.
Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.
Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
933405-2 : Zonerunner GUI hangs when attempting to list Resource Records
Links to More Info: K34257075, BT933405
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1
933129-2 : Portal Access resources are visible when they should not be
Links to More Info: BT933129
Component: Access Policy Manager
Symptoms:
For an Access Policy created with Customization type: modern, a Portal Access resource is still present on the user's webtop after the checkbox "Publish on Webtop" is disabled in the configuration.
Conditions:
-- Access Policy created with Customization type: modern
-- Disable the checkbox "Publish on Webtop" for any Portal Access resource
Impact:
A disabled Portal Access resource is visible on the webtop when it should be hidden.
Workaround:
Re-create Access Policy with Customization type: standard
Fix:
A disabled Portal Access resource is now hidden on the user's webtop.
Fixed Versions:
15.1.4.1
932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
Links to More Info: BT932937
Component: Local Traffic Manager
Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.
Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.
Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.
Workaround:
Use an iRule to prevent connections from hanging:
when HTTP_REJECT {
after 1
}
Fix:
HTTP Explicit Proxy configurations no longer result in connections hanging until idle timeout.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
932825-2 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
Links to More Info: BT932825
Component: Local Traffic Manager
Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.
Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages
Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.
Workaround:
None
Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.
Fixed Versions:
15.1.1
932737-2 : DNS & BADOS high-speed logger messages are mixed
Links to More Info: BT932737
Component: Anomaly Detection Services
Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.
Conditions:
BADOS and DNS run together and the application is under attack (BADOS). At this point, BIG-IP generates BADOS messages using an ID that conflicts with DNS messages.
Impact:
Reporting will be confusing.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
932497-3 : Autoscale groups require multiple syncs of datasync-global-dg
Links to More Info: BT932497
Component: TMOS
Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.
Conditions:
Browser Challenges update image is automatically downloaded.
Impact:
Peers are not synced.
Workaround:
Manually sync the datasync-global-dg group.
Fix:
A full sync is now performed for each change when multiple live update changes occur in a row.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
932485-3 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 billion rows or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers.
Workaround:
None.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
932437-2 : Loading SCF file does not restore files from tar file★
Links to More Info: BT932437
Component: TMOS
Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.
Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:
01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles
Impact:
Restoring SCF does not restore contents of file objects.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
932233-2 : '@' no longer valid in SNMP community strings
Links to More Info: BT932233
Component: TMOS
Symptoms:
The '@' character is no longer valid in SNMP community strings.
Conditions:
Attempting to use the '@' character in SNMP community strings.
Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.
Workaround:
Use a community string that does not contain the '@' character.
Fixed Versions:
15.1.2, 16.0.1.1
932213-2 : Local user db not synced to standby device when it comes online after forced offline state
Links to More Info: BT932213
Component: Access Policy Manager
Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.
Conditions:
Valid high availability (HA) configuration.
- Force the standby device offline.
- Create a new local db user on the online device.
- Bring the standby device back online.
Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.
Workaround:
None
Fix:
Fixed the issue by handling the forced offline scenario.
Fixed Versions:
14.1.4.5, 15.1.4.1
932137-5 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
-- BIG-IP system upgrade.
-- Leftover files remain in the /shared/avr_afm partition from other versions.
Impact:
Non-relevant data is shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
932133-2 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU usage and latency occur while bd processes the payload. This may cause a bottleneck for other requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
932033 : Chunked response may have DATA frame with END_STREAM prematurely
Links to More Info: BT932033
Component: Local Traffic Manager
Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.
Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.
Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).
Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.
Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.
Fixed Versions:
14.1.4, 15.1.2
930905-4 : Management route lost after reboot.
Links to More Info: BT930905
Component: TMOS
Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.
Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).
-- The instance is rebooted.
Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.
Workaround:
Use either of the following workarounds:
-- Delete the route completely and reinstall the route.
-- Restart mcpd:
bigstart restart mcpd
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Links to More Info: BT930741
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to end up with a truncated image in /shared/images is to upload the image using iControl/SOAP. With SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is incomplete (truncated).
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
930385-3 : SSL filter does not re-initialize when an OCSP object is modified
Links to More Info: BT930385
Component: Local Traffic Manager
Symptoms:
Create an OCSP object that uses DNS resolver ns1, and associate the OCSP object with an SSL profile and a virtual server.
Then modify the OCSP object to use DNS resolver ns2.
After the modification, wait for cache-timeout and cache-error-timeout, then connect to the virtual server again. The nameserver contacted is still ns1.
Conditions:
An OCSP object is configured and modified.
Impact:
The wrong nameserver is used after modification to the OCSP object.
Fix:
The correct nameserver is now contacted after the OCSP object is modified.
Fixed Versions:
14.1.3, 15.1.4
930005-2 : Recover previous QUIC cwnd value on spurious loss
Links to More Info: BT930005
Component: Local Traffic Manager
Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.
Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.
Impact:
Inefficient use of bandwidth in the presence of packet reordering.
Workaround:
None.
Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Fixed Versions:
15.1.3, 16.0.1.1
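As an added illustration (not F5's code) of the behaviour in ID 930005, the model below declares a packet lost by a packet-count threshold, halves cwnd, and then, when the original is ACKed before its retransmission, either leaves cwnd halved (pre-fix) or restores the pre-recovery value (fixed). The threshold, window and packet sizes are assumed constants chosen for the model, loosely following RFC 9002.

```python
"""Added model of QUIC spurious-loss cwnd recovery (ID 930005); not F5 code."""

PACKET_THRESHOLD = 3    # assumed: a packet is lost once 3 later packets are ACKed
INITIAL_CWND = 10_000   # assumed, bytes
PACKET_SIZE = 1_200     # assumed, bytes per packet


class QuicSender:
    def __init__(self, restore_on_spurious_loss: bool) -> None:
        # True models the fixed behaviour, False the pre-fix behaviour.
        self.restore_on_spurious_loss = restore_on_spurious_loss
        self.cwnd = INITIAL_CWND
        self.next_pn = 0
        self.unacked = {}               # pn -> bytes in flight
        self.lost = {}                  # original pn declared lost -> retransmit pn
        self.largest_acked = -1
        self.recovery_start_pn = None   # largest pn sent when recovery began
        self.cwnd_before_recovery = None

    def send(self) -> int:
        pn = self.next_pn
        self.next_pn += 1
        self.unacked[pn] = PACKET_SIZE
        return pn

    def _enter_recovery(self) -> None:
        # cwnd is halved once per recovery period; remember the old value.
        if self.recovery_start_pn is None:
            self.cwnd_before_recovery = self.cwnd
            self.cwnd = max(self.cwnd // 2, 2 * PACKET_SIZE)
            self.recovery_start_pn = self.next_pn - 1

    def _detect_losses(self) -> None:
        # Packet-threshold loss detection: anything PACKET_THRESHOLD or more
        # packets older than the largest ACKed packet is declared lost.
        for pn in sorted(self.unacked):
            if self.largest_acked - pn >= PACKET_THRESHOLD:
                del self.unacked[pn]
                self._enter_recovery()
                self.lost[pn] = self.send()   # retransmit in a new packet

    def on_ack(self, pn: int) -> None:
        if pn in self.lost:
            # The original arrived after all, and its retransmission has not
            # been ACKed yet: the loss declaration was spurious.
            del self.lost[pn]
            if self.restore_on_spurious_loss and self.cwnd_before_recovery is not None:
                self.cwnd = self.cwnd_before_recovery
                self.cwnd_before_recovery = None
            return
        if pn not in self.unacked:
            return                      # duplicate or stale ACK
        size = self.unacked.pop(pn)
        self.largest_acked = max(self.largest_acked, pn)
        # Once a retransmission is ACKed, a later ACK for the original is
        # just a duplicate, not a spurious loss.
        for original, retransmit in list(self.lost.items()):
            if retransmit == pn:
                del self.lost[original]
        if self.recovery_start_pn is not None and pn > self.recovery_start_pn:
            self.recovery_start_pn = None      # recovery period is over
            self.cwnd_before_recovery = None
        self._detect_losses()
        if self.recovery_start_pn is None:
            self.cwnd += size                  # simple slow-start growth


def spurious_loss_scenario(restore_on_spurious_loss: bool) -> dict:
    """Six packets in flight; packet 0 is merely reordered. ACKs for 1, 2, 3
    arrive first (declaring 0 lost), then the ACK for 0 itself arrives."""
    sender = QuicSender(restore_on_spurious_loss)
    for _ in range(6):
        sender.send()
    for pn in (1, 2):
        sender.on_ack(pn)
    cwnd_before_loss = sender.cwnd
    sender.on_ack(3)                   # packet 0 is now 3 behind: declared lost
    cwnd_after_loss = sender.cwnd
    sender.on_ack(0)                   # original arrives: the loss was spurious
    return {
        "cwnd_before_loss": cwnd_before_loss,
        "cwnd_after_loss": cwnd_after_loss,
        "cwnd_after_spurious_ack": sender.cwnd,
        "still_marked_lost": 0 in sender.lost,
    }


if __name__ == "__main__":
    print("pre-fix:", spurious_loss_scenario(False))
    print("fixed:  ", spurious_loss_scenario(True))
```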
929213-1 : iAppLX packages not rolled forward after BIG-IP upgrade★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the following iAppLX packages:
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade.
-> Trying to access the LX packages from the GUI by navigating to iApps -> Package Management LX.
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and accessing them from the GUI results in a 404 error.
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From the GUI, navigate to iApps -> Package Management LX.
-> Select the package to uninstall and click Uninstall.
-> Click Import and provide the path of the package to install it again.
Fix:
All installed Package Management LX packages, such as AS3, DO, telemetry, failover extension, and service discovery, are available after upgrade.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
929077-2 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When an IP address allow list is configured in a Bot Defense profile, the default Route Domain is in use, and a request arrives with an X-Forwarded-For header, the request might not be matched against the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
929001-3 : ASM form handling improvements
Links to More Info: K48321015, BT929001
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928857-2 : Use of OCSP responder may leak X509 store instances
Links to More Info: BT928857
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928805-2 : Use of OCSP responder may cause memory leakage
Links to More Info: BT928805
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928789-2 : Use of OCSP responder may leak SSL handshake instances
Links to More Info: BT928789
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.
Workaround:
No workaround.
Fixed Versions:
14.1.4, 15.1.3
928717-3 : [ASM - AWS] - ASU fails to sync
Links to More Info: BT928717
Component: Application Security Manager
Symptoms:
Live Update configuration is not updated.
Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.
Impact:
Automatic signature updates (ASU) fail to sync.
Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:
1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.
Fixed Versions:
14.1.4.4, 15.1.4
928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Links to More Info: BT928697
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
Fixed Versions:
15.1.4, 16.0.1.2
928685-2 : ASM Brute Force mitigation not triggered as expected
Links to More Info: K49549213, BT928685
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule looks for an issue with the authorization header and raises a custom violation when this happens:
when ASM_REQUEST_DONE {
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        ASM::raise bad_auth_header_custom_violation
    }
}
Fix:
Brute Force mitigation is now triggered as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances
Links to More Info: BT928553
Component: Carrier-Grade NAT
Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.
Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.
Impact:
Tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable full proxy config of hairpinning.
Fix:
Tmm does not crash anymore.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
928029-2 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
Links to More Info: BT928029
Component: TMOS
Symptoms:
The switchboot popup displays the wrong message: "This will restart the chassis. Continue?".
Conditions:
Run the "switchboot" command.
Impact:
A confusing popup message is displayed.
Workaround:
None.
Fix:
The switchboot popup message has been updated to "This will restart BIG-IP tenant. Continue?".
Fixed Versions:
14.1.3, 15.1.4
927993-1 : Built-in SSL Orchestrator RPM installation failure
Links to More Info: K97501254, BT927993
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
---
Step 3. Run the following commands in the BIG-IP command line:
# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2
---
Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.
Fix:
The built-in SSL Orchestrator RPM installation failure has been fixed.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1
927941-5 : IPv6 static route BFD does not come up after OAMD restart
Links to More Info: BT927941
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized
Links to More Info: BT927901
Component: TMOS
Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl
Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.
Impact:
Vxnet driver requires manual intervention after reboot.
Workaround:
Disabling and re-enabling the interface in tmsh brings it back up until the next reboot.
Fixed Versions:
15.1.0.5
927617-2 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Links to More Info: BT927617
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The Cookie header contains that cookie with a valid base64-encoded value.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64-encoded cookies are now correctly passed by the enforcer.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927033-2 : Installer fails to calculate disk size of destination volume★
Links to More Info: BT927033
Component: TMOS
Symptoms:
Installation fails with a 'Disk full (volume group)' error in /var/log/liveinstall.log:
error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.
Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:
[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map
Impact:
Unable to successfully upgrade.
Workaround:
Create the expected symlink manually:
cd /dev/md
ln -s ../md127 _none_\:0
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset
Links to More Info: BT926997
Component: Local Traffic Manager
Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.
Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.
Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.
Workaround:
Restart tmm to reset all statistics:
bigstart restart tmm
Impact of Workaround: Traffic disrupted while tmm restarts.
Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.
Fixed Versions:
15.1.1, 16.0.1
926973-1 : APM / OAuth issue with larger JWT validation
Links to More Info: BT926973
Component: Access Policy Manager
Symptoms:
When the access profile type is OAuth-RS or ALL and a client sends a request to the virtual server with a Bearer token longer than 4080 bytes in the Authorization header, OAuth fails with ERR_NOT_SUPPORTED.
Conditions:
Bearer token longer than 4080 bytes.
Impact:
APM OAuth fails with ERR_NOT_SUPPORTED.
Workaround:
None.
Fix:
OAuth can now handle bearer tokens longer than 4080 bytes.
Fixed Versions:
15.1.5
926929-3 : RFC Compliance Enforcement lacks configuration availability
Links to More Info: BT926929
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None
Fix:
A configuration item has been introduced to manage RFC-compliance options.
In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:
sys db tmm.http.rfc.allowwsheadername
The possible values are "enabled" and "disabled"; the default is "enabled".
In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:
-- Enforce RFC Compliance
-- Allow Space Header Name
The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:
(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
    app-service none
    defaults-from http
    enforcement {
        allow-ws-header-name enabled
        rfc-compliance enabled
    }
    proxy-type reverse
}
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
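As an added example (not F5's code) of the decision that the allow-ws-header-name setting in ID 926929 controls: RFC 7230 section 3.2.4 forbids whitespace between a header field name and the colon and requires a server to reject such a request with 400, so a strict parser refuses the line, while the permissive setting strips the whitespace and accepts it. The sample header lines are constructed.

```python
"""Added example of strict vs. permissive header-name parsing; not F5 code."""
import re
from typing import List, Tuple

# RFC 7230 "token" characters: a field-name must consist only of these.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: the second line has a space between the name and the colon.
SAMPLE_HEADERS = "Host: app.example.test\r\nX-Request-Id : abc123\r\nAccept: */*\r\n"


class HeaderError(ValueError):
    """Header line is not RFC compliant under the current policy (maps to 400)."""


def parse_headers(raw: str, allow_ws_header_name: bool = False) -> List[Tuple[str, str]]:
    """Parse CRLF-separated header lines.

    allow_ws_header_name=False models 'allow-ws-header-name disabled' (strict,
    the RFC behaviour); True models 'enabled', which tolerates a trailing
    space or tab in the field name by stripping it."""
    headers = []
    for line in raw.split("\r\n"):
        if line == "":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderError(f"missing colon in header line: {line!r}")
        if name != name.rstrip(" \t"):
            # Whitespace between field-name and colon (RFC 7230 3.2.4).
            if not allow_ws_header_name:
                raise HeaderError(f"whitespace before colon in header name: {name!r}")
            name = name.rstrip(" \t")
        if not _TOKEN_RE.match(name):
            raise HeaderError(f"invalid characters in header name: {name!r}")
        headers.append((name, value.strip(" \t")))
    return headers


def is_compliant(raw: str, allow_ws_header_name: bool = False) -> bool:
    """True if the header block is accepted under the given policy."""
    try:
        parse_headers(raw, allow_ws_header_name)
        return True
    except HeaderError:
        return False


if __name__ == "__main__":
    print("strict accepts sample:    ", is_compliant(SAMPLE_HEADERS))
    print("permissive accepts sample:", is_compliant(SAMPLE_HEADERS, True))
    print(parse_headers(SAMPLE_HEADERS, allow_ws_header_name=True))
```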
926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Links to More Info: BT926593
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different GTM monitor type than gateway_icmp for IPv6 targets.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4★
Links to More Info: BT925989
Component: Local Traffic Manager
Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:
-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.
Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.
Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.
Workaround:
None.
Fixed Versions:
15.1.0.5
925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted
Links to More Info: BT925573
Component: Access Policy Manager
Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue.
Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.
Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4, 15.1.3
924945-3 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching a new HTTP profile, or simply detaching the existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create a new, similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
15.1.3, 16.0.1.2, 16.1.1
924929-2 : Logging improvements for VDI plugin
Links to More Info: BT924929
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names, along with the exceptions, are now logged in the APM log file.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924857-1 : Logout URL with parameters resets TCP connection
Links to More Info: BT924857
Component: Access Policy Manager
Symptoms:
The TCP connection is reset when 'Logout URI Include' is configured.
Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
/logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
/logoff.html?a=b
Impact:
TCP connection resets, reporting BIG-IP APM error messages.
'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.
Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.
Workaround:
None
Fix:
The system now ignores unsupported query parameters.
Fixed Versions:
14.1.4.5, 15.1.2, 16.0.1.2
924521-2 : OneConnect does not work when WEBSSO is enabled/configured.
Links to More Info: BT924521
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.
Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.
Fixed Versions:
14.1.4.3, 15.1.4
924493-2 : VMware EULA has been updated
Links to More Info: BT924493
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Links to More Info: BT924429
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
924349-2 : DIAMETER MRF is not compliant with RFC 6733 for Host-IP-Address AVP over SCTP
Component: Service Provider
Symptoms:
Diameter CER/CEA messages currently do not advertise all Host-IP-Address AVPs.
Conditions:
-- Diameter CER/CEA messages are exchanged between peers, with a SNAT pool and an alternate address configured in the SCTP profile.
-- The CER from the BIG-IP system contains the SNAT pool IP addresses.
-- The CEA from the BIG-IP system contains the alternate addresses.
Impact:
Unable to see multiple Host-IP-Address AVPs in CER/CEA messages.
Fix:
Host-IP-Address AVPs can now be validated as per RFC 6733 for Diameter over SCTP.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
924301-1 : Incorrect values in REST response for DNS/SIP
Links to More Info: BT924301
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached
Impact:
An incorrect value is calculated in the REST response.
Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation.
Fixed Versions:
15.1.2, 16.0.1.1
923301-2 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
Links to More Info: BT923301
Component: Application Security Manager
Symptoms:
Starting with 14.1.0.2, for ASMs in a device group, only the active device downloads and installs the attack signature update (ASU); the ASU is then synchronized to and installed on the other peer ASMs within the device group during a config sync.
Conditions:
Automatic installation of ASU on manual sync setup.
Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.
Workaround:
Manually sync the device group.
Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
923125-2 : Huge number of admd processes causes OOM
Links to More Info: BT923125
Component: Anomaly Detection Services
Symptoms:
The top command shows that a large number of admd processes are running.
Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.
Impact:
Memory is exhausted.
Workaround:
Restart admd:
bigstart restart admd
Fix:
This issue no longer occurs.
Fixed Versions:
14.1.3.1, 15.1.2
922785-2 : Live Update scheduled installation is not installing on set schedule
Links to More Info: BT922785
Component: Application Security Manager
Symptoms:
A scheduled live update does not occur at the scheduled time.
Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.
Impact:
Automated installation does not initiate.
Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days, where the second day is the day with the schedule set between 00:00-00:14.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
922665-2 : The admd process is terminated by the watchdog during some heavy-load configuration processes
Links to More Info: BT922665
Component: Anomaly Detection Services
Symptoms:
The BIG-IP ASM watchdog process terminates the admd process.
Conditions:
During a heavy-load configuration process, such as a version upgrade.
Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.
Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:
bigstart stop admd
bigstart start admd
Fixed Versions:
14.1.4.5, 15.1.5
922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites
Links to More Info: BT922597
Component: Anomaly Detection Services
Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.
Conditions:
This can occur for some requests that have high latency and low TPS.
Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.
Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500
For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.
The result is that the attack is declared later than with the default value, but it is still declared and the site is protected.
Fix:
The default sensitivity value is now 500, which eliminates false-positive DoS attack declarations.
Fixed Versions:
14.1.4, 15.1.3
922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Links to More Info: BT922297
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadlock (when there are more than 10 interfaces and TMMs/vCPUs).
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
922261-2 : WebSocket server messages are logged even when it is not configured
Links to More Info: BT922261
Component: Application Security Manager
Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.
Impact:
Remote logging server overloaded with unexpected WebSocket messages.
Workaround:
Set response-logging=illegal in all remote logging profiles.
Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
922185-1 : LDAP referrals not supported for 'cert-ldap system-auth'★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
922105-3 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
921881-2 : Use of IPFIX log destination can result in increased CPU utilization
Links to More Info: BT921881
Component: Local Traffic Manager
Symptoms:
-- Increased baseline CPU.
-- The memory_usage_stats table shows a continuous increase in mds_* rows.
Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.
Impact:
Increased baseline CPU may result in exhaustion of CPU resources.
Workaround:
Limiting changes to associated configuration can slow the effects of this issue.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2
921721-1 : FIPS 140-2 SP800-56Arev3 compliance
Links to More Info: BT921721
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.
Fixed Versions:
14.1.3, 15.1.3
921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
Links to More Info: BT921677
Component: Application Security Manager
Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:
Bot defense profile <profile full name> error: match-order should be unique.
Conditions:
1. Create three items with consecutive match-order values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.
2. Delete item with the value: match-order 2 (in tmsh), and save.
3. Switch to the GUI, add new allow list item, and save.
Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.
Workaround:
Drag between two items, and then drag back.
Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
921625-2 : The certs extend function does not work for GTM/DNS sync group
Links to More Info: BT921625
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in the same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
921421-3 : iRule support to get/set UDP's Maximum Buffer Packets
Links to More Info: BT921421
Component: Local Traffic Manager
Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.
Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.
Impact:
Unable to dynamically change the max buffer packets setting in an iRule.
Workaround:
None
Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts.
Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
921369 : Signature verification for logs fails if the log files are modified during log rotation
Links to More Info: BT921369
Component: TMOS
Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.
Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs
Impact:
Signature verification may fail on rotated log files.
Fix:
Fixed an issue with signature verification failing on valid log files.
Fixed Versions:
15.1.1
921365-1 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
15.1.4, 16.1.2
921361-2 : SSL client and SSL server profile names truncated in GUI
Links to More Info: BT921361
Component: TMOS
Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.
Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.
Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.
Note: The fields remain at the limited width even when the browser window is maximized.
Workaround:
Use tmsh to see the full SSL client and SSL server name.
Fixed Versions:
15.1.1, 16.0.1.1
921181 : Wrong error message upon bad credential stuffing configuration
Links to More Info: BT921181
Component: BIG-IP Risk Engine
Symptoms:
When you try to configure credential stuffing and provide invalid parameters, you see a misleading error:
HTML Tag-like Content in the Request URL/Body
Conditions:
Configuration of a bad ApplicationID, Access Token, or wrong service type generates a validation error, but the error message is confusing.
Impact:
A misleading error is displayed.
Workaround:
None.
Fix:
Wrong error message upon bad credential stuffing configuration has been corrected.
Fixed Versions:
15.1.2.1
921065 : BIG-IP systems not responding to DPD requests from initiator after failover
Links to More Info: BT921065
Component: TMOS
Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of the IKE tunnel on the peer as well as on the BIG-IP system.
Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.
Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.
Workaround:
None.
Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.
Fixed Versions:
15.1.4
920961-2 : Devices incorrectly report 'In Sync' after an incremental sync
Links to More Info: BT920961
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages
Links to More Info: BT920361
Component: Advanced Firewall Manager
Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.
Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.
Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.
Workaround:
None.
Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.
Fixed Versions:
14.1.3.1, 15.1.1
920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy
Links to More Info: BT920301
Component: TMOS
Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.
Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.
Impact:
High CPU Usage.
Workaround:
None.
Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.
Fixed Versions:
14.1.3.1, 15.1.2
920197-3 : Brute force mitigation can stop mitigating without a notification
Links to More Info: BT920197
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1
919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN'
Links to More Info: BT919745
Component: TMOS
Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'.
Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.
Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.
Workaround:
None.
Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.
Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1
919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Links to More Info: BT919553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919465-2 : A dwbld core on configuration changes on IP Intelligence policy
Links to More Info: BT919465
Component: Advanced Firewall Manager
Symptoms:
A dwbld core occurs on configuration changes on IP Intelligence policy.
Conditions:
Configuration changes on IP Intelligence policy with assigned feed-list.
Impact:
A dwbld restart. Enforcement of dynamic white/black configuration does not occur while dwbld restarts.
Workaround:
None.
Fix:
Feed-list entries should not be present in the list of entries with expiration.
Fixed Versions:
15.1.5
919381-1 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups
Component: Advanced Firewall Manager
Symptoms:
Currently, AFM does not support matching rules against multiple subscriber policies.
Conditions:
-- AFM provisioned.
-- You wish to match rules against multiple subscriber policies.
Impact:
AFM rules cannot be matched against multiple subscriber policies.
Workaround:
None
Fix:
AFM rules can now be matched against multiple subscriber policies.
Fixed Versions:
15.1.2.1
919305-2 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS
Links to More Info: BT919305
Component: TMOS
Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.
Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.
Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.
Fix:
Appliance mode now functions when configured on a BIG-IP tenant deployed on VELOS.
Fixed Versions:
15.1.4
919301-3 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with the -message option, for example:
GTP::ie count -message $m -type apn
Impact:
The iRule fails, which can cause the connection to abort.
Workaround:
Swap the order of the arguments by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message from iRules validation, but the command works at runtime.
Fix:
'GTP::ie count' now works with the -message option.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
919001-2 : Live Update: Update Available notification is shown twice in rare conditions
Links to More Info: BT919001
Component: Application Security Manager
Symptoms:
When entering the Live Update page, the Update Available notification is sometimes shown twice.
Conditions:
This can be encountered on the first load of the Live Update page.
Impact:
Notification is shown twice.
Workaround:
None.
Fix:
Notification is shown only once in all cases.
Fixed Versions:
14.1.2.8, 15.1.2, 16.0.1.1
918933-2 : The BIG-IP ASM system may not properly perform signature checks on cookies
Links to More Info: K88162221, BT918933
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
918717-2 : Exception at rewritten Element.innerHTML='<a href></a>'
Links to More Info: BT918717
Component: Access Policy Manager
Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.
Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:
<script>
d = document.createElement('div')
try {
d.innerHTML = "<a href b=1>click</a>"
}catch(e){
alert(e.message);
}
</script>
Impact:
Web page does not load properly.
Workaround:
Find the anchor tags whose "href" attribute has no value and give the attribute an empty value:
Before:
<a href></a>
After:
<a href=""></a>
Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.
Fixed Versions:
15.1.4.1
918597-5 : Under certain conditions, deleting a topology record can result in a crash.
Links to More Info: BT918597
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
918317-2 : SSL Orchestrator resets subsequent requests when HTTP services are being used.
Links to More Info: BT918317
Component: SSL Orchestrator
Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.
Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.
Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.
Workaround:
None
Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.
Fixed Versions:
14.1.4.4, 15.1.4
918209-3 : GUI Network Map icons color scheme is not section 508 compliant
Links to More Info: BT918209
Component: TMOS
Symptoms:
The Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (Section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical: other than shape (circle vs. square), the colors look the same, and the blue and green appear as almost one color.
Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.
Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.
Workaround:
None.
Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.
Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1
918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Links to More Info: BT918169
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in an HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
918097-3 : Cookies set in the URI on Safari
Links to More Info: BT918097
Component: Application Security Manager
Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.
Impact:
A cookie is set on the URL.
Workaround:
None.
Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.
This is done by a new BigDB variable:
tmsh modify sys db botdefense.safari_redirect_no_cookie_mode value disable
The default value is the original behavior (enable), which sets the cookie in the URL.
NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore requests to be blocked.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
918081-1 : Application Security Administrator role cannot create parent policy in the GUI
Links to More Info: BT918081
Component: Application Security Manager
Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created.
Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to log on to the GUI and try to create/edit the parent policy.
Impact:
The following actions are not available to accounts with the Application Security Administrator role:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.
Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.
Fix:
The Application Security Administrator role can now create the parent policy when required.
Fixed Versions:
15.1.1, 16.0.1.1
917005-5 : ISC BIND Vulnerability: CVE-2020-8619
Links to More Info: K19807532
916969-3 : Support of Microsoft Identity 2.0 platform
Links to More Info: BT916969
Component: Access Policy Manager
Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.
Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.
Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.
Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.
Fixed Versions:
14.1.4, 15.1.3
916781-1 : Validation error while attaching DoS profile to GTP virtual
Links to More Info: BT916781
Component: Service Provider
Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.
Conditions:
Attach DoS security profile to GTP virtual server.
Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.
Workaround:
None.
Fix:
A DoS security profile can now be attached to a GTP virtual server without a validation error being reported.
Fixed Versions:
15.1.4, 16.0.1
916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
Links to More Info: BT916753
Component: Global Traffic Manager (DNS)
Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.
Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:
RESOLV::lookup @/Common/my_dns_virtual www.example.com
Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.
For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:
instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53
Fixed Versions:
15.1.2, 16.0.1.1
916589-2 : QUIC drops 0RTT packets if CID length changes
Links to More Info: BT916589
Component: Local Traffic Manager
Symptoms:
QUIC sometimes rejects valid 0RTT packets.
Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.
Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.
Workaround:
None.
Fix:
Fixed an issue with 0RTT packets when using QUIC.
Fixed Versions:
15.1.0.5, 16.0.1.1
915957-1 : The wocplugin may get into a restart loop when AAM is provisioned
Links to More Info: BT915957
Component: Local Traffic Manager
Symptoms:
When AAM is provisioned, the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.
Conditions:
Application Acceleration Manager (AAM) is provisioned.
Impact:
AAM is not functional.
Workaround:
None
Fix:
The wocplugin is now correctly provisioned and runs without restarts.
Fixed Versions:
14.1.3, 15.1.2
915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Links to More Info: BT915825
Component: TMOS
Symptoms:
A configuration error occurs during upgrade because a Drafts folder associated with a custom partition remains in the configuration file after that partition is deleted.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
915773-1 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
915713-2 : Support QUIC and HTTP3 draft-29
Links to More Info: BT915713
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.
Conditions:
Browser requests draft-29.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.
Fixed Versions:
15.1.1, 16.0.1.1
915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Links to More Info: BT915689
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-6 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Links to More Info: K56251674, BT915605
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or, more generally, to install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
915509-1 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Links to More Info: BT915509
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.4.1
915497-2 : New Traffic Class Page shows multiple question marks.
Links to More Info: BT915497
Component: TMOS
Symptoms:
When you navigate to the traffic class creation page by clicking the Create button on the Traffic Class list page, Chinese characters are displayed as multiple question marks.
Conditions:
This is encountered when creating a new Traffic Class.
Impact:
Multi-byte characters are displayed incorrectly.
Workaround:
None.
Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.
Fixed Versions:
14.1.3.1, 15.1.0.5, 16.0.1.1
915489-2 : LTM Virtual Server Health is not affected by iRule Requests dropped
Links to More Info: BT915489
Component: Anomaly Detection Services
Symptoms:
Virtual Server Health takes into account requests that an iRule deliberately drops, although it should not.
Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.
Impact:
Virtual Server Health does not reflect the overload status precisely, because deliberately dropped requests are counted.
Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.
Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
915305-5 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Links to More Info: BT915305
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries, causing tunneled traffic to be dropped/discarded.
Conditions:
The path to a remote tunnel endpoint is provided by dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
915281-2 : Do not rearm TCP Keep Alive timer under certain conditions
Links to More Info: BT915281
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
914761-3 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
Links to More Info: BT914761
Component: TMOS
Symptoms:
Using crontab to automatically back up the UCS file through scheduled cron jobs fails due to SELinux permissions. The failure produces the following error:
Unexpected Error: UCS saving process failed.
Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.
Impact:
UCS file is not successfully saved and backup fails.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1.1
914681-2 : Value of tmm.quic.log.level can differ between TMSH and GUI
Links to More Info: BT914681
Component: Local Traffic Manager
Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.
Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.
Impact:
Misleading log level displayed in the GUI.
Workaround:
Use TMSH to set and view values for tmm.quic.log.level.
Fix:
GUI values for tmm.quic.log.level are now displayed properly.
Fixed Versions:
15.1.0.5, 16.0.1.1
914649-3 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Links to More Info: BT914649
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch a View virtual desktop via the native View client from an APM webtop or from the View client.
Impact:
USB is unavailable after opening VMware View Desktop.
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
914293-3 : TMM SIGSEGV and crash
Links to More Info: BT914293
Component: Anomaly Detection Services
Symptoms:
TMM crashes when an iRule is used to reject connections while Behavioral DoS is enabled.
Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.
Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.
Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
914277-2 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
Links to More Info: BT914277
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.
Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable through the onboard.js script, adding '-d liveupdate.autodownload:disable' to its arguments.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
The relevant arguments in that command are:
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
In order to still have automatic updates for the group, the DB variable can be enabled on the master device. This setting is then applied to every new host after it joins the group and receives the initial sync from the master.
Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.0.1.2
914245-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Links to More Info: BT914245
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option to the fw_update_post service file.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2
914081-1 : Engineering Hotfixes missing bug titles
Links to More Info: BT914081
Component: TMOS
Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).
-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.
Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.
Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.
Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).
Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.
Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.
Fixed Versions:
14.1.4, 15.1.3
913849-1 : Syslog-ng periodically logs nothing for 20 seconds
Links to More Info: BT913849
Component: TMOS
Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.
Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- The DNS resolution times out (for example, if the DNS server is unreachable).
Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20-second timeout, and blocks the syslog process from writing logs to disk during that time.
Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.
Workaround:
None.
Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout in 13.0.0, but this patch was made ineffective by the upgrade to CentOS 7 in 14.1.0. This fix restores the patch so that it works again.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
913829-4 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Links to More Info: BT913829
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for the ephemeral connections they initiate. This means the 'stride' of the selected ports is 2: a sorted list of the ports looks like 2, 4, 6, 8... 32002, 32004, 'striding' over the odd ports, hence a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However, the loads on the CPU cores will still appear imbalanced.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then on all guests to mitigate the issue.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
913761-2 : Security - Options section in navigation menu is visible for only Administrator users
Links to More Info: BT913761
Component: Application Security Manager
Symptoms:
The Security - Options section in the left navigation menu is visible only for user accounts configured with the Administrator role.
Conditions:
You logged in as a user configured with a role other than Administrator.
Impact:
No direct access to many settings that are available only for user accounts configured with the Administrator role.
Workaround:
Direct links to the pages work for those with the appropriate roles.
Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM
Fixed Versions:
15.1.1, 16.0.1.2
913757-1 : Error viewing security policy settings for virtual server with FTP Protocol Security
Links to More Info: BT913757
Component: Application Security Manager
Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:
An error has occurred while trying to process your request.
Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.
Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:
An error has occurred while trying to process your request.
Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in other words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:
-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command):
tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }
Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.
Fixed Versions:
15.1.2.1, 16.0.1.1
913729-5 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Links to More Info: BT913729
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.
Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).
Fixed Versions:
15.1.4, 16.0.1.2
913453-5 : URL Categorization: wr_urldbd cores while processing urlcat-query
Links to More Info: BT913453
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
Fix:
Fixed a core in wr_urldbd.
Fixed Versions:
14.1.4.4, 15.1.4
913433-3 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT913433
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default).
Workaround:
None.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
913413-3 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
The 'GTP::header extension count' command now returns the number of header extensions correctly.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913373-2 : No connection error after failover with MRF, and no connection mirroring
Links to More Info: BT913373
Component: Service Provider
Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.
Conditions:
-- MRF configured.
-- Using iRule for routing.
-- Failover occurs.
Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.
Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
913249-2 : Restore missing UDP statistics
Links to More Info: BT913249
Component: Local Traffic Manager
Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Conditions:
Viewing UDP statistics.
Impact:
Unable to view these UDP statistics.
Workaround:
None.
Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
913137-1 : No learning suggestion on ASM policies enabled via LTM policy
Links to More Info: BT913137
Component: Application Security Manager
Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.
Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.
This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.
Impact:
No learning suggestions.
Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.
Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.
Fixed Versions:
15.1.2, 16.0.1.1
913085-1 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it dumps core before exiting. A core file whose name starts with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in the /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
912945-2 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual server configured with multiple client SSL profiles, the profile with the ECDSA-signed cert is not selected even though its CN/SAN matches the SNI extension of the ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of the ClientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches the SNI extension of the ClientHello.
-- That profile is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
912425-3 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash
Links to More Info: BT912425
Component: Local Traffic Manager
Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.
Conditions:
TMM may crash under some of the following conditions:
-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.
Changes to monitor configuration may not take effect under the following conditions:
-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Disable in-TMM monitors.
Fix:
This issue is now fixed.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
912289-1 : Cannot roll back after upgrading on certain platforms★
Links to More Info: BT912289
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
Fix:
Contact F5 Support for the reversion process if this is required.
Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.
The particular platforms are:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
The particular software versions are:
+ BIG-IP v12.1.6 or later in the v12.x branch of code
+ BIG-IP v13.1.4 or later in the v13.x branch of code
+ BIG-IP v14.1.4 or later in the v14.x branch of code
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
Fixed Versions:
12.1.6, 14.1.4, 15.1.1
912149-5 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and the control plane, and reports errors similar to the following:
/var/log/asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
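Because the record names the Cgc::Channel message as the most reliable indicator, a log scan for it (with the ZeroMQ assert as corroboration) is the practical way to confirm this issue before restarting asm_config_server. The following is an added example written for this page, not F5 code: the log lines, the function names and the syslog-style prefixes are constructed for illustration.

```python
import re

# Constructed log lines modelled on the two indicators quoted in the bug
# record; they are illustrative and not captured from any real device.
SAMPLE_LOG_LINES = [
    "May 21 23:27:30 bigip1 err asm_config_server.pl: (asm_config_server.pl,"
    "F5::Cgc::Channel::send): Failed to send a message, error:15638476.",
    "|ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|"
    "(zmq_assert) Assertion failed: load.get () == 0",
    "May 21 23:27:40 bigip1 err asm_config_server.pl: (asm_config_server.pl,"
    "F5::Cgc::Channel::send): Failed to send a message, error:15638476.",
    "May 21 23:28:00 bigip1 info asm_config_server.pl: configuration sync finished",
]

# Primary indicator (/var/log/asm) and corroborating indicator (ts_debug.log).
CGC_SEND_FAILURE = re.compile(
    r"F5::Cgc::Channel::send\): Failed to send a message, error:(\d+)")
ZMQ_ASSERT = re.compile(r"\(zmq_assert\) Assertion failed: (.*)$")


def classify_line(line):
    """Return ('cgc', error_code), ('zmq', assertion) or None for one line."""
    m = CGC_SEND_FAILURE.search(line)
    if m:
        return ("cgc", m.group(1))
    m = ZMQ_ASSERT.search(line)
    if m:
        return ("zmq", m.group(1).strip())
    return None


def scan_log(lines):
    """Summarise indicator hits across a log excerpt."""
    summary = {"cgc_failures": 0, "zmq_asserts": 0,
               "error_codes": set(), "assertions": set()}
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        kind, detail = hit
        if kind == "cgc":
            summary["cgc_failures"] += 1
            summary["error_codes"].add(detail)
        else:
            summary["zmq_asserts"] += 1
            summary["assertions"].add(detail)
    return summary


def matches_bug_912149(summary):
    """True when the primary indicator is present; the ZeroMQ assert alone is
    treated as corroborating evidence, not as sufficient on its own."""
    return summary["cgc_failures"] > 0


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG_LINES)
    print(result)
    print("restart asm_config_server?", matches_bug_912149(result))
```

Run it against an excerpt of /var/log/asm and /var/log/ts/ts_debug.log from each device in the device group; a positive result on one unit is the cue for the pkill workaround above, and the collected error codes are useful when opening a support case.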
912089-2 : Some roles are missing necessary permission to perform Live Update
Links to More Info: BT912089
Component: Application Security Manager
Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.
Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.
Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.
Workaround:
None.
Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
912001-3 : TMM cores on secondary blades of the Chassis system.
Links to More Info: BT912001
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile configured to use the local BIND server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
911809-2 : TMM might crash when sending out oversize packets.
Links to More Info: BT911809
Component: TMOS
Symptoms:
TMM crashes with an assertion failure similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.
Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.3.1, 15.1.2
911729-2 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Links to More Info: BT911729
Component: Application Security Manager
Symptoms:
Policy Builder issues a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
A learning suggestion is no longer issued for a maximum parameter length value that is already configured.
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
911141-3 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
The GTP v1 APN element is decoded/encoded as an octet string; only the GTP v2 APN element is decoded/encoded using DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
The GTP v1 APN element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as an octet string.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
911041-3 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
Links to More Info: BT911041
Component: Local Traffic Manager
Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.
Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.
Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.
Fixed Versions:
14.1.3.1, 15.1.2.1, 16.0.1.2
910653-5 : iRule parking in clientside/serverside command may cause tmm restart
Links to More Info: BT910653
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
910633-1 : Continuous 'neurond restart' message on console
Links to More Info: BT910633
Component: Performance
Symptoms:
Neurond restarts continuously after some TurboFlex configuration changes.
Conditions:
TurboFlex configuration modifications change the underlying firmware without an automatic reboot being triggered.
Impact:
Features that utilize Neuron are not available.
Workaround:
Reboot the system.
Fixed Versions:
15.1.4
910521-2 : Support QUIC and HTTP draft-28
Links to More Info: BT910521
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.
Conditions:
Browser requests draft-28.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.
Fixed Versions:
15.1.0.5, 16.0.1
910517-1 : TMM may crash while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.
Conditions:
- Client HTTP profile
- Server SSL profile
- Server HTTP/2 profile
- Undisclosed request conditions
Impact:
TMM may crash, leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes HTTP traffic as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1
910417-2 : TMM core may be seen when reattaching a vector to a DoS profile
Links to More Info: BT910417
Component: Advanced Firewall Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the tracker on deletion, ensuring that the tracker being deleted is the same one that was created, so the error no longer occurs.
Fixed Versions:
14.1.4, 15.1.2, 16.0.1.2
910253-2 : BD error on HTTP response after upgrade★
Links to More Info: BT910253
Component: Application Security Manager
Symptoms:
After upgrade, some requests can cause BD errors on response:
BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040
IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.
Impact:
For some requests, the response can arrive truncated or not arrive at all.
Workaround:
Add an iRule that deletes ASM cookies:
when HTTP_REQUEST {
    set cookies [HTTP::cookie names]
    foreach aCookie $cookies {
        if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
            HTTP::cookie remove $aCookie
        }
    }
}
Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.
Fixed Versions:
15.1.3, 16.0.1.1
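Before deploying the cookie-stripping iRule above, it is worth confirming exactly which cookie names its regex selects, since every cookie it removes is one that cookie-related violations, session tracking and login protection can no longer see. The following added example (written for this page, not F5 code) applies the same pattern to a constructed Cookie header in Python; the `(?:...)` group and `{6,8}` quantifier mean the same thing in Tcl's matches_regex and in Python's re. The header contents and function names are assumptions for illustration.

```python
import re

# Same pattern as the iRule's matches_regex operator: "TS", 6 to 8 hex digits,
# then either end of name or an underscore followed by decimal digits.
TS_COOKIE_NAME = re.compile(r"^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)")

# Constructed Cookie header covering the edge cases of the pattern; none of
# these values come from a real device.
SAMPLE_COOKIE_HEADER = (
    "TS01a2b3c4=abc; TS01a2b3c4_77=def; TSPD_101=xyz; session=1; "
    "TS01a2=short; ts01a2b3c4=lower; TS0123456789=long; TS01a2b3c4_=nodigits"
)


def is_asm_ts_cookie(name):
    """True when the iRule workaround would remove a cookie with this name."""
    return TS_COOKIE_NAME.match(name) is not None


def parse_cookie_header(header):
    """Split a Cookie request header into ordered (name, value) pairs.
    Splits on the first '=' only, so values containing '=' survive intact."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value if sep else ""))
    return pairs


def strip_asm_cookies(header):
    """Apply the workaround's selection logic to one Cookie header.
    Returns (rewritten_header, removed_names) so the removals can be audited."""
    kept, removed = [], []
    for name, value in parse_cookie_header(header):
        if is_asm_ts_cookie(name):
            removed.append(name)
        else:
            kept.append(f"{name}={value}")
    return "; ".join(kept), removed


if __name__ == "__main__":
    forwarded, removed = strip_asm_cookies(SAMPLE_COOKIE_HEADER)
    print("removed:  ", removed)
    print("forwarded:", forwarded)
```

Note what the pattern does not match: names with fewer than 6 or more than 8 hex digits, a lowercase "ts" prefix, a non-hex suffix such as "TSPD_101", and a trailing underscore with no digits. Running a site's real cookie names through `is_asm_ts_cookie` before enabling the iRule shows whether anything besides the ASM cookies would be dropped.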
910201-3 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Links to More Info: BT910201
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended. This occurs for various reasons; BIG-IP end users have no influence over whether it occurs.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If, due to the topology, SPF/IA calculation is suspended again after the restart, this workaround essentially has no effect.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
910177 : Poor HTTP/3 throughput
Links to More Info: BT910177
Component: Local Traffic Manager
Symptoms:
HTTP/3 throughput is poor.
Conditions:
Virtual Server configured with an HTTP/3 profile.
Impact:
Performance might be severely degraded.
Workaround:
There is no alternative other than not using the HTTP/3 profile.
Fix:
Erroneously enabled debug logs are now turned off, so performance is improved.
Fixed Versions:
15.1.0.4
910097-2 : Changing per-request policy while tmm is under traffic load may drop heartbeats
Links to More Info: BT910097
Component: Access Policy Manager
Symptoms:
Cluster failover, tmm restart, or tmm killed due to missed heartbeats (tmm crash).
Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
909673 : TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms
Links to More Info: BT909673
Component: TMOS
Symptoms:
TMM crashes when VLAN SYN cookie feature is used.
Conditions:
-- Configuring for VLAN SYN cookie use.
-- Running on iSeries i2800/i2600 and i4800/i4600 platforms.
Impact:
Tmm crashes and traffic processing stops. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
VLAN SYN cookie processing now functions as expected.
Fixed Versions:
15.1.0.4
909237-6 : CVE-2020-8617: BIND Vulnerability
Links to More Info: K05544642
909197-3 : The mcpd process may become unresponsive
Links to More Info: BT909197
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- The mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.
Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1
909161-3 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometimes when the avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
908873-1 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
Links to More Info: BT908873
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.
This was encountered during internal testing of certain iRule configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
15.1.2
908621-2 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
Links to More Info: BT908621
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.
Fixed Versions:
14.1.4.1, 15.1.2
908601-2 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
Links to More Info: BT908601
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.
Impact:
The BIG-IP system is unable to complete the boot process and become active.
Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.
Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.
You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2
908517-3 : LDAP authentication failures seen because of 'Too many open file handles at client (nslcd)'
Links to More Info: BT908517
Component: TMOS
Symptoms:
LDAP authentication fails with an error message:
err nslcd[2867]: accept() failed: Too many open files
Conditions:
This problem occurs when user-template is used instead of Bind DN.
Impact:
You cannot log on to the system using LDAP authentication.
Workaround:
None.
Fix:
LDAP authentication now succeeds when user-template is used.
Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
908065-2 : Logrotation for /var/log/avr blocked by files with .1 suffix
Links to More Info: BT908065
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908021-1 : Management and VLAN MAC addresses are identical
Links to More Info: BT908021
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, which makes it impossible to differentiate traffic destined for the management port from traffic destined for the traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.3
907765-1 : BIG-IP system does not respond to ARP requests if it has a route to the source IP address
Links to More Info: BT907765
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system receives an ARP request from a source IP address for which it has a route configured, the BIG-IP system does not give an ARP reply.
Conditions:
-- BIG-IP system receives an ARP who-is request for one of its self ip addresses.
-- The source IP address is in a different network, and the BIG-IP system has an L3 route configured for it.
Impact:
BIG-IP does not send an ARP reply.
Workaround:
None.
Fix:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Behavior Change:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Fixed Versions:
15.1.4
907549-1 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
15.1.0.5
907337-2 : BD crash on specific scenario
Links to More Info: BT907337
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
907025-3 : Live update error: 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures, the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
The following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
14.1.4.5, 15.1.5
906889-4 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Links to More Info: BT906889
Component: TMOS
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
906885-1 : Spelling mistake on AFM GUI Flow Inspector screen
Links to More Info: BT906885
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
Fixed Versions:
14.1.2.8, 15.1.2.1
905557-1 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Links to More Info: BT905557
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and is then restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
Fixed Versions:
14.1.4, 15.1.2
904845-2 : VMware guest OS customization works only partially in a dual stack environment.
Links to More Info: BT904845
Component: TMOS
Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).
By default, DHCP is enabled on the management interface.
During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.
Conditions:
Applying a customization profile to VMware VM in a dual stack environment.
Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.
Workaround:
Configure the mgmt interface addresses using the config script.
Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1
904785-1 : Remotely authenticated users may experience difficulty logging in over the serial console
Links to More Info: BT904785
Component: TMOS
Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user.
Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.
Impact:
Remotely authenticated users cannot log in over the serial console.
Workaround:
Use either of the following workarounds:
-- Log in over SSH instead
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
904705-2 : Cannot clone Azure marketplace instances.
Links to More Info: BT904705
Component: TMOS
Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.
Conditions:
Applies to any Azure marketplace instance.
Impact:
Cannot clone Azure marketplace instances.
Workaround:
None.
Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
904593-1 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Links to More Info: BT904593
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable from the onboard.js script: add '-d liveupdate.autodownload:disable' to the script's arguments, alongside the existing '-d tm.tcpudptxchecksum:software-only'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
Fixed Versions:
14.1.2.7, 15.1.0.5
904373-3 : MRF GenericMessage: Implement limit to message queues size
Links to More Info: BT904373
Component: Service Provider
Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.
Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increases, more memory is required.
Impact:
If too many messages are queued, the system may exceed an internal count, which could lead to a core.
Workaround:
None.
Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.
Fixed Versions:
14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
904133-1 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code
Links to More Info: BT904133
Component: Application Security Manager
Symptoms:
Creating a user-defined signature via iControl REST occasionally fails with a 400 response code.
Conditions:
You create a user-defined signature via iControl REST via this endpoint:
POST https://<BIG-IP>/mgmt/tm/asm/signatures
Impact:
Signature creation fails with 400 response code:
{
"code": 400,
"message": "remoteSender:10.10.10.10, method:POST ",
"originalRequestBody": "{...}",
"referer": "10.10.10.10",
"restOperationId": 6716673,
"kind": ":resterrorresponse"
}
Fix:
Creating user-defined signatures via REST works correctly.
Fixed Versions:
14.1.4.4, 15.1.4.1
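The following is an added example (not F5 code and not part of this release note) showing how a REST client of the endpoint above can tell the transient 400 quoted in this entry, whose 'message' carries only the remoteSender/method prefix and no validation text, apart from a genuine validation error, and retry only the former. The endpoint path and the 400 body are the ones quoted in the entry; the signature body field names, the 'kind' value in the success response and the FakeBigIP stand-in are the author's assumptions.

```python
"""Create a user-defined ASM signature through iControl REST, retrying the
transient empty-message 400 described in ID 904133. Added example; not F5 code."""
import json
import time
from typing import Callable, Dict, Tuple

SIGNATURE_PATH = "/mgmt/tm/asm/signatures"   # endpoint named in the bug entry

# Constructed request body. The field names are the author's assumption about
# the ASM signature schema; check them against your BIG-IP's own
# /mgmt/tm/asm/signatures documentation before use.
SIGNATURE_BODY = {
    "name": "custom_block_evil_param",
    "signatureType": "request",
    "rule": 'content:"evilparam="; nocase;',
    "accuracy": "high",
    "risk": "high",
}

Poster = Callable[[str, Dict], Tuple[int, Dict]]   # post(path, body) -> (status, json)


def is_transient_400(status: int, body: Dict) -> bool:
    """Match the failure shape quoted in the bug entry: HTTP 400 with
    kind ':resterrorresponse' and a 'message' that holds only the
    'remoteSender:..., method:POST' prefix and no validation text.
    A genuine validation 400 from ASM carries a descriptive message and
    must not be retried blindly."""
    if status != 400:
        return False
    if body.get("kind") != ":resterrorresponse":
        return False
    return body.get("message", "").strip().endswith("method:POST")


def create_signature(post: Poster, body: Dict, attempts: int = 3,
                     delay: float = 0.5) -> Tuple[int, Dict, int]:
    """POST the signature, retrying only the transient 400. Returns
    (status, response json, attempts used); raises on a non-transient error
    or when the retries are exhausted."""
    for attempt in range(1, attempts + 1):
        status, resp = post(SIGNATURE_PATH, body)
        if status in (200, 201):
            return status, resp, attempt
        if not is_transient_400(status, resp):
            raise RuntimeError(f"signature creation failed: {status} {json.dumps(resp)}")
        if attempt < attempts:
            time.sleep(delay)
    raise RuntimeError(f"signature creation still failing after {attempts} attempts")


def requests_poster(host: str, user: str, password: str, verify: bool = True) -> Poster:
    """Real transport for a BIG-IP assumed reachable at https://<host>.
    Imported lazily so the rest of this file runs without 'requests'."""
    import requests  # pip install requests

    def post(path: str, body: Dict) -> Tuple[int, Dict]:
        r = requests.post(f"https://{host}{path}", json=body,
                          auth=(user, password), verify=verify, timeout=30)
        try:
            return r.status_code, r.json()
        except ValueError:
            return r.status_code, {"message": r.text}
    return post


class FakeBigIP:
    """Offline stand-in that fails the first `failures` calls with the exact
    400 body quoted in the bug entry, then succeeds."""
    TRANSIENT_400 = {
        "code": 400,
        "message": "remoteSender:10.10.10.10, method:POST ",
        "originalRequestBody": "{...}",
        "referer": "10.10.10.10",
        "restOperationId": 6716673,
        "kind": ":resterrorresponse",
    }

    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0

    def post(self, path: str, body: Dict) -> Tuple[int, Dict]:
        self.calls += 1
        if self.calls <= self.failures:
            return 400, dict(self.TRANSIENT_400)
        # 'kind' below is illustrative, not the documented success response
        return 201, {"kind": "tm:asm:signatures:signaturestate", **body}


if __name__ == "__main__":
    status, resp, tries = create_signature(FakeBigIP(failures=1).post,
                                           SIGNATURE_BODY, delay=0)
    print(status, tries, resp["name"])
```

Against a real device, replace FakeBigIP(...).post with requests_poster(host, user, password) and keep the bounded retry; a 400 whose message is a real validation complaint is raised immediately rather than retried.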
904053-2 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Links to More Info: BT904053
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disabling Learning mode for the Policy also disables cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
904041-2 : Ephemeral pool members may be incorrect when modified via various actions
Links to More Info: BT904041
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of a non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
Fixed Versions:
14.1.4.5, 15.1.4.1
903905-2 : BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances
Links to More Info: BT903905
Component: Access Policy Manager
Symptoms:
The TMM process might eventually run out of memory, which can result in a disruption in BIG-IP services.
Conditions:
-- BIG-IP device has been running for 8 weeks or longer without a TMM restart or system reboot.
-- The BIG-IP system's internal risk-policy subsystem (used by the security features) has not been configured to communicate with an external risk-policy server.
-- In a vCMP configuration, the BIG-IP 'host' instance is susceptible, since no security features can be configured in its context.
-- A BIG-IQ device running any BIG-IQ v8.x release prior to 8.1.0.1 is also susceptible.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.
Fixed Versions:
15.1.0.3
903581-1 : The pkcs11d process cannot recover under certain error condition
Links to More Info: BT903581
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and the HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some cases.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
Fix:
Allow pkcs11d to re-initialize on error.
Fixed Versions:
15.1.2.1
903573 : AD group cache query performance
Links to More Info: BT903573
Component: Access Policy Manager
Symptoms:
Active Directory queries are slow.
Conditions:
-- Active Directory (AD) authentication used
-- There are lots of AD caches in the environment, and users are in deeply nested groups.
Impact:
Active Directory query time can be excessive.
Fix:
Improved AD cache optimization.
Fixed Versions:
15.1.4
903561-3 : Autodosd returns small bad destination detection value when the actual traffic is high
Links to More Info: BT903561
Component: Advanced Firewall Manager
Symptoms:
The bad destination detection threshold does not accurately reflect the actual traffic pattern.
Conditions:
-- Bad destination detection is enabled in fully automatic mode.
-- Actual traffic is high.
Impact:
A small bad destination detection value is returned.
Workaround:
None.
Fix:
Fixed the threshold update algorithm.
Fixed Versions:
14.1.4, 15.1.3
903357-2 : Bot Defense profile list loads too slowly when there are 750 or more virtual servers
Links to More Info: BT903357
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot Defense profile is attached to hundreds of virtual servers. With 750 or more virtual servers attached, the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1.1
902485-3 : Incorrect pool member concurrent connection value
Links to More Info: BT902485
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table.
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
902417-2 : Configuration error caused by Drafts folder in a deleted custom partition★
Links to More Info: BT902417
Component: TMOS
Symptoms:
Error during config load because the Drafts folder associated with a custom partition still exists after the partition has been deleted.
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create a draft policy under a custom partition, then delete the partition.
Impact:
Impacts the software upgrade.
Workaround:
Remove the Drafts folder configuration from bigip_base.conf, or run "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing the partition.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
902401-5 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device
Links to More Info: BT902401
Component: TMOS
Symptoms:
The ospfd process generates a core.
Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.
Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.
Workaround:
None.
Fix:
OSPF no longer cores when 'clear ip ospf' is run on a remote device.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
901929-2 : GARPs not sent on virtual server creation
Links to More Info: BT901929
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
Fix:
GARPs are now sent when a virtual server is created.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
901061-2 : Safari browser might be blocked when using Bot Defense profile and related domains.
Links to More Info: BT901061
Component: Application Security Manager
Symptoms:
Following the fix for ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), requests might be blocked when navigating to a related domain using Safari.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
Fix:
Set the cookie so all requests in the target domain will contain it.
Fixed Versions:
14.1.2.8, 15.1.1, 16.0.1
901041-3 : CEC update using incorrect method of determining number of blades in VIPRION chassis★
Links to More Info: BT901041
Component: Traffic Classification Engine
Symptoms:
The script used for the Traffic Intelligence CEC (Classification Engine Core) hitless upgrade fails to install the package on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
Fixed Versions:
15.1.4, 16.0.1.2
900933-1 : IPsec interoperability problem with ECP PFS
Links to More Info: BT900933
Component: TMOS
Symptoms:
IPsec tunnels fail to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) are used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.0.1.2
900797-2 : Brute Force Protection (BFP) hash table entry cleanup
Links to More Info: BT900797
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP address and username.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the least recently used (LRU) entry is removed.
Under sustained load, entries for entities that are already being mitigated may therefore keep being evicted from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum combined size of all the hash tables, which is divided among the virtual servers that receive traffic and have BFP enabled.
In the latter case, with too many virtual servers, each hash table may reach its maximum capacity.
Impact:
Entries for mitigated entities that keep being removed from the hash table by new entries may result in attacks not being mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-1 : APM Brute Force Protection resources do not scale automatically
Links to More Info: K32055534, BT900793
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual servers (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-2 : Alert before Brute Force Protection (BFP) hash tables are fully utilized
Links to More Info: BT900789
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP address and username. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the least recently used (LRU) entry is removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
Fixed Versions:
13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
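The following is an added example, not BIG-IP code, that models the per-virtual-server BFP hash table described in ID 900797 and ID 900789: the sizing rule for a non-zero external_entity_hash_size, LRU eviction that can drop a mitigated entry under churn from many distinct failed logins, the fixed behaviour that keeps mitigated entries, and a utilization warning of the kind ID 900789 adds. Capacity, threshold, warning level and the IP keys are constructed values.

```python
"""Model of the Brute Force Protection (BFP) hash table described in IDs 900797
and 900789: a fixed-size, per-virtual-server table of failed-login counters with
LRU eviction. Added example; the sizing rule and eviction behaviour follow the
bug entries, the thresholds and keys are constructed."""
from collections import OrderedDict
from typing import Dict, List, Tuple


def per_vs_capacity(external_entity_hash_size: int, active_bfp_vs: int) -> int:
    """Sizing rule from ID 900797 for a non-zero external_entity_hash_size:
    the parameter is the combined size of all tables, shared among the virtual
    servers that receive traffic and have BFP enabled."""
    if active_bfp_vs <= 0:
        raise ValueError("need at least one virtual server with traffic and BFP")
    return max(1, external_entity_hash_size // active_bfp_vs)


class BfpTable:
    def __init__(self, capacity: int, threshold: int,
                 keep_mitigated: bool = False, warn_at: float = 0.9):
        self.capacity = capacity
        self.threshold = threshold            # failed logins before mitigation
        self.keep_mitigated = keep_mitigated  # True models the fix in 900797
        self.warn_at = warn_at                # utilization that triggers the warning
        self.entries: "OrderedDict[str, Dict]" = OrderedDict()  # oldest first
        self.evicted_mitigated = 0
        self.warnings: List[str] = []

    def utilization(self) -> float:
        return len(self.entries) / self.capacity

    def _evict(self) -> bool:
        """Old behaviour: drop the least recently used entry, mitigated or not.
        Fixed behaviour: skip mitigated entries when choosing the victim."""
        for key in list(self.entries):
            entry = self.entries[key]
            if self.keep_mitigated and entry["mitigated"]:
                continue
            if entry["mitigated"]:
                self.evicted_mitigated += 1
            del self.entries[key]
            return True
        return False   # every entry is mitigated; nothing evictable

    def failed_login(self, key: str) -> bool:
        """Record one failed login for an IP or username key; return whether
        that key is now mitigated."""
        if key in self.entries:
            self.entries.move_to_end(key)             # mark most recently used
        else:
            if len(self.entries) >= self.capacity and not self._evict():
                return False                          # table saturated; key not tracked
            self.entries[key] = {"fails": 0, "mitigated": False}
        entry = self.entries[key]
        entry["fails"] += 1
        if entry["fails"] >= self.threshold:
            entry["mitigated"] = True
        if self.utilization() >= self.warn_at and not self.warnings:
            # What 900789 adds: announce the table state before entries are dropped
            self.warnings.append(
                f"BFP hash table at {len(self.entries)}/{self.capacity} entries")
        return entry["mitigated"]

    def is_mitigated(self, key: str) -> bool:
        entry = self.entries.get(key)
        return bool(entry and entry["mitigated"])


def simulate(keep_mitigated: bool, capacity: int = 8, threshold: int = 3,
             churn: int = 50) -> Tuple[bool, int, bool]:
    """One attacker crosses the threshold, then `churn` distinct IPs each fail
    once (the 'numerous failed logins all the time' case). Returns
    (attacker still mitigated, mitigated entries evicted, warning raised)."""
    table = BfpTable(capacity, threshold, keep_mitigated)
    attacker = "ip:203.0.113.7"
    for _ in range(threshold):
        table.failed_login(attacker)
    for i in range(churn):
        table.failed_login(f"ip:198.51.100.{i}")
    return table.is_mitigated(attacker), table.evicted_mitigated, bool(table.warnings)


if __name__ == "__main__":
    print("per-VS capacity for 1,000,000 shared over 400 virtual servers:",
          per_vs_capacity(1_000_000, 400))
    print("old eviction (attacker mitigated, mitigated evicted, warned):",
          simulate(keep_mitigated=False))
    print("fixed eviction:", simulate(keep_mitigated=True))
```

With the old eviction the attacker's entry is the least recently used once the table fills with one-off failures, so it is dropped and the attacker is no longer mitigated; with mitigated entries pinned, a non-mitigated entry is evicted instead. Setting external_entity_hash_size to 0, as the workaround for ID 900793 describes, removes the fixed per-virtual-server division that makes this saturation likely.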
899009 : Azure Active Directory deployment fails on BIG-IP 15.1
Links to More Info: BT899009
Component: Access Policy Manager
Symptoms:
In restnoded.log you see an error:
severe: [[azureUtils] ] Cannot get key data. Worker not available :/tm/access/certkey-file-helper/available, details: URI path /tm/access/certkey-file-helper/available not registered. Please verify URI is supported and wait for /available suffix to be responsive.
Conditions:
Azure Active Directory is enabled.
Impact:
Azure Active Directory cannot be deployed on BIG-IP 15.1.
Fixed Versions:
15.1.2.1
898997-2 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Links to More Info: BT898997
Component: Service Provider
Symptoms:
GTP message parsing fails, and log messages such as the following may be observed:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- A GTP profile is applied to a virtual server, or the GTP::parse command is used.
- A GTP message contains an information element (IE) larger than 2048 bytes.
Impact:
- Message parsing fails; traffic may be interrupted.
Fix:
The GTP profile and the GTP::parse iRule command now support IEs larger than 2048 bytes.
Fixed Versions:
14.1.2.7, 15.1.1, 16.0.1
898929-4 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
14.1.4.5, 15.1.5
898741-2 : Missing critical files causes FIPS-140 system to halt upon boot
Links to More Info: BT898741
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
Fixed Versions:
14.1.2.7, 15.1.1
898705-5 : IPv6 static BFD configuration is truncated or missing
Links to More Info: BT898705
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
898461-2 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Links to More Info: BT898461
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
Fix:
These iRule commands are now available within these iRule events.
Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1.1
898441-1 : Enable logging of IKE keys
Links to More Info: BT898441
Component: TMOS
Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.
Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- Debug level logging is enabled.
Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.
Workaround:
None, although the remote peer may log this information.
Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.
Fixed Versions:
14.1.4.4, 15.1.4
898365-1 : XML Policy cannot be imported
Links to More Info: BT898365
Component: Application Security Manager
Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.
Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.
Impact:
Such a policy cannot be imported.
Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>
Fix:
XML Policy export generates files that correctly correspond to the expected schema and can be imported.
Fixed Versions:
15.1.4
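The workaround above can be applied mechanically. The following is an added example (not F5 code and not part of this release note) that removes every <mandatory_body> and <operation_id> element, at any depth, from an exported policy file. The sample policy XML is constructed; the element names in it other than the two named in the workaround are assumptions, not the real ASM export schema.

```python
"""Remove the <mandatory_body> and <operation_id> elements that ID 898365 says
make an exported ASM XML policy fail to import. Added example; the sample
policy XML is constructed and is not a real ASM export."""
import xml.etree.ElementTree as ET
from typing import Iterable, Set, Tuple

STRIP_TAGS = ("mandatory_body", "operation_id")


def strip_elements(xml_text: str, tags: Iterable[str] = STRIP_TAGS) -> Tuple[str, int]:
    """Delete every element whose tag is in `tags`, wherever it appears, and
    return (cleaned XML, number of elements removed). Comments, the XML
    declaration and any DOCTYPE are not preserved by ElementTree; re-add them
    if the importer requires them."""
    tags = set(tags)
    root = ET.fromstring(xml_text)
    # ElementTree elements carry no parent pointer, so collect (parent, child)
    # pairs first and prune afterwards instead of mutating during iteration.
    victims = [(parent, child) for parent in root.iter() for child in parent
               if child.tag in tags]
    for parent, child in victims:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(victims)


def clean_policy_file(src: str, dst: str) -> int:
    """Rewrite an exported policy file with the offending elements removed.
    Writes UTF-8 with an XML declaration; returns the removal count."""
    with open(src, encoding="utf-8") as f:
        cleaned, removed = strip_elements(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n' + cleaned + "\n")
    return removed


def remaining_tags(xml_text: str) -> Set[str]:
    """Helper for checks: the set of element tags present in the document."""
    return {el.tag for el in ET.fromstring(xml_text).iter()}


# Constructed sample: a policy with metacharacter and method overrides on one URL.
SAMPLE_POLICY = """<policy name="demo_policy">
  <urls>
    <url name="/login" protocol="HTTP">
      <mandatory_body>true</mandatory_body>
      <operation_id>login-post</operation_id>
      <metachar_overrides><metachar value="0x3c" enabled="true"/></metachar_overrides>
      <method_overrides><method name="POST" enabled="true"/></method_overrides>
    </url>
    <url name="/" protocol="HTTP"><operation_id>root</operation_id></url>
  </urls>
</policy>"""


if __name__ == "__main__":
    cleaned, removed = strip_elements(SAMPLE_POLICY)
    print(f"removed {removed} element(s)")
    print(cleaned)
```

Run clean_policy_file("policy_export.xml", "policy_import.xml") on the real export, then import the cleaned file; keep the original so the removed override details can be re-entered in the policy after import.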
898093-2 : Removing one member from a WideIP removes it from all WideIPs.
Links to More Info: BT898093
Component: Global Traffic Manager (DNS)
Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.
Conditions:
Use the 'Remove' button.
Impact:
Unintended configuration changes via GUI.
Workaround:
Use the 'Manage' button, rather than the 'Remove' button.
Fixed Versions:
15.1.1
897509-1 : IPsec SAs are missing on HA standby, leading to packet drops after failover
Links to More Info: BT897509
Component: TMOS
Symptoms:
IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.
Conditions:
-- HA mirroring is configured
-- IKEv2 tunnels are started
Impact:
During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.
Workaround:
None
Fix:
IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is only supported when IKEv2 tunnels are in use.
Fixed Versions:
15.1.4.1
896917 : The fw_zone_stat 'Hits' field may not increment in some scenarios
Links to More Info: BT896917
Component: Advanced Firewall Manager
Symptoms:
The fw_zone_stat 'Hits' field does not reflect the current stats.
Conditions:
When the firewall rule has multiple VLANs defined as destinations (in a zone).
Impact:
The fw_zone_stat 'Hits' counter does not increment for any of the VLANs in the zone.
Workaround:
None.
Fixed Versions:
15.1.0.5
896861-2 : PTR query enhancement for RESOLVER::name_lookup
Links to More Info: BT896861
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLVER::name_lookup does not perform reverse-domain mapping for PTR queries.
Conditions:
Performing a PTR query with RESOLVER::name_lookup requires additional iRule logic.
Impact:
Additional iRule code is needed to convert an IP address into its reverse-mapped name before a PTR query works.
Workaround:
Use iRule code to convert the IP address into its reverse-mapped name before calling RESOLVER::name_lookup.
Fix:
RESOLVER::name_lookup now performs IP address reverse mapping for PTR queries.
Fixed Versions:
15.1.3, 16.0.1.1
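The conversion the workaround refers to is deterministic. The following is an added example, written in Python rather than in iRule Tcl and not part of this release note, that builds the reverse-mapped owner name for both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa, all 32 nibbles of the expanded address) and parses such a name back to an address for validating answers; an iRule on a release without the fix has to perform the same steps in Tcl.

```python
"""Build the reverse-mapping owner name a PTR query needs, which is the
conversion ID 896861 says an iRule must perform before calling
RESOLVER::name_lookup on releases without the fix. Added example in Python;
the Tcl iRule has to implement the same steps."""
import ipaddress


def ptr_name(address: str) -> str:
    """IPv4: octets reversed under in-addr.arpa.
    IPv6: all 32 nibbles of the zero-padded address reversed under ip6.arpa
    (a compressed form such as 2001:db8::1 must be expanded first, or the
    name comes out short and the query fails)."""
    ip = ipaddress.ip_address(address)        # ValueError on anything else
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")    # exactly 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip_from_ptr(name: str) -> str:
    """Inverse mapping, useful when validating a PTR answer: accept only a
    complete in-addr.arpa (4 labels) or ip6.arpa (32 labels) owner name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        if any(len(lab) != 1 for lab in labels[:32]):
            raise ValueError(f"ip6.arpa labels must be single nibbles: {name}")
        hexstr = "".join(reversed(labels[:32]))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a complete PTR owner name: {name}")


if __name__ == "__main__":
    for addr in ("192.0.2.1", "2001:db8::1"):
        name = ptr_name(addr)
        print(addr, "->", name, "->", ip_from_ptr(name))
```

The round trip through ip_from_ptr is the check to apply to a resolver's answer before trusting it: a truncated or partial owner name (a classless or delegated-only reverse zone, or a compressed IPv6 form that was not expanded) is rejected instead of being mapped to the wrong address.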
896817-2 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Links to More Info: BT896817
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
896709-3 : Add support for Restart Desktop for webtop in VMware VDI
Links to More Info: BT896709
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
896553-3 : On blade failure, some trunked egress traffic is dropped.
Links to More Info: BT896553
Component: TMOS
Symptoms:
When a blade fails (but is not administratively disabled), other blades take 10 seconds (configured with the db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic that used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default).
Workaround:
Attach interfaces to all blades.
Fix:
Failed blades are detected within a second.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
896473-2 : Duplicate internal connections can tear down the wrong connection
Links to More Info: BT896473
Component: TMOS
Symptoms:
Handling of duplicate internal connections can tear down and clean up the newest connection. Instead it should always remove the oldest.
Conditions:
When internal connections are re-established.
Impact:
The cleanup of previous connections may incorrectly tear down the new connection. Error messages are reported in the log when this happens, for example:
Duplicate connections between BCM56XXD1 and stpd7749-2. Closing the new one.
Workaround:
None.
Fix:
The system now always removes the oldest connection.
Fixed Versions:
15.1.3
896285-2 : No parent entity in suggestion to add predefined-filetype as allowed filetype
Links to More Info: BT896285
Component: Application Security Manager
Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.
Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.
Impact:
No parent entity appears in the suggestion.
Workaround:
None.
Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain the parent entity.
Fixed Versions:
14.1.2.7, 15.1.2, 16.0.1.1
896217-2 : BIG-IP GUI unresponsive
Links to More Info: BT896217
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
896125-2 : Reuse Windows Logon Credentials feature does not work with modern access policies
Links to More Info: BT896125
Component: Access Policy Manager
Symptoms:
Users on Windows computers are not automatically logged on to the Edge client using their previously entered Microsoft Windows credentials; instead, they are prompted with a logon page to enter the credentials.
Conditions:
-- Access policy "customization type" is set to "modern".
-- In connectivity profile, click Customize Package :: Windows.
-- Under Available Components, select the check box to enable User Logon Credentials Access Service.
Impact:
Unable to automatically log on to the Edge client; the user is prompted for credentials.
Workaround:
Use standard access policy in the virtual server.
Fixed Versions:
15.1.4
895837-3 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Links to More Info: BT895837
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core file, causing services to restart and a failover.
Workaround:
None.
Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.
Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1
895781-2 : Round Robin disaggregation does not disaggregate globally
Links to More Info: BT895781
Component: TMOS
Symptoms:
Traffic is not disaggregated uniformly as expected.
Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.
Impact:
Some TMMs may use relatively more CPU.
Workaround:
None.
Fix:
Traffic is now disaggregated uniformly in a round robin fashion.
Fixed Versions:
15.1.4
895557-2 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry return errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule that, among other things, checks whether an HTTP::cookie exists. If a profile such as HTTP is configured with a redirect/respond/retry, this results in a TCL error informing the admin that an invalid HTTP state is being accessed.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for example, HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
A Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example:
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
895153 : HTTP::has_responded returns incorrect values when using HTTP/2
Links to More Info: BT895153
Component: Local Traffic Manager
Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always returns the value 'false'.
Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.
Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.
Workaround:
None.
Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.
Fixed Versions:
14.1.3.1, 15.1.2
894885-3 : [SAML] SSO crash while processing client SSL request
Links to More Info: BT894885
Component: Access Policy Manager
Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.
Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.
Conditions:
SAML SSO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.
Fixed Versions:
14.1.4.2, 15.1.4
894565-1 : Autodosd.default crash with SIGFPE
Links to More Info: BT894565
Component: Access Policy Manager
Symptoms:
The autodosd process crashes occasionally due to a division by zero.
Conditions:
This happens when the autodosd process receives a zero value from tmm.
Impact:
The autodosd process is restarted.
Fix:
The autodosd process no longer crashes with SIGFPE.
Fixed Versions:
14.1.4, 15.1.3
893885-3 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
Links to More Info: BT893885
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.
Fixed Versions:
14.1.4, 15.1.3
893721-2 : PEM-provisioned systems may suffer random tmm crashes after upgrading★
Links to More Info: BT893721
Component: Traffic Classification Engine
Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/.
Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
Fixed Versions:
14.1.4.2, 15.1.4
893281-3 : Possible ssl stall on closed client handshake
Links to More Info: BT893281
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing the client SSL handshake, in some cases BIG-IP SSL does not close and the connection remains until the idle timeout.
Conditions:
The client SSL handshake and the client FIN must arrive while the BIG-IP server-side SSL Finished message is still in crypto processing.
Impact:
Some SSL client connections remain until the idle timeout.
Fix:
The system now allows transmission of any pending crypto output during SSL shutdown.
Fixed Versions:
14.1.2.7, 15.1.0.5
893061-2 : Out of memory for restjavad
Links to More Info: BT893061
Component: Application Security Manager
Symptoms:
The REST framework is not available due to an out-of-memory error.
Conditions:
A long list of Live Update installations.
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase the memory assigned to the Linux host (the value depends on the platform):
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1
892941-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555, BT892941
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
14.1.4, 15.1.2, 16.0.1.1
892937-2 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Links to More Info: K20105555, BT892937
Component: Access Policy Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fixed Versions:
14.1.4, 15.1.1, 16.0.1
892677-1 : Loading config file with imish adds the newline character
Links to More Info: BT892677
Component: TMOS
Symptoms:
While loading configuration from a file with IMISH ('imish -f <f_name>'), the newline character gets copied to the end of each line, which causes problems with commands containing regular expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regular expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
892653-1 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Links to More Info: BT892653
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI.
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
Fix:
The Maximum Query String Size and Maximum Request Size fields are now shown in the GUI when the Splunk Logging Format is selected.
Fixed Versions:
14.1.2.7, 15.1.0.5, 16.0.1