BIG-IP Release Information

Version: 16.0.0
Build: 12.0

Known Issues in BIG-IP v16.0.x

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
912221	CVE-2020-12662 CVE-2020-12663	K37661551	CVE-2020-12662 & CVE-2020-12663
909237	CVE-2020-8617	K05544642	CVE-2020-8617: BIND Vulnerability
909233	CVE-2020-8616	K97810133	DNS Hardening
871633	CVE-2020-5859	K61367237	TMM may crash while processing HTTP/3 traffic
852445	CVE-2019-6477	K15840535	Big-IP : CVE-2019-6477 BIND Vulnerability
846917	CVE-2019-10744	K47105354	lodash Vulnerability: CVE-2019-10744
846365	CVE-2020-5878	K35750231	TMM may crash while processing IP traffic
839453	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
838677	CVE-2019-10744	K47105354	lodash library vulnerability CVE-2019-10744
830401	CVE-2020-5877	K54200228	TMM may crash while processing TCP traffic with iRules
819197	CVE-2019-13135	K20336394	BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189	CVE-2019-13136	K03512441	BIGIP: CVE-2019-13136 ImageMagick vulnerability
873469	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
864109	CVE-2020-5889	K24415506	APM Portal Access: Base URL may be set to incorrectly
842829	CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468	K04367730	Multiple tcpdump vulnerabilities
838881	CVE-2020-5853	K73183618	APM Portal Access Vulnerability: CVE-2020-5853
832021	CVE-2020-5888	K73274382	Port lockdown settings may not be enforced as configured
832017	CVE-2020-5887	K10251014	Port lockdown settings may not be enforced as configured
829121	CVE-2020-5886	K65720640	State mirroring default does not require TLS
829117	CVE-2020-5885	K17663061	State mirroring default does not require TLS
825449	CVE-2020-5884	K72540690	State mirroring default does not require TLS
816413	CVE-2019-1125	K31085564	CVE-2019-1125: Spectre SWAPGS Gadget
789921	CVE-2020-5881	K03386032	TMM may restart while processing VLAN traffic
887637	CVE-2019-3815	K22040951	Systemd-journald Vulnerability: CVE-2019-3815
868097	CVE-2020-5891	K58494243	TMM may crash while processing HTTP/2 traffic
846157	CVE-2020-5862	K01054113	TMM may crash while processing traffic on AWS
823893	CVE-2020-5890	K03318649	Qkview may fail to completely sanitize LDAP bind credentials
818177	CVE-2019-12295	K06725231	CVE-2019-12295 Wireshark Vulnerability
755785	CVE-2018-16658	K40523020	CVE-2018-16658 kernel: Information leak in cdrom_ioctl_drive_status
748122	CVE-2018-15333	K53620021	BIG-IP Vulnerability CVE-2018-15333
746091	CVE-2019-19151	K21711352	TMSH Vulnerability: CVE-2019-19151
858537	CVE-2019-1010204	K05032915	CVE-2019-1010204: Binutilis Vulnerability
760723	CVE-2015-4037	K64765350	Qemu Vulnerability
905905	CVE-2020-5904	K31301245	TMUI CSRF vulnerability CVE-2020-5904
895881	CVE-2020-5903	K43638305	BIG-IP TMUI XSS vulnerability CVE-2020-5903
895993	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895981	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
900757	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902
895525	CVE-2020-5902	K52145254	TMUI RCE vulnerability CVE-2020-5902

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
876937	1-Blocking		DNS Cache not functioning
867257	2-Critical		CONNECT_RESET_ERROR is reported when Subroutine Timeout is reached for HTTP connections
816233	2-Critical		Session and authentication cookies should use larger character set
890421	3-Major		New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★
890229	3-Major		Source port preserve setting is not honoured
889505-1	3-Major		Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available
888569-1	3-Major		Added PBA stats for total number of free PBAs, and percent free PBAs
883597	3-Major		Add a way to look up URLs in one specified custom category
870389	3-Major		Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
867793	3-Major		BIG-IP sending the wrong trap code for BGP peer state
867633	3-Major		Need to be able to set a higher Subroutine timeout value
866073	3-Major		Add option to exclude stats collection in qkview to avoid very large data files
859089	3-Major		TMSH allows SFTP utility access
858229	3-Major		XML with sensitive data gets to the ICAP server
858189	3-Major		Make restnoded/restjavad/icrd timeout configurable with sys db variables.
837837	3-Major		SSH Client Requirements Hardening
788757	3-Major		Multicast bridging over L2 wire transparent vlan-group (LACP STP LLDP)
691499	3-Major		GTP::ie primitives in iRule to be certified
663946	3-Major		The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
811057	4-Minor		Message Routing Framework Improvement: Added source port mode to transport config
751032	4-Minor		TCP receive window may open too slowly after zero-window
745465	4-Minor		The tcpdump file does not provide the correct extension
743726	4-Minor		GTM virtual server status shows incorrect monitor IP address

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
882557	1-Blocking		TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
864513	1-Blocking	K48234609	ASM policies may not load after upgrading to 14.x or later from a previous major version★
860245	1-Blocking		SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x
858173	1-Blocking		SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1
851733	1-Blocking		Tcpdump messages (warning, error) are sent to stdout instead of stderr
891477-1	2-Critical		No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
884921	2-Critical		Tcpdump capture with very large packet (size close to 65535 bytes) can cause tmm to core
882757	2-Critical		sflow_agent crash SIGABRT in the cleanup flow
876957	2-Critical		Reboot after tmsh load sys config changes sys FPGA firmware-config value
872673	2-Critical		TMM can crash when processing SCTP traffic
865329	2-Critical		WCCP crashes on "ServiceGroup size exceeded" exception
860517	2-Critical		MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
860349	2-Critical		Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
854493	2-Critical		Kernel page allocation failures messages in kern.log
849405	2-Critical		LTM v14.1.2.1 does not log after upgrade★
842865	2-Critical		Add support for Auto MAC configuration (ixlv)
841953	2-Critical		A tunnel can be expired when going offline, causing tmm crash
841577	2-Critical		iControl REST hardening
841333	2-Critical		TMM may crash when tunnel used after returning from offline
831821	2-Critical		Corrupted DAG packets causes bcm56xxd core on VCMP host
829677	2-Critical		.tmp files in /var/config/rest/ may cause /var directory exhaustion
829277	2-Critical		A Large /config folder can cause memory exhaustion during live-install★
811701	2-Critical		AWS instance using xnet driver not receiving packets on an interface.
811149	2-Critical		Remote users are unable to authenticate via serial console.
808277	2-Critical		Root's crontab file may become empty
805417	2-Critical		Unable to enable LDAP system auth profile debug logging
796601	2-Critical		Invalid parameter in errdefsd while processing hostname db_variable
788057	2-Critical		MCPD may crash while processing syncookies
605675	2-Critical		Sync requests can be generated faster than they can be handled
593536	2-Critical	K64445052	Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
914081	3-Major		Engineering Hotfixes missing bug titles
896553	3-Major		On blade failure, some trunked egress traffic is dropped.
896473	3-Major		Duplicate internal connections can tear down the wrong connection
895781	3-Major		Round Robin disaggregation does not disaggregate globally
891721	3-Major		Anti-Fraud Profile URLs with query strings do not load successfully
891337	3-Major		'save_master_key(master): Not ready to save yet' errors in the logs
880009	3-Major		Tcpdump does not export the TLS1.3 early secret
879001	3-Major		LDAP data is not updated consistently which might affect authentication.
878893	3-Major		During system shutdown it is possible the for sflow_agent to core
877145	3-Major		Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException
873641	3-Major		Re-offloading of TCP flows to hardware does not work
871657	3-Major		Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867181	3-Major		ixlv: double tagging is not working
867013	3-Major		Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
866925	3-Major		The TMM pages used and available can be viewed in the F5 system stats MIB
865241	3-Major		Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
864321	3-Major		Default Apache testing page is reachable at <mgmt-ip>/noindex
862693	3-Major		PAM_RHOST not set when authenticating BIG-IP using iControl REST
860317	3-Major		JavaScript Obfuscator can hang indefinitely
858769	3-Major		Net-snmp library must be upgraded to 5.8 in order to support SHA-2
856953	3-Major		IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
853161	3-Major		Restjavad has different behavior for error responses if the body is over 2k
852001	3-Major		High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
851785	3-Major		BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851393	3-Major		Tmipsecd leaves a zombie rm process running after starting up
850997	3-Major		'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
850777	3-Major		BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
850357	3-Major		LDAP - tmsh cannot add config to nslcd.conf
849157	3-Major		An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck
846441	3-Major		Flow-control is reset to default for secondary blade's interface
846137	3-Major		The icrd returns incorrect route names in some cases
845057	3-Major		Azure walinuxagent has been updated to v2.2.42.
843597	3-Major		Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842189	3-Major		Tunnels removed when going offline are not restored when going back online
842125	3-Major		Unable to reconnect outgoing SCTP connections that have previously aborted
841721	3-Major		BWC::policy detach appears to run, but BWC control is still enabled
841649	3-Major		Hardware accelerated connection mismatch resulting in tmm core
841277	3-Major		C4800 LCD fails to load after annunciator hot-swap
838901	3-Major		TMM receives invalid rx descriptor from HSB hardware
838297	3-Major		Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
832665	3-Major		The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
830717-1	3-Major		Appdata logical volume cannot be resized for some cloud images★
830481	3-Major		SSL TMUI hardening
829317	3-Major		Memory leak in icrd_child due to concurrent REST usage
829193	3-Major		REST system unavailable due to disk corruption
828873-1	3-Major		Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
827293	3-Major		TMM may crash running remote tcpdump
826265	3-Major		The SNMPv3 engineBoots value restarts at 1 after an upgrade
821309	3-Major		After an initial boot, mcpd has a defunct child "systemctl" process
819261	3-Major		Log HSB registers when parts of the device becomes unresponsive
816229	3-Major		Kernel Log Messages Logged Twice
815921	3-Major		Fix martian addresses as per RFC6890
812981	3-Major		MCPD: memory leak on standby BIG-IP device
812493	3-Major		When engineID is reconfigured, snmp and alert daemons must be restarted★
811789	3-Major		Device trust UI hardening
811053	3-Major		REBOOT REQUIRED prompt appears after failover and clsh reboot
810821	3-Major		Management interface flaps after rebooting the device
810381	3-Major		The SNMP max message size check is being incorrectly applied.
809657	3-Major		HA Group score not computed correctly for an unmonitored pool when mcpd starts
807005	3-Major		Save-on-auto-sync is not working as expected with large configuration objects
803237	3-Major		PVA does not validate interface MTU when setting MSS
802685	3-Major		Unable to configure performance HTTP virtual server via GUI
802281	3-Major		Gossip shows active even when devices are missing
795649	3-Major		Loading UCS from one iSeries model to another causes FPGA to fail to load
793121	3-Major		Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
789181	3-Major		Link Status traps are not issued on VE based BIG-IP systems
785741	3-Major	K19131357	Unable to login using LDAP with 'user-template' configuration
784733-5	3-Major		GUI LTM Stats page freezes for large number of pools
767737	3-Major		Timing issues during startup may make an HA peer stay in the inoperative state
760622	3-Major		Allow Device Certificate renewal from BIG-IP Configuration Utility
755197	3-Major		UCS creation might fail during frequent config save transactions
754932	3-Major		New SNMP MIB, sysVlanIfcStat, for vlan statistics.
754924	3-Major		New vlan statistics added.
746861	3-Major		SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★
746758	3-Major		Qkview produces core file if interrupted while exiting
743234	3-Major		Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
742628	3-Major	K53843889	Tmsh session initiation adds increased control plane pressure
737098	3-Major		ASM Sync does not work when the configsync IP address is an IPv6 address
719555-2	3-Major		Interface listed as 'disable' after SFP insertion and enable
718230	3-Major		Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
639606	3-Major		If mcpd fails to load DNSSEC keys then signing does not happen and no error logged
627760	3-Major		gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
569859	3-Major		Password policy enforcement for root user when mcpd is not available
539385	3-Major		When logging, if the length of argument value is very long, log buffer overflows.
440599	3-Major		Added DB Variable to configure 'difok' variable in password policy
884165	4-Minor		Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
882713	4-Minor		BGP SNMP trap has the wrong sysUpTime value
880325	4-Minor		Change help text for Untrusted Cert Response Control and Expired Cert Response Control in ServerSSL OLH
878469	4-Minor		System uptime in bgpBackwardTransNotification is incorrect
856961	4-Minor		INTEL-SA-00201 MCE vulnerability CVE-2018-12207
853101	4-Minor		ERROR: syntax error at or near 'FROM' at character 17
851017	4-Minor		Running service --status-all hangs on db5 errror
846521	4-Minor		Config script does not refresh management address entry properly when alternating between dynamic and static
831293	4-Minor		SNMP address-related GET requests slow to respond.
819429	4-Minor		Unable to scp to device after upgrade: path not allowed
818297-1	4-Minor		OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
804309	4-Minor		[api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
802421-1	4-Minor		The /var partition may become 100% full requiring manual intervention to clear space
774617	4-Minor		SNMP daemon reports integer truncation error for values greater than 32 bits
755317	4-Minor		/var/log logical volume may run out of space due to agetty error message in /var/log/secure
726427-1	4-Minor		Linux kernel vulnerability: CVE-2015-8830
722230	4-Minor		Cannot delete FQDN template node if another FQDN node resolves to same IP address
713614	4-Minor		Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)
583084	4-Minor	K15101680	iControl produces 404 error while creating records successfully
849085	5-Cosmetic		Lines with only asterisks filling message and user.log file
767269-6	5-Cosmetic		Linux kernel vulnerability: CVE-2018-16884

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
913537	2-Critical		Memory leak with WebSocket connections
912289	2-Critical		Cannot roll back after upgrading on certain platforms★
908873	2-Critical		Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core
908621	2-Critical		Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to TMM core
889209	2-Critical		Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
886085	2-Critical		TMM may crash while processing UDP traffic
882157	2-Critical		One thread of pkcs11d consumes 100% without any traffic.
879409	2-Critical		TMM core with mirroring traffic due to unexpected interface name length
876801	2-Critical		Tmm crash: invalid route type
870273	2-Critical		TMM may consume excessive resources when processing SSL traffic
868349	2-Critical		TMM may crash while processing iRules with MQTT commands
866481	2-Critical		TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode
864897	2-Critical		TMM may crash when using "SSL::extensions insert"
860881	2-Critical		TMM can crash when handling a compressed response from HTTP server
858429-1	2-Critical		BIG-IP system sending ICMP packets on both virtual wire interface
851857	2-Critical		HTTP 100 Continue handling does not work when it arrives in multiple packets
851581	2-Critical		Server-side detach may crash TMM
851345	2-Critical		The TMM may crash in certain rare scenarios involving HTTP/2
846217	2-Critical		Translucent vlan-groups set local bit in destination MAC address
842937	2-Critical		TMM crash due to failed assertion 'valid node'
842053	2-Critical		Added the ability for the iRule [HTTP::version] command to report HTTP2 and HTTP3 versions
841469	2-Critical		Application traffic may fail after an internal interface failure on a VIPRION system.
839749	2-Critical		Virtual server with specific address list might fail to create via GUI
839401	2-Critical		Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
830797	2-Critical		Standby high availability (HA) device passes traffic through virtual wire
812525	2-Critical	K27551003	HTTP parsing restrictions
763145	2-Critical		TMM Crash when using certain HTTP iRules with HTTP Security Profile
726518	2-Critical		Tmsh show command terminated with CTRL-C can cause TMM to crash.
715032-4	2-Critical		iRulesLX Hardening
705768	2-Critical		dynconfd may core and restart with multiple DNS name servers configured
474797-2	2-Critical		Nitrox crypto hardware may attempt soft reset while currently resetting
895649	3-Major		Improve TCP analytics goodput reports
892073	3-Major		TLS1.3 LTM policy rule based on SSL SNI is not triggered
888113	3-Major		HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy
886737	3-Major		QUIC unable to send stream FIN
886049	3-Major		Mcpd validation for proxy ssl and don't-insert-empty-fragments
883529	3-Major		HTTP/2 Method OPTIONS allows "*" (asterisk) as an only value for :path
883513	3-Major		Support for QUIC and HTTP/3 draft-27
879025	3-Major		When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions
878925	3-Major		SSL connection mirroring failover at end of TLS handshake
873677	3-Major		LTM policy matching does not work as expected
872965	3-Major		HTTP/3 does not support draft-25
872721	3-Major		SSL connection mirroring intermittent failure with TLS1.3
872685	3-Major		Some HTTP/3 streams terminate early
869401	3-Major		With virtual-wire, lldpd warns 'Received LLDPDU from an unknown interface :12.1'
864441	3-Major		OpenSSL vulnerabilities: CVE-2019-1547, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563
863165	3-Major		Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862597	3-Major		Improve MPTCP's SYN/ACK retransmission handling
862557	3-Major		Client-ssl profiles derived from clientssl-quic fail validation
860005	3-Major		Ephemeral nodes/pool members may be created for wrong FQDN name
858301	3-Major	K27551003	HTTP RFC compliance now checks that the authority matches between the URI and Host header
858297	3-Major	K27551003	HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
858285	3-Major	K27551003	HTTP parsing of Request URIs with spaces in them has changed
857845	3-Major		ASSERTs in hudproxy_tcp_repick() converted into an OOPS
853613	3-Major		Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
853145	3-Major		TMM cores in certain scenarios with SSL Forward Proxy Bypass
852953	3-Major		Accept Client Hello spread over multiple QUIC packets
852873-1	3-Major		Proprietary Multicast PVST+ packets are forwarded instead of dropped
852861	3-Major		TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
851789	3-Major		SSL monitors flap with client certs with private key stored in FIPS
851477	3-Major		Memory allocation failures during proxy initialization are ignored leading to TMM cores
851445	3-Major		QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
851353	3-Major		Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
851101	3-Major		Unable to establish active FTP connection with custom FTP filter
851045	3-Major		LTM database monitor may hang when monitored DB server goes down
850973	3-Major		Improve QUIC goodput for lossy links
850933	3-Major		Improve QUIC rate pacing functionality
850873	3-Major		LTM global SNAT sets TTL to 255 on egress.
850145	3-Major		Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
848777	3-Major		Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
848405	3-Major		TMM may consume excessive resources while processing compressed HTTP traffic
847325	3-Major		Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
843105	3-Major		Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)
838353	3-Major		MQTT monitor is not working in route domain.
836661-3	3-Major		Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
834373	3-Major		Possible handshake failure with TLS 1.3 early data
834257	3-Major		TMM may crash when processing HTTP traffic
832885	3-Major		Self-IP hardening
828601	3-Major		IPv6 Management route is preferred over IPv6 tmm route
825245	3-Major		SSL::enable does not work for server side ssl
824433	3-Major		Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
820333	3-Major		LACP working member state may be inconsistent when blade is forced offline
818853	3-Major		Duplicate MAC entries in FDB
818833	3-Major		TCP re-transmission during SYN Cookie activation results in high latency
816881	3-Major		Serverside conection may use wrong VLAN when virtual wire is configured
813701	3-Major		Proxy ARP failure
810533-1	3-Major		SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
809701	3-Major		Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
809597	3-Major		Memory leak in icrd_child observed during REST usage
801497-1	3-Major		Virtual wire with LACP pinning to one link in trunk.
790845	3-Major		An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
788753	3-Major		GATEWAY_ICMP monitor marks node down with wrong error code
786517	3-Major		Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
778841	3-Major		Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
774817	3-Major		ICMP packets are intermittently forwarded out of both VLAN group members
761389	3-Major		Disabled Virtual Server Dropping the Virtual Wire traffic
760406	3-Major		HA connection might stall on Active device when the SSL session cache becomes out-of-sync
760050	3-Major		cwnd warning message in log
758599	3-Major		IPv6 Management route is preferred over IPv6 tmm route
758041	3-Major		Pool Members may not be updated accurately when multiple identical database monitors configured
756101	3-Major		Incorrect stream HTTP statistic values are reported for the TTFB (Time to first byte) fields
724824	3-Major		Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
723306	3-Major		Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
720440-3	3-Major		Radius monitor marks pool members down after 6 seconds
717831	3-Major		TCP4 stack is not supported anymore
717276	3-Major		TMM Route Metrics Hardening
714372	3-Major		Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
709952	3-Major		Disallow DHCP relay traffic to traverse between route domains
705112-7	3-Major		DHCP server flows are not re-established after expiration
608952	3-Major		MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
582666	3-Major		TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0"
859113	4-Minor		Using "reject" iRules command inside "after" may causes core
852373	4-Minor		HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
839245	4-Minor		IPother profile with SNAT sets egress TTL to 255
834217	4-Minor		Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
831813	4-Minor		Improve handling of HTTP/2 GOAWAY frame
824365	4-Minor		Need informative messages for HTTP iRule runtime validation errors
814037	4-Minor		No virtual server name in Hardware Syncookie activation logs.
801705	4-Minor		When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
773253	4-Minor		The BIG-IP may send VLAN failsafe probes from a disabled blade
760695	4-Minor		FastL4 might drop invalid PMTU (ICMP) message
753474	4-Minor		RST cause logging is improved for a specific scenario
751586-2	4-Minor		Http2 virtual does not honour translate-address disabled
750705	4-Minor		LTM logs are filled with error messages while creating/deleting virtual wire configuration
742603	4-Minor		WebSocket Statistics are updated to differentiate between client and server sides
714502	4-Minor		bigd restarts after loading a UCS for the first time

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
856721	3-Major		GUI shows SSL client certificate LDAP authentication module with LTM License
850193	3-Major		Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
905557	2-Critical		Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
850509	2-Critical		'Decryption of the field (privatekey) for object (13079) failed' message
846713	2-Critical		Gtm_add does not restart named
904937	3-Major		Excessive resource consumption in zxfrd
898093	3-Major		Removing one member from a WideIP removes it from all WideIPs.
894081	3-Major		The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
869361	3-Major		Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated
852949	3-Major		GTM SIP Monitors cannot log to /var/log/monitors/
852101	3-Major		Monitor fails.
844689	3-Major		Possible temporary CPU usage increase with unusually large named.conf file
835209	3-Major		External monitors mark objects down
814145	3-Major		GUI SIP monitor fails to create/update when status code is empty
812989	3-Major		Queries with TSIG signatures not matching BIG-IP result in malformed BADSIG answer
807157	3-Major		DNSSEC Key Generation expires if creation of new Generation failed
800265	3-Major		Undefined subroutine in bigip_add_appliance_helper message
789565	3-Major		snmpwalk returns unknown value for gtmServerType
774225	3-Major		mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting
760471	3-Major		GTM iQuery connections may be reset during SSL key renegotiation.
746348	3-Major		On rare occasions, gtmd fails to process probe responses originating from the same system.
724292	3-Major		RRSIG might expire without incrementing external-facing zone SOA serial
716701	3-Major		In iControl REST: Unable to create Topology when STATE name contains space
885869	4-Minor		Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
822393	4-Minor		Prober pool selected on server or data center not being displayed after selection in Internet Explorer
816277	4-Minor		Extremely long nameserver name causes GUI Error
792813	4-Minor		The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received
755084	4-Minor		Typo in named errdefs
774257	5-Cosmetic		tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
898365	2-Critical		XML Policy cannot be imported
879841	2-Critical		Domain cookie same-site option is missing the "None" as value in GUI and rest
868641	2-Critical		Possible TMM crash when disabling bot profile for the entire connection
865981	2-Critical		ASM GUI and REST become unresponsive upon license change
865461	2-Critical		BD crash on specific scenario
865289	2-Critical		TMM crash following DNS resolve with Bot Defense profile
858025	2-Critical		Proactive Bot Defense does not validate redirected paths
857677	2-Critical		Security policy changes are applied automatically after asm process restart
852437	2-Critical	K25037027	Overly aggressive file cleanup causes failed ASU installation
843801	2-Critical		Like-named previous Signature Update installations block Live Update usage after upgrade★
825413	2-Critical		/var/lib/mysql disk is full
892637	3-Major		Microservices cannot be added or modified
888493-1	3-Major		ASM GUI Hardening
888489-1	3-Major		ASM UI hardening
888285	3-Major		Sensitive positional parameter not masked in 'Referer' header value
888261	3-Major		Policy created with declarative WAF does not use updated template.
887261	3-Major		JSON schema validation files created from swagger should support "draft-04" only
884425	3-Major		Creation of new allowed HTTP URL is not possible
883853	3-Major		Bot Defense Profile with staged signatures prevents signature update★
883717	3-Major		BD crash on specific server cookie scenario
883669	3-Major		Memory leak in asm_start due to GTM score update
882377	3-Major		ASM Application Security Editor Role User can update/install ASU
880789	3-Major		ASMConfig Handler undergoes frequent restarts
880753	3-Major		Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
875909	3-Major		Added internal parameter to address Chrome samesite default change
874753	3-Major		Filtering by Bot Categories on Bot Requests Log shows 0 events
874153-1	3-Major		Bot Defense 'Web RootKit' Anomaly False Positive using Seznam.cz Browser on iOS
871905	3-Major		Incorrect masking of parameters in event log
868721	3-Major		Transactions are held for a long time on specific server related conditions
868053	3-Major		Live Update service indicates update available when the latest update was already installed
867825	3-Major		Export/Import on a parent policy leaves children in an inconsistent state
867373	3-Major		Methods Missing From ASM Policy
865897	3-Major		Unexpected reset upon long requests when ip is whitelisted
865065	3-Major		Bot Defense "User Agent Spoofing" Anomaly False Positive using Firefox on Fedora
864761	3-Major		GUI: virtual server from NOT Common partition can be selected during creation policy in Common partition
864677	3-Major		ASM causes high mcpd CPU usage
863609	3-Major		Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
862793	3-Major		ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation
862413	3-Major		Broken layout in Threat Campaigns and Brute Force Attacks pages
857633	3-Major		Attack Type (SSRF) appears incorrectly in REST result
854177	3-Major		ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
853989	3-Major		DOSL7 Logs breaks CEF connector by populating strings into numeric fields
853269	3-Major		Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user
853233	3-Major		GUI: virtual server from Common partition can be selected during policy creation in different partition
853177	3-Major		'Enforcement Mode' in security policy list is shown without value
852429	3-Major		"ASM subsystem error" logged when creating policies
850677	3-Major		Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
850673	3-Major		BD sends bad acks to the bd_agent for configuration
849349	3-Major		Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
849269	3-Major		High CPU usage after Inheritance page opened
848921	3-Major		Config sync failure when importing a Json policy
848757	3-Major		Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload
848445	3-Major		Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
846181	3-Major		Request samples for some of the learning suggestions are not visible
846073	3-Major		Installation of browser challenges fails through Live Update
846057	3-Major		UCS backup archive may include unnecessary files
845933	3-Major		Unused parameters remain after modifying the swagger file of a policy
844373	3-Major		Learning suggestion details layout broken in some browsers
842161	3-Major		Installation of Browser Challenges fails in 15.1.0
841285	3-Major		Sometimes apply policy is stuck in Applying state
839761	3-Major		Response Body preview hardening
839509	3-Major		Incorrect inheritance treatment in Response and Blocking Pages page
839141	3-Major		Issue with 'Multiple of' validation of numeric values
837341	3-Major		Response and Blocking Pages page: Deception Response pages should not be shown in parent policy
833685	3-Major		Idle async handlers can remain loaded for a long time doing nothing
829029	3-Major		Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
812773	3-Major		Add option to insert security headers for fictive URL responses
809125	3-Major		CSRF false positive
802873	3-Major		Manual changes to policy imported as XML may introduce corruption for Login Pages
799749	3-Major		Asm logrotate fails to rotate
793017	3-Major		Files left behind by failed Attack Signature updates are not cleaned
783165	3-Major		Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
779345	3-Major		Security policy import via REST, to replace an existing policy, that is assigned to an LTM VS. May fail on the peer device
778261	3-Major		CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate
742549	3-Major		Cannot create non-ASCII entities in non-UTF ASM policy using REST
681010	3-Major	K33572148	'Referer' is not masked when 'Query String' contains sensitive parameter
640842	3-Major		ASM end user using mobile might be blocked when CSRF is enabled
882769	4-Minor		Request Log: wrong filter applied when searching by Response contains or Response does not contain
879777-1	4-Minor		Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge
875373	4-Minor		Unable to add domain with leading '.' through webUI, but works with tmsh.
864989	4-Minor		Remote logger violation_details field content appears as "N/A" when violations field is not selected.
858445	4-Minor		Missing confirmation dialog for apply policy in new policy pages
850633	4-Minor		Policy with % in name cannot be exported
844813-1	4-Minor		Inaccurate warning message for DNS resolver in bot profile
842265	4-Minor		Create policy: trusted IP addresses from template are not shown
842029	4-Minor		Unable to create policy: Inherited values may not be changed.
841985	4-Minor		TSUI GUI stuck for the same session during long actions
824093	4-Minor		Parameters payload parser issue
756306	4-Minor		"Illegal parameter location" violation is reported for array parameter and for each item
690998	4-Minor		Validation missing when changing Syslog format from valid to invalid selection for DoS Application Protection
756844	5-Cosmetic		No disallowed Geolocation violation detail entry

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
838709	2-Critical		Enabling DoS stats also enables page-load-time
828937	2-Critical	K45725467	Some systems can experience periodic high IO wait due to AVR data aggregation
547550-1	2-Critical		avrd reports incorrect stat values
880157	3-Major		Unable to set SameSite attribute for AVR session cookie
870957	3-Major		"Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161	3-Major		Scheduled reports are sent via TLS even if configured as non encrypted
853537	3-Major		Partial loss of tmstat pool memeber statistics
852577	3-Major		[AVR] Analytic goodput graph between different time period has big discrepancy
838685	3-Major		DoS report exist in per-widget but not under individual virtual
835381	3-Major		HTTP custom analytics profile 'not found' when default profile is modified
833113	3-Major		Avrd core when sending large messages via https
832805	3-Major		AVR should make sure file permissions are correct (tmstat_tables.xml)
830073	3-Major		AVRD may core when restarting due to data collection device connection timeout
787677	3-Major		AVRD stays at 100% CPU constantly on some systems
865053	4-Minor		AVRD core due to a try to load vip lookup when AVRD is down
863069	4-Minor		Avrmail timeout is too small

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
903905	2-Critical		Default configuration of security mechanism causes memory leak in TMM
903257	2-Critical		GUI issues for Access :: Profiles/Policies : Customization : General Customization or Advanced Customization
902141	2-Critical		TMM may crash while processing APM data
891505	2-Critical		TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
889477	2-Critical		Modern customization does not enforce validation at password changing
886729	2-Critical		Intermittent TMM crash in per-request-policy allow-ending agent
882545	2-Critical		Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly
880073	2-Critical		Memory leak on every DNS query made for "HTTP Connector" agent
879401	2-Critical		Memory corruption during APM SAML SSO
876393	2-Critical		General database error while creating Access Profile via the GUI
874949	2-Critical		TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.
871761	2-Critical		Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
871653	2-Critical		Access Policy cannot be created with 'modern' customization
860617	2-Critical		Radius sever pool without attaching the load balancing algorithm will result into core
858349	2-Critical		TMM may crash while processing SAML SLO traffic
838861	2-Critical		TMM might crash once after upgrading SSL Orchestrator★
817137	2-Critical		SSO setting for Portal Access resources in webtop sections cannot be updated.
756540	2-Critical		End-user may not be able to connect to VPN.
579219	2-Critical		Access keys missing from SessionDB after multi-blade reboot.
554978	2-Critical		Multiple HTTP Host headers may circumvent SWG URL Filter Policy
387290	2-Critical		Multidomain SSO shows login page when switching to webtop virtual server
904165	3-Major		APMD may crash while processing certain parameters
884797	3-Major		Portal Access: in some cases data is not delivered via WebSocket connection
883841	3-Major		APM now displays icons of all sizes what Horizon VCS supports.
881641-1	3-Major		Errors on VPN client status window in non-English environment
874449	3-Major		APM does not support adding samesite cookie attribute to APM cookies.
871505	3-Major		Update default anti-fraud profile with new per-request policy logon page URL
866685	3-Major		Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161	3-Major		Client port reuse causes RST when the security service attempts server connection reuse.
866109	3-Major		JWK keys frequency does not support fewer than 60 minutes
857589	3-Major		On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'
853325	3-Major		TMM Crash while parsing form parameters by SSO.
852917	3-Major		Accept-Encoding header is removed when websso form-based is used
852313	3-Major		VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277	3-Major		Memory leak when using OAuth
848673	3-Major		Portal Access message event has wrong origin if message originates from split tunneled frame
844781	3-Major		[APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844685	3-Major		Per-request policy is not exported if it contains HTTP Connector Agent
844281	3-Major		[Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
836213	3-Major		Profile name over 64 characters in length will cause ACCESS::session create to fail
835309	3-Major		Some strings on BIG-IP APM Server pages are not localized
835285	3-Major		Client browser traffic through APM SWG transparent proxy using captive portal might get reset.
834377	3-Major		Unable to upload swagger files with a pattern in description
832881	3-Major		F5 Endpoint Inspection helper app is not updated
832569	3-Major		APM end-user connection reset
831781	3-Major		AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
831517	3-Major		TMM may crash when Network Access tunnel is used
827325	3-Major		JWT token verification failure
827089	3-Major		When a SSL Orchestrator app is deployed, tmm errors are logged in /var/log/apm
825493	3-Major		JWT token verification failure
809637	3-Major		The Native client and the HTML5 View Client version are now logged at info level.
809629	3-Major		APM Portal Access resource URI might not be re-written for some scenarios involving APM per-request policy.
803825-1	3-Major		WebSSO does not support large NTLM target info length
788549	3-Major		APM as AD FS-Proxy feature does not support AD FS 5.0
778321	3-Major		No validation for DNS Address Space entry
773309	3-Major		API Profile: Real swagger can not be loaded with "transaction failed:incomplete command" error message
771961	3-Major		While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
761303	3-Major		Upgrade of standby BIG-IP system results in empty Local Database
761049	3-Major		APM does not support adding SameSite cookie attribute to APM cookies.
744407	3-Major		While the client has been closed, iRule function should not try to check on a closed session
738865	3-Major		MCPD might enter into loop during APM config validation
703818	3-Major		ACED core file during restart
653210	3-Major		Rare resets during the login process
635934	3-Major		Logon (username) field may be blank in APM Reports when using NTLM or Kerberos AAA
470916	3-Major		Using native View clients, cannot launch desktops and applications from multiple VMware back-ends
470346	3-Major		Some IPv6 client connections get RST when connecting to APM virtual
886841	4-Minor		Allow LDAP Query and HTTP Connector for API Protection policies
847109	4-Minor		Very large policies could have problems with re-import
833049	4-Minor		Category lookup tool in GUI may not match actual traffic categorization
744950	4-Minor		Non-utf8 characters in resource descriptions causes malfunction of Resource Assign Dialogue
570129	4-Minor		Removed unused session ID from URL
567503	4-Minor	K03293396	ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
839389	2-Critical		TMM can crash when connecting to IVS under extreme overload
900905	3-Major		TMM may crash while processing SIP data
868381	3-Major		MRF DIAMETER: Retransmission queue unable to delete stale entries
866021	3-Major		Diameter Mirror connection lost on the standby due to "process ingress error"
853545	3-Major		MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
842625	3-Major		SIP message routing remembers a 'no connection' failure state forever
840821	3-Major		SCTP Multihoming not working within MRF Transport-config connections
825013	3-Major		GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
824149	3-Major		SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877	3-Major		Information Elements with zero-length value are rejected by the GTP parser
803809	3-Major		SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
755033	3-Major		Dynamic Routes stats row does not appear in the UI
734369	3-Major		SIP Response routing fails under certain conditions
714828	3-Major	K92710485	Message delivered to the wrong peer if bidirectional persistence is used.
696348	3-Major		"GTP::ie insert" and "GTP::ie append" do not work without "-message" option
866357	4-Minor		Improvement to MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction
862337	4-Minor		Message Routing Diameter profile fails to forward messages with zero length AVPs
860021	4-Minor		GenericMessage no-response messages are wrongly counted as responses in message stats
859721	4-Minor		Using GENERICMESSAGE create together with reject inside periodic after may cause core
851441	4-Minor		Improvement to MRF to enable spreading outgoing connections across TMMs
844169	4-Minor		TMSH context-sensitive help for diameter session profile is missing some descriptions
840097	4-Minor		Improvement to MRF Bidirectional Persistence to instruct logic of default direction
836357	4-Minor		SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
794889	4-Minor		Pool member state force-offline processes persistent connections in Diameter.
788513	4-Minor		Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
710606	4-Minor		Diameter and SIP profile statistics may require "Clear Statistics" button to be clicked twice to get the stats to zero out
845461	5-Cosmetic		MRF DIAMETER: additional details to log event to assist debugging
793005	5-Cosmetic		'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
919465	2-Critical		A dwbld core on configuration changes on IP Intelligence policy
870381	2-Critical		Network Firewall Active Rule page does lot load
850117	2-Critical		Autodosd crash after assigning dos profile with custom signatures to a virtual server
903561	3-Major		Autodosd returns small bad destination detection value when the actual traffic is high
892621	3-Major		Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software
891165	3-Major		Global white list HSB entries stay in offload state after removing Device DoS whitelist
887017-1	3-Major		The dwbl daemon consumes a large amount of memory
882289	3-Major		Could not configure FQDN in DoS Profile DNS NXDOMAIN QUERY Vector
880001	3-Major		TMM may crash while processing L4 behavioral DoS traffic
874797	3-Major		Unable to configure FQDN in device DNS NXDOMAIN QUERY Vector
872645-3	3-Major		Protected Object Aggregate stats are causing elevated CPU usage
872049	3-Major		Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command
871985	3-Major		No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection
870385	3-Major		TMM may restart under large amount traffic load
867749	3-Major		Route Domain Active Rules stats are cleared when a rule list is modified
867745	3-Major		Active Rules for Route Domain are not listed in GUI inline editor
863285	3-Major		Incorrect value (icmpv6) is used when RuleList/Rule/Protocol is set to ICMPv6 via UI.★
852289	3-Major		DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
851745	3-Major		High cpu consumption due when enabling large number of virtual servers
840809	3-Major		If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
837233	3-Major		"Application Security Administrator" user role cannot manage Dos Profile GUI
813969	3-Major		Network DoS reporting events as 'not dropped' while in fact, events are dropped
685904	3-Major		Firewall Rule hit counts are not auto updated after a Reset is done
594600	3-Major		No validation when delete iRule that is assigned to ACL policy
852929	4-Minor		AFM WebUI Hardening
837101	4-Minor		AVR and BIG-IQ stats show N/A bar for Source IP and domain name on DNS query packet
691772	4-Minor		Protected Object "Add" and "Clone" buttons are hidden on screens with lower resolution

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
845313-1	2-Critical		Tmm crash under heavy load
875401	3-Major		PEM subcriber lookup can fail for internet side new connections

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
888625-1	3-Major		CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
837269-3	3-Major		Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic
812705	3-Major		'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
803717	3-Major		'Prevent Password Auto-Complete' feature does not work on newer versions of Chrome browser
752154-4	3-Major		Fake keystrokes are not generated in some browsers

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
756082	3-Major		[api-status-warning] ltm/classification/signature-update-schedule is deprecated

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
835517	2-Critical		After upgrading BIG-IP software and resetting HA, gossip may show 'UNPAIRED'★
839597	3-Major		Restjavad fails to start if provision.extramb has large value
837773	3-Major		Restjavad Storage and Configuration Hardening

Protocol Inspection Fixes

ID Number	Severity	Solution Article(s)	Description
754855	2-Critical		TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

 

Cumulative fix details for BIG-IP v16.0.0 that are included in this release

919465 : A dwbld core on configuration changes on IP Intelligence policy

Component: Advanced Firewall Manager

Symptoms:
A dwbld core occurs on configuration changes on IP Intelligence policy.

Conditions:
Configuration changes on IP Intelligence policy with assigned feed-list.

Impact:
A dwbld restart. Enforcement of dynamic white/black configuration does not occur while dwbld restarts.

Workaround:
None.

Fix:
Feed-list entries should not be present in list of entries with expiration.

---

914081 : Engineering Hotfixes missing bug titles

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.

---

913537 : Memory leak with WebSocket connections

Component: Local Traffic Manager

Symptoms:
WebSocket frame memory leak might occur when connections are closed midway during transfer.

Conditions:
- WebSocket profile is attached to the virtual server.
- HTTP and SSL profiles are attached to the virtual server.

Impact:
Memory leak occurs and tmm can crash. Traffic disrupted while tmm restarts.

Workaround:
Remove the WebSocket profile from the virtual server.

Fix:
There is no longer a memory leak with WebSocket connections under these conditions.

---

912289 : Cannot roll back after upgrading on certain platforms★

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to this release you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software.

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

---

912221 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551

---

909237 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642

---

909233 : DNS Hardening

Solution Article: K97810133

---

908873 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached.
-- Certain scenarios where the proxy goes into passthrough mode.

This was encountered during internal testing of a certain iRule configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

908621 : Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to TMM core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- Virtual has HTTP and httprouter profiles attached to it.
- Certain scenarios where the proxy goes into passthrough mode.

This was encountered during internal testing of a certain iRule configurations.

Impact:
Traffic disrupted while tmm restarts.

---

905905 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245

---

905557 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.

---

904937 : Excessive resource consumption in zxfrd

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, zxfrd may consume excessive resources.

Conditions:
-- Provision GTM (Global Traffic DNS).
-- Create one or more zones in the GUI via DNS::Zones::Zones::Zone List.

Impact:
Excessive resources consumption, potentially leading to failover event.

Workaround:
None.

Fix:
zxfrd no longer consumes excessive resources.

---

904165 : APMD may crash while processing certain parameters

Component: Access Policy Manager

Symptoms:
Under certain conditions APMD may crash while processing certain parameters.

Conditions:
-APM active.
-Pre-inspection checks active.

Impact:
APMD crash, leading to a failover event

Workaround:
None.

Fix:
APMD now processes parameters as expected.

---

903905 : Default configuration of security mechanism causes memory leak in TMM

Component: Access Policy Manager

Symptoms:
Over time, memory is allocated by the TMM processes for use as 'xdata' buffers, yet this memory is never de-allocated; it is leaked and becomes unusable. Eventually a disruption of service occurs.

Conditions:
-- The BIG-IP system has been running for 8 weeks or longer without a system restart.

-- The BIG-IP system's internal risk-policy subsystem (used by the security feature modules) has not been configured to communicate with an external risk-policy server.

-- In a vCMP configuration, the BIG-IP 'host' instance is always susceptible, since no security features can be configured in its context.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Default configuration of security mechanism no longer causes memory leak in TMM.

---

903561 : Autodosd returns small bad destination detection value when the actual traffic is high

Component: Advanced Firewall Manager

Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.

Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.

Impact:
A small bad destination detection value is returned.

Workaround:
None.

Fix:
Fixed the threshold update algorithm.

---

903257 : GUI issues for Access :: Profiles/Policies : Customization : General Customization or Advanced Customization

Component: Access Policy Manager

Symptoms:
Error messages when navigating to Access :: Profiles/Policies : Customization : General Customization or Advanced Customization:

Button states incorrect on return from server after button push.

Conditions:
After creation of an Access Profile with Customization Type = modern (which is the default starting with v15.1.0).

Impact:
The GUI for General Customization or Advanced Customization of Access Profiles is not available.

Workaround:
Run the following commands, in sequence, from an SSH session:

cp --preserve=all /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml.ORG

sed -e 's|b\&gt\ã|b\>\ã|' /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml.ORG > /var/sam/www/client/customization-source/Common/modern/eps/default_eps.xml

bigstart restart tomcat

Fix:
The GUI for General Customization or Advanced Customization of Access Profiles now renders correctly.

---

902141 : TMM may crash while processing APM data

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing APM data.

Conditions:
-- An APM access policy is configured with "Modern" customization.

Impact:
TMM crash, leading to a failover event.

Workaround:
You can use either of the following workarounds:

-- Use Access Policies with "Standard" customization.

Fix:
TMM now processes APM data as expected.

---

900905 : TMM may crash while processing SIP data

Component: Service Provider

Symptoms:
Under certain conditions, TMM may crash while processing SIP data

Conditions:
-SIP ALG profile enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SIP traffic as expected.

---

900757 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

898365 : XML Policy cannot be imported

Component: Application Security Manager

Symptoms:
XML Export does not work in configurations that have metacharacters or method overrides defined on URLs.

Conditions:
A policy that has metacharacter or method overrides defined on a URL is exported to XML format.

Impact:
Such a policy cannot be imported.

Workaround:
Use binary export/import or move/remove the problematic elements from the XML file:
* <mandatory_body>
* <operation_id>

Fix:
XML Policy export generates files that correctly correspond to the expected schema and can be imported.

---

898093 : Removing one member from a WideIP removes it from all WideIPs.

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.

---

896553 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails (isn't administratively disabled), other blades take 10 seconds (configured with DB variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades don't have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.

Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)

Workaround:
Attach interfaces to all blades.

Fix:
Failed blades are detected within a second.

---

896473 : Duplicate internal connections can tear down the wrong connection

Component: TMOS

Symptoms:
Handling of duplicate internal connections can tear down and clean up the newest connection. Instead it should always remove the oldest.

Conditions:
When internal connections are re-established.

Impact:
The cleanup of previous connections may incorrectly tear down the new connection. Error messages are reported in the log when this happens, for example:

Duplicate connections between BCM56XXD1 and stpd7749-2. Closing the new one.

Workaround:
None.

Fix:
The system now always removes the oldest connection.

---

895993 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

895981 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

895881 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305

---

895781 : Round Robin disaggregation does not disaggregate globally

Component: TMOS

Symptoms:
Traffic is not disaggregated uniformly as expected.

Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.

Impact:
Some TMMs may use relatively more CPU.

Workaround:
None.

Fix:
Traffic is now disaggregated uniformly in a round robin fashion.

---

895649 : Improve TCP analytics goodput reports

Component: Local Traffic Manager

Symptoms:
TCP analytics would report very large goodput values under rare conditions.

Conditions:
-- TCP or FastL4 filter is in use.
-- TCP analytics is enabled.
-- A specific sequence number space is observed during the data transfer.

Impact:
TCP reports a very large goodput value to AVR. This also impacts the average goodput reports as the high value reported shifts the average value to considerably large one.

Workaround:
N/A

Fix:
TCP analytics goodput reports are improved.

---

895525 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254

---

894081 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.

Component: Global Traffic Manager (DNS)

Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.

Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.

Note: This issue only affects Link Controller systems, and not DNS/GTM systems.

Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).

Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:

# tmsh show gtm pool a members

# tmsh show gtm server virtual-servers

---

892637 : Microservices cannot be added or modified

Component: Application Security Manager

Symptoms:
The 'Add' button is grayed out on Security :: Application Security :: Microservices, where in previous version, minimal microservice creation/modification was available.

Conditions:
-- Navigate to Security :: Application Security :: Microservices.
-- Attempt to add a microservice.

Impact:
Cannot add or modify a microservice in this version, where it was available in previous versions.

Workaround:
None.

Fix:
The 'Add' button is now available to create basic microservices for Application Security.

---

892621 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Component: Advanced Firewall Manager

Symptoms:
BDoS Signature mitigated in software.

Conditions:
IP packets size metric in BDoS signature.

Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.

Workaround:
None.

Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.

---

892073 : TLS1.3 LTM policy rule based on SSL SNI is not triggered

Component: Local Traffic Manager

Symptoms:
A policy rule based on SSL SNI at SSL client hello is not triggered for a TLS1.3 connection.

Conditions:
-- LTM policy rule specifying SSL client hello SNI.
-- TLS1.3 connection.

Impact:
Policy rule not triggered for TLS1.3.

Workaround:
None.

Fix:
LTM policy rules at client hello SNI are now triggered for TLS1.3.

---

891721 : Anti-Fraud Profile URLs with query strings do not load successfully

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.

---

891505 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
When fixed, TMM works as expected and no longer leaks memory.

---

891477-1 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.

---

891337 : 'save_master_key(master): Not ready to save yet' errors in the logs

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.

Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.

---

891165 : Global white list HSB entries stay in offload state after removing Device DoS whitelist

Component: Advanced Firewall Manager

Symptoms:
"Global white list HSB entry" in "tmsh show security dos spva-stats" is not equal zero with no address-list as Device DoS whitelist.

Conditions:
Assigning Device DoS whitelist with some entries

Impact:
Entries stays in Device DoS white-list after removing

Fix:
Correct hash calculation for Device whitelist entries

---

890421 : New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★

Component: TMOS

Symptoms:
The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

Conditions:
When 15.0.1.2 is upgraded to 15.1.0 then the traps would be renumbered.

Impact:
This may be confusing for SNMP clients expecting specific trap IDs.

Workaround:
None.

Fix:
The traps have been correctly numbered in 15.0.1.3.

Behavior Change:
New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers. These traps will be renumbered when you upgrade 15.0.1.2 to 15.1.0.

The Georedundancy traps introduced in 15.0.1.2 with trap IDs in the F5 enterprise MIB of .1.3.6.1.4.1.3375.2.4.0.206 to .1.3.6.1.4.1.3375.2.4.0.211 should have been numbered from .1.3.6.1.4.1.3375.2.4.0.212 to .1.3.6.1.4.1.3375.2.4.0.217

---

890229 : Source port preserve setting is not honoured

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured a hash that includes IP addresses, which you can accomplish in any of the following ways:
  + Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
  + By configuring a VLAN's 'CMP Hash' setting to a non-default value.
  + By using a special variable like udp.hash or tcp.hash.
-- The virtual server is configured with source-port preserve (the default).

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.

---

889505-1 : Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available

Component: Advanced Firewall Manager

Symptoms:
Several SNMP OIDs need to be added to provide the total number of port block allocations (PBAs) and the percentage of PBAs that are available.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
-- Can now directly gather the total number of PBA and percentage of ports available.

There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new MIBs are now available:

F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmLsnPoolStatPercentFreePortBlocksSnmp

F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaTotalPortBlocks
F5-BIGIP-LOCAL-MIB::ltmFwNatDynamicPoolStatPbaPercentFreePortBlocksSnmp

---

889477 : Modern customization does not enforce validation at password changing

Component: Access Policy Manager

Symptoms:
You can change the password even if there are different values in the fields 'New Password' and 'Confirm Password' or if 'Confirm Password' is empty.

Conditions:
-- Access Policy with 'Modern' customization.
-- Configure an access policy with 'Logon Page' and 'AD Auth' agents.
-- When forced to change passwords, type different values in 'New Password' and 'Confirm Password', or leave 'Confirm Password' empty.

Impact:
The system allows the password change, even though the 'New Password' and 'Confirm Password' do not match.

Workaround:
None.

---

889209 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.

Component: Local Traffic Manager

Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.

Conditions:
Enabled sflow receiver is configured.

Impact:
Egress traffic is dropped.

Workaround:
Disable Sflow receiver, save configuration, reboot.

---

888625-1 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks

Component: Carrier-Grade NAT

Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.

Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.

Impact:
No functional impact. But the stats counters will be incorrect.

Fix:
Update the active port block counter correctly when port block allocation fails.

---

888569-1 : Added PBA stats for total number of free PBAs, and percent free PBAs

Component: Advanced Firewall Manager

Symptoms:
There are several port block allocation (PBA) statistics that need to be added.

Conditions:
Attempting to retrieve total number of PBAs and percentage of PBAs that are available.

Impact:
Need to manually calculate the values.

Workaround:
Make manual calculations from the current stats or configuration.

Fix:
The first and second item described are available using the 'tmsh show' command, and the third item is available in the tmstat tables (e.g., reported in response to the command 'tmctl lsn_pool_pba_stat' as total_port_blocks).

-- Total number of port blocks available:
The total amount of port blocks available according to the PBA configuration. For example, if you have 3 IP addresses for NAT pool/source translation and blocks of 128 ports, and ports from 1024 to 65535, then this stat indicates that you have a total of 1509 port blocks. This number is the result of (64511 (ports available) / 128 (ports per block)) * 3 (number of IP addresses)).

-- Percentage of port available (percentage is available in TMSH only):
Using the same example, where there are 1509 total blocks and currently are assigned 600 blocks, then there are 909 blocks free. This stat show that are 60.23% of ports available. (100*free ports / total ports).

-- Directly gather the values.
There are new SNMP OIDs from which to pull this data directly. Although there is way to get this information from the current stats or configuration by making some calculations, the SNMP OIDs enables pulling these values directly.

Behavior Change:
The following new tmstat value is now available, in both 'tmctl fw_lsn_pool_pba_stat' and 'tmctl lsn_pool_pba_stat:

    total_port_blocks

The relevant TMSH show commands have been updated to include these new values:

-- Total Port Blocks
-- Percent Free Port Blocks

---

888493-1 : ASM GUI Hardening

Component: Application Security Manager

Symptoms:
The ASM GUI does not follow current best practices.

Conditions:
-ASM provisioned.
-WebUI administrative user.

Impact:
ASM WebUI does not does not follow current best practices.

Workaround:
N/A

Fix:
ASM WebUI does now follows current best practices.

---

888489-1 : ASM UI hardening

Component: Application Security Manager

Symptoms:
The ASM UI for DOS profile does not follow current best practices.

Conditions:
-ASM provisioned.

Impact:
The ASM UI for DOS profile does not follow current best practices.

Workaround:
N/A

Fix:
The ASM UI for DOS profile now follows current best practices.

---

888285 : Sensitive positional parameter not masked in 'Referer' header value

Component: Application Security Manager

Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.

Conditions:
Sending a request with positional parameter in URI and 'Referer' header.

Impact:
'Referer' header positional parameter value is not masked in logs.

Workaround:
None.

Fix:
'Referer' positional parameter value is masked as expected.

---

888261 : Policy created with declarative WAF does not use updated template.

Component: Application Security Manager

Symptoms:
When importing a declarative policy with an updated template, the operation uses the old version of the template, which is saved on the machine.

Conditions:
Declarative policy is created from a user-defined template and then re-created after updating the template.

Impact:
The re-created declarative policy is based on the old template, which is saved without the changes that were made in the template.

Workaround:
Create new template and use it when recreating the declarative policy.

Fix:
While creating the policy, if the saved template on the machine is older than the template file, the system replaces the file on the machine and uses the updated template.

---

888113 : HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy

Component: Local Traffic Manager

Symptoms:
TMM cores in HTTP-MR proxy.

Conditions:
-- HTTP and HTTP Router profiles are configured on the virtual server.
-- HUDEVT_CALLBACK is queued after HUDCTL_ABORT in HTTP-MR proxy.

Impact:
TMM stops processing traffic.

Workaround:
None.

Fix:
HUDEVT_CALLBACK is not queued after HUDCTL_ABORT in HTTP-MR proxy.

---

887637 : Systemd-journald Vulnerability: CVE-2019-3815

Solution Article: K22040951

---

887261 : JSON schema validation files created from swagger should support "draft-04" only

Component: Application Security Manager

Symptoms:
The JSON schema validation file creation from swagger's schema entry fails and errors are logged to /ts/log/asm_config_server.log.

Conditions:
-- API Protection used in a security policy
-- Swaggers's schema entry contains one or more fields that are incompatible between draft-04 and draft-07 of the JSON schema validation spec (e.g.: "exclusiveMinimum")

Impact:
Since BIG-IP is locked to draft-07, a security policy created from swagger file will not include some entities.

Workaround:
No workaround

Fix:
JSON schema validation" files should be referenced to "draft-04" instead of "draft-07

---

887017-1 : The dwbl daemon consumes a large amount of memory

Component: Advanced Firewall Manager

Symptoms:
The dynamic white/black daemon (dwbld) daemon shows very large memory consumption on adding addresses to shun-list.

Conditions:
-- Adding a large number of IP addresses to the shun-list.
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)

Impact:
The dwbl daemon uses a large amount of memory. If memory goes to exhaustion, enforcement of dwbl does not occur.

Workaround:
None.

---

886841 : Allow LDAP Query and HTTP Connector for API Protection policies

Component: Access Policy Manager

Symptoms:
APM has several types of access policies for different deployment types, such as general per-request policies, OAuth policies, full webtop portal policies, and so on. One type of policy is designed for API clients, called API Protection.

API Protection requests are generally authenticated by user information present in an HTTP authorization header. APM then uses this authorization header data to authenticate users against an AAA server.

In addition to authentication, some deployments of API Protection also require authorization decisions to be performed against out-of-band data from external servers, typically group membership data from an external HTTP or LDAP server.

Conditions:
Administrators attempt to use HTTP Connector or LDAP Query in an API Protection type access policy.

Impact:
Administrators are not able to use HTTP Connector or LDAP Query in API Protection policies.

Fix:
Starting with 16.0, APM allows administrators to use HTTP Connector or LDAP Query inside of API Protection policies to make authorization decisions, greatly expanding the flexibility of APM's API Protection feature.

---

886737 : QUIC unable to send stream FIN

Component: Local Traffic Manager

Symptoms:
A stream FIN is never sent and the connection times out.

Conditions:
QUIC has a bidirectional stream waiting to send a FIN when it receives an ACK for the last of the data sent on that stream.

Impact:
Instead of closing when a request is complete, QUIC connections may hang around for the duration of the idle timeout.

Workaround:
None.

Fix:
QUIC will now send a stream FIN when needed.

---

886729 : Intermittent TMM crash in per-request-policy allow-ending agent

Component: Access Policy Manager

Symptoms:
TMM crash.

Conditions:
When user trying to access a URL with unique hostname in the current session.

Impact:
TMM crash. No access to the URL. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This intermittent TMM crash no longer occurs.

---

886085 : TMM may crash while processing UDP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing internally generated UDP traffic.

Conditions:
None.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes internally generated UDP traffic as expected.

---

886049 : Mcpd validation for proxy ssl and don't-insert-empty-fragments

Component: Local Traffic Manager

Symptoms:
BIG-IP does not check that proxy ssl and don't-insert-empty-fragments do not exist together. According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html

*********
Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack.

Conditions:
SSL profile with proxy-ssl and option don't-insert-empty-fragments enabled.

Impact:
No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.

Workaround:
When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.

Fix:
BIG-IP now validates proxy-ssl cannot be enabled with don't-insert-empty-fragments.

---

885869 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime

Component: Global Traffic Manager (DNS)

Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.

Conditions:
An iQuery certificate using GenericTime instead of UTCTime.

Note that this would only occur with a date beyond the year 2049.

Impact:
Internal years are interpreted to be much later than they should be.

Workaround:
Use SSL certificates with UTCTime instead of GenericTime.

Fix:
Fixed an issue in iQuery SSL where GenericTime-formatted years interpreted incorrectly.

---

884921 : Tcpdump capture with very large packet (size close to 65535 bytes) can cause tmm to core

Component: TMOS

Symptoms:
When tcpdump is running to capture packets flowing through tmm, and this traffic being captured involves a very large packet (size close to 65535 bytes), tmm cores.

Conditions:
-- A tcpdump capture is running.
-- The tcpdump trying to capture tmm packets (e.g., tcpdump -i 0.0).
-- The traffic involves a very large packet, close to 65525 bytes.

Impact:
Tmm cores and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not run tcpdump to capture tmm traffic if packets being captured are close to 65535 bytes in size.

---

884797 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.

---

884425 : Creation of new allowed HTTP URL is not possible

Component: Application Security Manager

Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.

Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.

Impact:
The requested page (New Allowed HTTP URL...) is not loaded.

Workaround:
Use fewer parameters (less than 5000) per policy.

---

884165 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG

Component: TMOS

Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.

Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.

Impact:
Sync to the datasync groups cause the sync status of the devices to fluctuate.

---

883853 : Bot Defense Profile with staged signatures prevents signature update★

Component: Application Security Manager

Symptoms:
When a trying to install a new bot defense signature, the installation fails with the following log message:

com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.

Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.

Impact:
The new file cannot be installed.

Workaround:
Enforce the staged signature.

Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.

---

883841 : APM now displays icons of all sizes what Horizon VCS supports.

Component: Access Policy Manager

Symptoms:
If the application icon's size is not 32x32, a default icon is displayed on the webtop.

Conditions:
1. Open Horizon VCS
2. Associate a custom icon to the application (size other
   than 32x32) and save the changes.
3. Connect to virtual server or Native client

Impact:
A default icon is displayed for the applications which has icons of sizes not supported by APM.

Workaround:
In Horizon VCS, associate the application with an icon that is 32x32.

Fix:
Application icons of all sizes what View Connection Server supports are supported by APM.

---

883717 : BD crash on specific server cookie scenario

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Server sends many domain cookies with different domains or paths.

Impact:
Traffic distraction, failover.

Workaround:
There is no workaround, except changing the server's cookies.

Fix:
BD does not crash when server sets many different attributes.

---

883669 : Memory leak in asm_start due to GTM score update

Component: Application Security Manager

Symptoms:
Memory usage of asm_start increases steadily by approximately 450 KB per day.

Conditions:
GTM is provisioned (on versions with the fix for ID 864677; otherwise, the issue happens for every configuration).

Impact:
Memory usage of asm_start increases steadily by approximately 450 KB per day.

Workaround:
Restart ASM periodically.

Fix:
Memory usage of asm_start remains stable.

---

883597 : Add a way to look up URLs in one specified custom category

Component: Access Policy Manager

Symptoms:
There is no way to look up URLs in one specified custom category.

Conditions:
Category lookup iRule or agent using custom categories is in the policy

Impact:
There is no way to use iRules to look up URLs in one specified custom category. If there are multiple custom categories and the URL is only in one of them, the Category Lookup agent and iRule will look through all custom categories even if you only want to look in one.

Workaround:
None.

Fix:
You can now use iRules to look up URLs in one specified custom category.

CATEGORY::lookup <url> custom -custom_cat_match <category name>

Behavior Change:
There is now an iRule to look up URLs in one specified custom category.

CATEGORY::lookup <url> custom -custom_cat_match <category name>

---

883529 : HTTP/2 Method OPTIONS allows "*" (asterisk) as an only value for :path

Component: Local Traffic Manager

Symptoms:
HTTP/2 request is not forwarded and RST_STREAM with PROTOCOL_ERROR is sent back to the client.

Conditions:
HTTP/2 request with method OPTIONS and pseudo header :path value equal to something other than "*" (asterisk).

Impact:
HTTP/2 request with Method OPTIONS is limited to :path "*" only. Any other URIs are not forwarded to the server but rejected with RST_STREAM with PROTOCOL_ERROR.

Workaround:
None.

Fix:
HTTP/2 request with Method OPTIONS now allows the URI to be something other than "*". This request is not rejected, but is forwarded to the server.

---

883513 : Support for QUIC and HTTP/3 draft-27

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-24 and draft-25. IETF released draft-27 in February 2020, and major browser vendors have announced they intend to widely deploy support for it, unlike previous drafts.

Conditions:
Browser requests draft-27.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-27. (The QUIC community skipped draft-26), has deleted draft-24 support from the implementation, and deprecates support for draft-25.

---

882769 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters

---

882757 : sflow_agent crash SIGABRT in the cleanup flow

Component: TMOS

Symptoms:
Disabling DHCP on the management port causes sflow_agent to crash.

Conditions:
This does not always occur, but when it does occur, it crashes when disabling DHCP on the management port.

Impact:
sflow_agent crashes.

Workaround:
Do not disable DHCP on the management port

Fix:
Placed the NULL check to in sflow agent admin IP handling code

---

882713 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

Fix:
Fixed an incorrect calculation of sysUpTime.

---

882557 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance

---

882545 : Multiple rate-limiting agents sharing the same rate-limiting key config may not function properly

Component: Access Policy Manager

Symptoms:
When multiple rate-limiting agents share the same rate-limiting key config, removing one agent may cause other agents to not function properly. In case of using tmm.debug, it may generate a core.

Conditions:
-- Multiple rate-limiting agents sharing the same rate-limiting key config.
-- Removing one agent.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not share the same rate-limiting key config among multiple agents.

Fix:
Fixed a tmm core related to multiple rate-limiting agents.

---

882377 : ASM Application Security Editor Role User can update/install ASU

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.

---

882289 : Could not configure FQDN in DoS Profile DNS NXDOMAIN QUERY Vector

Component: Advanced Firewall Manager

Symptoms:
GUI configuration for Dos Profile vector is missing functionality to Check, add and delete FQDN's

Conditions:
This occurs in the GUI while creating a new DoS Profile that uses a a DNS NXDOMAIN query vector.

Impact:
You are unable to configure a valid FQDN list

Workaround:
Use TMSH to set configuration

---

882157 : One thread of pkcs11d consumes 100% without any traffic.

Component: Local Traffic Manager

Symptoms:
One thread of pkcs11d consumes 100% without any traffic.

Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.

Impact:
NetHSM configurations and statistics updates are not updated.

Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d

Fix:
The system now watches for errors and prevents this error from occurring.

---

881641-1 : Errors on VPN client status window in non-English environment

Component: Access Policy Manager

Symptoms:
If Network Access resource is being accessed using user interface language other than English, JavaScript errors may be shown in VPN client status window.

Conditions:
- Access Policy with languages other than English
- Network Access resource assigned to this Access Policy
- standalone VPN client in non-English environment

Impact:
VPN connection cannot be established.

Fix:
Now standalone VPN client can work correctly in non-English environment

---

880789 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

Fix:
The botd handler is now restored to a more robust process lifecycle.

---

880753 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.

---

880325 : Change help text for Untrusted Cert Response Control and Expired Cert Response Control in ServerSSL OLH

Component: TMOS

Symptoms:
Help text for Untrusted Cert Response Control and Expired Cert Response Control in ServerSSL OLH needs updating.

Conditions:
1. Go to Local Traffic >> Profiles >> SSL >> Server.
2. Create new or edit existing profile and see help text.

Impact:
Incorrect content.

Workaround:
n/a

Fix:
For both Create and Properties help, updated ignore and mask content for both Expired and Untrusted Certificate Response Control fields.

---

880157 : Unable to set SameSite attribute for AVR session cookie

Component: Application Visibility and Reporting

Symptoms:
When trying to set the 'Samesite' attribute using a Local traffic policy according to https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715, you are able to set the SameSite attribute for all cookies except for the AVR user session cookie.

Conditions:
-- Use Google Chrome browser.
-- Page load time or user sessions collecting in HTTP Analytics profile is checked for the related virtual server.

Impact:
Can't add SameSite attribute to AVR cookies.

Fix:
Added an internal parameter, avr_cookie_add_attributes, that allows the BIG-IP system administrator to add a string at the end of the AVR Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt-out from the Chrome browser modificatio, allowing the AVR cookie behave as before. This change is global and affects all AVR system cookies (page load time & user sessions).

---

880073 : Memory leak on every DNS query made for "HTTP Connector" agent

Component: Access Policy Manager

Symptoms:
'plugin' subsystem of TMM leaks memory, when "HTTP Connector" agent performs DNS query.

Conditions:
Access Policy contains "HTTP Connector" agent.

Impact:
Roughly 500 KB is leaked for every 10000 requests.

Workaround:
None.

Fix:
Fixed memory leak in 'plugin' subsystem of TMM.

---

880009 : Tcpdump does not export the TLS1.3 early secret

Component: TMOS

Symptoms:
Users running tcpdump with the 'ssl:v' flag to obtain the early traffic secret are given the early master secret instead.

Conditions:
Run tcpdump with the 'ssl:v' flag.

Impact:
Users cannot decrypt TLS1.3 early data packets.

Workaround:
None.

Fix:
Tcpdump will now output the early traffic secret with the 'ssl' flag. The 'ssl:v' flag will continue to be used for outputting the early master secret.

---

880001 : TMM may crash while processing L4 behavioral DoS traffic

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, TMM may crash while processing L4 behavioral DoS traffic.

Conditions:
-- Enable L4 behavioral DoS.

Impact:
TMM crash, leading to a failover event.

Workaround:
Disable L4 behavioral DoS.

Fix:
TMM now processes L4 behavioral DoS traffic as expected.

---

879841 : Domain cookie same-site option is missing the "None" as value in GUI and rest

Component: Application Security Manager

Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.

Conditions:
You want to have SameSite=none attribute added to a domain cookie.

Impact:
You are unable to set SameSite=None

Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM

---

879777-1 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

Fix:
Retrieving the cookie from the related domain even if the page is qualified.

---

879409 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.

---

879401 : Memory corruption during APM SAML SSO

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted.

Conditions:
- BIG-IP system is configured as SAML SP.
- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Fix:
BIG-IP as SAML SP no longer causes memory corruption when handling certain traffic.

---

879025 : When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions

Component: Local Traffic Manager

Symptoms:
When processing server-side TLS traffic, LTM may not enforce certificate chain restrictions as expected. TLS traffic is encrypted as expected but under certain conditions certificate authentication restrictions are not enforced

Conditions:
-Server-side SSL profile.
-Certificate chain validation enabled.

Impact:
LTM may not enforce TLS certificate chain restrictions as expected.

Workaround:
None.

Fix:
LTM now processes server-side TLS traffic as expected.

---

879001 : LDAP data is not updated consistently which might affect authentication.

Component: TMOS

Symptoms:
Change not updated in LDAP when the system auth source ('systemauth.source' DB key/'Auth Source Type') is set to Active Directory.

This change is not applied when the setting is modified (e.g., from local or LDAP to Active Directory, or from Active Directory to LDAP). Instead, the change is applied only when MCPD is rewriting the file for other reasons.

Conditions:
Changing the 'systemauth.source' DB key/'Auth Source Type':
-- From local to Active Directory.
-- From LDAP to Active Directory.
-- From Active Directory to LDAP.

Impact:
LDAP data is not updated consistently, and authentication might fail.

Workaround:
None.

---

878925 : SSL connection mirroring failover at end of TLS handshake

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests my fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.

Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.

---

878893 : During system shutdown it is possible the for sflow_agent to core

Component: TMOS

Symptoms:
The shutdown sequence of the sflow_agent can include a timeout waiting for a response that results in an assert and core file.

Conditions:
BIG-IP reboot can cause the sflow_agent to core.

Impact:
There is a core file in the /var/core directory after a system reboot.

Fix:
Fixed an issue causing a core of sflow_agent during shutdown.

---

878469 : System uptime in bgpBackwardTransNotification is incorrect

Component: TMOS

Symptoms:
When BGP peer is going down, BIG-IP is sending the wrong system uptime in the trap bgpBackwardTransNotification being sent.

Conditions:
-- BIG-IP system is configured with a BGP peer connection to a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router goes down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong system uptime in the trap sent

Workaround:
None

Fix:
None

---

877145 : Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException

Component: TMOS

Symptoms:
You are unable to log in to iControl REST via /mgmt/toc/.
Also a NullPointerException is logged to /var/log/restjavad log.

Conditions:
This can be encountered intermittently while using iControl REST.

Impact:
Login failure.

Workaround:
None.

Fix:
Fixed an issue related to authenticating to the iControl REST endpoint /mgmt/TOC.

---

876957 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.

---

876937 : DNS Cache not functioning

Component: TMOS

Symptoms:
DNS queries are not being cached on the BIG-IP device.

Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.

Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.

Workaround:
None.

Fix:
DNS queries are now cached when DNS Cache is enabled.

Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.

By default, DNS cache is disabled. To recapture performance, enable DNS cache.

---

876801 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.

---

876393 : General database error while creating Access Profile via the GUI

Component: Access Policy Manager

Symptoms:
While trying to create an Access profile, the GUI reports a general database error. There are errors in /var/log/tomcat:

profiles.ProfileUtils$SettingsHandler:error - java.sql.SQLException: Column not found: SOURCE in statement [INSERT into
profile_access

Conditions:
This occurs when you try to create an Access Profile of type SSO from the GUI.

Impact:
You are unable to create the profile using the GUI.

Workaround:
You can create the Access Profile using TMSH.

tmsh create access access_test_sso type sso accept-languages add { en } sso-name sso_test1

Fix:
Access Profile of type SSO can now be created and edited from the GUI.

---

875909 : Added internal parameter to address Chrome samesite default change

Component: Application Security Manager

Symptoms:
False-positive violations related to domain cookies enforcement (such as modified domain cookies, dynamic parameters extractions).

Conditions:
-- Using Google Chrome browser.
-- The ASM protected site is sending cookies (that are configured as enforced) with resources that are accessible through third party sites.

Impact:
False-positive violations.

Workaround:
An iRule can add the SameSite=None attribute to ASM generated cookies with the Set-cookie command.

Fix:
Added an internal parameter, ts_cookie_add_attrs, that allows the BIG-IP system administrator to add a string at the end of the ASM Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt-out from the Chrome browser modification and have the ASM cookie behave as before. This change is global and affects all ASM system cookies, except those set via JavaScript.

---

875401 : PEM subcriber lookup can fail for internet side new connections

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.

Fix:
PEM subcriber lookup now always succeeds for internet side new connections,

---

875373 : Unable to add domain with leading '.' through webUI, but works with tmsh.

Component: Application Security Manager

Symptoms:
It is possible to create certain domain matches with leading dot '.' in tmsh, but not in the GUI.

Conditions:
Advanced WAF bot signature configuration with domain with a leading . character.

Impact:
You are unable to use the GUI to create custom bot-defense signatures.

Workaround:
Use tmsh to add custom bot-defense signatures as follows:

tmsh create security bot-defense signature ockerdocker category Crawler domains add {.ockerdocker} rule "headercontent:\"Google_Analytics_Snippet_Validator\"; useragentonly; nocase;"

---

874949 : TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.

Component: Access Policy Manager

Symptoms:
TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent.

Conditions:
Client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When client traffic is run through virtual server with APM per-request policy that contains empty variable assign agent, TMM will not crash.

---

874797 : Unable to configure FQDN in device DNS NXDOMAIN QUERY Vector

Component: Advanced Firewall Manager

Symptoms:
The GUI for device vector is missing functionality to Check, add and delete FQDN's

Conditions:
This is encountered in the GUI in the DNS tab while viewing the DNS NXDOMAIN Query vector.

Impact:
You are unable to configure a valid FQDN list

Workaround:
Use TMSH to set configuration

---

874753 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.

---

874449 : APM does not support adding samesite cookie attribute to APM cookies.

Component: Access Policy Manager

Symptoms:
The Chrome browser (i.e version 80 ) changes the way it treats the samesite cookie attribute to be complaint, according to https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

In this case, if the server does not set the samesite cookie attribute, the browser will treat the cookie attribute as equivalent to "samesite=Lax", which changes the behavior of how the cookie is shared with the domain, which did not originally set the cookie.

Conditions:
APM is configured.

Impact:
The latest browser (eg : chrome80 ) will stop sending the APM cookie back to the different domain, if it does not find the samesite cookie attribute for APM cookies.

Workaround:
Custom irule to add samesite cookie attribute to the APM cookies in HTTP_RESPONSE_RELEASE.

---

874153-1 : Bot Defense 'Web RootKit' Anomaly False Positive using Seznam.cz Browser on iOS

Component: Application Security Manager

Symptoms:
When using Bot Defense profile with browser verification, and sending a request using Seznam.cz Browser - 'Web RootKit' anomaly is detected and the client is blocked.

Conditions:
-- Bot Defense profile is used, with a 'Verify After Access' or 'Verify Before Access' Browser Validation.
-- Request is sent using Seznam.cz browser on iOS.

Impact:
The client is blocked.

Workaround:
Change the bigDB variable for minimum web rootkit allowed to a higher value. This allows all web rootkited browsers.

tmsh modify sys db botdefense.min_rootkit_functions value 100

Fix:
Disable Web Rootkit tests for Seznam.cz browser on iOS.
Note: Fix is valid only when not using Device ID Collection.

---

873677 : LTM policy matching does not work as expected

Component: Local Traffic Manager

Symptoms:
Policy matching may fail to work as expected

Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.

This may also be triggered by very complex policies with large numbers of rules.

Impact:
LTM policy matching does not work as expected.

Workaround:
None.

Fix:
LTM Policy matching now works correctly with large complex policies containing many rules or conditions.

---

873641 : Re-offloading of TCP flows to hardware does not work

Component: TMOS

Symptoms:
Once Hardware evicts the EPVA TCP flows due to Idle timeout, tmm does not reinsert the flows back when it receives a packet belonging to that flow.

Conditions:
This occurs when the TCP connection is kept idle for ~20 seconds.

Impact:
Performance can be impacted. Hardware acceleration will be disabled for the flows once the flow is removed from hardware due to Idle timeout.

Fix:
Fix will re-offload the flows to HW once SW starts receiving packets due to HW eviction of flows by Idle timeout.

---

873469 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

---

872965 : HTTP/3 does not support draft-25

Component: Local Traffic Manager

Symptoms:
Clients attempting to connect with QUIC version 25 and ALPN h3-25 are unable to connect.

Conditions:
An end user client attempts to connect using QUIC version 25 and ALPN h3-25.

Impact:
Attempts to use HTTP/3 with some clients may fail.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-24 and draft-25.

---

872721 : SSL connection mirroring intermittent failure with TLS1.3

Component: Local Traffic Manager

Symptoms:
Intermittent failure of standby connection mirroring TLS1.3 handshake.

Conditions:
TLS1.3 and connection mirroring. More easily reproduces with ecdsa signature.

Impact:
Standby device fails tls handshake, active success so connection succeeds but not mirrored.

Fix:
Standby device now uses correct signature size if it differs from active device.

---

872685 : Some HTTP/3 streams terminate early

Component: Local Traffic Manager

Symptoms:
Some HTTP/3 streams are terminated with a FIN before all the requested data is delivered.

Conditions:
-- Send multiple HTTP3 requests on different streams simultaneously.
-- The back-end in server is NGINX.

Note: This might happen with other web servers as well.

Impact:
Data transfer is incomplete.

Workaround:
Update the server-side connection to HTTP/2.

Fix:
Fixed an issue where some HTTP/3 streams were being terminated early.

---

872673 : TMM can crash when processing SCTP traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic.

Conditions:
-- SCTP listener enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SCTP traffic as expected.

---

872645-3 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

---

872049 : Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command

Component: Advanced Firewall Manager

Symptoms:
Value in mitigation thresholds are above infinite value (4294967295)

Conditions:
Multiplier based mitigation mode for Dos static vectors after run relearn thresholds command

Impact:
Incorrect display value for DoS thresholds in GUI and tmctl

Fix:
Do not apply multiplayer for infinite threshold value (4294967295).

---

871985 : No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection

Component: Advanced Firewall Manager

Symptoms:
There are no hardware mitigation for DoS attacks

Conditions:
Auto-threshold mode and detection for attacked destinations should be activate for DoS static vector

Impact:
DoS attack mitigation performed only by software

Fix:
Improved search in already hardware offloaded entities

---

871905 : Incorrect masking of parameters in event log

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.

---

871761 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.

---

871657 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.

---

871653 : Access Policy cannot be created with 'modern' customization

Component: Access Policy Manager

Symptoms:
Per-Request Policy (PRP) Access Policy with Customization Type set to Modern cannot be created due to internal error.

Conditions:
Creating a PRP Access Policy with Customization Type set to Modern.

Impact:
Administrator cannot use modern customization.

Workaround:
1. In bigip.conf find the following line:

     apm policy customization-source /Common/standard { }

2. Add the following line:

     apm policy customization-source /Common/modern { }

3. Save the changes.

4. Load the config:

     tmsh load sys config

Fix:
Now modern customization can be used for any Access Policy.

---

871633 : TMM may crash while processing HTTP/3 traffic

Solution Article: K61367237

---

871505 : Update default anti-fraud profile with new per-request policy logon page URL

Component: Access Policy Manager

Symptoms:
Cannot access an application that is protected by APM and FPS.

Conditions:
When DataSafe logon protection is enabled with per-request policy added on virtual server.

Impact:
You cannot get access to the application.

Workaround:
Add the URL /subsession_logon_submit.php3* to the access-logonpage-protection-datasafe profile.

Fix:
Fixed an issue with per-request logon policy.

---

870957 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.

---

870389 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.

---

870385 : TMM may restart under large amount traffic load

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workload. The crash is a timing based issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with dos functionality
-- When BIG-IP is under heavy workload

Impact:
Traffic disrupted while tmm restarts.

Fix:
After fix, no more tmm restarts.

---

870381 : Network Firewall Active Rule page does lot load

Component: Advanced Firewall Manager

Symptoms:
The page (content frame) is blank and nothing is visible

Conditions:
This occurs when viewing the Active Rule page.

Impact:
You are unable to view active Rules in UI

---

870273 : TMM may consume excessive resources when processing SSL traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources when processing SSL traffic.

Conditions:
-- Client authentication is enabled on client-side SSL.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SSL traffic as expected.

---

869401 : With virtual-wire, lldpd warns 'Received LLDPDU from an unknown interface :12.1'

Component: Local Traffic Manager

Symptoms:
Erroneous warning messages from lldpd about internal system interfaces:

    hostname warning lldpd[12345]: 01570005:4: Received LLDPDU from an unknown interface :11.1

Conditions:
-- Link Layer Discovery Protocol (LLDP) is enabled.
-- Virtual-wire configured.

Impact:
Continual warning messages from lldpd.

Workaround:
None.

Fix:
This error conditions has been corrected.

---

869361 : Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated

Component: Global Traffic Manager (DNS)

Symptoms:
Load balance methods for Link Controller inbound wide IP are always set to default values when the load balancing method is updated through GUI.

Conditions:
-- Multiple inbound wide IPs are configured;
-- Load balancing methods are updated through GUI once.

Impact:
Unable to manage wide IPs through the GUI.

Workaround:
Use tmsh to manage Inbound WideIPs.

---

868721 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

Fix:
Add a check for this scenario so transactions will be released correctly.

---

868641 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.

---

868381 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.

---

868349 : TMM may crash while processing iRules with MQTT commands

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing iRules for MQTT profiles.

Conditions:
-MQTT profile.
-MQTT iRule.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes MQTT iRules as expected.

---

868097 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243

---

868053 : Live Update service indicates update available when the latest update was already installed

Component: Application Security Manager

Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.

Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.

Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.

Workaround:
None.

Fix:
The Live Update service no longer displays a false message regarding updates available.

---

867825 : Export/Import on a parent policy leaves children in an inconsistent state

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.

Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.

---

867793 : BIG-IP sending the wrong trap code for BGP peer state

Component: TMOS

Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.

Fix:
BIG-IP now sends the correct trap code for BGP peer state.

Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state that is being transition into. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.

---

867749 : Route Domain Active Rules stats are cleared when a rule list is modified

Component: Advanced Firewall Manager

Symptoms:
In the Active Rules page, when you select a Route Domain context, then modify this policy to add a new rule and then cancel the new rule, the new rule is removed, but the count values of the other rules are reset to 0.

Conditions:
New rule is canceled before addition.

Impact:
Active Rules stats are cleared when a rule list is modified. Incorrect stats are reported.

Workaround:
None.

---

867745 : Active Rules for Route Domain are not listed in GUI inline editor

Component: Advanced Firewall Manager

Symptoms:
Route domain does not show attached policies.

Conditions:
This occurs in the foloowjg scenario:

1. Configure Route domain with Firewall policy.

2. In Security :: Network Firewall :: Active rules, select specified Route Domain to view policy details.

3. Set the Inline Rule Editor option in Security :: Options :: Network Firewall :: Firewall Options Inline Rule Editor to Enabled.

Impact:
Cannot see policy information for Route Domains.

Workaround:
Use legacy Active rules editor. To do so, set the Security :: Options :: Network Firewall :: Firewall Options Inline Rule Editor option to Disabled.

---

867633 : Need to be able to set a higher Subroutine timeout value

Component: Access Policy Manager

Symptoms:
The Subroutine Timeout value for a Per-Request Access Policy cannot be set higher than 300 seconds (5 minutes).

Conditions:
This is encountered while configuring per-request access policies.

Impact:
You are unable to set a subroutine timeout value longer than five minutes.

Workaround:
None.

Fix:
Maximum allowed value for Subroutine Timeout in Per-Request Access Policy was increased to 900 seconds (15 minutes).

Behavior Change:
The maximum allowed value for Subroutine Timeout in a Per-Request Access Policy is now 900 seconds (15 minutes). In previous releases, it was 300 seconds (5 minutes).

---

867373 : Methods Missing From ASM Policy

Component: Application Security Manager

Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.

Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.

Impact:
All traffic is blocked for the policy.

Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.

Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.

---

867257 : CONNECT_RESET_ERROR is reported when Subroutine Timeout is reached for HTTP connections

Component: Access Policy Manager

Symptoms:
The system reports a CONNECT_RESET_ERROR when the Subroutine Timeout is reached for HTTP connections.

Conditions:
You do not proceed with a policy action within a subroutine until the subroutine timeout interval is reached.

Impact:
You cannot complete Per-Request Policy definition after a long period of inactivity.

Workaround:
None.

Fix:
You can now restart the Per-Request Policy Subroutine for a certain period after Subroutine Timeout is reached. The previous behavior was to reject requests for expired subroutine with CONNECTION_RESET_ERROR.

Behavior Change:
You can now restart the Per-Request Policy Subroutine for a certain period after the subroutine timeout interval passes. The previous behavior was to reject requests when the expired Subroutine Timeout was reached for HTTP connections, at which point the system reported the CONNECTION_RESET_ERROR.

---

867181 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.

---

867013 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.

---

866925 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.

---

866685 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.

---

866481 : TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode

Component: Local Traffic Manager

Symptoms:
TMM may sometimes core when HTTPMR proxy attempts to go into passthrough mode

Conditions:
-- HTTP profile is attached to the virtual.
-- httprouter profile is attached to the virtual.
-- HTTP goes into passthrough mode for any of the variety of reasons.

Impact:
Traffic disrupted while tmm restarts.

---

866357 : Improvement to MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction

Component: Service Provider

Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.

Conditions:
Some applications require removal of the persistence entry upon successful completion of a transaction. Other applications require removal upon unsuccessful completion of a transaction.

Impact:
iRule script is required.

Workaround:
Systems requiring automatic removal of a session persistence entry must write iRule scripts that inspect the answer message for its success and then use the DIAMETER::persist reset iRule command.

Fix:
It is not possible to instruct the system to automatically remove a persistence entry based on the result status of a answer message.

---

866161 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.

---

866109 : JWK keys frequency does not support fewer than 60 minutes

Component: Access Policy Manager

Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:

01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.

Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.

Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.

Workaround:
Use a value of 60 minutes or higher.

Fix:
Auto discovery frequency now supported values lower than 60 minutes.

---

866073 : Add option to exclude stats collection in qkview to avoid very large data files

Component: TMOS

Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:

qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938

Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.

Impact:
Qkview files may not be able to be parsed by the iHealth service.

Also, memory allocation error messages may be displayed when generating qkview.

Workaround:
None.

Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.

Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.

---

866021 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.

---

865981 : ASM GUI and REST become unresponsive upon license change

Component: Application Security Manager

Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.

Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).

Impact:
ASM user interfaces are unresponsive.

Workaround:
Kill asm_config_server.pl or restart ASM

Fix:
Fixed the deadlock race condition.

---

865897 : Unexpected reset upon long requests when ip is whitelisted

Component: Application Security Manager

Symptoms:
Unexpected reset upon big requests when ip is whitelisted

Conditions:
The request exceeds max buffer size violation is turned on.
The source IP is set to never block.

Impact:
The request is answered with a reset.

Workaround:
A workaround is to turn on session tracking on the same policy. You may turn off all the other properties for the session tracking (so it won't do anything).

Fix:
Added more scenarios where unblock can't actually happen and the long request will be enforced only in the headers.

---

865461 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.

---

865329 : WCCP crashes on "ServiceGroup size exceeded" exception

Component: TMOS

Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.

Conditions:
Have WCCP service groups configured.

Impact:
WCCP throws an exception and crashes.

Workaround:
None.

---

865289 : TMM crash following DNS resolve with Bot Defense profile

Component: Application Security Manager

Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.

Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
TMM no longer crashes when Bot Defense is enabled and network DNS is configured.

---

865241 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.

---

865065 : Bot Defense "User Agent Spoofing" Anomaly False Positive using Firefox on Fedora

Component: Application Security Manager

Symptoms:
Firefox browser, when running on Fedora Distribution, which accesses the Virtual Server which has Bot Defense profile could trigger a false positive of the "User Agent Spoofing" anomaly.

Conditions:
-- Bot Defense profile is associated with the Virtual Server
-- Client uses Firefox running on Fedora GNU/Linux

Impact:
The client may get blocked.

Workaround:
On the Bot Defense Profile, add an exception to "User Agent Spoofing" with the action set to Alarm or None.

Fix:
Firefox browsers running on Fedora GNU/Linux no longer trigger the User Agent Spoofing anomaly.

---

865053 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.

---

864989 : Remote logger violation_details field content appears as "N/A" when violations field is not selected.

Component: Application Security Manager

Symptoms:
When remote logger is enabled and violation_details field is selected for output, but violations field is not selected - content of violation_details field appears as "N/A".

Conditions:
- Remote logger is enabled;
- violation_details field is selected for output;
- violations field is not selected for output;
- violation is detected and reported to remote logger.

Impact:
Remote logger will not contain violation_details in report.

Workaround:
Enable violations field for remote logging.

Fix:
ASM code was fixed to report violation_details field independently of violations field.

---

864897 : TMM may crash when using "SSL::extensions insert"

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
iRule with "SSL::extensions insert"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

864761 : GUI: virtual server from NOT Common partition can be selected during creation policy in Common partition

Component: Application Security Manager

Symptoms:
If you create a policy in the Common partition, then virtual servers from the other non-Common partitions are visible and can be selected when they should not be visible.

Conditions:
1)Create partition First
2)Create default policy with virtual server in partition First
3)Switch partition to Common
4)Go to "Security ›› Application Security : Security Policies : Policies List"
5)Create new policy and look at list of available virtual servers to select

Impact:
Virtual server from non-Common partitions can be selected during creation of a policy in the Common partition

Workaround:
N/A

Fix:
Only virtual servers from Common partition can be selected during creation policy in Common partition.

---

864677 : ASM causes high mcpd CPU usage

Component: Application Security Manager

Symptoms:
-- CPU utilization is high on the odd-numbered cores.

-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score

Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.

Impact:
Elevated CPU usage.

Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.

-- Restart ASM:
bigstart restart asm

Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.

---

864513 : ASM policies may not load after upgrading to 14.x or later from a previous major version★

Solution Article: K48234609

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.

---

864441 : OpenSSL vulnerabilities: CVE-2019-1547, CVE-2019-1551, CVE-2019-1552, CVE-2019-1563

Component: Local Traffic Manager

Symptoms:
[1] Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
[2] For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
[3] Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
[4] Document issue with installation paths in diverse Windows builds (CVE-2019-1552)
[5] Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)

Conditions:
[1] Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
[2] For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
[3] Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
[4] Document issue with installation paths in diverse Windows builds (CVE-2019-1552)
[5] Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)

Impact:
[1] Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
[2] For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
[3] Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
[4] Document issue with installation paths in diverse Windows builds (CVE-2019-1552)
[5] Fixed an an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)

Workaround:
None

Fix:
Upgrade OpenSSL to 1.0.2u

---

864321 : Default Apache testing page is reachable at <mgmt-ip>/noindex

Component: TMOS

Symptoms:
For BIG-IP v14.1.x and later, the default testing page of the Apache web-server is accessible at <mgmt-ip>/noindex.

Conditions:
This is encountered when navigating to the /noindex page from the web browser.

Impact:
Limited information about the Apache web server and its operating system is available to users with access to the mgmt port interface.

Workaround:
None.

Fix:
/noindex now returns a 403 Forbidden Error Response.

---

864109 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506

---

863609 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.

---

863285 : Incorrect value (icmpv6) is used when RuleList/Rule/Protocol is set to ICMPv6 via UI.★

Component: Advanced Firewall Manager

Symptoms:
/config/bigip_base.conf fails with following error

Syntax Error:(/config/bigip_base.conf at line: 619) "ip-protocol" unknown protocol "icmpv6"

Conditions:
From WebUI, user configures Rule List -> Rule -> Protocol and selects "icmpv6" from drop down

Impact:
Failure to load configuration during upgrade or discovery by BIG-IQ

Workaround:
Set the protocol attribute via tmsh

 modify security firewall rule-list test rules modify { test { ip-protocol ipv6-icmp } }

---

863165 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.

---

863161 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.

---

863069 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php

---

862793 : ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation

Component: Application Security Manager

Symptoms:
When ASM detects "virus" (with help of external icap server), the response page will be JS-Challenge instead of blocking.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Anti-Virus protection enabled in ASM policy.
-- ASM finds a virus in a request.

Impact:
-- End user client gets JS-Challenge response instead of blocking page.
-- End user does not see ASM support ID.
-- Browser can run the JavaScript and resend the request to ASM, which is then forwarded to the backend server.

Workaround:
None.

Fix:
The software now replies with the blocking page, including the ASM support ID.

---

862693 : PAM_RHOST not set when authenticating BIG-IP using iControl REST

Component: TMOS

Symptoms:
The missing PAM_RHOST setting causes the radius packet to go out without the calling-station-id avp

Conditions:
1. Configure radius server and add it to BIG-IP
tmsh create auth radius system-auth servers add { myrad }

2. modify auth source type to radius
tmsh modify auth source { type radius }

3. try to authenticate to BIG-IP using iControl REST

Impact:
Remote authentication using iControl REST is not allowed based on calling-station-id

---

862597 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.

---

862557 : Client-ssl profiles derived from clientssl-quic fail validation

Component: Local Traffic Manager

Symptoms:
After configuring a clientssl-quic profile, you get a validation error:

01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Workaround:
Modify the clientssl-quic profile to have the following properties:
    cipher-group quic
    ciphers none
This requires the following additional config objects:
ltm cipher group quic {
    allow {
        quic { }
    }
}
ltm cipher rule quic {
    cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
    description "Ciphers usable by QUIC"
}

Fix:
Update the built-in configuration to pass validation.

---

862413 : Broken layout in Threat Campaigns and Brute Force Attacks pages

Component: Application Security Manager

Symptoms:
Horizontal scroll added to the page unnecessarily.

Conditions:
This occurs when viewing the Threat Campaigns or Brute Force Attacks page in any browser

Impact:
The horizontal scroll bar breaks the intended page layout.

Workaround:
N/A

Fix:
Layout fixed

---

862337 : Message Routing Diameter profile fails to forward messages with zero length AVPs

Component: Service Provider

Symptoms:
Message Routing Diameter profile does not forward diameter messages that include an AVP with a zero (0) length data field.

Conditions:
-- A virtual server with an Message Routing Diameter Profile.
-- A diameter message containing an AVP with a zero length data field.

Impact:
Diameter messages with zero length AVPs are not forwarded as expected.

Workaround:
None.

Fix:
Message Routing Diameter now forwards diameter messages containing zero length AVPs.

---

860881 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.

---

860617 : Radius sever pool without attaching the load balancing algorithm will result into core

Component: Access Policy Manager

Symptoms:
Tmm crashes after configuring a radius server pool.

Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.

Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Pool selection counter gets incremented and message will be freed.

---

860517 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.

---

860349 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.


> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon

---

860317 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.

---

860245 : SSL Orchestrator configuration not synchronized across HA peers after upgrade from 14.1.2.x

Component: TMOS

Symptoms:
The SSL Orchestrator configuration is not synced properly across the high availability (HA) configuration.

The REST framework versions are different on the devices.

Conditions:
-- BIG-IP devices configured for HA.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSL Orchestrator configuration does not sync across BIG-IP HA peers.

Workaround:
The following steps are required on all HA, first on the active and then on the standby BIG-IP devices.

1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

Fix:
The following procedure is always required when upgrading from BIG-IP v14.1.2:

Perform the following on both/all HA peers, first on the active and then on the standby BIG-IP device.

1. Open a BIG-IP terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

---

860021 : GenericMessage no-response messages are wrongly counted as responses in message stats

Component: Service Provider

Symptoms:
When using GenericMessage with no-response enabled, the messages are considered neither requests nor responses, but they are being counted as responses in the message stat counters.

Conditions:
Using Generic Message with no-response enabled, sending messages, and viewing the stats produced.

Impact:
Confusing logging of no-response messages as responses may spark concern over the lack of corresponding request messages logged in the stats.

Workaround:
None.

Fix:
Added a new set of stats for 'other' messages. This category corresponds to the count for messages that are considered neither requests nor responses.

---

860005 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.

---

859721 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core

---

859113 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using "reject" iRules command inside "after" no longer cause core.

---

859089 : TMSH allows SFTP utility access

Component: TMOS

Symptoms:
The TMSH configuration shell allows users with the Resource Administrator role access to the SFTP command-line utility.

Conditions:
Administrative users with TMSH access and the Resource Administrator role.

Impact:
Resource Administrators have access to the SFTP utility.

Workaround:
None.

Fix:
TMSH no longer allows users with the Resource Administrator role to access the SFTP utility.

Behavior Change:
TMSH users in the Resource Administrator role no longer have access to the SFTP utility. Users may be granted to the Administrator role to provide SFTP access from inside TMSH.

---

858769 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.

Fix:
With the net-snmp 5.8 libraries there is SHA-2 support for longer SHA and AES keys. New options are: SHA-224, 256, 384, and 512 and AES-192, 192-C, 256, 256-C.

---

858537 : CVE-2019-1010204: Binutilis Vulnerability

Solution Article: K05032915

---

858445 : Missing confirmation dialog for apply policy in new policy pages

Component: Application Security Manager

Symptoms:
There is no confirmation dialog for applying a policy.

Conditions:
This occurs when visiting any policy page available from the policies list.

Impact:
Without a confirmation dialog, it is easier to apply a policy by mistake

Workaround:
N/A

Fix:
Confirmation dialog was added to prevent user from running Apply policy by mistake

---

858429-1 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.

---

858349 : TMM may crash while processing SAML SLO traffic

Component: Access Policy Manager

Symptoms:
Under certain conditions, TMM may crash while processing SAML SLO traffic.

Conditions:
-SAML SLO configured.

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes SAML SLO traffic as expected.

---

858301 : HTTP RFC compliance now checks that the authority matches between the URI and Host header

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.

Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.

Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.

Workaround:
None.

Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.

HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.

---

858297 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This miss-match in parsing may lead to a security hole.

Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.

Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.

Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.

Workaround:
None.

Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.

HTTP PSM can now be configured to reject multiple Host headers.

---

858285 : HTTP parsing of Request URIs with spaces in them has changed

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
An HTTP request URI with a white-space character in it is malformed. The HTTP parser now will handle this as a HTTP/0.9 style request, rather than a HTTP/1.x request.

Conditions:
The uri in an HTTP request has a horizontal tab or space character within it.

Impact:
The detected HTTP version changes. HTTP version 0.9 may be blocked by other security modules. This allows detection and blocking of this kind of malformed HTTP requests.

Workaround:
None.

Fix:
HTTP request URI's with white-space in them are now parsed as HTTP/0.9 style requests. Such requests do not have headers, so only the first line will be emitted to the server.

Other security modules may disallow HTTP/0.9 style requests. In particular, if the HTTP profile RFC compliance option is enabled, then this form of request will be rejected.

---

858229 : XML with sensitive data gets to the ICAP server

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.

---

858189 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

---

858173 : SSL Orchestrator RPM not installed on HA-peer after upgrade from 14.1.2.1

Component: TMOS

Symptoms:
With BIG-IP devices configured in high availability (HA) mode, with SSL Orchestrator configured, when upgrading from v14.1.2 to v15.1.x or newer, the SSL Orchestrator configuration is not synced properly across the HA configuration.

This problem is caused by a REST framework sync issue between the devices in the high availability (HA) pair.

Conditions:
-- BIG-IP devices configured in HA mode.
-- SSL Orchestrator configured.
-- Upgrading from v14.1.2 to v15.1.x or newer.

Impact:
SSLO configuration not syncing across the BIG-IP HA pair.

Workaround:
The following steps are required on both HA peers, first on the active and then on the standby BIG-IP device.

1. Open a terminal session with admin/root level access.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

Fix:
The following procedure is always required when upgrading from 14.1.2:

Perform the following on both HA peers, first on the active and then on the standby BIG-IP device.

1. Open a terminal session with admin/root level access on BIG-IP.
2. Run the following commands, in the order specified:

bigstart stop restjavad
rm -rf /shared/em/ssl.crt/*
bigstart start restjavad
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
restcurl -X DELETE shared/gossip-conflicts
restcurl -X DELETE shared/device-certificates
restcurl -X POST -d '{"generateKeyPair": true}' shared/device-key-pair
bigstart restart restjavad restnoded

---

858025 : Proactive Bot Defense does not validate redirected paths

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.

---

857845 : ASSERTs in hudproxy_tcp_repick() converted into an OOPS

Component: Local Traffic Manager

Symptoms:
Hudproxy_tcp_repick() asserts that no data is present.

Example of assertion in /var/log/tmm:
notice panic: ../modules/hudproxy/tcp/tcp_proxy.c:1610: Assertion "server drained" failed.

Conditions:
If data is present, then assertion fails.

Example of how to recreate ("server drained" failed):
-The virtual server uses an iRule containing both the TCP::collect and LB::detach statements.
-The LB::detach statement is not applied in a USER_REQUEST or USER_RESPONSE event.
-The server-side connection is detached before the TCP::collect has been drained.

Impact:
BIG-IP fails to process traffic when asserts fail.

Workaround:
There is no work around.
To avoid ("server drained" failed):
-Use TCP::notify to generate a USER_REQUEST or USER_RESPONSE event, and detach the server connection within the event.
For more information, refer to DevCentral iRules on TCP::notify.

Fix:
Convert ASSERT statements into OOPS statements. OOPS logs according to the log db variable setting and allows for a core if the db key is set.

db variables:
tmm.oops
tmm.coredump

---

857677 : Security policy changes are applied automatically after asm process restart

Component: Application Security Manager

Symptoms:
Changes in security policy are applied after ASM restart. This may activate unintended enforcement.

Conditions:
Restart ASM.

Impact:
Potentially unintended activation of new security entities.

Workaround:
None.

---

857633 : Attack Type (SSRF) appears incorrectly in REST result

Component: Application Security Manager

Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.

Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.

Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.

Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:

DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";

---

857589 : On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed'

Component: Access Policy Manager

Symptoms:
On the Citrix Workspace app, clicking 'Refresh Apps' after signing out fails with message "Refresh Failed" with v15.1.x

Conditions:
-- Running the Citrix Workspace all.
-- Clicking 'Refresh Apps' after signing out.
-- Running software v15.1.x.

Impact:
The system reports a 'Refresh failed' error, and the app must to be reset.

Workaround:
None.

Fix:
The system now shows a prompt/pop-up for credentials and signs-in successfully.

---

856961 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Component: TMOS

Symptoms:
This is a known issue.
A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor.

Conditions:
This is hardware issue and following processors are vulnerable.
Xeon
Pentium Gold
Core X-series
Core i
Celeron G

Impact:
A privileged guest user may use this flaw to induce a hardware Machine Check Error (MCE) that halts the host processor and results in a denial-of-service (DoS) scenario.

Workaround:
There is no workaround.

Fix:
Fix to mitigate CVE-2018-12207 has been included under linux kernel source.

---

856953 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.

Fix:
TMM no longer cores.

---

856721 : GUI shows SSL client certificate LDAP authentication module with LTM License

Component: Performance

Symptoms:
GUI shows SSL client certificate LDAP authentication module with LTM License.

Conditions:
-- BIG-IP LTM Good-level license installed.
-- Active licenses include APM-limited and APM Web.
-- Below configuration object in GUI lists 'SSL client certificate LDAP' in drop-down.

Local Traffic :: Profiles :: Authentication :: Configurations :: New Authentication Configuration

Impact:
'SSL client certificate LDAP' is visible in GUI with 'LTM only' licensed. It should not be visible without APM.

Workaround:
None.

Fix:
GUI now lists 'SSL client certificate LDAP' only when APM module is allocated. This is correct behavior.

---

854493 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.

---

854177 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.

---

853989 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.

Fix:
Dosl7 code has been fixed and do not populate string to the ArcSight numeric type fields anymore.

---

853613 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.

---

853545 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.

---

853537 : Partial loss of tmstat pool memeber statistics

Component: Application Visibility and Reporting

Symptoms:
When a pool contains members with the same IP but different route domain, the statistics are reported only for the first member.

Conditions:
A pool contains members with same IP but different route domain.

Impact:
Partial loss of pool member statistics.

Workaround:
A pool should not contain members from different route domains.

Fix:
The route domain within a pool should be aggregated.

---

853325 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.

Fix:
TMM does not crash when Passthrough mode is enabled in SSO, and SSO receives any valid form in a response.

---

853269 : Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages in case of complex role user

Component: Application Security Manager

Symptoms:
Incorrect access privileges to "Policy List" and "Security Policy Configuration" pages are given

Conditions:
User has a complex role, e.g. ASM Admin in partition A and Guest in partition B

Impact:
User with complex role gets incorrect privileges in "Policy List" and "Security Policy Configuration" pages

Workaround:
N/A

Fix:
Users with complex role user get correct access privileges to "Policy List" and "Security Policy Configuration" pages

---

853233 : GUI: virtual server from Common partition can be selected during policy creation in different partition

Component: Application Security Manager

Symptoms:
If you create a policy in a partition other than Common, then virtual servers from the Common partition are visible and can be selected when they should not be visible.

Conditions:
1)Create default policy with virtual server in partition Common
2)Create partition First
3)Go to "Security ›› Application Security : Security Policies : Policies List"
4)Select partition First
5)Create new policy and look at list of available virtual servers to select

Impact:
Virtual server from Common partition can be selected during creation policy in different partition

Workaround:
N/A

Fix:
Virtual server from Common partition can not be selected during creation policy in different partition. Only virtual server from the same partition can be selected.

---

853177 : 'Enforcement Mode' in security policy list is shown without value

Component: Application Security Manager

Symptoms:
The 'Enforcement Mode' field in the security policy list has no value.

Conditions:
Security policy list in the GUI is sorted by 'last modified'.

Impact:
Security policy list page has empty 'Enforcement Mode' field.

Workaround:
None.

---

853161 : Restjavad has different behavior for error responses if the body is over 2k

Component: TMOS

Symptoms:
The error Response body from iControl REST is truncated at 2048 characters. If an iControl REST response sends an error that is longer than 2048 characters, the truncated response will not contain valid JSON.

Conditions:
This occurs when iControl REST error messages are longer than 2048 characters.

Impact:
The error response body is deformed when the length of the error body is more than 2k characters

Fix:
Restjavad no longer truncates error response messages at 2048 characters.

---

853145 : TMM cores in certain scenarios with SSL Forward Proxy Bypass

Component: Local Traffic Manager

Symptoms:
TMM cores in certain scenarios with SSL Forward Proxy Bypass.

Conditions:
-- Virtual server with SSL profiles.
-- SSL Forward proxy is enabled.
-- SSL Forward proxy bypass is enabled.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
In SSL Forward proxy, profile in SSL context may be dropped. Check for NULL before accessing the profile.

---

853101 : ERROR: syntax error at or near 'FROM' at character 17

Component: TMOS

Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.

Conditions:
Enabled turboflex-security and AFM module.

Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.

Workaround:
None.

Fix:
Correct isAFMProvisioned check was added to wrap database connection deallocation

---

852953 : Accept Client Hello spread over multiple QUIC packets

Component: Local Traffic Manager

Symptoms:
A QUIC connection does not complete the handshake successfully when the Client Hello spans multiple initial packets.

Conditions:
-- QUIC is in use.
-- A Client Hello is received that spans multiple packets.

Impact:
QUIC is unable to process a Client Hello that spans multiple packets.

Workaround:
None.

Fix:
QUIC now accepts a Client Hello that spans multiple packets.

---

852949 : GTM SIP Monitors cannot log to /var/log/monitors/

Component: Global Traffic Manager (DNS)

Symptoms:
You see an error in /var/log/gtm:

err big3d[8363]: 01330021:3: When creating an external monitor, failed to redirect stderr to /var/log/SIP__Common_my_sip_tls.::ffff:10.10.10.10..5061.log : Permission denied

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Error messages and inability to fully log.

Workaround:
None.

Fix:
Fixed an issue preventing GTM SIP monitor issues from logging to /var/log/monitors/.

---

852929 : AFM WebUI Hardening

Component: Advanced Firewall Manager

Symptoms:
The AFM WebUI does not follow current best practices.

Conditions:
-- AFM provisioned.
-- Administrative user authenticated.

Impact:
AFM WebUI does not follow current best practices.

Workaround:
None.

Fix:
AFM WebUI now follows current best practices.

---

852917 : Accept-Encoding header is removed when websso form-based is used

Component: Access Policy Manager

Symptoms:
Service published behind LTM-APM virtual server type, with forms-based single sign-on showing ??? characters for non-English languages.

Conditions:
-- Form-based single sign-on (SSO) is configured for a virtual server.
-- Non-English characters exist.

Impact:
The Accept-Encoding header may be removed.

Workaround:
Add the following iRule:
when HTTP_REQUEST_RELEASE {
  if { [HTTP::header exists "Accept-Encoding"] } {
    HTTP::header replace "Accept-Encoding" "gzip, deflate"
  } else {
    HTTP::header insert "Accept-Encoding" "gzip, deflate"
  }
}

Fix:
Accept-Encoding header is removed only when the log level for SSO is set to Debug. Accept-Encoding remains untouched for all other log levels.

---

852873-1 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead the system treats those as L2 multicast frames and forwards between 2 interfaces.

Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.

Workaround:
None.

Fix:
Traffic with Destination MAC as PVST+ (01:00:0c:cc:cc:cd) or STP (01:80:c2:00:00:00) is sent to the BIG-IP system, egress traffic is monitored to check that MAC is dropped when either or both of the following db variables is enabled or vice-versa:
bcm56xxd.rules.badpdu_drop
bcm56xxd.rules.lldp_drop

---

852861 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario

Component: Local Traffic Manager

Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.

Impact:
TMM cores intermittently.

Workaround:
No workaround.

Fix:
Defer sending of early keys from SSL to QUIC. This results in delaying of ingress decryption. HTTP/3 is initialized before receiving decrypted data.

---

852577 : [AVR] Analytic goodput graph between different time period has big discrepancy

Component: Application Visibility and Reporting

Symptoms:
The incorrect goodput value is showing on the GUI > Analytics > TCP > Goodput.

Conditions:
AVR is provisioned
Running TCP related traffic (with the amount that can exceeds the MAX_INT value in any aggregation level).

Impact:
AVR statistics for TCP goodput may be incorrect.

Workaround:
There is no workaround at this time.

Fix:
Goodput field has changed to be 64bit instead of 32bit.

---

852445 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535

---

852437 : Overly aggressive file cleanup causes failed ASU installation

Solution Article: K25037027

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates (ASU) is too aggressive and may delete needed files in the middle of installation itself, which causes the update to fail.

Conditions:
An ASU runs at the same time as the file cleanup task.

Impact:
The ASU fails to complete successfully.

Workaround:
The default clean interval is 300 seconds (5 minutes).

1. Run the following command to monitor the clean activity:
#tailf /var/log/ts/asmcrond.log | grep CleanFiles

2. Watch for following message in the log:
asmcrond|INFO|Mar 20 21:54:44.389|24036|F5::PeriodicTask::Base::run,,Running Task: CleanFiles

3. Upgrade the ASU immediately.


If 5 minutes is not enough, you can increase the clean interval.

1. Adjust the interval in the /etc/ts/tools/asmcrond.cfg file:

From:
[CleanFiles]
Interval=300

To:
[CleanFiles]
Interval=3000

Important: Do not set Interval too high. 50 minutes (3000 seconds) should be enough.

2. Restart the asmcrond by killing the process. It respawns after several seconds.
ps -ef | grep asmcrond
kill <pid>

3. Monitor the asmcrond.log until you see another Cleanfiles log message.
# tailf /var/log/ts/asmcrond.log | grep CleanFiles

4. Install the ASU; the temp files can stay in the folder for 50 minutes.

5. After the ASU is installed, change the interval back to 300 and restart asmcrond.

6. Make sure asmcrond has been started correctly.
# ps -ef | grep asmcrond
# tailf /var/log/ts/asmcrond.log

Fix:
The directory cleanup does not clean up files that are being actively used for an installation.

---

852429 : "ASM subsystem error" logged when creating policies

Component: Application Security Manager

Symptoms:
After creating certain security policies, errors are logged to /var/log/asm:

crit g_server_rpc_handler_async.pl[2328]: 01310027:2: ASM subsystem error
(asm_config_server.pl,F5::DbUtils::insert_data_to_table): Row 7 of table PLC.PL_SUGGESTIONS is missing viol_index () -- skipping
N

Conditions:
This occurs when creating security policy based on the following security templates:
- drupal
- owa
- sharepoint
- wordpress

Impact:
Misleading errors are logged in ASM log file; they can be safely ignored.

---

852373 : HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection breaks and Tcl error is logged in /var/log/ltm similar to the following:

TCL error: /Common/http2_disable <CLIENT_ACCEPTED> - Unknown error (line 1) (line 1) invoked from within "HTTP2::disable".

Conditions:
Any of the following Tcl commands are used in any iRule event: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside.

Impact:
HTTP/2 traffic is not passed to the serverside.

Workaround:
Do not use the following Tcl commands: HTTP2::enable, HTTP2::enable clientside, HTTP2::disable, HTTP2::disable clientside

Fix:
When the previously mentioned Tcl commands are used in appropriate HTTP iRule events, such as CLIENT_ACCEPTED, HTTP/2 filter is put into passthrough mode and traffic is delivered to the server.

---

852313 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.

Fix:
Fixed an issue, where 'VMware View Logon Page' agent configured with 'Kerberos Authentication' does not process logon requests after some time.

---

852289 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.

---

852101 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.

---

852001 : High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously

Component: TMOS

Symptoms:
When using more than 4 BIG-IP devices connected in a device cluster, and adding 2 more devices to the trust domain, the mcpd processes of each device may get into a sync loop. This causes mcpd to reach up to 90% CPU utilization during this time, and causes other control-plane functionality to halt. This state may last 10-20 minutes in some cases, or continuous in other cases.

Conditions:
-- More than 4 BIG-IP devices are configured in a trust domain configuration.
-- Adding at least 2 more devices to the trust domain, one after the other, without waiting for the full sync to complete.
-- ASM, FPS, or DHD (DOS) is provisioned.

Impact:
High CPU utilization, GUI, TMSH, and REST API not responding or slow-responding, other system processes halted.

Workaround:
When adding a BIG-IP device to the trust domain, before adding any other device, wait a few minutes until the sync is complete, and no more sync logs display in /var/log/ltm.

Fix:
MCPD no longer utilizes high CPU resources when adding simultaneously 4 or more devices to CMI.

---

851857 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.

---

851789 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.

---

851785 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences excessive kernel page allocation failures.

---

851745 : High cpu consumption due when enabling large number of virtual servers

Component: Advanced Firewall Manager

Symptoms:
Observed autodosd CPU burst

Conditions:
Enable autodosd and a large number of virtual servers

Impact:
High cpu utilization in autodosd

Workaround:
Disable autodosd

Fix:
Has been fixed in 15.1

---

851733 : Tcpdump messages (warning, error) are sent to stdout instead of stderr

Component: TMOS

Symptoms:
Tcpdump error and warning messages are sent to stdout. This causes issues when the packet capture is sent to a file, and standard programs such as Wireshark do not understand the error message strings and error.

Conditions:
-- tcpdump used to capture packets.
-- tcpdump stdout redirected to a file.
-- The capture file is read by standard packet parse-and-display tools wuch as Wireshark .

Impact:
Captures cannot be analyzed from the capture file

Workaround:
None.

Fix:
Tcpdump messages are now sent to stderr. Packet dumps continue to be in stdout. A capture file contains only captured packets, and can be analyzed by any tool that understands pcap format (wuch as Wireshark, tshark etc.)

---

851581 : Server-side detach may crash TMM

Component: Local Traffic Manager

Symptoms:
TMM crash with 'server drained' panic string.

Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.

Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.

Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.

-- In cases in which the detach is triggered by LB::Detach, make sure the command is not executed when a request may still be in progress by using it in response events, for example HTTP_RESPONSE, USER_RESPONSE, etc.

Fix:
TMM does not crash no matter when the server-side detach is triggered.

---

851477 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.

Fix:
Memory allocation failures are now detected and virtual server ends up in DENY state. No connections are accepted in this state.

---

851445 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams

Component: Local Traffic Manager

Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.

Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.

Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.

Workaround:
Configure correct value of max uni-streams in QUIC profile.

Fix:
Validation added to prevent a value of less than 3 to be configured when HTTP/3 is also on the virtual.

---

851441 : Improvement to MRF to enable spreading outgoing connections across TMMs

Component: Service Provider

Symptoms:
In systems with a low number of connections, these connections may all exist on the same TMM. This causes uneven CPU usage and prematurely limits maximum message throughput.

Conditions:
-- Systems with a low number of connections.
-- Connections are not evenly distributed between TMMs.
-- This issue is exacerbated when the maximum message throughput is set to a lower value.

Impact:
-- Uneven CPU usage.
-- The system will likely not reach the expected throughput.

Workaround:
None.

Fix:
With this change, the system can be configured to create new outgoing connections on a different TMM than the TMM that is processing the traffic. This enables better CPU distribution and higher throughput.

---

851393 : Tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
-- IPsec is enabled.
-- Booting up the system.

Impact:
A zombie 'rm' process exists. There should be no other impact.

Workaround:
None.

---

851353 : Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request

Component: Local Traffic Manager

Symptoms:
Invalid pseudo header or malformed header in an HTTP/3 request should result in resetting of the stream with error code of HTTP3_GENERAL_PROTOCOL_ERROR. Instead the connection is reset with HTTP3_UNEXPECTED_FRAME error code.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL, and httprouter profiles.
-- HTTP/3 header frame from client with invalid or malformed header is received.

Impact:
Connection is reset with incorrect error code, instead of just the individual stream.

Workaround:
No workaround.

Fix:
Correct return code is now propagated from the parser function.

---

851345 : The TMM may crash in certain rare scenarios involving HTTP/2

Component: Local Traffic Manager

Symptoms:
The HTTP/2 Gateway configuration is used without the HTTP MRF Router.

The TMM may crash in rare scenarios when a stream is being torn down.

Conditions:
-- HTTP/2 is configured in the Gateway scenario.
-- The HTTP MRF Router is not used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes in rare scenarios when a stream is being torn down.

---

851101 : Unable to establish active FTP connection with custom FTP filter

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.

---

851045 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.

---

851017 : Running service --status-all hangs on db5 errror

Component: TMOS

Symptoms:
Whenever service --status-all command is given on the BIG-IP system, it hangs with the following error.

-- error: db5 error(-30969) from dbenv->open: BDB0091 DB_VERSION_MISMATCH: Database environment version mismatch
-- error: cannot open Packages index using db5 - (-30969)
-- error: cannot open Packages database in /shared/lib/rpm
-- error: db5 error(-30969) from dbenv->open: BDB0091 DB_VERSION_MISMATCH: Database environment version mismatch
-- error: cannot open Packages database in /shared/lib/rpm
-- package f5optics is not installed

Conditions:
Running the service --status-all command.

Impact:
Command hangs, which prevents seeing the entire service status.

Workaround:
None.

---

850997 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.

---

850973 : Improve QUIC goodput for lossy links

Component: Local Traffic Manager

Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.

Conditions:
The tested links are lossy (e.g, 0.1% loss probability).

Impact:
QUIC completes the data transfer in longer time.

Workaround:
N/A

Fix:
QUIC achieves similar or better goodput compared to TCP on lossy links.

---

850933 : Improve QUIC rate pacing functionality

Component: Local Traffic Manager

Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.

Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.

Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.

Workaround:
N/A

Fix:
QUIC rate pacing does not become dis-functional under some conditions anymore.

---

850873 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.

---

850777 : BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config

Component: TMOS

Symptoms:
After rebooting BIG-IP Virtual Edition (VE) deployed on a cloud provider, the instance enters LICENSE INOPERATIVE state.

Errors similar to one below are seen in an LTM log:

err chmand[4770]: Curl request to metadata service failed with error(7): 'Couldn't connect to server'.

Conditions:
- Static management IP address configuration.
- Instance is restarted.

Impact:
Instance is not operational after restart.

Workaround:
After instance is fully booted, reload the license with 'reloadlic'.

Fix:
In case of 1 NIC with static route, issuing "bigstart restart mcpd" will not be enough to bring system to the licensed state, issue "reboot" instead.

---

850677 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.

Fix:
This release supports REST access in non-UTF-8 policies.

---

850673 : BD sends bad acks to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
The bd_agents stops sending configuration in the middle of startup or a configuration change.
The policy maybe incomplete in the bd causing a wrong enforcement.

Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.

Impact:
Bd_agent hangs or restarts which may cause a complete asm restart (and failover).
A partial policy may exist in bd causing improper enforcement.

Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.

Fix:
Fixed inconsistency scenario between bd and bd_agent.

---

850633 : Policy with % in name cannot be exported

Component: Application Security Manager

Symptoms:
Policies with characters that are encoded with urlencode in name cannot be exported in GUI

Conditions:
Policies has characters that are encoded with urlencode in name

Impact:
Policy cannot be exported in GUI

Workaround:
Most policies can be cloned, and during clone user can select name without special characters. Then cloned policy can be exported.

Fix:
All policies can be exported in GUI

---

850509 : 'Decryption of the field (privatekey) for object (13079) failed' message

Component: Global Traffic Manager (DNS)

Symptoms:
During config load or system start-up, you see the following error:

01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded.

Workaround:
None.

Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.

---

850357 : LDAP - tmsh cannot add config to nslcd.conf

Component: TMOS

Symptoms:
nslcd comes as a dependency package for the nss-pam-ldapd and nslcd.conf file contains the configuration information for running nslcd.
tmsh does not support modification of nslcd.conf to include some options.

Conditions:
This would be encountered only if you wanted to do modify the nslcd configurations

Impact:
You are unable to modify nslcd configuration for some options.
 This prevents the ability to use certain ldap-based remote authentication techniques.

Workaround:
Modify nslcd.conf file to include configuration changes manually and restart the nslcd daemon with systemctl restart nslcd

---

850277 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.

---

850193 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Component: Performance

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.

---

850145 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.

Fix:
If a connection to the server has been established, pipelined requests are now processed immediately and not queued.

---

850117 : Autodosd crash after assigning dos profile with custom signatures to a virtual server

Component: Advanced Firewall Manager

Symptoms:
When attaching dos profile to virtual server, it will crash occasionally.

Conditions:
-- AFM is provisioned
-- Performing profile attachment

Impact:
Autodosd crashes and restarts.

Fix:
Add addtional check to eliminate race condition.

---

849405 : LTM v14.1.2.1 does not log after upgrade★

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP system starts up, check for failed services:

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat

---

849349 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

Fix:
Adding an option to disable CSP headers modification via sys db.

---

849269 : High CPU usage after Inheritance page opened

Component: Application Security Manager

Symptoms:
After you visit the Policy Inheritance page, there is high CPU usage in the browser until you leave the policies page.

Conditions:
This occurs when opening the Policy Inheritance page for a policy that does not have a parent.

Impact:
High CPU usage by browser

Workaround:
N/A

Fix:
Normal CPU usage for in policy pages

---

849157 : An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck

Component: TMOS

Symptoms:
The outgoing SCTP connection does not expire after attempting to INIT the maximum number of times. It then becomes stuck and does not expire when it reaches its idle-timeout, and cannot be manually deleted.

Conditions:
An outgoing SCTP connection is permitted to attempt the INIT retransmit the maximum number of times configured with no responses (accepting or aborting) from the target endpoint.

Impact:
Stale SCTP connections are left in the system and start to use up memory. Traffic may be interrupted in certain configurations, as the system thinks it is still attempting to bring up the lost SCTP connection and does not ever try to create a new one.

Workaround:
To clear the stale connections, restart tmm:
bigstart restart tmm

Note: Restarting tmm causes an interruption to traffic.

Fix:
SCTP connections now expire properly after the maximum number of INITs have been attempted and can no longer get stuck in this case.

---

849085 : Lines with only asterisks filling message and user.log file

Component: TMOS

Symptoms:
/var/log/message and /var/log/user.log files have lines that only contain asterisks.

For example:

Nov 12 10:40:57 bigip1 **********************************************

Conditions:
Snmp query an OID handled by sflow, for example:

snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Impact:
The impact is cosmetic only, however it could make reading the logs more difficult if the sflow snmp tables are constantly being queried.

Workaround:
You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template, this means that if the you upgrades, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) remount /usr as read+write:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl

4a) Open syslog.tmpl for edit:
vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

  For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_not_sflow {
not match ("sflow_agent" value("$PROGRAM"));
};

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_not_sflow);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':
tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only
    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) remount /usr as r+w:
    mount -o rw,remount /usr

2) Make a backup copy of the template:
    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:
    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:
    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:
filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

   For example:
filter f_messages {
level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
and not facility(auth, authpriv, cron, daemon, mail, news)
and not message("WA");
};

filter f_no_multi_line {
not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local message to the syslog pipe:
log {
source(local);
filter(f_no_multi_line);
destination(d_syslog_pipe);
}

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

tmsh modify /sys syslog daemon-from info
tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) remount /usr as read-only:
    mount -o ro,remount /usr

Fix:
The sflow log message that was a multiline message has been changed so that it is no longer multiline.

---

848921 : Config sync failure when importing a Json policy

Component: Application Security Manager

Symptoms:
Importing a json policy to a BIG-IP that is in a device group machine causes errors on the other devices, which leads to a sync failure.

Conditions:
This can occur when a json policy is imported to a BIG-IP that is in a device group

Impact:
Config sync fails.

Fix:
Peer devices will receive only the initial import call.

---

848777 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration will not sync to peer node.

Workaround:
None.

Fix:
Configuration now syncs to peer node successfully.

---

848757 : Link between 'API protection profile' and 'Security Policy' is not restored after UCS upload

Component: Application Security Manager

Symptoms:
Link between 'API protection profile' and 'Security Policy' created with swagger based 'API protection profile' preserved in UCS file. This link is not restored after UCS upload.

Conditions:
UCS upload.

Impact:
'API protection profile' has no link to related security policy.

Workaround:
None.

---

848673 : Portal Access message event has wrong origin if message originates from split tunneled frame

Component: Access Policy Manager

Symptoms:
Unexpected exceptions, and other issues can be visible dependent on web-application internal logic.

Conditions:
Portal Access message hat originates from a split tunneled frame; for example, in a split tunneling configuration:

    REWRITE
      *://*
    BYPASS
      *://*twitter*
      *://*twimg*

Impact:
Web-application does not operate as expected. Messages sent from the iframe with src=http://twitter.com to the main window with URL http://my.company.com can cause exception when receiving data.

Workaround:
Use a custom iRule to handle this situation.

Fix:
Portal Access message event now has the correct origin if the message originates from a split tunneled frame.

---

848445 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer

---

848405 : TMM may consume excessive resources while processing compressed HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing compressed HTTP traffic.

Conditions:
-- At least one virtual server with an http-compression profile is configured on BIG-IP.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
By removing the compression profile from the virtual servers, possible interruptions of service may be avoided.

Fix:
TMM now processes compressed HTTP traffic as expected.

---

847325 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.

Component: Local Traffic Manager

Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.

The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

The persistence types that are affected are
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)

Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

---

847109 : Very large policies could have problems with re-import

Component: Access Policy Manager

Symptoms:
Policy exported and then imported with Syntax Error:

Import error: Syntax Error:(/shared/tmp/apmom/import/p--11-02--07-34-31--208.conf at line: 976) "src-subnet" unexpected argument.

Conditions:
Elements in policy are very large (e.g., 100 KB).

Note: This is a rarely occurring issue.

Impact:
Unable to import policy.

Workaround:
None.

Fix:
Policy can now be exported and then import successfully.

---

846917 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354

---

846713 : Gtm_add does not restart named

Component: Global Traffic Manager (DNS)

Symptoms:
Running gtm_add failed to restart the named daemon.

Conditions:
Run gtm_add to completion.

Impact:
Named is not restarted. No BIND functionality.

Workaround:
Restart named:
bigstart start named

Fix:
Fixed an issue preventing 'named' from restarting after running the gtm_add script.

---

846521 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.

---

846441 : Flow-control is reset to default for secondary blade's interface

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.

---

846365 : TMM may crash while processing IP traffic

Solution Article: K35750231

---

846217 : Translucent vlan-groups set local bit in destination MAC address

Component: Local Traffic Manager

Symptoms:
Translucent vlan-groups may set the locally-unique bit in a destination MAC address when sending traffic to a pool member/client.

Conditions:
On versions earlier than 15.0.0:
- Translucent vlan-group is in use.

On v15.0.0 and later:
-- Translucent vlan-group is in use.
-- The connection.vgl2transparent db variable is enabled.

Impact:
Traffic handled by translucent vlan-groups may not work properly.

Workaround:
On versions earlier than 15.0.0, there is no workaround.

-- On version 15.0.0 and later, you can disable the connection.vgl2transparent db variable to mitigate the problem:

tmsh modify sys db connection.vgl2transparent value disable

Note: connection.vgl2transparent is disabled by default.

---

846181 : Request samples for some of the learning suggestions are not visible

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.

---

846157 : TMM may crash while processing traffic on AWS

Solution Article: K01054113

---

846137 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.

---

846073 : Installation of browser challenges fails through Live Update

Component: Application Security Manager

Symptoms:
Live Update of Browser Challenges fails installation.

Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.

Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.

Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.

Impact:
Browser Challenges update file cannot be installed.

Workaround:
None.

Fix:
Browser Challenges update file can now be installed via Live Update.

---

846057 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/

---

845933 : Unused parameters remain after modifying the swagger file of a policy

Component: Application Security Manager

Symptoms:
After you update the swagger file of a policy, some parameters that are not defined in the updated swagger may remain in the policy.

Conditions:
1. Policy contains global parameters that were added manually
2. All the URL parameters are deleted in the new swagger file

Impact:
Traffic to these parameters will not raise a violation ILLEGAL PARAMETER as expected

Workaround:
The leftover parameters need to be removed manually

---

845461 : MRF DIAMETER: additional details to log event to assist debugging

Component: Service Provider

Symptoms:
There are not enough details in log events when stale pending requests are removed.

Conditions:
An answer message is not received before the configured timeout has been reached.

Impact:
The set of arguments in the log message do not have enough information to debug why the message was not responded to.

Workaround:
None.

Fix:
New details have been added to help debug why the message was not responded to.

---

845313-1 : Tmm crash under heavy load

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to PEM subscriber IDs.

---

845057 : Azure walinuxagent has been updated to v2.2.42.

Component: TMOS

Symptoms:
Some onboarding features are not available in the version of walinuxagent earlier than v2.2.42.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42.

---

844813-1 : Inaccurate warning message for DNS resolver in bot profile

Component: Application Security Manager

Symptoms:
Bot profile requires a DNS resolver to fully operate. The DNS resolver needs to be under the default Route-Domain. A warning message displays when there is no DNS resolver, but it does not state that the DNS resolver should be configured for the default Route-Domain.

Conditions:
-- Bot defense profile (with signature enforcement) is in use.
-- DNS resolver is configured under a non-default Route-Domain.

Impact:
Warning message is inaccurate: a DNS resolver is configured (under a different route domain), but the feature does not fully operate.

Workaround:
Configure the DNS resolver under the default Route-Domain.

Fix:
This release contains a warning message that indicates that the DNS resolver should be configured under the default Route-Domain.

---

844781 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/

Fix:
Fixed an issue with an SELinux policy blocking Portal Access from processing web applications traces.

---

844689 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.

Fix:
ZoneRunner does not issue a reload command when zones are checked for updates, so no CPU usage increases occur.

---

844685 : Per-request policy is not exported if it contains HTTP Connector Agent

Component: Access Policy Manager

Symptoms:
Per-request policy cannot be exported if it contains an HTTP Connector agent.

Conditions:
-- Create a Per Request Policy.
-- In the sub-routine section, create a new sub-routine and
   attach HTTP Connector to that sub-routine.
-- After the policy creation is done, export the policy.

Impact:
Per-request policy cannot be exported and reports an error.

Workaround:
None.

Fix:
Create a valid HTTP Connector agent in tmsh and the per request policy gets exported as expected.

---

844373 : Learning suggestion details layout broken in some browsers

Component: Application Security Manager

Symptoms:
One of the suggestion details is placed incorrectly, out of alighment.

Conditions:
This occurs when you open the details for learning suggestion, e.g., based on refinement.

Impact:
Refinement title is out of line.

Workaround:
Use a different browser, if needed.

Fix:
Learning suggestion details layout now appears correctly.

---

844281 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.

Fix:
Fixed an issue with SELinux policy blocking Portal Access code from reading Java Patcher certificates.

---

844169 : TMSH context-sensitive help for diameter session profile is missing some descriptions

Component: Service Provider

Symptoms:
The tmsh context-sensitive help content for the following diameter session attributes is missing:
-- respond-unroutable
-- retransmission-action
-- retransmission-queue-limit-high
-- retransmission-queue-limit-low
-- retransmission-queue-max-bytes
-- retransmission-queue-max-messages

Conditions:
When attempting in tmsh to list a diameter session profile followed by a question mark for context-sensitive help- for example:
list ltm message-routing diameter profile session <sess-name> ?

Impact:
The specified attributes are no described.

Workaround:
These are the missing descriptions:

-- respond-unroutable: When selected (enabled), messages that do not match any known route will be transformed into an error answer message and sent to the originator of the request. When disabled, unroutable request messages are routed back to the connection where they came from. The default value is disabled.

-- retransmission-action: Specifies the action performed when retransmission has been triggered for a request message. The options are:
  1) Disabled: Retransmission is disabled. This is the default action.
  2) Busy: An answer message is generated with a TOO_BUSY result code and returned to the originator of the request.
  3) Unable: An answer message is generated with an UNABLE_TO_DELIVER result code and returned to the originator of the request.
  4) Retransmit: The request message will be retransmitted.

-- retransmission-queue-limit-high: Specifies the high watermark for the retransmission queue (in percentage). If the retransmission queue exceeds this limit, the transport window will begin closing. A value of 0 will disable closing the transport window. Valid range from 0 to 100. The default value is 90.

-- retransmission-queue-limit-low: Specifies the low watermark for the retransmission queue (in percentage). If the retransmission queue drops below this limit, the transport window will reopen. Valid range from 0 to 100. The default value is 60.

-- retransmission-queue-max-bytes: Specifies the maximum number of bytes that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 131072 bytes.

-- retransmission-queue-max-messages: Specifies the maximum number of messages that can be stored in a connections retransmission queue. A value of 0 will disable this limit. The default value is 1024 messages.

Fix:
The missing descriptions have been added to tmsh and now display properly.

---

843801 : Like-named previous Signature Update installations block Live Update usage after upgrade★

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.

---

843597 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

Fix:
We now ensure that the default setting for the vmxnet3 driver MTU is 9000.

---

843105 : Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can now be configured to collect multicast statistics for LACP, STP, and LLDP. It is controlled by a sys db variable:

l2.virtualwire.multicast.stats

It is enabled by default.

Conditions:
This is encountered when L2 wire transparent VLAN groups are configured.

Impact:
The ability to collect and read multicast statistics makes it easier to debug l2 wire setups.

Multicast statistics can be viewed in the following tmctl table:
tmctl -w250 tmm/l2_mcast_stat

Workaround:
None.

Fix:
Added new stats available like:
tmctl -w250 tmm/l2_mcast_stat

---

842937 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.

Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.

---

842865 : Add support for Auto MAC configuration (ixlv)

Component: TMOS

Symptoms:
Mac addresses are forced to be the same for ixlv trunks.

Conditions:
This happens when ixlv trunks are used.

Impact:
Mac addresses may not be as depicted on the device.

Workaround:
None.

Fix:
Unicast mac filters are used for ixlv trunks.

---

842829 : Multiple tcpdump vulnerabilities

Solution Article: K04367730

---

842625 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.

---

842265 : Create policy: trusted IP addresses from template are not shown

Component: Application Security Manager

Symptoms:
If there are trusted IP addresses in the selected template, they are not shown in GUI during policy creation

Conditions:
Create user-defined template from policy with trusted IP addresses.

Impact:
If you manually enter the same IP addresses that were in template, you may get an error message after policy creation

Workaround:
None.

Fix:
Trusted IP addresses from template are shown in policy create.

---

842189 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
Configuration including tunnels.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

---

842161 : Installation of Browser Challenges fails in 15.1.0

Component: Application Security Manager

Symptoms:
Browser Challenges default installation fails in 15.1.0 after upgrade or resetting back to default.

BIG-IP software v15.1.0 ships with a BrowserChallenges_20191121_043810.im file that does not have a proper encryption, and when trying to install the file via the Live Update page the following error occurs:

gpg: WARNING: unsafe ownership on homedir `/ts/share/negsig/gpg_asm_sigfile_installer'
gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20
      "asm_sigfile_installer"
gpg: Signature made Thu 21 Nov 2019 02:38:10 PM IST using RSA key ID BC67BA01
gpg: Can't check signature: No public key

Conditions:
Live Update file BrowserChallenges_20191121_043810.im has a different status than 'Currently Installed'.

Impact:
If the file 'BrowserChallenges_20191121_043810.im ' is the newest file then upgrade is not applicable.

Workaround:
None

Fix:
Browser Challenges update file can now be installed via Live Update.

---

842125 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.

---

842053 : Added the ability for the iRule [HTTP::version] command to report HTTP2 and HTTP3 versions

Component: Local Traffic Manager

Symptoms:
The iRule [HTTP::version] command will incorrectly report "1.1" when HTTP2 traffic is encountered.

Conditions:
--Client or server sends HTTP2 request/response.
--iRule with [HTTP::version] command is present on the virtual server

Impact:
The incorrect version will be reported by the [HTTP::version] iRule command when it sees HTTP2 traffic.

Workaround:
--Use the [HTTP2::version] command
--Use an if/else to verify that HTTP2 is being used. "if {[HTTP2::version] != 0}"

Fix:
The [HTTP::version] iRule command has been updated to return "2.0" or "3.0" if the corresponding HTTP2 or HTTP3 traffic is seen.

---

842029 : Unable to create policy: Inherited values may not be changed.

Component: Application Security Manager

Symptoms:
When you create a new child policy you see the following error in the GUI:

Could not update the Policy. Inherited values may not be changed.

Conditions:
1. Parent policy created using the Fundamental Template
  a. Differentiate between HTTP/WS and HTTPS/WSS URLs is Disabled
  b. Auto-Added Signature Accuracy set to High.
2. Parent policy contains a custom filter-based signature.
3. Child policy is created from the parent policy assigned.

Impact:
You are unable to create a policy via the GUI.

Workaround:
Use direct REST API calls or tmsh.

Fix:
Create policy will not fail.

---

841985 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.

---

841953 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.

---

841721 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.

Fix:
Fixed in Jasper

---

841649 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.

---

841577 : iControl REST hardening

Component: TMOS

Symptoms:
iControl REST does not implement current best practices.

Conditions:
-Authenticated administrative users of iControl REST.

Impact:
iControl REST does not implement current best practices.

Workaround:
None.

Fix:
iControl REST now implements current best practices.

---

841469 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.

---

841333 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

---

841285 : Sometimes apply policy is stuck in Applying state

Component: Application Security Manager

Symptoms:
The word "Applying" is displayed long after the policy has been applied.

Conditions:
This can occur when applying policies.

Impact:
It appears that Apply policy is stuck, when it is not.

Workaround:
Refresh the page, or look for the log entry in /var/log/asm

ASMConfig change: Apply Policy Task Apply Policy Task [update]: Status was set to COMPLETED.

Fix:
Apply policy state is shown correctly in GUI

---

841277 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.

Fix:
The LCD now automatically reloads once a functioning annunciator card is inserted into the left slot and the top bezel is replaced. It may take up to 10 seconds for the LCD to return to normal functionality.

---

840821 : SCTP Multihoming not working within MRF Transport-config connections

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
THe system is now able to create outgoing SCTP multihoming connections using a transport-config to define the connection.

---

840809 : If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged

Component: Advanced Firewall Manager

Symptoms:
When subscriber info changes, the log events for LSN_PB_UPDATE are not logged.

Conditions:
If subscriber info changes, for example, if a client is sending a radius message with IMSI A - LSN_PB_UPDATE logs are observed. And later when the IMSI is changed to B and another radius message is sent from the client, then LSN_PB_UPDATE log events are not observed.

Impact:
LSN_PB_UPDATE are not logged.

Fix:
Fix will send LSN_PB_UPDATE even if subscriber info is changed

---

840097 : Improvement to MRF Bidirectional Persistence to instruct logic of default direction

Component: Service Provider

Symptoms:
MRF Bidirectional Persistence makes assumptions when determining the direction to forward a message that matches a persistence entry. For some systems, the algorithm used forwards the message to the wrong endpoint.

Conditions:
-- Using MRF Bidirectional Persistence.
-- The system is attempting to forward a message that matches a persistence entry.

Impact:
Messages from the server or an alternate server are not identified as needing to be forwarded to the client. Instead they are incorrectly forwarded to back to the server.

Workaround:
None. This is an improvement.

Fix:
A new iRule command has been added to enable you to specify the direction of travel for the message if a persistence record is found.

---

839761 : Response Body preview hardening

Component: Application Security Manager

Symptoms:
The Response Body preview UI does not follow current best practices.

Conditions:
Authenticated administrative user interacts with the Response Body preview page.

Impact:
Current best practices not implemented.

Workaround:
None.

Fix:
The Response Body preview UI now implements current best practices.

---

839749 : Virtual server with specific address list might fail to create via GUI

Component: Local Traffic Manager

Symptoms:
When a user tries to create a virtual server with address list, it might fail with below shown error:

01b90011:3: Virtual Server /Common/VS1's Traffic Matching Criteria /Common/testvs1 illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/testvs2 destination address, source address, service port.

Conditions:
-- One or more virtual servers that were created via the GUI already exist on the BIG-IP system.
-- Attempt to use the GUI to create another virtual server with address list.

Impact:
Cannot create the virtual server.

Workaround:
Create the virtual server via tmsh:

-- First create the traffic matching criteria using the address list.
-- Then use the traffic matching criteria to create a virtual server.

Fix:
You can now create virtual servers with address lists directly from the GUI.

---

839597 : Restjavad fails to start if provision.extramb has large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad every few seconds typically due to failure to start and reports messages in daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800MB for v12.1.0 and earlier.
  + above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extrammb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

---

839509 : Incorrect inheritance treatment in Response and Blocking Pages page

Component: Application Security Manager

Symptoms:
Deception Response Pages is not inherited, but if common response pages are inherited, you are unable to save changes.

Conditions:
-- Deception Response Pages features licensed.
-- Parent policy selected with inheritance of response pages.

Impact:
Deception Response Pages cannot be modified.

Workaround:
None.

Fix:
Inheritance is treated correctly in Response and Blocking Pages page.

---

839453 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

---

839401 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.

Fix:
GARPs are sent out as expected.

---

839389 : TMM can crash when connecting to IVS under extreme overload

Component: Service Provider

Symptoms:
TMM might crash while attempting to connect internally to an internal virtual server (IVS) and the connection setup cannot be completed due to internal factors.

Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not crash while connecting to an IVS under extreme overload.

---

839245 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.

Fix:
TTL is now decremented by 1 on forwarded packets.

---

839141 : Issue with 'Multiple of' validation of numeric values

Component: Application Security Manager

Symptoms:
'Multiple of' validation of numeric values may not be correct in some scenarios.

Conditions:
-- Create default policy from API Security template.
-- Create default decimal parameter with 'Multiple of'=5.
-- Send request to /index.php?param=0.

Impact:
'Multiple of' validation of numeric values does not block as expected.

Workaround:
None.

Fix:
'Multiple of' validation of numeric values fixed to work in all enabled scenarios.

---

838901 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.

---

838881 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618

---

838861 : TMM might crash once after upgrading SSL Orchestrator★

Component: Access Policy Manager

Symptoms:
TMM might crash due to SIGABRT.

Conditions:
-- Session check agent is present in APM per-request policy.
-- APM Access Profile scope changes during SSL Orchestrator upgrade.
-- This issue can occur for SSL Orchestrator upgrades from 14.x to 15.x and above.

Impact:
TMM might crash once. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Session check agent now exits and terminates the flow.

---

838709 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.

---

838685 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.

---

838677 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354

---

838353 : MQTT monitor is not working in route domain.

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.

---

838297 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.

---

837837 : SSH Client Requirements Hardening

Component: TMOS

Symptoms:
In some configurations, BIG-IP systems allow the use of DSA keys for SSH authentication.

Conditions:
Terminal Access (SSH) enabled for users with DSA keys.

Impact:
DSA keys are allowed for authentication, exposing BIG-IP to the limitations of this key format, including potential compromise of the authenticated session.

Workaround:
For ssh key based authentications, DSA keys should not be used.

Fix:
ssh-dss is disabled from supported authentication methods. It can be enabled under BIGIP using command tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }

Behavior Change:
ssh-dss is now disabled by default from supported SSH authentication methods. It can be explicitly enabled under BIG-IP using command: tmsh modify sys sshd { include '"HostKeyAlgorithms +ssh-dss"' }

---

837773 : Restjavad Storage and Configuration Hardening

Component: Device Management

Symptoms:
The restjavad component does not follow current best coding practices.

Conditions:
-REST endpoints in use

Impact:
The restjavad component does not follow current best coding practices.

Workaround:
None.

Fix:
The restjavad component now follows current best coding practices.

---

837341 : Response and Blocking Pages page: Deception Response pages should not be shown in parent policy

Component: Application Security Manager

Symptoms:
Deception Response pages shown and editable in parent policy.

Conditions:
-- Deception Response Pages feature is licensed and enabled.
-- You are editing the parent policy.

Impact:
Deception Response pages cannot be updated from the parent policy, thus any update of response pages fails with error.

Workaround:
None.

Fix:
Deception Response pages not shown in parent policy.

---

837269-3 : Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic

Component: Carrier-Grade NAT

Symptoms:
When hosts send ICMP unreachable error messages and processed by the BIG-IP system, subsequent good UDP packets do not get the persistence LSN translation address.

Conditions:
-- Virtual server with FW NAT or CGNAT configuration to accept UDP traffic.
-- Client or/and server randomly sends ICMP unreachable messages.

Impact:
LSN persistence issues. UDP packets from the same client IP address may not get the same translation address every time, even though there exists a persistence entry in the table

Workaround:
None.

Fix:
Processing ICMP unreachable packets no longer causes FWNAT/CGNAT persistence issues with UDP traffic.

---

837233 : "Application Security Administrator" user role cannot manage Dos Profile GUI

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users in "Application Security Administrator" role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the "Application Security Administrator" role

Impact:
DoS profiles cannot be edited from GUI

Workaround:
Either change user role to allow managing DoS profile or edit profiles from tmsh

---

837101 : AVR and BIG-IQ stats show N/A bar for Source IP and domain name on DNS query packet

Component: Advanced Firewall Manager

Symptoms:
AVR and BIG-IQ stats show an N/A bar for Source IP and domain name fields on DNS query packets, while the correct IP and domain name is shown in other bars.

Conditions:
-- AFM is provisioned.
-- DNS traffic is processed.

Impact:
No functional impact, but incorrect and redundant results are shown in AVR.

Workaround:
None.

Fix:
Incorrect and redundant N/A bar has been removed.

---

836661-3 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.

---

836357 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.

---

836213 : Profile name over 64 characters in length will cause ACCESS::session create to fail

Component: Access Policy Manager

Symptoms:
TMM resets ACCESS::session create iRule commands after assigning an access profile to it.

Conditions:
-- Access profile name is longer than 64 characters (including partition and app name if applicable)
-- ACCESS::session create iRule used

Impact:
ACCESS:session create iRule will fail; connection will reset.

Workaround:
Make sure the Access profile name is less than 64 characters when using ACCESS::session create iRule command.

Fix:
Buffer used to store Access profile name has been increased. Max is now 1024.

---

835517 : After upgrading BIG-IP software and resetting HA, gossip may show 'UNPAIRED'★

Component: Device Management

Symptoms:
After upgrading BIG-IP software and reconfiguring high availability (HA), gossip may show 'UNPAIRED' and the REST endpoint /resolver/device-groups/tm-shared-all-big-ips/devices/ may show only one device.

Conditions:
-- This has been observed during upgrade from 14.x.x to 15.x.x.
-- Reconfigure HA.
-- View gossip results and REST endpoint output.

Impact:
The gossip output shows 'UNPAIRED', and the REST endpoint reports only one decide. SSL Orchestrator does not work as expected

Workaround:
If gossip shows 'UNPAIRED' after upgrade, you may need to do following at both devices:

1. Delete existing device information:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
 
2. Force update:
bigstart restart restjavad
restcurl -X POST -d '{}' tm/shared/bigip-failover-state

---

835381 : HTTP custom analytics profile 'not found' when default profile is modified

Component: Application Visibility and Reporting

Symptoms:
Adding SMTP config to default HTTP analytics profile results in config parsing failures for child profiles that are assigned to virtual servers. Removing SMTP config resolves the issue. The 'tmsh load sys config' command fails with the following error:

-- 01020036:3: The requested profile (/Common/child-analytics) was not found.
-- Unexpected Error: Validating configuration process failed.

Conditions:
-- Child analytics profile applied to virtual server.
-- Parent analytics profile contains SMTP config.

Impact:
Loading configuration might fail.

Workaround:
None.

Fix:
The system now avoids setting SMTP field for child profiles on MCP validation when in load/merge phase.

---

835309 : Some strings on BIG-IP APM Server pages are not localized

Component: Access Policy Manager

Symptoms:
Some text in APM Server pages, such as the logout page, are presented in English even when using a different language.

Conditions:
Use APM with a localized language, and certain strings for pages like logout, Webtop, or EPS, would still be in English.

Impact:
Some strings are displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Server pages have been updated to include translations for all the affected strings.

---

835285 : Client browser traffic through APM SWG transparent proxy using captive portal might get reset.

Component: Access Policy Manager

Symptoms:
Client browser traffic through APM Secure Web Gateway is being reset by APM SWG.

Conditions:
-- APM SWG transparent proxy is configured with captive portal. -- Client browser sends redirect to original URI on a TCP connection that was opened before access policy completion on captive portal.

Impact:
The connection is reset.

Fix:
Client browser sending redirect traffic on a TCP connection opened before access policy completion on captive portal will not get RST and traffic will be processed successfully by the BIG-IP.

---

835209 : External monitors mark objects down

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.

Fix:
This issue no longer occurs.

---

834377 : Unable to upload swagger files with a pattern in description

Component: Access Policy Manager

Symptoms:
While uploading a swagger file, you get an error:

java.net.ProtocolException: status:400, body:{"code":400,"message":"transaction failed:\"-\" unknown
property","errorStack":[],"apiError":2}

Conditions:
A description field in the swagger file contains a hyphen with a space on each side, for example:
"description" : "{\n\"documentTypeName\": \"problem - here\"}

Impact:
BIG-IP reports the error that the pattern is not accepted.

Workaround:
None.

Fix:
Fixed an error loading swagger files.

---

834373 : Possible handshake failure with TLS 1.3 early data

Component: Local Traffic Manager

Symptoms:
During TLS 1.3 early data handshake, a code alert and handshake failure may occur

Conditions:
TLS 1.3 with early data resumption.

Impact:
Handshake failure.

Workaround:
Turn off early data.

Fix:
Fixes a possible TLS 1.3 early data handshake failure and code alert.

---

834257 : TMM may crash when processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic.

Conditions:
A virtual with standard HTTP profile is configured.

Impact:
When TMM crashes it causes a failover event and may interrupt traffic processing.

Workaround:
None.

Fix:
TMM now processes HTTP traffic as expected.

---

834217 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.

---

833685 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.

---

833113 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash

---

833049 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.

---

832885 : Self-IP hardening

Component: Local Traffic Manager

Symptoms:
Self-IP handling for IPv6 link-local addresses does not follow current best practices.

Conditions:
Self-IP with IPv6 link-local address.

Impact:
BIG-IP does not implement current best practices for IPv6 link-local addresses.

Workaround:
None.

Fix:
BIG-IP now implements current best practices for IPv6 link-local addresses.

---

832881 : F5 Endpoint Inspection helper app is not updated

Component: Access Policy Manager

Symptoms:
F5 Endpoint Inspection helper app is not updated, but other components such as F5 VPN helper App is auto updated.

Conditions:
Use a browser to establish VPN

Impact:
End users cannot to receive bug fixe or feature enhancement updates.

Workaround:
Download and install F5 Endpoint Inspection helper from BIG-IP.

https://APM_SERVER/public/download/f5epi_setup.exe

Fix:
F5 Endpoint Inspection helper app is auto updated.

---

832805 : AVR should make sure file permissions are correct (tmstat_tables.xml)

Component: Application Visibility and Reporting

Symptoms:
By building rpm of avrd, few cfg files get wrong set of permissions (executable)

Conditions:
Any build of avrd rpm

Impact:
Apparently not having the right set of permissions can lead to system half

Workaround:
Change permissions on file:

# chmod -x /etc/avr/tmstat_tables.xml

Fix:
AVR build the rpm cfg files with the right set of permissions, instead of building them as executable file, building them in 644 mode.

---

832665 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.

Fix:
The version of open-vm-tools has been updated to 10.1.5.

---

832569 : APM end-user connection reset

Component: Access Policy Manager

Symptoms:
When the URL being accessed exceeds a length of 8 KB, the BIG-IP resets the connection.

Conditions:
-- APM deployed with a per-request policy.
-- The per-request policy includes a category lookup.

Impact:
The APM end-user connection is reset, and the system posts an error message in /var/log/apm:

-- crit tmm[23363]: 01790601:2: [C] 10.62.118.27:65343 -> 65.5.55.254:443: Maximum URL size exceeded.

Workaround:
None.

---

832021 : Port lockdown settings may not be enforced as configured

Solution Article: K73274382

---

832017 : Port lockdown settings may not be enforced as configured

Solution Article: K10251014

---

831821 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.

---

831813 : Improve handling of HTTP/2 GOAWAY frame

Component: Local Traffic Manager

Symptoms:
After an HTTP/2 transaction, HTTP/2 'Out Of Memory Error"' stat 'Goaway reason' is incremented even though no GOAWAY frames were sent.

Conditions:
-- HTTP/2 configured on the client side and server side.
- HTTPROUTER configured.

Impact:
HTTP/2 stats incorrectly imply that GOAWAY frames are sent due to memory issues.

Workaround:
None.

Fix:
HTTP/2 GOAWAY frame handling is improved.

---

831781 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.

Fix:
Users are now able to login to APM.

---

831517 : TMM may crash when Network Access tunnel is used

Component: Access Policy Manager

Symptoms:
TMM may crash.

Conditions:
-- APM session is established.
-- Network Access tunnel is established and used;

Impact:
APM end users experience Network Access tunnel disconnected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a tmm crash.

---

831293 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.

---

830797 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.

Fix:
Although you can create this configuration, the standby no longer forwards any traffic, which prevents the traffic loop and potential network outage.

---

830717-1 : Appdata logical volume cannot be resized for some cloud images★

Component: TMOS

Symptoms:
When resizing the appdata logical volume, the change may not be honored. This is because sometimes the disk metadata does not support the change without unmounting and remounting the disk.

Conditions:
This issue applies to deployments that provision multiple modules requiring a large appdata logical volume.

Impact:
The appdata logical volume cannot be resized, so you must reduce the number of modules and the associated provisioning level so that the existing appdata logical volume size does support them.

Workaround:
None.

Fix:
Logic was added to disk resizing to account for scenarios where the disk must be unmounted and then remounted to make the change. If the disk must be unmounted and remounted, this also requires a reboot (automatic).

---

830481 : SSL TMUI hardening

Component: TMOS

Symptoms:
The SSL TMUI does not implement current best practices.

Conditions:
-Authenticated administrative user accessing SSL TMUI,

Impact:
The SSL TMUI does not implement current best practices.

Fix:
The SSL TMUI now implements current best practices.

---

830401 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228

---

830073 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.

---

829677 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.

---

829317 : Memory leak in icrd_child due to concurrent REST usage

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

---

829277 : A Large /config folder can cause memory exhaustion during live-install★

Component: TMOS

Symptoms:
- live install can fail at around 96%
- system memory can be exhausted and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the uncompressed ucs size is larger than the available memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

to turn off config roll forward; setdb liveinstall.saveconfig disable

to save/restore configuration manually; see
https://support.f5.com/csp/article/K13132

---

829193 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.

---

829121 : State mirroring default does not require TLS

Solution Article: K65720640

---

829117 : State mirroring default does not require TLS

Solution Article: K17663061

---

829029 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.

---

828937 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 20000. Set it to 2148 on systems with fewer than or equal to CPU 16 cores.

---

828873-1 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label

Fix:
The I/O device has been changed to the default input device '/dev/null' to resolve the issue.

---

828601 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.

---

827325 : JWT token verification failure

Component: Access Policy Manager

Symptoms:
JWT token verification failure with error -1.

Conditions:
Token size larger than 4080.

Impact:
Request rejected and the log message simply says 'unknown error -1.'

Workaround:
None.

Fix:
The 4080 token size limitation is removed.

---

827293 : TMM may crash running remote tcpdump

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- Tcpdump is run with the --remote-dest parameter.
-- The destination address is routed via a VLAN, whose cmp-hash setting has been changed from default to src-ip.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not route remote tcpdump operations via a VLAN with non-default cmp-hash settings.

Fix:
Remote tcpdump now works via VLANs with any cmp-hash setting.

---

827089 : When a SSL Orchestrator app is deployed, tmm errors are logged in /var/log/apm

Component: Access Policy Manager

Symptoms:
If you deploy a layer 3 outbound or inbound app, the deployment will go fine but some errors will be logged in /var/log/apm:

err tmm[21184]: 0187005b:3: Access Policy(/Common/ssloP_myTest01.app/ssloP_myTest01_per_req_policy) update: Customization group set can be only assigned to Access policy of type per-request or api-protection

notice tmm3[21184]: 01490562:5: /Common/sslo_myTest01.app/sslo_myTest01_end_allow_ag: /Common/sslo_myTest01.app/sslo_myTest01_end_allow agent update can not be resolved.

Conditions:
Provision SSL Orchestrator, deploy l3 outbound or l3 inbound

Impact:
The app deploys successfully, but you will see some ambiguous errors in the log. These log messages can be ignored.

Fix:
Add new condition check, if access policy type is SSL Orchestrator policy, access-per-request cgs wrong assign exception will not be printed in log.

---

826265 : The SNMPv3 engineBoots value restarts at 1 after an upgrade

Component: TMOS

Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.

Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.

Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.

Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):

tmsh modify sys snmp include 'engineBoots n'

2. Restart SNMPD.

Fix:
This issue has been fixed: the engineBoots value is now kept as part of the configuration.

---

825493 : JWT token verification failure

Component: Access Policy Manager

Symptoms:
JSON Web Token (JWT) verification failure with error -1.

Conditions:
Token size larger than 4080.

Impact:
Request is rejected.

Workaround:
None.

Fix:
Fixed an issue with JWT token verificaton.

---

825449 : State mirroring default does not require TLS

Solution Article: K72540690

---

825413 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db

---

825245 : SSL::enable does not work for server side ssl

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.

Fix:
The SSL::enable iRule works as expected in the above scenario.

---

825013 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.

Fix:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands now return correct data.

---

824433 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.

Fix:
New HTTP2 and HTTP3 request/response statistic fields have been added to the HTTP profile. These report the correct request/response stats from the GUI, TMSH, iControl (SOAP), and SNMP components.

---

824365 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.

---

824149 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.

---

824093 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

Fix:
This release fixes an issue related to multipart requests.

---

823893 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649

---

822393 : Prober pool selected on server or data center not being displayed after selection in Internet Explorer

Component: Global Traffic Manager (DNS)

Symptoms:
Selected prober pool not visible on server or data center in Internet Explorer or Edge

Conditions:
This occurs when you have a prober pool configured for a data center or server, and you are viewing them in the GUI using Internet Explorer or Edge.

Impact:
The prober pool is not displayed.

Workaround:
Use Chrome or Firefox as browser

---

821309 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.

---

820333 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.

---

819429 : Unable to scp to device after upgrade: path not allowed

Component: TMOS

Symptoms:
SCP of file to the BIG-IP system results in error:
path not allowed

Conditions:
Issue occurs when both conditions are present:
-- The BIG-IP user has shell tmsh or shell none access.
-- The scp operation is performed on a non-symlink location present under scp whitelist (/config/ssh/scp.whitelist).

For example:
scp to /var/tmp succeeds
scp to /shared/tmp fails with 'path not allowed'.

Impact:
Cannot copy files to symlinks present under whitelist.

Workaround:
None.

---

819261 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

---

819197 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394

---

819189 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441

---

818853 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.

---

818833 : TCP re-transmission during SYN Cookie activation results in high latency

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile

---

818297-1 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp

Fix:
SELinux policy rules for openvswitch module have been added.

---

818177 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231

---

817137 : SSO setting for Portal Access resources in webtop sections cannot be updated.

Component: Access Policy Manager

Symptoms:
SSO setting for Portal Access (PA) resource assigned to any webtop section cannot be updated due to the following error:

No such atomic attribute:name in class:webtop_section_webtop_section_resource

Configuration with such a resource cannot be transferred to another BIG-IP system due to the same error.

Conditions:
BIG-IP system configuration with the following objects:
-- SSO configuration (any type).
-- PA resource with resource item.
-- The webtop section with the PA resource.
-- Full webtop.
-- Per-session access policy with resource assignment agent which assigns webtop, webtop section, and PA resource.

Impact:
Configuration cannot be updated or transferred.

Workaround:
Delete webtop sections from the configuration and re-create them after transfer / upgrade / update process.

Fix:
Now APM configuration with Portal Access resources in webtop sections can be transferred or upgraded.

---

816881 : Serverside conection may use wrong VLAN when virtual wire is configured

Component: Local Traffic Manager

Symptoms:
Server syn is flowing on the wrong VLAN, when tmm tries to establish a server connection. The BIG-IP system sends RST packets of unmatched VLAN/MAC combination

Conditions:
-- Virtual wire is configured .
-- Clientside data and handshake come in on different VLANs.

Impact:
Some client connections fail to establish

Workaround:
None.

---

816413 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564

---

816277 : Extremely long nameserver name causes GUI Error

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long nameserver and tsig key name gives an error in the GUI while viewing:

-- Bad Request. Your browser sent a request that this server could not understand.
-- Request-URI Too Long. The requested URL's length exceeds the capacity limit for this server.

Conditions:
When nameserver and tsig key name length exceeds 3300 characters.

Impact:
The GUI reports an error when you try to view them. Youa re unable to view nameserver and tsig keys having extremely long names.

Workaround:
Create nameserver and tsig keys with shorter names, preferably fewer than 255 characters.

Fix:
Nameserver and tsig key names are now validated, so this error no longer occurs.

---

816233 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies are created with a less broad character set than they could be.

Workaround:
None.

Fix:
JSESSIONIDs and AuthCookies are created using a wider character set.

Behavior Change:
This release changes the format of the BIGIPAuthCookie and JSESSIONID cookies to use a larger alphabet during encoding (case sensitive alphanumeric).

---

816229 : Kernel Log Messages Logged Twice

Component: TMOS

Symptoms:
You see duplicate log messages in /var/log/kern.log

Conditions:
This can be encountered when viewing /var/log/kern.log right after startup in BIG-IP versions dating back to 14.1.0

Impact:
Viewing ('cat'ing) kern.log results in duplicated log messages in the buffer.

Fix:
Fixed an issue with duplicated log messages in /var/log/kern.log.

---

815921 : Fix martian addresses as per RFC6890

Component: TMOS

Symptoms:
BIG-IP LTM v14.1.0 does not update the route for 128.0.0.0/1 network via BGP UPDATE message

Conditions:
Send BGP UPDATE message for 128.0.0.0/1 network to the BIG-IP

Impact:
BIG-IP does not update the route

Workaround:
Incorporate martian address compliance as per RFC6890

Fix:
BGP routing UPDATES works with 128.0.0.0/1 network and similar ones as allowed by RFC6890

---

815877 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.

---

814145 : GUI SIP monitor fails to create/update when status code is empty

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports 'General database error.', and SIP monitor is not created/updated.

Conditions:
-- Select a status code list value for additional status codes option.
-- Do not add any status codes or remove all existing status codes.

Impact:
GUI reports an error. Unable to create/update SIP monitor using GUI.

Workaround:
Change the value of Additional status code options to 'None' if you do not want to add any status codes.

Fix:
The system now presents an Alert Message when trying to create or update a SIP monitor without a Status Code when the Status Code List is selected.

---

814037 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.

---

813969 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.

Fix:
AVR Reporting now shows proper value.

---

813701 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.

---

812989 : Queries with TSIG signatures not matching BIG-IP result in malformed BADSIG answer

Component: Global Traffic Manager (DNS)

Symptoms:
In certain circumstances, it is possible that queries to the BIG-IP system with a TSIG key name, which matches a TSIG key on the BIG-IP system, but carries a different signature, the the BIG-IP system responds with a malformed BADSIG answer

Conditions:
-- Queries to the BIG-IP system are made with a TSIG key name matching a TSIG key on the BIG-IP system,
-- The signature on the TSIG key differs.

Impact:
The BIG-IP system answers with a malformed BADSIG warning; this is an example from the dig command:

;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: tsig indicates error.

Workaround:
None.

Fix:
Delete TSIG info after the TSIG error is detected and processed.

---

812981 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.

---

812773 : Add option to insert security headers for fictive URL responses

Component: Application Security Manager

Symptoms:
When ASM blocks any of the HTTP requests, then the HTTP security headers are missed in ASM internal response. (e.g. blocking page, captcha, and all other fictive url's of ASM, including BOT Defense, and L7DOS).

Conditions:
- ASM provisioned and configured with a policy.
- Traffic arrives which violates the ASM policy

Impact:
ASM internal responses are anomalous for penetration testing and vulnerability assessment tools.

Workaround:
Create iRules to insert needed security headers into ASM blocked/internal responses

---

812705 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.

---

812525 : HTTP parsing restrictions

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
When parsing HTTP the following non-compliant behavior was accepted:
White-space before a colon in a header name.
Bad characters in HTTP/2 URIs

Conditions:
HTTP profile enabled.

Impact:
Non-compliant HTTP traffic is accepted and forwarded to pool members.

Workaround:
None.

Fix:
HTTP parsing was more lenient than that required by the RFC. HTTP parsing now is more strict.

In addition, version handling of non-HTTP protocols like RTSP/2.0 is now somewhat altered.

---

812493 : When engineID is reconfigured, snmp and alert daemons must be restarted★

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd

---

811789 : Device trust UI hardening

Component: TMOS

Symptoms:
Improved device trust UI input sanitization

Conditions:
-ConfigSync in use

Impact:
Improved device trust UI input sanitization

Workaround:
None

Fix:
Improved device trust UI input sanitization

---

811701 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver.

Use The following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed

---

811149 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.

---

811057 : Message Routing Framework Improvement: Added source port mode to transport config

Component: Service Provider

Symptoms:
A source port mode is not configurable for the source port of a transport config in Message Routing Framework (MRF), but is configurable for the source port of a virtual server.

Conditions:
Set the source port in a transport config for an MRF profile.

Impact:
Inconsistent configuration options for similar connection settings in MRF.

Fix:
Added a source port mode to the transport config configurations settings.

Behavior Change:
A source-port-mode attribute has been added to transport-config containing the same enum fields of the virtual server's source-port attribute: change, preserve, and preserve-strict

---

811053 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.

---

810821 : Management interface flaps after rebooting the device

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.

---

810533-1 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.

---

810381 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.

---

809701 : Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist

Component: Local Traffic Manager

Symptoms:
In BIG-IP GUI iRule definitions, when hovering over HTTP::proxy, the help text mentions 'HTTP::proxy dest', which is an invalid command.

Conditions:
The system displays incorrect information when the iRule help text is visible.

Impact:
The help text mentions 'HTTP::proxy dest', which is an invalid command option.

Workaround:
Do not use the invalid 'HTTP::proxy dest' command.

Fix:
The help text now shows 'HTTP::proxy', which is correct.

---

809657 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) group do not contribute to the HA group's score.

Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA group and re-add them.

---

809637 : The Native client and the HTML5 View Client version are now logged at info level.

Component: Access Policy Manager

Symptoms:
You can now see the VMware Native Client and HTML5 versions logged at info level.

Conditions:
-- Open VMware Native Client and connect to the virtual server.
-- At info log level, the Native Client version is logged.


-- Open browser and connect to virtual server (APM webtop).
-- At info log level, the HTML client version is logged.

Impact:
You can now see the version of the client at info level. This is helpful if the APM end users use an older version or a vulnerable client.

Workaround:
No workaround.

Fix:
You can now see the VMware Native Client and HTML5 versions logged at info level.

The version might not be printed if the end user uses an older version of client (earlier than or equal to v4.5).

---

809629 : APM Portal Access resource URI might not be re-written for some scenarios involving APM per-request policy.

Component: Access Policy Manager

Symptoms:
APM Portal Access resource URI might not be re-written for some scenarios involving APM per-request policy.

Conditions:
Two connections from same client IP are executing simultaneously in APM per-request policy subroutine and trying to access APM portal access resource.

Impact:
The client session that first finishes the APM per-request policy subroutine will be redirected a re-written resource URI for portal access resource. All other sessions that simultaneously entered the subroutine will not be redirected to a re-written resource URI for portal access resource and instead will be redirected to the backend server URI.

Workaround:
None.

Fix:
All client IP based sessions that are simultaneously executing inside the subroutine, will see a re-written URI when trying to access APM portal access resource.

---

809597 : Memory leak in icrd_child observed during REST usage

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- THe icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.

---

809125 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm

---

808277 : Root's crontab file may become empty

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.

---

807157 : DNSSEC Key Generation expires if creation of new Generation failed

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC Key generation expires when new generation failed to be created.

Conditions:
BIG-IP configured with rolling DNSSEC Key and following conditions are met:
1. New DNSSEC Key generation not created due to failure, so only one generation remains for the DNSSEC Key.
2. The old DNSSEC Key generation is nearly expired.

Impact:
The last DNSSEC Key generation expires and the Key does not have any generation. As a result, BIG-IP fails to sign RRs with the DNSSEC Key.

Workaround:
New DNSSEC Key can be created to trigger creation of new generation.

Fix:
DNSSEC Key generation never expires if that generation is the last one for the DNSSEC Key.

---

807005 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration it not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.

---

805417 : Unable to enable LDAP system auth profile debug logging

Component: TMOS

Symptoms:
Beginning in version 14.1.0, LDAP debugging must be performed on nslcd logs and not pam_ldap logs; however, it is not possible to enable debug logging on nslcd via the configuration file.

Conditions:
This would be encountered only if you (or F5 Support) wanted to do troubleshooting of LDAP connections by enabling debug logging.

Impact:
LDAP system authentication 'debug' parameter does not provide sufficient levels of debug logs, but there is no functional impact to normal system operation.

Workaround:
To enable debug logging and have the system post log messages to the SSH/console window, start the nslcd process with -d option, which causes nslcd to run in the foreground until you press control-c to stop it:

   systemctl stop nslcd
   nslcd -d

Note: The -d setting does not persist, so each time you want to log debug output, you must complete this procedure.

You can increase the amount of debug output by specifying additional -d options (up to 3), e.g., '-ddd' or '-d -d -d'.

When done, stop nslcd with control-c, and then restart it with the default options via the normal systemctl daemon:

   systemctl start nslcd

Fix:
The nslcd logs are now visible on /var/log/secure file.

---

804309 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false

---

803825-1 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.

---

803809 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.

---

803717 : 'Prevent Password Auto-Complete' feature does not work on newer versions of Chrome browser

Component: Fraud Protection Services

Symptoms:
Newer versions of Chrome browser (v75+) show the 'Save Password' dialog, even though the 'Prevent Password Auto-Complete' option is enabled.

Conditions:
- Provision 'Fraud Protection Service'.
- License 'Application Layer Encryption'.
- Create a parameter with 'Substitute Value' enabled.
- Enable 'Prevent Password Auto-Complete'.

Impact:
The browser saves the masked password, which prevents the end-user from logging in to the protected page.

Workaround:
No workaround is available.

Fix:
The browser will no longer ask to save the end-user's password and he will be able to log in to the protected page.

---

803237 : PVA does not validate interface MTU when setting MSS

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.

---

802873 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to a policy imported as XML may introduce corruption for Response Pages. The following log appears:
ASM subsystem error (asm_config_server.pl ,F5::PrepareConf::Policy::prepare_alternate_response_file_tbl): failed to parse response headers - please check response page.

Conditions:
-- XML policy file is missing a response header.
-- Import the policy.

Impact:
The affected reponse page is not returned for traffic as expected, and an error is reported instead.

Workaround:
Mitigation:
Ensure that response_header exists in XML policy file before import.

Workaround:
Go to the affected policy's Response Pages: Login Page, click Save and then click Apply Policy.

---

802685 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }

---

802421-1 : The /var partition may become 100% full requiring manual intervention to clear space

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

---

802281 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

---

801705 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.

---

801497-1 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.

---

800265 : Undefined subroutine in bigip_add_appliance_helper message

Component: Global Traffic Manager (DNS)

Symptoms:
When using the -a switch with bigip_add (which instructs bigip_add to use bigip_add_appliance_helper), the script terminates with an error:
   Undefined subroutine &gtm_env::get_unique_certs called at /usr/local/bin/bigip_add_appliance_helper line 113.

Conditions:
Use the bigip_add script with the -a switch in appliance mode.

Impact:
BIG-IP_add fails in appliance mode, reporting an error message.

Workaround:
None.

---

799749 : Asm logrotate fails to rotate

Component: Application Security Manager

Symptoms:
ASM logrotate reports errors in /var/log/asm.:

error: error creating output file /ts/log//bd.log.1: File exists

Conditions:
Files ending with .1 exists in the logs directories.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.

---

796601 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.

---

795649 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system

---

794889 : Pool member state force-offline processes persistent connections in Diameter.

Component: Service Provider

Symptoms:
When a Diameter pool member is marked force-offline, it continues to process persistent connections.

Conditions:
Configure pool member state to force-offline, before initiating Diameter connections.

Impact:
Pool member continues to process persistent connections after being forced offline.

Fix:
Force offline is working as expected, processing only active connections. A new stat "Messages dropped due to Force Offline" has been introduced in Router stats for DIAMETER, SIP, MQTT and HTTP.

---

793121 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.

---

793017 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.

Fix:
These directories are now included in the periodic file cleanup task.

---

793005 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.

---

792813 : The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet info is not received

Component: Global Traffic Manager (DNS)

Symptoms:
When subnet info is not received, iRule command 'DNS::ends0 subnet address' reports a Tcl error. Because that is optional information, the command should not report an error.

Conditions:
-- iRule command 'DNS::ends0 subnet address'.
-- DNS request is received without subnet info.

Impact:
Using the iRule command 'DNS::edns0 subnet address' reports a Tcl error.

Workaround:
None.

Fix:
The command now returns an empty string instead of reporting a Tcl error.

---

790845 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.

---

789921 : TMM may restart while processing VLAN traffic

Solution Article: K03386032

---

789565 : snmpwalk returns unknown value for gtmServerType

Component: Global Traffic Manager (DNS)

Symptoms:
If you run the command 'snmpwalk -v 2c -c public localhost F5-BIGIP-GLOBAL-MIB::gtmServerType', the system returns the value of 17. There is no definition in the F5 MIB for value 17. This is an omission in the MIB file: 17 represents the BIG-IP system.

Conditions:
- Configure GTM with at least 1 LTM server object.
- Run the following command:
snmpwalk -v 2c -c public localhost F5-BIGIP-GLOBAL-MIB::gtmServerType

Impact:
snmpwalk returns:
F5-BIGIP-GLOBAL-MIB::gtmServerType."/Common/aaa" = INTEGER: 17, even though there is no gtmServerType defined for 17 in the MIB.

In this case, you can infer that 17 refers to the BIG-IP system.

Workaround:
None.

---

789181 : Link Status traps are not issued on VE based BIG-IP systems

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable then, does not receive the trap.

Workaround:
None.

Fix:
VE now issues link status messages (which will cause traps to be issued) when interfaces on VEs are administratively disabled and enabled. The underlying interface status impacted by cables being plugged/unplugged must be monitored on the underlying system (the hypervisor) and is not logged by VE. If an interface on VE is not configured, then it is in the uninitialized state. If the interface in that state is disabled/enabled, the Link status message issued on enable is Link DOWN.

---

788757 : Multicast bridging over L2 wire transparent vlan-group (LACP STP LLDP)

Component: Local Traffic Manager

Symptoms:
F5 recommends using transparent behavior in high availability (HA) configuration with L2 wire transparent vlan-group. With earlier releases, this was not easily accomplished and required physically moving cables to achieve the functionality. In this release, the functionality is provided.

Conditions:
Always for HA (Active-Standby L2 wire setup).

Impact:
These settings improve L2 wire behavior for HA configurations. In previous releases, the workaround is to configure internal and external trunks on the BIG-IP system, with each trunk containing interface members connecting to switch (or switch-pair implementing vPC/mLAG), and then define virtual wire with the two trunks as members. However, this workaround requires you to move cables, which makes the insertion of BIG-IP system not L2 transparent.

Workaround:
None.

Fix:
This release provides ether-level multicast transparency for L2 wire SSL Orchestrator configurations, which is managed by the following sys db var:

-- Use this db variable to enable the functionality:
l2.virtualwire.multicast.bridging default enable
-- Use this db variable to keep make the standby silent:
l2.virtualwire.standby.bridging default disable
-- Use this db variable to collect statistics on the traffic: [l2.virtualwire.multicast.stats] default=enable
enable collect multicast statistic

Behavior Change:
This release provides ether-level multicast transparency for L2 wire SSL Orchestrator configurations, which is managed by the following sys db var:

-- Use this db variable to enable the functionality:
l2.virtualwire.multicast.bridging default enable
-- Use this db variable to keep make the standby silent:
l2.virtualwire.standby.bridging default disable
-- Use this db variable to collect statistics on the traffic: [l2.virtualwire.multicast.stats] default=enable
enable collect multicast statistic

---

788753 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.

---

788549 : APM as AD FS-Proxy feature does not support AD FS 5.0

Component: Access Policy Manager

Symptoms:
APM, when configured as Active Directory Federation Services (AD FS) proxy, does not support AD FS 5.0.

Conditions:
APM is configured as AD FS proxy.

Impact:
You cannot use newer Microsoft Windows Server releases that support AD FS 5.0 and take advantage of new features.

Workaround:
None.

Fix:
APM now can be configured as proxy for AD FS 5.0.

---

788513 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.

---

788057 : MCPD may crash while processing syncookies

Component: TMOS

Symptoms:
Under certain conditions, MCPD may crash while processing syncookies.

Conditions:
-Multi-blade VIPRION.

Impact:
MCPD crash, leading to a failover event.

Workaround:
None.

Fix:
MCPD now processes syncookies as expected.

---

787677 : AVRD stays at 100% CPU constantly on some systems

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm

Fix:
Added processing that prevents AVRD from entering endless loops.

---

786517 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.

---

785741 : Unable to login using LDAP with 'user-template' configuration

Solution Article: K19131357

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.

---

784733-5 : GUI LTM Stats page freezes for large number of pools

Component: TMOS

Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, navigating to the GUI page to look at stats for all or one pool, the GUI page may freeze indefinitely.

Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.

Impact:
Cannot view pool or pool member stats in GUI.

Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.

Fix:
The stats page now returns data for configurations of large numbers of pools and pool members, though a Timeout window may pop up after 30-seconds for big queries. You can dismiss that Timeout window, and the stats display as expected.

---

783165 : Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile

Component: Application Security Manager

Symptoms:
When creating a whitelist in the Bot Defense profile with url "Any" - after modifying the Bot Defense log profile, the whitelist does not apply anymore.

Conditions:
-- Bot Defense profile is attached to the Virtual Server
-- Adding a whitelist to the Bot Defense profile with url "Any"
-- Modifying the Bot Defense profile afterwards.

Impact:
Whitelist does not apply - users from the defined IP/GEO location might be blocked.

Workaround:
Delete and add the whitelist after modifying the profile.

Fix:
Keep the whitelist as is when updating bot profile.

---

779345 : Security policy import via REST, to replace an existing policy, that is assigned to an LTM VS. May fail on the peer device

Component: Application Security Manager

Symptoms:
Security policy import via REST, to replace an existing policy, that is assigned to an LTM virtual server might fail on the peer device, with an error in asm log:
----------------------------
-- crit g_server.pl[16565]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.
----------------------------

Conditions:
-- Having an Active/Standby configuration.
-- Single sync-failover device group.
-- ASM sync enabled.
-- Incremental auto-sync set.
-- Having security policy assigned to a virtual server and devices In-Sync.

POST https://localhost/mgmt/tm/asm/tasks/import-policy
{
    "fullPath": "/Common/existing_security_policy_name",
    "file": "<?xml version=\"1.0\"... HUGE POLICY ...</policy>\n"
}

Impact:
Security policy import via REST, to replace an existing policy, that is assigned to an LTM virtual server might fail on the peer device

Workaround:
Issue a manual full sync, from the device where the policy was imported to via REST to the device group.

---

778841 : Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother

Component: Local Traffic Manager

Symptoms:
Traffic is not passing in virtual wire when virtual server type is configured as standard, protocol set to "All Protocols" and the IP profile is ipother.

Conditions:
-- Virtual wire is configured
-- Virtual server type is standard
-- IP profile is ipother

Impact:
Virtual wire traffic matching the virtual server is dropped.

---

778321 : No validation for DNS Address Space entry

Component: Access Policy Manager

Symptoms:
The GUI allows an admin to enter an IP address in DNS Address Space fields. This causes an exception and prevents the Edge Client from connecting when using machine tunnels.

Conditions:
The UI accepts an IP Address as valid input, when it should not.

If the network access profile is used for the Edge Client, the network works as expected, so essentially the Edge Client ignore the invalid configuration.

However, if the same network access profile is used for a Machine Tunnel, the Machine Tunnel creates an exception and the VPN does not load.

Impact:
Machine Tunnels fail to connect when DNS Address Space is configured, and although the log message written on the client is helpful in resolving the issue, the misconfiguration should not be allowed.

Workaround:
Remove the IP address in DNS Address Space field.

Fix:
Validation was added to prevent IP addresses from being added to DNS Address Space and DNS Exclude Address Space.

---

778261 : CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate

Component: Application Security Manager

Symptoms:
CPB Connection (between BIG-IP and BIG-IQ logging node) is not refreshed to use the new certificate / new domain name to validate the certificate.

Conditions:
Either:
-- BIG-IQ logging node domain name updated.
-- BIG-IQ logging node webd certificate is replaced (and updated using webd restart).

Impact:
CPB Connection (between BIG-IP and BIG-IQ logging node) remains the same and is not refreshed to use the new certificate.

Workaround:
Restart Policy Builder on the BIG-IP system:

killall -s SIGHUP pabnagd

Fix:
Policy Builder now resets the connection upon update of BIG-IQ logging node certificate / domain name.

---

774817 : ICMP packets are intermittently forwarded out of both VLAN group members

Component: Local Traffic Manager

Symptoms:
ICMP packets sent out on the wrong interface.

Conditions:
BIG-IP system is configured in VLAN group-based L2 transparent mode.

Impact:
The ICMP packet sent out on the wrong VLAN is dropped by the receiving router because the destination MAC address does not match that of the router. Typically, a topology for asymmetric traffic flows across VLAN groups has VLAN asymmetry built in using routers.

Workaround:
None.

---

774617 : SNMP daemon reports integer truncation error for values greater than 32 bits

Component: TMOS

Symptoms:
Some values sent to SNMP can grow too large over time, causing an integer truncation error.

Conditions:
Values greater than 32 bits sent to SNMP.

Impact:
SNMP values are truncated. An error message is logged in var/log/daemon.log:

err snmpd[20680]: truncating integer value > 32 bits

Workaround:
No current workaround.

---

774257 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.

Fix:
The output becomes like this after fix:

gtm pool a emptypool

gtm wideip a testwip.f5.com

---

774225 : mcpd can get in restart loop if making changes to DNSSEC key on other GTM while the primary GTM is rebooting

Component: Global Traffic Manager (DNS)

Symptoms:
mcpd is in a restart loop after creating an internal DNSSEC FIPS key on a secondary GTM while rebooting the primary DNSSEC key generator GTM (gtm.peerinfolocalid==0).

Conditions:
New DNSSEC internal FIPS key is created and assigned to DNSSEC zone when BIG-IP system with gtm.peerinfolocalid==0 is down.

Impact:
mcpd is in a restart loop.

Workaround:
For maintenance window operations, set DNSSEC peer leader to the unit that will remain UP while rebooting the primary key generator in sync group (gtm.peerinfolocalid==0).

# tmsh modify gtm global-settings general peer-leader <gtm-server-name>


After the reboot is complete, all devices are back up, and everything looks good in the configs, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none


If there are two GTM units: GTM1 (having gtm.peerinfolocalid == 0), GTM2, and you are going to reboot GTM1, then before rebooting, run the following command to configure the DNSSEC peer-leader setting:

# tmsh modify gtm global-settings general peer-leader GTM2


After reboot, clear the peer-leader setting:

# tmsh modify gtm global-settings general peer-leader none

---

773309 : API Profile: Real swagger can not be loaded with "transaction failed:incomplete command" error message

Component: Access Policy Manager

Symptoms:
When uploading a valid swagger file (OpenAPI version 2.0) to create an API Protection profile, the operation fails with an error message:
info: [AccessDeployConfigWorker] Error in submitting transaction: Error: transaction failed:incomplete command.

Conditions:
The swagger file contains quotation marks that are not escaped, e.g., the swagger file has description fields similar to the following examples.

JSON:
"description": "this quote \" will error"

YAML:
description: 'this quote " will error'

Impact:
The operation produces the error. This prevents the API Protection profile from being created using the swagger file, which is very inconvenient. This error also affects the AGC API Protection use case.

Workaround:
You can manually add the escape characters to the swagger file so that this error does not occur. Using the examples for JSON and YAML, this is how to fix them:

JSON:
"description": "this quote \\\" won't error"

YAML:
description: 'this quote \" won't error'

---

773253 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.

---

771961 : While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core

Component: Access Policy Manager

Symptoms:
If the device is active at the time and is passing traffic, if the SSL Orchestrator configuration is deleted, tmm can core.

Conditions:
SSL Orchestrator device is active and passing traffic while being deleted.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm core related to deleting SSL Orchestrator.

---

767737 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.

---

767269-6 : Linux kernel vulnerability: CVE-2018-16884

Component: TMOS

Symptoms:
Linux kernel NFS41+ subsystem use-after-free vulnerability when node have NFSv41+ mounts inside several net namespaces.

Conditions:
NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic.

Impact:
BIG-IP is not exposed to this vulnerability. use-after-free causes system panic, subsequent system reset.

Workaround:
None.

Fix:
Updated kernel to include patches for CVE-2018-16884.

---

763145 : TMM Crash when using certain HTTP iRules with HTTP Security Profile

Component: Local Traffic Manager

Symptoms:
TMM could crash with core when HTTP Security Profile (Protocol Security, PSM) is on the Virtual Server, and using an iRule with either the HTTP::redirect or HTTP::respond commands, together with HTTP::disable on the same event. This is normally an incorrectly written iRule, but TMM crashes in this case.

Conditions:
-- HTTP Security Profile is used.
-- iRules contain HTTP::disable command and either HTTP::redirect or HTTP::respond on the same event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Edit the iRules to prevent calling HTTP::disable together with HTTP::respond or HTTP::redirect.

---

761389 : Disabled Virtual Server Dropping the Virtual Wire traffic

Component: Local Traffic Manager

Symptoms:
When a virtual server is disabled, it drops the traffic on the virtual wire.

Conditions:
Virtual wire is configured and corresponding virtual server is disabled.

Impact:
Virtual wire traffic which is matching the disabled virtual wire is dropped.

Fix:
If the virtual server is blocked, virtual wire traffic ignores the configured virtual server and uses the default virtual wire server(_vlangroup).
Traffic will not be dropped.

---

761303 : Upgrade of standby BIG-IP system results in empty Local Database

Component: Access Policy Manager

Symptoms:
Upgrade of standby BIG-IP system results in empty Local Database.

Conditions:
This happens on standby device in a high availability (HA) setup.

Impact:
All previously existing local users disappear from the standby device. If a failover happens, then none of the local users will be able to login now.

Workaround:
To trigger a full database dump from the active BIG-IP system that returns the standby device's database to its original state, on the standby device, do the following:

1. Reboot.
2. Switch to a new installation volume.
3. Force stop the localdbmgr process:
bigstart stop localdbmgr
4. Wait at least 15 minutes.
5. Restart the localdbmgr:
bigstart restart localdbmgr

---

761049 : APM does not support adding SameSite cookie attribute to APM cookies.

Component: Access Policy Manager

Symptoms:
The Chrome browser version 80 changes the way it treats the SameSite cookie attribute to be complaint, according to https://tools.ietf.org/html/draft-west-cookie-incrementalism-00.

In this case, if the server does not set the SameSite cookie attribute, the browser treats the cookie attribute as equivalent to "samesite=Lax", which changes the behavior of how the cookie is shared with the domain, which did not originally set the cookie.

Conditions:
APM is configured.

Impact:
The latest browser (e.g., Chrome 80) stops sending the APM cookie back to the different domain, if it does not find the SameSite cookie attribute for APM cookies.

Workaround:
Use a customer iRule to add the SameSite cookie attribute to the APM cookies in HTTP_RESPONSE_RELEASE.

---

760723 : Qemu Vulnerability

Solution Article: K64765350

---

760695 : FastL4 might drop invalid PMTU (ICMP) message

Component: Local Traffic Manager

Symptoms:
In an n-path deployment, FastL4 might drop invalid PMTU (ICMP) messages.

Conditions:
N-path (Direct Server Return) is configured.

Impact:
FastL4 might drop invalid PMTU (ICMP) message. As BIG-IP does not see the full handshake, this is expected.

Fix:
The db key TM.FastL4_invalid_pmtu_passthrough was added to allow for this situation.

---

760622 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.

---

760471 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.

---

760406 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.


Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.

---

760050 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.

---

758599 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.

---

758041 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with some unique value within the 'send' and 'recv' parameters.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.

---

756844 : No disallowed Geolocation violation detail entry

Component: Application Security Manager

Symptoms:
The disallowed geolocation does not have an entry for violation details in remote logging.

Conditions:
While blocking requests from disallowed geolocation and viewing remote logger for details.

Impact:
No details for geolocation violation in the remote logger.

Workaround:
None.

Fix:
Now geolocation violation shares details in the remote logger.

---

756540 : End-user may not be able to connect to VPN.

Component: Access Policy Manager

Symptoms:
When a virtual server without a connectivity profile is accessed with the request for a file pre/config.php, an invalid file is cached in the BIG-IP system's HTTP cache.

When the same request is later sent to a virtual server that does contain a connectivity profile, the invalid file from the cache is returned, which results in VPN connection failure.

Conditions:
-- APM is configured.
-- Virtual server without connectivity profile is configured.
-- Another Virtual server with connectivity profile is configured.
-- The first virtual server is accessed with an HTTP request for pre/config.php?version=2.0.
-- Then second virtual server is accessed with same request.

Impact:
End-user may not be able to use the VPN.

Workaround:
When the issue occurs, run the following command on the BIG-IP command line in order to clear the cache:

tmsh delete ltm profile ramcache all

Fix:
The caching functionality has been updated to ignore the caching of invalid files.

---

756306 : "Illegal parameter location" violation is reported for array parameter and for each item

Component: Application Security Manager

Symptoms:
When OpenApi2 (Swagger) array parameter receives an illegal location, the violation is reported both for the array parameter, and for each element of array.

Conditions:
- API security policy has an array parameter configured
- The array parameter is sent in location different from expected

Impact:
Excessive "illegal location" violations are reported in log.

Workaround:
N/A

Fix:
ASM code was fixed to report the "illegal location" violation only on the array parameter, not on each element.

---

756101 : Incorrect stream HTTP statistic values are reported for the TTFB (Time to first byte) fields

Component: Local Traffic Manager

Symptoms:
Incorrect stream HTTP statistic values are reported for TTFB (Time to first byte), which includes the Avg Client TTFB, Min Client TTFB, and Max Client TTFB. This displays incorrect values for the statistics graphs and tables containing these fields.

Conditions:
-- An HTTP Analytics profile is attached to the virtual server.
-- Basic HTTP/2 traffic is sent to the virtual server.

Impact:
Incorrect values for the TTFB statistic graphs and tables within the HTTP Analytics profile are seen.

Workaround:
None.

Fix:
The correct stream HTTP statistic values are now reported for the TTFB (Time to first byte) fields.

---

756082 : [api-status-warning] ltm/classification/signature-update-schedule is deprecated

Component: Traffic Classification Engine

Symptoms:
A tmsh warning is logged to /var/log/ltm:
  warning tmsh[29177]: 01420013:4: [api-status-warning] ltm/classification/signature-update-schedule is deprecated.

Conditions:
Issue occurs when system is booting and when config is saved.

Impact:
The benign message is reported. This warning is benign, so you can safely ignore it.

Workaround:
None.

Fix:
Fixed an erroneous warning that signature-update-schedule is deprecated that was occurring on system start.

---

755785 : CVE-2018-16658 kernel: Information leak in cdrom_ioctl_drive_status

Solution Article: K40523020

---

755317 : /var/log logical volume may run out of space due to agetty error message in /var/log/secure

Component: TMOS

Symptoms:
An agetty error message is output to the /var/log/secure log fil every 10 seconds while the instance remains on:

 agetty[<process_id>]: /dev/tty0 ttyS0: No such file or directory.

Conditions:
This agetty error message is an issue on all BIG-IP Virtual Edition and Cloud instances. It is not configuration-dependent.

Impact:
This may fill the /var/log/secure log file. When /var/log is full, certain system services may degrade or become unresponsive (e.g., DNS).

Workaround:
Manually extend the /var/log logical volume.

For more information, see Increase disk space for BIG-IP VE :: https://clouddocs.f5.com/cloud/public/v1/shared/disk_space.html.

Fix:
The issue causing the agetty error message in /var/log/secure has been resolved.

---

755197 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.

---

755084 : Typo in named errdefs

Component: Global Traffic Manager (DNS)

Symptoms:
The errdefs string for NAMED_CANCEL_ERR has a typo in it - says "chages" instead of "changes"

Conditions:
Whenever the error condition occurred and the error message was shown.

Impact:
Misspelling in error output.

Workaround:
NA.

Fix:
Fixed a typo.

---

755033 : Dynamic Routes stats row does not appear in the UI

Component: Service Provider

Symptoms:
From UI, when navigate to the following path:
Statistics ›› Module Statistics : Local Traffic ›› Profiles Summary : Diameter Router.
The stat for 'Current number of dynamic routes' does not appear.

Conditions:
Any condition

Impact:
Unable to view dynamic routes statistics in the GUI

Workaround:
Look at the statistics from tmsh

Fix:
Dynamic Routes stats row is displayed properly in the UI

---

754932 : New SNMP MIB, sysVlanIfcStat, for vlan statistics.

Component: TMOS

Symptoms:
None.

Conditions:
None.

Impact:
None.

Fix:
SysVlanIfcStat includes many of the same fields from the ifXTable, with a few additions. Notably, the new MIB includes PVA statistics.

---

754924 : New vlan statistics added.

Component: TMOS

Symptoms:
The tmsh command 'show net vlan' only displays statistics for each VLAN's interface, and not each VLAN's statistics.

Conditions:
This is encountered when running the command 'tmsh show net vlan'

Impact:
You are unable to view PVA statistics.

Fix:
The tmsh command 'show net vlan' now displays each vlan's statistics, including PVA statistics.

---

754855 : TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

Component: Protocol Inspection

Symptoms:
Under certain conditions, TMM may crash while processing traffic with a FastL4 virtual with the Protocol Inspection Profile attached.

Conditions:
-FastL4 Virtual
-Protocol Inspection Profile

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes FastL4 traffic with the Protocol Inspection Profile as expected.

---

753474 : RST cause logging is improved for a specific scenario

Component: Local Traffic Manager

Symptoms:
A RST with an 'Unknown reason' is logged for a specific sequence of packets.

Conditions:
- TCP, SSL, HTTP, HTTP/2, and HTTPROUTER are configured on the virtual server.

Impact:
The RST does not indicate the root cause of the issue.

Workaround:
N/A

Fix:
A descriptive RST cause message is appended to the log/pcap.

---

752154-4 : Fake keystrokes are not generated in some browsers

Component: Fraud Protection Services

Symptoms:
When Keylogger protection is enabled, some browsers (e.g., Microsoft Internet Explorer v11) may show the 'caps lock is on' warning on the password field of a login page.

Conditions:
Keylogger protection is enabled on a protected URL.

Impact:
Capslock warning is displayed, even when caps lock is off, or it may not be displayed when caps lock is on.

Workaround:
None.

Fix:
The 'caps lock' indicator now shows correctly.

---

751586-2 : Http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic is still translated to the destination address to the pool member.

Workaround:
None.

Fix:
Translate-address disabled is working correctly now.

---

751032 : TCP receive window may open too slowly after zero-window

Component: Local Traffic Manager

Symptoms:
After a zero-window, TCP reopens its receive window with init-rwnd * mss bytes if sys db tm.tcpinitwinafterxon is enabled and grows it as data is received. For a TCP connection with a large receive window, reaching the receive window limit might take some RTTs due to init-rwnd is limited to 64.

Conditions:
-- A TCP profile with large receive window size.
-- A zero-window is sent.
-- TCP receive window is reopened when data is drained.

Impact:
TCP does not have the functionality to reopen it's receive window more aggressively if needed which might result in longer transfer times.

Fix:
A new sys db (tm.tcpinitwinmultiplierafterxon) is introduced to provide TCP the functionality to reopen it's receive window more aggressively after zero-window.

Behavior Change:
A new sys db (tm.tcpinitwinmultiplierafterxon) has been introduced to provide TCP the functionality to reopen it's receive window more aggressively after zero-window. It has a default minimum value of 1 and can be increased to a maximum of 100.

---

750705 : LTM logs are filled with error messages while creating/deleting virtual wire configuration

Component: Local Traffic Manager

Symptoms:
LTM logs are filled with error messages when creating/deleting virtual wire config.

Conditions:
Virtual wire is created and then deleted.

Impact:
Error messages are getting logged to ltm.

Fix:
Log messages for virtual wire interfaces are not being seen.

---

748122 : BIG-IP Vulnerability CVE-2018-15333

Solution Article: K53620021

---

746861 : SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★

Component: TMOS

Symptoms:
The SFP interfaces do not come up or flap up and down repeatedly on BIG-IP 2000/4000 on boot up when both SFP interfaces are populated.

When interface flaps state changes such as those below are logged in ltm log:
info pfmand[PID]: 01660009:6: Link: 2.1 is UP
info pfmand[PID]: 01660009:6: Link: 2.1 is DOWN

Conditions:
Both SFP interfaces, 2.1 and 2.2, on BIG-IP 2000/4000 are populated.

This is typically observed after an upgrade to an affected version.

Impact:
Traffic cannot be sent/received from these interfaces.

Workaround:
None.

Fix:
The interfaces now come up successfully. Occasional link bounce may be seen on reboot.

---

746758 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.

---

746348 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.

---

746091 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352

---

745465 : The tcpdump file does not provide the correct extension

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.

Fix:
File name changed to support.tcpdump.tar.gz.

Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz

---

744950 : Non-utf8 characters in resource descriptions causes malfunction of Resource Assign Dialogue

Component: Access Policy Manager

Symptoms:
APM resource that has 0xfc (u-umlaut) from 8859-15 in description field is causing error in the Visual Policy Editor resource assignment.

Conditions:
This occurs when you manually edit an APM resource (hex edit of bigip.conf) and replaces u-umlaut with 0xfc

Impact:
Error on Visual Policy Editor while trying to edit advanced resource assign agent: "Unable to find rootNode 'message' in Load response for 'editActionDialogue'... Dialogue loading has failed."

Workaround:
Do not manually change utf8 characters in APM resource descriptions of of bigip.conf

Fix:
This issue has been fixed

---

744407 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.

---

743726 : GTM virtual server status shows incorrect monitor IP address

Component: Global Traffic Manager (DNS)

Symptoms:
If a prober pool is assigned to a datacenter/server/virtual server after the monitor for that virtual server has already run on a non-prober-pool-member, the virtual server status (tooltip or 'tmsh show') does not update to show that probes are being sent from a prober-pool-member.

Conditions:
-- Prober pool assigned to a datacenter/server/virtual server.
-- Assignment occurs after that virtual server's monitor has already run on a non-prober-pool-member.

Impact:
The virtual server tooltip and results from the 'tmsh show' command display possibly stale information.

Workaround:
Remove and re-add monitor to the virtual server.

Fix:
Not updating this information is intentional as an optimization. Therefore, the fix is to remove the IP info from virtual server status to avoid potential stale information being presented.

The information is still preserved in debug log messages, etc.

Behavior Change:
Previously, the virtual server tooltip and results from the 'tmsh show' command did not update to show that probes were being sent from a prober-pool-member, if the monitor was assigned after the monitor already ran on a non-prober-pool-member. In this release, the tooltip and 'tmsh show' command do not report the IP info, so there is no possibility for presenting stale information or creating BIG-IP user confusion.

Not updating this information is intentional as an optimization. The information is still preserved in debug log messages, etc.

---

743234 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons

Component: TMOS

Symptoms:
Configuring EngineID for SNMPv3 does not take effect until
the SNMP and Alert daemons are restarted.

Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'

Impact:
The SNMPv3 value does not take effect.

Workaround:
Restart the daemons after changing the EngineID:

restart /sys service snmpd
restart /sys service alertd

Note: The SNMP daemon should be restarted before the Alert daemon.

Fix:
The new EngineID is used after being configured, and no longer requires daemon restart.

---

742628 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash

---

742603 : WebSocket Statistics are updated to differentiate between client and server sides

Component: Local Traffic Manager

Symptoms:
The WebSocket feature has statistics that records the number of each type of frame seen. These statistics do not differentiate between client and server sides.

Conditions:
The WebSocket profile is used to add WebSocket protocol parsing.

Impact:
WebSocket Traffic Statistics may be misleading

Workaround:
None.

Fix:
WebSocket statistics now differentiate between client and server side.

---

742549 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.

---

738865 : MCPD might enter into loop during APM config validation

Component: Access Policy Manager

Symptoms:
Mcpd crashes after a config sync.

Conditions:
This can occur during configuration validation when APM is configured.

Impact:
Mcpd may take too long to validate the APM configuration and is killed by watchdog, causing a core

Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.

The Visual Policy Editor does not allow policies to be created if they contain loops.

Fix:
Fixed an mcpd crash related to policy loop detection in APM.

---

737098 : ASM Sync does not work when the configsync IP address is an IPv6 address

Component: TMOS

Symptoms:
If the configsync IP address of the device is configured to be an IPv6 address, changes in ASM configuration do not synchronize across the cluster.

Conditions:
Devices in a Device Group have an IPv6 address set as their configsync IP address.

Impact:
ASM configuration does not synchronize across the Device Group.

Workaround:
Set the configsync IP address to be an IPv4 address and restart the asm_config_server process. To restart the asm_config_server process, run the following command:
pkill -f asm_config_server

---

734369 : SIP Response routing fails under certain conditions

Component: Service Provider

Symptoms:
SIP Response is not sent to the client.

Conditions:
-- 'honor-via' is enabled.
-- SIP Client sends a SIP Request.
-- SIP client connection is closed.

Impact:
Honor via results in routing the message to the next VIA entry but does not have enough information to route the message. SIP Response is not forwarded to the client.

Workaround:
None.

Fix:
Now, the information needed to connect to the originating device is available, so the SIP Response can be forwarded to the client. There is a small CPU performance penalty with this fix and throughput may be affected if CPU usage is already near 100%.

---

726518 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.

---

726427-1 : Linux kernel vulnerability: CVE-2015-8830

Component: TMOS

Symptoms:
AIO write triggers integer overflow in some protocols.

Conditions:
Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO. BIG-IP software versions based on CentOS6 and CentOS7 are impacted by this vulnerability.

Impact:
Denial of service.

Workaround:
None.

Fix:
Kernel updated to patch for CVE-2015-8830.

---

724824 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync

Component: Local Traffic Manager

Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.

Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.

Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.

Impact:
Monitor status on the peer devices is reported incorrectly.

Workaround:
Any of the following three options will correct reporting status on the peer devices:

-- Restart bigd

-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.

-- Disable and then re-enable the FQDN node

Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.

---

724292 : RRSIG might expire without incrementing external-facing zone SOA serial

Component: Global Traffic Manager (DNS)

Symptoms:
When a zone that is DNSSEC signed is copied to a slave via AXFR, each RRSET gets an RRSIG that has an expiration time. If the zone is otherwise static and the default expiration and publication times are configured, the RRSIGs on the slave will expire before the xfr-soa-serial gets updated by a key rollover event.

Conditions:
xfr-soa-serial is updated when RRSIGs expire, so that slave servers get a new copy of the zone when the RRSIG expires.

Impact:
DNSSEC signed zones fail verification if any clients use a slave DNS server for a static zone.

Workaround:
Set RRSIG validity time equal to or greater than the ZSK rollover time.

---

723306 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.

Fix:
'tmsh load /sys config' no longer reports incorrect errors.

---

722230 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.

---

720440-3 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.

---

719555-2 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface

---

718230 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented

Component: TMOS

Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.

Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.

Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:

-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.

Workaround:
None.

Fix:
The system now disallows attaching BIG-IP monitors to a non-BIG-IP GTM server

---

717831 : TCP4 stack is not supported anymore

Component: Local Traffic Manager

Symptoms:
Starting from this release, TMM will only maintain one TCP stack (TCP) instead of two (TCP4 and TCP). In the last few BIG-IP versions, TCP stack has been already the default stack. TCP4 stack will not be supported going forward for better maintenance. Mirroring between an older version of BIG-IP and versions going forward would be functional if both BIG-IP's are using the TCP stack.

Conditions:
For maintenance purposes, the number of TCP stacks is being reduced to one.

Impact:
TCP4 stack is not supported.

Workaround:
N/A

Fix:
TCP4 stack is not supported anymore.

---

717276 : TMM Route Metrics Hardening

Component: Local Traffic Manager

Symptoms:
TMM does not follow current best practices for route metrics.

Conditions:
TMM does not follow current best practices for route metrics.

Impact:
TMM does not follow current best practices for route metrics.

Workaround:
None.

Fix:
TMM now follows current best practices for route metrics.

---

716701 : In iControl REST: Unable to create Topology when STATE name contains space

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.

Fix:
Now you can access topology with states whose names contain spaces. To do so, use double quotes to enclose the name. For example, for 'CA/British Columbia':

curl -k -u admin:admin -H "Content-Type: application/json" https://10.15.67.170/mgmt/tm/gtm/topology -X POST -d '{"name": "ldns: state \"CA/British Columbia\" server: pool /Common/test_pool", "order": 1, "score": 1}' | python3 -m json.tool

curl -k -u admin:admin -H "Content-Type: application/json" https://10.15.67.170/mgmt/tm/gtm/topology/ldns:%20state%20%22CA~British%20Columbia%22%20server:%20pool%20~Common~test_pool?ver=15.1.0 | python3 -m json.tool

---

715032-4 : iRulesLX Hardening

Component: Local Traffic Manager

Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.

Conditions:
-iRulesLX in use

Impact:
iRulesLX does not follow current best practices.

Workaround:
None.

Fix:
iRulesLX now follows current best practices.

---

714828 : Message delivered to the wrong peer if bidirectional persistence is used.

Solution Article: K92710485

Component: Service Provider

Symptoms:
A message may be delivered to the wrong peer if bidirectional persistence is used. The existing algorithm for selecting the direction to forward a message that matches a bidirectional persistence entry may send the message to the wrong peer.

Conditions:
-- Bidirectional persistence is configured.
-- A pool of server devices is sharing the same state.
-- One server is down.
-- The other server uses the same session to send the message to another peer.

Impact:
LTM may send the message to the wrong peer.

Workaround:
Use an iRule to route/deliver the message, or don't share the state between servers.

---

714502 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.

---

714372 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.

---

713614 : Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Component: TMOS

Symptoms:
Warning similar to below, referencing a non-floating self IP:
Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only)

Conditions:
Virtual Server is defined using the same IP address as a non-floating self IP.

Impact:
Virtual Server does not fail over with floating traffic group as expected.

---

710606 : Diameter and SIP profile statistics may require "Clear Statistics" button to be clicked twice to get the stats to zero out

Component: Service Provider

Symptoms:
In UI, when navigate to the following profiles under "Statistics ›› Module Statistics : Local Traffic ›› Profiles Summary"
- Diameter Router
- Diameter Session
- SIP Router
- SIP Session

"Clear Statistics" button may not work properly. You may need to click the button twice, or refresh the page, after clicking the button. Otherwise, stats may not be reset.

Conditions:
This is encountered when trying to clear the statistics.

Impact:
Statistics are sometimes not cleared on the first attempt.

Workaround:
Click "Clear Statistics" button twice or refresh the UI after clicking "Clear Statistics"
or use tmsh

Fix:
"Clear Statistics" button works properly.

---

709952 : Disallow DHCP relay traffic to traverse between route domains

Component: Local Traffic Manager

Symptoms:
DHCP traffic can traverse between route domains, e.g., when working with a route domain with a parent. Under certain circumstances, this is not desired.

Conditions:
DHCP relay in use on a route domain with a parent relationship or strict isolation disabled.

Impact:
The DHCP server side flow might get established to the parent route domain, and will persist even after the route in its own route domain becomes available again.

Workaround:
There is no workaround at this time.

Fix:
A db key has been introduced, tmm.dhcp.routedomain.strictisolate, which allows enforcement of route domain traversal if desired/configured.

---

705768 : dynconfd may core and restart with multiple DNS name servers configured

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query while multiple DNS name servers are configured or the list of DNS name servers is changed.

Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.

Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.

Workaround:
This issue occurs rarely. There is currently no known workaround.

---

705112-7 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.

---

703818 : ACED core file during restart

Component: Access Policy Manager

Symptoms:
During shutdown ACED occasionally produces a core file.

Conditions:
A race condition during shutdown occasionally produces a core file.

Impact:
RSA SecurID authentication fails briefly while ACED restarts.

Workaround:
The core file can be ignored.

Fix:
A race condition in ACED that caused a core file during shutdown has been fixed.

---

696348 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.

Fix:
There is no warning message when using "GTP::ie insert" and "GTP::ie append" without "-message" option.

---

691772 : Protected Object "Add" and "Clone" buttons are hidden on screens with lower resolution

Component: Advanced Firewall Manager

Symptoms:
When the inspector panel is opened, the buttons are not visible.

Conditions:
Screen resolutions lower than 1920x1080

Impact:
Cannot add or clone a new protected object

Workaround:
Collapse Inspector or scroll protected object list table to the left

---

691499 : GTP::ie primitives in iRule to be certified

Component: Service Provider

Symptoms:
The following commands in iRules are created and available but not officially tested and approved:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Conditions:
Using the following iRule commands:

GTP::ie set instance/value
GTP::ie insert
GTP::ie append
GTP::ie remove

Impact:
Although you can use these iRule commands, their functionality has not been tested and approved.

Workaround:
None.

Fix:
GTP::ie primitives in iRule are now certified.

Behavior Change:
Certified pre-existing iRules:

-- GTP::ie set instance <ie-path> <instance>
  Assigns <instance> to the information element (IE) instance at <ie-path>.

-- GTP::ie set value <ie-path> <value>
  Assigns <value> to the IE value at <ie-path>.

-- GTP::ie insert <ie-path> <type> <instance> <value>
  Inserts a new IE of type <type> and instance <instance> with value <value> at <ie-path>

-- GTP::ie append [<ie-path>] <type> <instance> <value>
  Appends a new IE of type <type> and instance <instance> with value <value> to the end of embeded IE of grouped-IE specified by <ie-path> or to the end of message if the grouped-IE <ie-path> is absent.

-- GTP::ie remove <ie-path>
  Removes IE specified by <ie-path>.

---

690998 : Validation missing when changing Syslog format from valid to invalid selection for DoS Application Protection

Component: Application Security Manager

Symptoms:
The BIG-IP's High Speed Logging (HSL) configuration supports three syslog formats for log destinations: in TMUI syslog, in tmsh RFC5424 or leave blank as it is the default; TMUI BSD Syslog, tmsh RFC3164; and TMUI Legacy BIG-IP, tmsh legacy_bigip. The only supported format for DoS Application Protection is syslog/RFC5424. If you have not previously assigned a security logging profile to a Protected Object using a DoS Profile with the HTTP family of vectors enabled, configuration validation will prevent you from assigning a security logging profile with the incorrect syslog format. However, once the correct configuration has been made, no further validation takes place and a configuration with invalid syslog settings will be accepted. Log messages will not be sent.

Conditions:
You have a Protected Object with a DoS Protection profile with the HTTP family enabled.

You have an HSL configuration using a remote-syslog destination using format syslog/RFC5424, and a Security Logging profile that references the publisher in that HSL configuration.

You then update the remote-syslog destination to use another syslog format.

Impact:
Loss of logging data.

Workaround:
Continue using the supported syslog format: syslog/rfc5424.

Fix:
The system now validates that when using a Remote Syslog destination for Application DoS logs, only the Syslog/rfc5424 format is allowed.

---

685904 : Firewall Rule hit counts are not auto updated after a Reset is done

Component: Advanced Firewall Manager

Symptoms:
When a rule is selected and the "Reset Count" button is clicked, the command is executed but rule stats are not updated in the UI

Conditions:
This occurs when resetting rule hit count stats in the UI.

Impact:
Incorrect (stale) statistics are seen

Workaround:
Refresh the page

---

681010 : 'Referer' is not masked when 'Query String' contains sensitive parameter

Solution Article: K33572148

Component: Application Security Manager

Symptoms:
While 'Query String' contains masked sensitive parameter value the 'Referer' header sensitive parameter value is exposed.

Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.

-- 'Query String' contains the defined sensitive parameter.

Impact:
"Referer" header contains unmasked value of the sensitive parameter.

Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.

Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.

---

663946 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.

Fix:
The hardware DoS offload is by default disabled on vCMP guests. To enable hardware DoS offload, within the guest, set sys db dos.vcmphwdos to true.

Behavior Change:
A new sys db Dos.VcmpHWdos is added to BIG-IP. By default the value is false. Under the default value hw dos is disabled on VCMP platform. Users will need to enable the sys db within the guest to access the hw dos functionality.

---

653210 : Rare resets during the login process

Component: Access Policy Manager

Symptoms:
On rare occasions, the login process resets and a NULL sresult message will be logged in /var/log/apm:

-- notice tmm[18397]: 01490505:5: /Common/ltm-apm_main_irules:Common:448568c9: Get license - Unexpected NULL session reply. Resetting connection.

Conditions:
A race condition allows license information to be processed out of order.

Impact:
The system resets the client connection attempt. The APM end user client must retry the login process.

Workaround:
Have the APM end user client retry the login operation.

---

640842 : ASM end user using mobile might be blocked when CSRF is enabled

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.

Fix:
Enabling access for specific mobile application.

---

639606 : If mcpd fails to load DNSSEC keys then signing does not happen and no error logged

Component: TMOS

Symptoms:
MCPD successfully loads configuration when it's not able to decrypt DNSSEC Key generation.

Conditions:
MCPD loads configuration with DNSSEC Key generation encrypted by master key which has been changed.

Impact:
The configuration successfully loads but BIG-IP is not able to sign Resource Records.

Fix:
MCPD throw error if not able to decrypt private text of DNSSEC Key generation with current master key.

---

635934 : Logon (username) field may be blank in APM Reports when using NTLM or Kerberos AAA

Component: Access Policy Manager

Symptoms:
NTLM AAA and Kerberos AAA fail to display the Logon field in Access Reports. (Access :: Overview :: Access Reports :: (run report)).

The user sessions will succeed but the username will be blank in the APM Access Reports.

Conditions:
Using the Access session reports when end users are authenticated via NTLM or Kerberos AAA.

Impact:
Access :: Overview :: Access Reports :: (run report)
The Logon Name field in the report will be empty.

Please Note:
There is a real-time view of active sessions available that successfully displays the username in the User field:
Access :: Profiles/Policies :: Active Sessions

Workaround:
Using the VPE: After the AAA action, and before the Allow terminal, add a Variable Assign action with the following properties:

session.logon.last.username = return [mcget {session.logon.last.username}]

This forces the username to be assigned to the session data and it will be displayed correctly in the reports.

Fix:
Usernames are now reported correctly on the APM Reports page for APM end users authenticated via certain HTTP methods such as NTLM and Kerberos.

---

627760 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.

Fix:
Fixed issue prevent FIPS card synchronization through gtm_add when a DNSSEC key of the same name already exists on both GTMs.

---

608952 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2

Component: Local Traffic Manager

Symptoms:
MSSQL health monitor always shows down.

Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.

Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.

Workaround:
None.

---

605675 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.

---

594600 : No validation when delete iRule that is assigned to ACL policy

Component: Advanced Firewall Manager

Symptoms:
When an iRule is deleted, BIG-IP does not throw error even when it is configured under ACL policy.

Conditions:
-- AFM is provisioned
-- iRule is configured under an ACL Policy.
-- iRule is deleted

Impact:
iRule gets deleted without error. Later, the ACL policy won't be able to access the iRule.

Fix:
Added validation and an error message when an iRule is deleted which is configured under an ACL policy.
"The irule (/Common/iRule1) cannot be deleted because it is in use by a fw_rule (rule1) in Policy (/Common/policy11)."

---

593536 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.

---

583084 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.

Conditions:
Creating GTM topology record without using full path via iControl.

Impact:
Resulting code/information is not compatible with actual result.

For a post request, the create command and the list command are formed and executed, and the name in the curl request and the name in the list response are compared to verify whether or not it is the actual object. When a create command is executed with properties that are not fullPath (e.g., in iControl), it still creates the object with fullPath. So list returns the name with fullPath and compares it with the name that does not contain the fullPath, and the comparison fails because the names do not match.

Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.

Fix:
The system now compares both names, ignoring the partition '/Common' if the exact comparison fails.

---

582666 : TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0"

Component: Local Traffic Manager

Symptoms:
/var/log/ltm is spammed with below shown logs:

Mar 23 08:21:52 slot2/technetium crit tmm[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0
Mar 23 08:21:53 slot2/technetium crit tmm3[13305]: 01010235:2: Inet port find called for pg 1 with invalid cmp state 0

Conditions:
One or more blades are administratively disabled on a chassis system.

Impact:
Detrimental to TMM performance.

Fix:
/var/log/ltm should no longer be spammed with these critical logs.

---

579219 : Access keys missing from SessionDB after multi-blade reboot.

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.

---

570129 : Removed unused session ID from URL

Component: Access Policy Manager

Symptoms:
/vdesk/webtop/index.html URL includes the full session ID.

Conditions:
Use APM version older than v7.1.4.0 or older to establish VPN.

Impact:
Potential exposure of session ID via URL.

Workaround:
Upgrade to newer version of APM client.

Fix:
Removed unused session ID from URL

---

569859 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.

Fix:
The system now enforces the password policy for root user, even when mcpd is not available.

---

567503 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Solution Article: K03293396

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. Theses are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.

The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.

Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.

Workaround:
None.

Fix:
ACCESS::remove no longer results in confusing ERR_NOT_FOUND logs.

---

554978 : Multiple HTTP Host headers may circumvent SWG URL Filter Policy

Component: Access Policy Manager

Symptoms:
If an HTTP request contains multiple Host headers, the first one will be used to determine the destination IP when using an SWG Explicit Proxy. The last Host header is used by SWG to make a URL Filter policy decision.

If the last Host header is allowed by the applied URL Filter policy, the request will be allowed. The request although will be send to the destination specified by the first Host header is blocked by the URL Filter policy, thereby circumventing the URL Filter Policy applied to the request.

Conditions:
An HTTP request is made to the an APM Explicit Proxy with 2 or more HTTP Host headers.

Impact:
A may send custom HTTP requests with multiple HTTP Host headers to gain access to a site that is being blocked by the applied URL Filter policy.

---

547550-1 : avrd reports incorrect stat values

Component: Application Visibility and Reporting

Symptoms:
AVR has some uint32 counters for DoS statistics both in HW and SW. And these counters were getting overflowed with time.

Conditions:
When the box is running under heavy DoS traffic for few hours, DoS counters can overflow.

Impact:
Impact would only be seen on some DoS stats but functionality wise everything works fine without any issue.

Workaround:
There was no workaround.

Fix:
Counter overflow is now handled correctly for both HW and SW DoS.

---

539385 : When logging, if the length of argument value is very long, log buffer overflows.

Component: TMOS

Symptoms:
If Access Policy event logs include long string arguments (greater than 8 KB), the log buffer grows while processing each log parameter. The log information can overflow to other files such as user.log and message.log.

Conditions:
-- Larger value for log parameters (mainly of string type).
-- The parameters are very long (greater than 8 KB), for example, assigning big strings into session variables.

Impact:
Log information gets truncated, and some amount spills over to user.log and message.log.

Workaround:
None.

---

474797-2 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.

Fix:
A crypto soft reset attempt is now allowed to complete before another soft reset attempt can occur.

---

470916 : Using native View clients, cannot launch desktops and applications from multiple VMware back-ends

Component: Access Policy Manager

Symptoms:
If APM is configured to protect multiple VMware resources (VCS servers), you can launch desktops and applications only from the first resource. Attempts to launch desktop or applications from other resources result in error.

Conditions:
-- APM is configured to protect multiple VMware resources (VCS servers).
-- You attempt to launch a desktop or application using the native VMware client.

Impact:
Cannot access desktops and applications from multiple VMware back-ends.

Workaround:
Use HTML5 client instead.

Fix:
APM now supports launching of desktops and applications from multiple View resources using native View clients.

Note: Linux and Mac are not supported, as VMware has yet to add support for mid-parameter on Linux and Mac native clients.

---

470346 : Some IPv6 client connections get RST when connecting to APM virtual

Component: Access Policy Manager

Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.

Conditions:
IPv6 client has the last 4 bytes of the IP address set to some special-purpose address, e.g., multicast address.

Impact:
Client connection is reset.

Workaround:
Change the last 4 bytes of the client IPv6 address to avoid the IPv4 special-address range.

Fix:
All IPv6 clients can now connect through APM virtual server, regardless of the values of the last 4 bytes of the address.

---

440599 : Added DB Variable to configure 'difok' variable in password policy

Component: TMOS

Symptoms:
The difok variable enforces the number of characters that must differ between a user's old password and new password. Prior to this release, the number of characters that must differ was not configurable, and just stayed at the default value.

Conditions:
Attempting to configure a required number of characters a new password must differ from the old.

Impact:
The number of characters that were required to differ between an old and new password were set by default and could not be configured.

Workaround:
None.

Fix:
This release adds a db variable that allows for configuration of the difok variable from TMSH using the command:

modify /sys db password.difok value <value>

---

387290 : Multidomain SSO shows login page when switching to webtop virtual server

Component: Access Policy Manager

Symptoms:
Issue # 1
When you click on the webtop (which accesses the root URL of the application) that shares a multi-domain SSO with the virtual server (with a webtop resource assigned), the existing session is deleted and you must re-authenticate.

Issue # 2
When you access the virtual server (with an access policy attached) and the webtop UI opens, if you then opens a new tab and access the same virtual server, the existing session is deleted and you must re-authenticate.

Conditions:
-- APM is configured.
-- A configured virtual server that assigns a webtop.
-- A webtop link that shares an access profile with that virtual server.
-- You click this webtop link.

Impact:
Existing APM session is deleted and you are required to re-authenticate.

Workaround:
None.

Fix:
The existing session now continues, and you are not required to re-authenticate under these conditions.

---

Known Issues in BIG-IP v16.0.x


TMOS Issues

ID Number	Severity	Solution Article(s)	Description
915305-6	2-Critical		Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
910201-4	2-Critical		OSPF - SPF/IA calculation scheduling might get stuck infinitely
908517-4	2-Critical		LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
896217-1	2-Critical		BIG-IP GUI unresponsive
888341-8	2-Critical		HA Group failover may fail to complete Active/Standby state transition
886693-4	2-Critical		System may become unresponsive after upgrading★
871561-6	2-Critical		Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
858877	2-Critical		SSL Orchestrator config sync issues between HA-pair devices
856713-4	2-Critical		IPsec crash during rekey
837637-5	2-Critical		Orphaned bigip_gtm.conf can cause config load failure after upgrading★
799001-8	2-Critical		Sflow agent does not handle disconnect from SNMPD manager correctly
785017-5	2-Critical		Secondary blades go offline after new primary is elected
780437-7	2-Critical		Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-6	2-Critical		In a corner case, for PostgreSQL monitor MCP process restarts
769581-6	2-Critical		Timeout when sending many large requests iControl Rest requests
767877-1	2-Critical		TMM core with Bandwidth Control on flows egressing on a VLAN group
750588	2-Critical		While loading large configurations on BIG-IP systems, some daemons may core intermittently.
739507-4	2-Critical		How to recover from a failed state due to FIPS integrity check
737322-5	2-Critical		tmm may crash at startup if the configuration load fails
718573-4	2-Critical		Internal SessionDB invalid state
621260-8	2-Critical		mcpd core on iControl REST reference to non-existing pool
382363-2	2-Critical	K30588577	min-up-members and using gateway-failsafe-device on the same pool.
919401-1	3-Major		Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
919317-6	3-Major		NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-1	3-Major		Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918693-5	3-Major		Wide IP alias validation error during sync or config load
918409-1	3-Major		BIG-IP i15600 / i15800 does not monitor all TMMs for heartbeat failures
915825-1	3-Major		Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915557-1	3-Major		The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915497-1	3-Major		New Traffic Class Page shows multiple question marks.
914645-4	3-Major		Unable to apply LTM policies to virtual servers after running "mount -a"
913849-2	3-Major		Syslog-ng periodically logs nothing for 20 seconds
913829-5	3-Major		i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
913573-3	3-Major		Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
909505-4	3-Major		Creating LTM data group external object fails.
909485-4	3-Major		Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
909197-2	3-Major		The mcpd process may become unresponsive
908753-2	3-Major		Password memory not effective even when password policy is configured
908601-1	3-Major		System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
907549-2	3-Major		Memory leak in BWC::Measure
906505-1	3-Major		Display of LCD System Menu cannot be configured via GUI on iSeries platforms
904845-1	3-Major		VMware guest OS customization works only partially in a dual stack environment.
904041-1	3-Major		Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition
903265-4	3-Major		Single user mode faced sudden reboot
902401-1	3-Major		OSPFd SIGSEGV core when ospf clear is done on remote device
901989-1	3-Major		Boot_marker writes to /var/log/btmp
900933-3	3-Major		IPsec interoperability problem with ECP PFS
900485-1	3-Major		Syslog-ng 'program' filter does not work
899933-1	3-Major		Listing property groups in TMSH without specifying properties lists the entire object
899085-7	3-Major		Configuration changes made by Certificate Manager role do not trigger saving config
898705-6	3-Major		IPv6 static BFD configuration is truncated or missing
898577-1	3-Major		Executing a command in "mgmt tm" using iControl REST results in tmsh error
898461-1	3-Major		Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
896817-1	3-Major		iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
895837-4	3-Major		Mcpd crash when a traffic-matching-criteria destination-port-list is modified
894545-1	3-Major		Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers
893885-4	3-Major		The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
893341-4	3-Major		BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445★
892445-1	3-Major		BWC policy names are limited to 128 characters
891221-1	3-Major		Router bgp neighbor password CLI help string is not helpful
889029-1	3-Major		Unable to login if LDAP user does not have search permissions
888081-5	3-Major		BIG-IP VE Migration feature fails for 1NIC
887117-3	3-Major		Invalid SessionDB messages are sent to Standby
887089-2	3-Major		Upgrade can fail when filenames contain spaces
886689-7	3-Major		Generic Message profile cannot be used in SCTP virtual
886649-1	3-Major		Connections stall when dynamic BWC policy is changed via GUI and TMSH
886273-4	3-Major		Unanticipated restart of TMM due to heartbeat failure
884729-1	3-Major		The vCMP CPU usage stats are incorrect
883149-2	3-Major		The fix for ID 439539 can cause mcpd to core.
882609-2	3-Major		ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
881085-4	3-Major		Intermittent auth failures with remote LDAP auth for BIG-IP managment
880625-4	3-Major		Check-host-attr enabled in LDAP system-auth creates unusable config
879969-6	3-Major		FQDN node resolution fails if DNS response latency >5 seconds
879405-3	3-Major		Incorrect value in Transparent Nexthop property
871705-7	3-Major		Restarting bigstart shuts down the system
865177-5	3-Major		Cert-LDAP returning only first entry in the sequence that matches san-other oid
862937-4	3-Major		Running cpcfg after first boot can result in daemons stuck in restart loop★
862525-7	3-Major		GUI Browser Cache Timeout option is not available via tmsh
858197-5	3-Major		Merged crash when memory exhausted
844925-4	3-Major		Command 'tmsh save /sys config' fails to save the configuration and hangs
844085-5	3-Major		GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
842669-5	3-Major		Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
839121-4	3-Major		A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
820845-5	3-Major		Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
814585-8	3-Major		PPTP profile option not available when creating or modifying virtual servers in GUI
807337-6	3-Major		Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
806073-8	3-Major		MySQL monitor fails to connect to MySQL Server v8.0
803833-6	3-Major		On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
798885-5	3-Major		SNMP response times may be long due to processing burden of requests
797829-7	3-Major		The BIG-IP system may fail to deploy new or reconfigure existing iApps
796605	3-Major		GUI gives error when saving UCS or other operation takes more than 5 minutes
788577-8	3-Major		BFD sessions may be reset after CMP state change
783113-8	3-Major		BGP sessions remain down upon new primary slot election
780745-4	3-Major		TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778041-4	3-Major		tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
775797-4	3-Major		Previously deleted user account might get authenticated
760354-2	3-Major		Continual mcpd process restarts after removing big logs when /var/log is full
759737-4	3-Major		Control and Analysis Plane CPU usage statistics may be inaccurate
759564-1	3-Major		GUI not available after upgrade
757787-4	3-Major		Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.
756643	3-Major		HSB error causes TMM core and failover
756139-5	3-Major		Inconsistent logging of hostname files when hostname contains periods
755976-5	3-Major		ZebOS might miss kernel routes after mcpd deamon restart
754460-4	3-Major		No failover on HA Dual Chassis setup using HA score
714176-6	3-Major		UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
708803-4	3-Major		Remote admin user with misconfigured partition fallback to "All"
708448	3-Major		Modify LTM client SSL or server SSL profile ciphers default-value does not work
701534	3-Major		HSB transmitter failure due to watchdog loopback failure
692218-7	3-Major		Audit log messages sent from the primary blade to the secondaries should not be logged.
690928-2	3-Major		System posts error message: 01010054:3: tmrouted connection closed
662301-1	3-Major		'Unlicensed objects' error message appears despite there being no unlicensed config
658850-4	3-Major		Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
587821	3-Major		vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
499348-12	3-Major		System statistics may fail to update, or report negative deltas due to delayed stats merging
489572-6	3-Major	K60934489	Sync fails if file object is created and deleted before sync to peer BIG-IP
486712-8	3-Major		GUI PVA connection maximum statistic is always zero
469724-4	3-Major		When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
431503-9	3-Major	K14838	TMSH crashes in rare initial tunnel configurations
398683-5	3-Major	K12304	Use of a # in a TACACS secret causes remote auth to fail
385013-1	3-Major		Certain user roles do not trigger a sync for a 'modify auth password' command
919745-1	4-Minor		CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-4	4-Minor		GUI Network Map icons color scheme is not section 508 compliant
915141-1	4-Minor		Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
914761-4	4-Minor		Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
913325	4-Minor		Upgrade process does not update Tcl scripts★
910645-2	4-Minor		Upgrade error 'Parsing default XML files. Failed to parse xml file'★
908453-4	4-Minor		Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
906889-2	4-Minor		Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
906449-1	4-Minor		Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
902417-6	4-Minor		Configuration error caused by Drafts folder in a deleted custom partition★
901985-7	4-Minor		Extend logging for incomplete HTTP requests
901669-5	4-Minor		Error status in "show cm failover-status" after MGMT-IP change
899097-3	4-Minor		Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking★
896693-5	4-Minor		Patch installation is failing for iControl REST endpoint.
896689-5	4-Minor		Asynchronous tasks can be managed via unintended endpoints
893813-4	4-Minor		Modifying pool enables address and port translation in TMUI
893093-1	4-Minor		An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
892677-6	4-Minor		Loading config file with imish adds the newline character
890277-4	4-Minor		Mcpd takes too long on full config sync to a device group when there are large amount of partitions.
865313-4	4-Minor		Validation of monitor field fails in transaction
864757-4	4-Minor		Traps that were disabled are enabled after configuration save
860573-4	4-Minor		LTM iRule validation performance improvement by tracking procedure/event that have been validated
848681	4-Minor		Disabling the LCD on a VIPRION causes blade status lights to turn amber
817989-2	4-Minor		Cannot change managemnet IP from GUI
809089	4-Minor		TMM crash after sessiondb ref_cnt overflow
807309-4	4-Minor		Incorrect Active/Standby status in CLI Prompt after failover test
779857-3	4-Minor		Misleading GUI error when installing a new version in another partition★
759606	4-Minor		REST error message is logged every five minutes on vCMP Guest
753536-4	4-Minor		REST no longer requires a token to login for TACACS use
751103-1	4-Minor		TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
742753-6	4-Minor		Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-4	4-Minor		Displaying network map with virtual servers is slow
713183-5	4-Minor		Malformed JSON files may be present on vCMP host
712241-7	4-Minor		A vCMP guest may not provide guest health stats to the vCMP host
689147-4	4-Minor		Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
675911-8	4-Minor	K13272442	Different sections of the WebUI can report incorrect CPU utilization
673573-7	4-Minor		tmsh logs boost assertion when running child process and reaches idle-timeout
671025-5	4-Minor		File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
658943-4	4-Minor		Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-5	4-Minor	K71255118	VCMP Guest CM device name not set to hostname when deployed
617636-4	4-Minor	K15009669	LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System)
595313	4-Minor		"vcmp.vdisk.new_image_size" BigDB variable ignored when using virtual disk templates
394873	4-Minor		Upgrade process does not update Tcl scripts★

Local Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
911041-4	2-Critical		Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
910653-6	2-Critical		iRule parking in clientside/serverside command may cause tmm restart
910213-1	2-Critical		LB::down iRule command is ineffective, and can lead to inconsistent pool member status
901033-4	2-Critical		TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
886045-1	2-Critical		Multi-nic instances fail to come up when trying to use memory mapped virtio device
851385-2	2-Critical		Failover takes too long when traffic blade failure occurs
835505-5	2-Critical		Tmsh crash potentially related to NGFIPS SDK
824437-8	2-Critical		Chaining a standard virtual server and an ipother virtual server together can crash TMM.
758491-4	2-Critical		When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys
756234	2-Critical		In SSL forward proxy, forged untrusted server certs are no longer cached.
665906	2-Critical	K02285831	tmm crash in free_bufctls
625807-2	2-Critical		tmm cored in bigproto_cookie_buffer_to_server
920205-3	3-Major		Rate shaping might suppress TCP RST
918277-1	3-Major		Slow Ramp does not take into account pool members' ratio weights
915605-2	3-Major		Image install fails if iRulesLX is provisioned and /usr mounted read-write★
914493-1	3-Major		Protocol Profile (Client) for virtual server is reset to "tcp" after "Update"
913249-1	3-Major		Restore missing UDP statistics
912517-1	3-Major		MySQL monitor marks pool member down if send is configured but no recv strings are configured
912425-4	3-Major		Modification of in-tmm monitors may result in crash
912293-4	3-Major		Persistence might not work properly on virtual servers that utilize address lists
910673-1	3-Major		Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910273-1	3-Major		SSL Certificate version always displays as '1' in the GUI
910105	3-Major		Partial HTTP/2 payload may freeze on the BIG-IP system
909997-2	3-Major		Virtual server status displays as unavailable when it is accepting connections
909677-1	3-Major		HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
905477-1	3-Major		The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-1	3-Major		Changes to SSL.CertRequest.* DB variables cause HA devices go out of sync
903581-4	3-Major		The pkcs11d process cannot recover under certain error condition
902377-3	3-Major		HTML profile forces re-chunk even though HTML::disable
901929-1	3-Major		GARPs not sent on virtual server creation
901569-3	3-Major		Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
898733-4	3-Major		SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-5	3-Major		Order of ciphers changes after updating cipher group
897185-4	3-Major		Resolver cache not using random port distribution
895205-1	3-Major		A circular reference in rewrite profiles causes MCP to crash
895165-1	3-Major		Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
893281-2	3-Major		Possible ssl stall on closed client handshake
892801-1	3-Major		When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-3	3-Major		A wrong OCSP status cache may be looked up and re-used during SSL handshake.
891373-1	3-Major		BIG-IP does not shut a connection for a HEAD request
889165-4	3-Major		"http_process_state_cx_wait" errors in log and connection reset
887045-2	3-Major		The session key does not get mirrored to standby.
885325-1	3-Major		Stats might be incorrect for iRules that get executed a large number of times
883049-1	3-Major		Statsd can deadlock with rrdshim if an rrd file is invalid
881065-3	3-Major		Adding port-list to Virtual Server changes the route domain to 0
879413-7	3-Major		Statsd fails to start if one or more of its *.info files becomes corrupted
870309-3	3-Major		Ephemeral pool member not created when FQDN resolves to new IP address
858701-5	3-Major		Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★
842517-1	3-Major		CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
842137-2	3-Major		Keys cannot be created on module protected partitions when strict FIPS mode is set
823825	3-Major		Renaming HA VLAN can disrupt state-mirror connection
816953-2	3-Major		RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
807821-6	3-Major		ICMP echo requests occasionally go unanswered
803629-8	3-Major		SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-6	3-Major		Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
794417-5	3-Major		Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
794385-4	3-Major		BGP sessions may be reset after CMP state change
793669-6	3-Major		FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
785877-4	3-Major		VLAN groups do not bridge non-link-local multicast traffic.
785361-2	3-Major		In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
780857-1	3-Major		HA failover network disruption when cluster management IP is not
767341	3-Major		If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
767217-4	3-Major		Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-6	3-Major		RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
764969-1	3-Major		ILX no longer supports symlinks in workspaces as of v14.1.0
762137-4	3-Major		Ping6 with correctly populated NDP entry fails
757029-7	3-Major		Ephemeral pool members may not be created after config load or reboot
738450	3-Major		Parsing pool members as variables with IP tuple syntax
712489	3-Major		TMM crashes with message 'bad transition'
700639-1	3-Major		The default value for the syncookie threshold is not set to the correct value
696755-6	3-Major		HTTP/2 may truncate a response body when served from cache
680841	3-Major	K67996855	Reported Virtual Server CPU usage stats are slightly higher than actual
680030	3-Major		IP ToS/QoS is not preserved in chained Virtual Servers when the second Virtual Server is FastL4.
646440-4	3-Major		TMSH allows mirror for persistence even when no mirroring configuration exists
629640	3-Major	K33695305	TMM may stall and not service queued connections on pool state transition
510650	3-Major		BIG-IP MPTCP Checksum calculation might be incorrect.
381100	3-Major		Internal Datagroup Entries are added one at a time in TMM
224665	3-Major	K12711	Proxy Exclusion List setting is not aware of administrative partitions
916485-3	4-Minor		Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
915689-2	4-Minor		The HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
914681-1	4-Minor		Value of tmm.quic.log.level can differ between TMSH and GUI
914589-1	4-Minor		VLAN Failsafe timeout is not always respected
898753-6	4-Minor		Multicast control-plane traffic requires handling with AFM policies
898201-1	4-Minor		Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
869565-2	4-Minor		Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-2	4-Minor		HTTP2::disable fails for server side allowing HTTP/2 traffic
838305	4-Minor		BIG-IP may create multiple connections for packets that should belong to a single flow.
822245-1	4-Minor		Large number of in-TMM monitors results in some monitors being marked down
808409-5	4-Minor		Unable to specify if giaddr will be modified in DHCP relay chain
754100	4-Minor		iRule event info command does not return proper error codes
748030	4-Minor		Modifying datagroup type at runtime is not supported
738032-4	4-Minor		BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
727266	4-Minor		ICMP monitors may be marked down if packet-filter is set to discard or reject
677270	4-Minor	K76116244	Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility
652856	4-Minor		The tmsh utility shows memory information only for the main thread of each TMM process.
640374	4-Minor		DHCP statistics are incorrect
631595	4-Minor		iRule does not re-enable AVR when in was disabled by LTM Policy
898929-5	5-Cosmetic		Tmm might crash when ASM, AVR, and pool connection queuing are in use
873249-6	5-Cosmetic		Switching from fast_merge to slow_merge can result in incorrect tmm stats

Global Traffic Manager (DNS) Issues

ID Number	Severity	Solution Article(s)	Description
919553-1	2-Critical		GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
918169-4	2-Critical		The GTM HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
916753-1	2-Critical		RESOLV::lookup returns null for local virtual server and possible tmm core
783125-5	2-Critical		iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
705869	2-Critical		tmm cores with consequential of repeated load of the GEOIP database
913917-1	3-Major		Unable to save UCS
912761-1	3-Major		Link throughput statistics are different
911241-7	3-Major		The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
903521-1	3-Major		TMM fails to sign responses from BIND when BIND has "dnssec-enable no"
899253-1	3-Major		[GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
813221	3-Major		Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
789421-5	3-Major		Resource-administrator cannot create GTM server object through GUI
895021	4-Minor		Error log when listing with tmsh ECDSA fips key
886145-1	4-Minor		The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
718110-1	4-Minor		MCP high CPU usage after clicking on GTM Listener name to view its properties in the Web GUI.

Application Security Manager Issues

ID Number	Severity	Solution Article(s)	Description
904593-3	2-Critical		Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
887621-3	2-Critical		ASM virtual server names configuration CRC collision is possible
854001-1	2-Critical		TMM might crash in case of trusted bot signature and API protected url
918081-2	3-Major		Application Security Administrator role cannot create parent policy on GUI
913761-1	3-Major		Security - Options section in left menu is visible for only Administrator users
913137-2	3-Major		No learning suggestion on ASM policies enabled via LTM policy
912089-1	3-Major		Some roles are missing necessary permission to perform Live Update
910253-3	3-Major		BD error on HTTP response after upgrade★
907337-1	3-Major		BD crash on specific scenario
907025-4	3-Major		Live update error" 'Try to reload page'
903357-4	3-Major		Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
901061-1	3-Major		Safari browser might be blocked when using Bot Defense profile and related domains.
900797-1	3-Major		Brute Force Protection (BFP) hash table entry cleanup
900789-1	3-Major		Alert before Brute Force Protection (BFP) hash are fully utilized
898825-1	3-Major		Attack signatures are enforced on excluded headers under some conditions
898741-1	3-Major		Missing critical files causes FIPS-140 system to halt upon boot
892653-4	3-Major		Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
891181-1	3-Major		Wrong date/time treatment in logs in Turkey/Istambul timezone
888289-7	3-Major		Add option to skip percent characters during normalization
887265-3	3-Major		BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
703678-4	3-Major		Cannot add 'secure' attributes to several ASM cookies
623243	3-Major		Single-page application AJAX does not work properly with synchronous ajax requests
911729-3	4-Minor		Redundant learning suggestion to set a Maximum Length when parameter is already at that value
887625-4	4-Minor		Note should be bold back, not red

Application Visibility and Reporting Issues

ID Number	Severity	Solution Article(s)	Description
913085-2	3-Major		Avrd core when avrd process is stopped or restarted
908065-1	3-Major		Logrotation for /var/log/avr blocked by files with .1 suffix
902485-5	3-Major		Incorrect pool member concurrent connection value
898333-1	3-Major		Avrd logs errors while DCD is restarting
869049-3	3-Major		Charts discrepancy in AVR reports
746837	3-Major		AVR JS injection can cause error on page if the JS was not injected
697421-4	3-Major		Monpd core when trying to restart
648242-7	3-Major	K73521040	Administrator users unable to access all partition via TMSH for AVR reports

Access Policy Manager Issues

ID Number	Severity	Solution Article(s)	Description
904441-1	2-Critical		APM vs_score for GTM-APM load balancing is not calculated correctly
907873-1	3-Major		Authentication tab is missing in VPE for RDG-RAP Access Policy type
891613-2	3-Major		RDP resource with user-defined address cannot be launched from webtop with modern customization
883577-5	3-Major		ACCESS::session irule command does not work in HTTP_RESPONSE event
744091	3-Major		VMware Horizon PCoIP transport is not supported for IPv6 targets
643446	3-Major		When a pool is in use for AAA server, the SNAT virtual server does not pick up a packet going out to non-default route domain.
554228-10	3-Major		OneConnect does not work when WEBSSO is enabled/configured.
867705	4-Minor		URL for IFRAME element may not be normalized in some cases
866953	4-Minor		[Portal Access] F5_Inflate_onclick wrapper need to be fixed for special case
860041	4-Minor		[Portal Access] 5_Deflate_removeEventListener wrapper need to be added
848217	4-Minor		Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend
840257	4-Minor		[Portal Access] html iframe sandbox attribute need to be supported
840249	4-Minor		With BIG-IP as a SAML IdP, important diagnostic information is not logged
722204	4-Minor		SWG URL Filters does not show the Filter Action for the Category but instead shows the Filter Action of its Sub-Categories
720322	4-Minor		Intercepted HTTPS traffic isn't sent to HTTP services in SWG use cases
712542	4-Minor		Network Access client caches the response for /pre/config.php
707294	4-Minor		[BIG-IP as OAuthAS] : When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear
636866-1	4-Minor		OAuth Client/RS secret issue with export/import

Service Provider Issues

ID Number	Severity	Solution Article(s)	Description
908477-1	3-Major		Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
904373-4	3-Major		MRF GenericMessage:Implement limit to message queues size
898997-1	3-Major		GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
895801-1	3-Major		Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
891385-1	3-Major		Add support for URI protocol type "urn" in MRF SIP load balancing
916781-3	4-Minor		Validation error while attaching DoS profile to GTP virtual

Advanced Firewall Manager Issues

ID Number	Severity	Solution Article(s)	Description
915221-5	3-Major		DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
905153-3	3-Major		HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational
789857-4	3-Major		"TCP half open' reports drops made by LTM syn-cookies mitigation.
757279-4	3-Major		LDAP authenticated Firewall Manager role cannot edit firewall policies
716746-4	3-Major		Possible tmm restart when disabling single endpoint vector while attack is ongoing
803149-3	4-Minor		Flow Inspector cannot filter on IP address with non-default route_domain
701555	4-Minor		DNS Security Logs report Drop action for unhandled rejected DNS queries
543022	4-Minor		Logging profile with trailing whitespace cannot be associated with VS in GUI
462536	4-Minor		AFM DoS UDP PortList configuration is not migrated automatically★
906885-2	5-Cosmetic		Spelling mistake on AFM GUI Flow Inspector screen

Policy Enforcement Manager Issues

ID Number	Severity	Solution Article(s)	Description
911585-4	4-Minor		PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
685937	4-Minor		PEM Diameter stats may have errors when Diameter requests and responses are asynchronous

Carrier-Grade NAT Issues

ID Number	Severity	Solution Article(s)	Description
883977	2-Critical		Upgrade (or UCS load) from versions earlier than 14.1.x to 15.0.0 or greater version fails★
723658-7	2-Critical		TMM core when processing an unexpected remote session DB response.
454671	3-Major		SIP media flows do not count toward LSN pool client connection limit
446712	3-Major		FTP data flows do not count toward LSN pool client connection limit

Fraud Protection Services Issues

ID Number	Severity	Solution Article(s)	Description
830313	3-Major		FPS does not serve configuration script in gzip format
748976-4	3-Major		DataSafe Logging Settings page is missing when DataSafe license is active
891729-1	4-Minor		Errors in datasyncd.log★
726534	4-Minor		False-positive DATA IS MALFORMED alert when request is redirected to a protected URL

Traffic Classification Engine Issues

ID Number	Severity	Solution Article(s)	Description
913453-6	2-Critical		URL Categorisation: WR_URLDBD cored while processing urlcat query
887609-6	2-Critical		TMM crash when updating urldb blacklist
874677-4	2-Critical		TC auto signature update failing from GUI on 14.1.2★

Device Management Issues

ID Number	Severity	Solution Article(s)	Description
718796-6	2-Critical		IControl REST token issue after upgrade★
760752-4	3-Major		Internal sync-change conflict after update to local users table
717174-4	3-Major		WebUI shows error: Error getting auth token from login provider★

iApp Technology Issues

ID Number	Severity	Solution Article(s)	Description
778817-4	3-Major		Invalid client request can cause un-captured exception on ASM container.

Protocol Inspection Issues

ID Number	Severity	Solution Article(s)	Description
825501-4	3-Major		IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
778225-4	3-Major		vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
787845-4	4-Minor		Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.
760740-4	4-Minor		Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned

 

Known Issue details for BIG-IP v16.0.x

920205-3 : Rate shaping might suppress TCP RST

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.

---

919745-1 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

---

919553-1 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

---

919401-1 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed

Component: TMOS

Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.

---

919317-6 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.

---

919185-1 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.

---

918693-5 : Wide IP alias validation error during sync or config load

Component: TMOS

Symptoms:
DB validation exception occurs during sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.

---

918409-1 : BIG-IP i15600 / i15800 does not monitor all TMMs for heartbeat failures

Component: TMOS

Symptoms:
If a BIG-IP has more than 24 tmms and one of the tmms above the 24th one loops due to a bug, it will loop indefinitely.

Conditions:
Another issue occurs that that causes a tmm greater than the 24th tmm to loop.

Impact:
Traffic disrupted on the tmm that is looping indefinitely.

Workaround:
Manually change /defaults/daemon.conf to have the correct stanzas for the remaining tmms. This change must be performed across every blade in the chassis, and will not persist across software installs.

After performing the edit, load the changes into the running configuration via "tmsh load sys config partitions all", and then verify that sod is now correctly monitoring TMMs above tmm24, via a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm

---

918277-1 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.

---

918209-4 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not section 508 compliant. There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

---

918169-4 : The GTM HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

---

918081-2 : Application Security Administrator role cannot create parent policy on GUI

Component: Application Security Manager

Symptoms:
On the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
Create Application Security Administrator user role, login to the GUI and try to create/edit the parent policy.

Impact:
The following actions will be restricted to Application Security Administrator:
1) Create/Edit parent policy
2) Edit Inheritance Settings for parent policy
3) Clone Policy, selecting policy type is disabled

Workaround:
The possible workarounds:
1) Create parent policy by Administrator or Resource Administrator (not Application Security Administrator).
2) Create parent policy using tmsh or REST call

---

916781-3 : Validation error while attaching DoS profile to GTP virtual

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.

---

916753-1 : RESOLV::lookup returns null for local virtual server and possible tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns null for a local virtual server;
tmm might crash.

Conditions:
RESOLV::lookup for a local virtual server.

Impact:
RESOLV::lookup does not get expected result;
tmm might crash. Traffic disrupted while tmm restarts.

---

916485-3 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.

---

915825-1 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.

---

915689-2 : The HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already been stored within the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers will be marked as being incrementally indexed on subsequent responses instead of using the table index.

Workaround:
None.

---

915605-2 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr

---

915557-1 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.

---

915497-1 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

---

915305-6 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.

---

915221-5 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.

---

915141-1 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.

---

914761-4 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.

---

914681-1 : Value of tmm.quic.log.level can differ between TMSH and GUI

Component: Local Traffic Manager

Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.

Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.

Impact:
Misleading log level displayed in the GUI.

Workaround:
Use TMSH to set and view values for tmm.quic.log.level.

---

914645-4 : Unable to apply LTM policies to virtual servers after running "mount -a"

Component: TMOS

Symptoms:
After attempting to assign an LTM policy to a virtual server, you get an error:

 err mcpd[6905]: 010716d5:3: Failed to publish LOIPC object for (loipc_vs_LTE_FTP.1590693547.777142413). Call to (shm_open) failed with errno (13) errstr (Permission denied)

Conditions:
-- Run the command "mount -a"
-- Attempt to assign an LTM policy to a virtual server

Impact:
Unable to apply LTM policies to virtual servers after running "mount -a"

This occurs because after running "mount -a", the device name fields for "/proc" and "/dev/shm" in /etc/fstab differ from the hard-coded systemd values:
  /etc/fstab:
     none /proc proc defaults
     none /dev/shm tmpfs defaults,noatime
  systemd hard-coded parameters:
     proc /proc proc rw,relatime
     tmpfs /dev/shm tmpfs rw,seclabel,noatime

Workaround:
umount -l /dev/shm

---

914589-1 : VLAN Failsafe timeout is not always respected

Component: Local Traffic Manager

Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.

Conditions:
-- Rarely happen on first failover. More commonly occurs on 3rd/4th failover.
-- Specific conditions that cause this issue are not known.

Impact:
VLAN Failsafe timeout might be triggered later than it is configured.

The exact impact varies based on the configuration and traffic activity.

Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).

---

914493-1 : Protocol Profile (Client) for virtual server is reset to "tcp" after "Update"

Component: Local Traffic Manager

Symptoms:
After changing the Protocol Profile (Client) for a Virtual Server from "tcp" to any other value, e.g. "tcp-lan-optimized" in the GUI, the value remains set to "tcp".

Conditions:
Update Protocol Profile (Client) for Virtual Server through GUI.

Impact:
You are unable to update Protocol Profile (Client) for a Virtual Server using the GUI.

Workaround:
The TMSH command to update the Protocol Profile (Client) for Virtual Server will work fine.

---

913917-1 : Unable to save UCS

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.

---

913849-2 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.

---

913829-5 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

---

913761-1 : Security - Options section in left menu is visible for only Administrator users

Component: Application Security Manager

Symptoms:
Security - Options section in left menu visible for only Administrator users

Conditions:
You logged in with a role other than the Administrator role

Impact:
No direct access to many settings that are available not for Administrator role only

Workaround:
Direct links to the pages work

---

913573-3 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.

Component: TMOS

Symptoms:
When REST API PUT request is call to modify LTM data-group internal without 'type' field in body-content, it fails intermittently with a 400 error.

--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}

The 'type' field is not getting populated with default value and is set to null string "" instead.

Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.

Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.

Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.

Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>

---

913453-6 : URL Categorisation: WR_URLDBD cored while processing urlcat query

Component: Traffic Classification Engine

Symptoms:
Wr_urldbd cores

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
Wr_urldb cores. URL Categorization functionality may not work as expected.

---

913325 : Upgrade process does not update Tcl scripts★

Component: TMOS

Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.

Conditions:
Upgrading Tcl scripts (such as iRules).

Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Workaround:
None.

---

913249-1 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
Bufdropdgram, maxrate_conns, maxrate_cur_conns, sendbuf_cur_bytes, and queue_dropped_bytes UDP statistics are missing.

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

---

913137-2 : No learning suggestion on ASM policies enabled via LTM policy

Component: Application Security Manager

Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.

Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.

This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.

Impact:
No learning suggestions.

Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.

---

913085-2 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

---

912761-1 : Link throughput statistics are different

Component: Global Traffic Manager (DNS)

Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.

Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.

Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.

Workaround:
Do not use the same uplink for different BIG-IP devices.

---

912517-1 : MySQL monitor marks pool member down if send is configured but no recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- 'send' string is configured for the monitor.
-- 'receive' string is not configured.

Impact:
DB monitor marks Pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

---

912425-4 : Modification of in-tmm monitors may result in crash

Component: Local Traffic Manager

Symptoms:
TMM crash.

Conditions:
-- Modify in-tmm monitors.
-- Perform configuration sync.

Impact:
-- High availability (HA) failover.
-- Potential traffic interruption.

Workaround:
-- Disable in-tmm monitors.
-- Avoid config syncing to the active device.

---

912293-4 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.

---

912089-1 : Some roles are missing necessary permission to perform Live Update

Component: Application Security Manager

Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.

Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.

Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.

Workaround:
None.

---

911729-3 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

---

911585-4 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

---

911241-7 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.

---

911041-4 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.

---

910673-1 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

---

910653-6 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

---

910645-2 : Upgrade error 'Parsing default XML files. Failed to parse xml file'★

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.

---

910273-1 : SSL Certificate version always displays as '1' in the GUI

Component: Local Traffic Manager

Symptoms:
In GUI an SSL certificate's version is displayed as '1', even if its version is higher than 1.

Conditions:
-- Viewing an SSL certificate in the GUI.
-- The SSL certificate's version is higher than 1.

Impact:
SSL certificate's version is displayed as '1'. There is no functional impact.

Workaround:
None.

---

910253-3 : BD error on HTTP response after upgrade★

Component: Application Security Manager

Symptoms:
After upgrade, some requests can cause BD errors on response:

BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040

IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.

Impact:
For some requests, the response can arrive truncated or not arrive at all.

Workaround:
Add an iRule that deletes ASM cookies:

when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.

---

910213-1 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect.

Specifically, the pool member is marked down within the tmm thread executing the iRule, but the status change is not updated to mcpd, or to other tmm threads.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

---

910201-4 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.

---

910105 : Partial HTTP/2 payload may freeze on the BIG-IP system

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP does not properly handles an early response from a server when HTTP router is configured on a virtual and partial payload sent in each direction. In this case, communication over the stream hangs.

Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.

Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.

Workaround:
None.

---

909997-2 : Virtual server status displays as unavailable when it is accepting connections

Component: Local Traffic Manager

Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.

Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.

Impact:
Actual virtual server status is not reflected in GUI.

Workaround:
If the deployment design allows, you can use either of the following workarounds:

-- Remove the source address list from the virtual server.

-- Have a single address in the source address list.

---

909677-1 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted

Component: Local Traffic Manager

Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.

Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection that is unencrypted.

Impact:
The impact of this issue varies based on how the application reacts at the server-side.

Workaround:
None.

---

909505-4 : Creating LTM data group external object fails.

Component: TMOS

Symptoms:
iControl REST command to create a data group fails if you do not set the externalFileName variable.

The same command works in tmsh, and you are not required to specify the externalFileName.

Conditions:
-- Creating a data group using iControl REST.
-- POST payload does not contain the externalFileName variable.

Impact:
You are unable to create the data group.

Workaround:
The command works if you specify the externalFileName parameter:

curl -sku $PASS https://$HOST/mgmt/tm/ltm/data-group/external -X POST -H "Content-type: application/json" -d '{"name":"fooBar", "externalFileName":"fooBar.txt"}'

---

909485-4 : Deleting LTM data-group external object incorrectly reports 200 when object fails to delete

Component: TMOS

Symptoms:
When you delete an LTM external data-group object using iControl REST, it incorrectly returns '200 OK' even though the object is not deleted.

Conditions:
-- Deleting an external data-group object via iControl REST.
-- The LTM external data-group object is referenced by another object (such as an iRule).

Impact:
The object still exists, even though the system returns a '200 OK' message indicating that the operation completed successfully.

Workaround:
None.

---

909197-2 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

---

908753-2 : Password memory not effective even when password policy is configured

Component: TMOS

Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.

Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password

Impact:
Password history to prevent user from using same password is not enforced.

Workaround:
None.

---

908601-1 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.


If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

---

908517-4 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.

---

908477-1 : Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request

Component: Service Provider

Symptoms:
When an HTTP chunked request is sent to a virtual server that has both a request-adapt (e.g., for ICAP), and a request-logging profile attached, the request that is sent to the ICAP server is doubly chunked.

Conditions:
-- A virtual server is configured with both a request-adapt (ICAP) and request-logging profile.
-- HTTP chunked requests are sent to this virtual server.

Impact:
Data corruption in the HTTP stream.

Workaround:
You can use either of the following workarounds:

-- Force rechunking on the HTTP profile:
request-chunking rechunk

-- Remove the request-logging profile (and potentially log requests) using an iRule instead.

---

908453-4 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly

Component: TMOS

Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.

Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.

Impact:
The vCMP guests may fail over unexpectedly.

Workaround:
Do not use trunk names longer than 32 characters.

---

908065-1 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. May fill disk with logs over time.

Workaround:
Remove or rename all of the .1 logs.

---

907873-1 : Authentication tab is missing in VPE for RDG-RAP Access Policy type

Component: Access Policy Manager

Symptoms:
Authentication tab is missing in Visual Policy Editor (VPE) for RDG-RAP Access Policy type

Conditions:
Configuration of RDG-RAP Access Policy type in VPE.

Impact:
Authentication tab with AD/LDAP Query agents is missing in VPE.

Workaround:
Use the tmsh cli configuration of AD/LDAP Query for RDG-RAP Access Policy type.

---

907549-2 : Memory leak in BWC::Measure

Component: TMOS

Symptoms:
Memory leak

Conditions:
When HSL log publisher is attached to BWC::Measure instance in Bandwidth policy, memory leak will occur.

Impact:
Memory leaks.

---

907337-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

---

907025-4 : Live update error" 'Try to reload page'

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

---

906889-2 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.

---

906885-2 : Spelling mistake on AFM GUI Flow Inspector screen

Component: Advanced Firewall Manager

Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.

Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).

Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.

Workaround:
None.

---

906505-1 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms

Component: TMOS

Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.

However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.

Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)

Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.

Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:

tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]

---

906449-1 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load

Component: TMOS

Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.

The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:

-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>

This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
 LTM::Monitor /Common/mysql_test
-------------------------------------
   Destination: 10.10.200.28:3296
   State time: down for 1hr:58mins:42sec
   | Last error: No successful responses received before deadline. @2020.03.25 14:10:24

-- From the GUI:
   + Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.

   + Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.

Conditions:
This may occur under the following conditions:

-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a full/forced config sync occurs from one HA member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a config load occurs:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.

Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.

Workaround:
None.

---

905477-1 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.

---

905153-3 : HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational

Component: Advanced Firewall Manager

Symptoms:
All mitigation for IPv6 Duplicate Extension Headers DoS vector happens at the software level. The counter in int_drops column reads 0 (zero) in dos_stat tmctl for that vector.

Conditions:
Double IPv6 headers in the packets (except Destination Options header).

Impact:
You cannot offload DDoS vector 22 to FPGA hardware. Only the software-based DDoS mitigation is supported.

Workaround:
Use software DDoS mitigation for this vector.

---

904845-1 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

---

904625-1 : Changes to SSL.CertRequest.* DB variables cause HA devices go out of sync

Component: Local Traffic Manager

Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.

Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.

Impact:
HA devices go out of sync.

Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.

You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the HA peer.

---

904593-3 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

---

904441-1 : APM vs_score for GTM-APM load balancing is not calculated correctly

Component: Access Policy Manager

Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.

Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.

Impact:
GTM/DNS load balancing does not work as expected.

Workaround:
None.

---

904373-4 : MRF GenericMessage:Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMEssage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during GIENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages will be placed in wither the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
NA

---

904041-1 : Ephemeral pool members are missing from pool of Common partition when reloading configuration for current partition

Component: TMOS

Symptoms:
-- A pool in a partition other than Common has issues when reloading the configuration of that partition when the ephemeral nodes are assigned to the Common partition instead of the partition that the ephemeral member belongs to.
-- Ephemeral pool members are missing from pool.

Conditions:
When reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Impact:
Missing pool members.

Workaround:
Reload the entire configuration instead of just the individual partition.

---

903581-4 : The pkcs11d process cannot recover under certain error condition

Component: Local Traffic Manager

Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.

Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.

Impact:
SSL handshake failure.

Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d

---

903521-1 : TMM fails to sign responses from BIND when BIND has "dnssec-enable no"

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has "dnssec-enable no" in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove "dnssec-enable no" from named.conf in options section.

---

903357-4 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.

---

903265-4 : Single user mode faced sudden reboot

Component: TMOS

Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).

Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.

Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.

Workaround:
None.

---

902485-5 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

---

902417-6 : Configuration error caused by Drafts folder in a deleted custom partition★

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.

---

902401-1 : OSPFd SIGSEGV core when ospf clear is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

---

902377-3 : HTML profile forces re-chunk even though HTML::disable

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

---

901989-1 : Boot_marker writes to /var/log/btmp

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp

---

901985-7 : Extend logging for incomplete HTTP requests

Component: TMOS

Symptoms:
Logging is not triggered for incomplete HTTP requests.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Logging is missing for incomplete HTTP requests.

Workaround:
None.

---

901929-1 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

---

901669-5 : Error status in "show cm failover-status" after MGMT-IP change

Component: TMOS

Symptoms:
The "tmsh show cm failover-status" command shows failover connection status "Error" on one device, but manual failover is working properly.

Conditions:
-- Two or more devices configured with high availability (HA) and are in sync.
-- The management IP address is changed on one of the devices
--show cm failover-status" on peer. You will see "show cm failover-status" returns "Error" status.

Impact:
The tmsh show cm failover-status command indicates an error, even though the devices are in sync and failover communication is working.

Workaround:
tmsh restart sys service sod

---

901569-3 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

---

901061-1 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

---

901033-4 : TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window

Component: Local Traffic Manager

Symptoms:
The test traffic is controlled and being increased with an iRule running TCP::respond . iRules operate fine until some threshold is reached, after which memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed.

Conditions:
A specific threshold of data is reached. The threshold varies, depending on the memory available on the BIG-IP system.

Impact:
Memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed. A tmm core is observed. Traffic disrupted while tmm restarts.

Workaround:
None.

---

900933-3 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.

---

900797-1 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

---

900789-1 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
However, before reaching this scenario an alert should be sent to '/var/log/asm', currently there is no tangible warning/alert that statets the status of the hash table for the relevant virtual server.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
No alert is sent in case of reaching maximum capacity of the hash table.

Workaround:
N/A

---

900485-1 : Syslog-ng 'program' filter does not work

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.

---

899933-1 : Listing property groups in TMSH without specifying properties lists the entire object

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.

---

899253-1 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.

---

899097-3 : Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking★

Component: TMOS

Symptoms:
When using the rewrite profile, unchunked server responses where content-type is not text/html or text/css also gets converted to chunked encoding in client-side. Also, the server response is missing a message-body (no content-type/content-length).

The client device receives 'Transfer-Encoding: chunked' in the message-header and receives a chunked body if the origin response has a message-body. The client receives a zero-length chunk if the origin response has no message-body.

Prior to BIG-IP version 15, chunking happens only if origin server response has content-type header set to either text/html or text/css.

Conditions:
- HTTP profile response chunking is set to 'sustain'.
- The virtual server has rewrite profile attached.
- Server response has content-type set not to text/html or text/css OR no content-type header.

Impact:
End users may notice a change in chunking behavior after upgrading from prior release.

Workaround:
Use response chunking mode 'unchunk'

---

899085-7 : Configuration changes made by Certificate Manager role do not trigger saving config

Component: TMOS

Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.

If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.

Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.

Impact:
Loss of configuration changes.

Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config

Alternately, another user can save the configuration.

---

898997-1 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

---

898929-5 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

---

898825-1 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.

---

898753-6 : Multicast control-plane traffic requires handling with AFM policies

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.

---

898741-1 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.

---

898733-4 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM

Component: Local Traffic Manager

Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.

In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.

3. The platform is a multi-bladed Viprion.

This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html

Impact:
SSL handshakes that arrive on the secondary blade(s) fail.

Handshakes arriving on the primary blade work fine.

Workaround:
Re-install the Thales client after the upgrade.

---

898705-6 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.

---

898685-5 : Order of ciphers changes after updating cipher group

Component: Local Traffic Manager

Symptoms:
The order of cipher results may change with no modification in the cipher group.

Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.

Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.

Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in cipher group allow list.

---

898577-1 : Executing a command in "mgmt tm" using iControl REST results in tmsh error

Component: TMOS

Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.

Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.

Impact:
You are unable to update the frequency of live-update via iControl REST.

---

898461-1 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

---

898333-1 : Avrd logs errors while DCD is restarting

Component: Application Visibility and Reporting

Symptoms:
Avrd logs an error to /var/log/avrd.log:

EXTERNAL_MESSAGES|ERROR|Mar 27 06:27:19.529|127|lib/avrpublisher/infrastructure/avr_http_connection.cpp:0117| Can't insert messages to queue - some external log will be lost!

Conditions:
-- The BIG-IP system is connected to DCD.
-- DCD is going down.

Impact:
Avrd tries to reconnect, fails, and get stuck at some point for around 25 minutes. In the meantime the queue gets full and there are errors in avrd.log.

Workaround:
None.

---

898201-1 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.

Component: Local Traffic Manager

Symptoms:
After reboot, no access to services host using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.

Conditions:
The issue happens after the BIG-IP is rebooted.
-- when DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.

Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.

Workaround:
-- restarting dynconfd.
-- Running a script to trigger off "Tmm ready" and either delete the bad flow(s) or a specific connflow entry.
-- change the dummy dns server to be something in the same subnet as the single interface.

---

897185-4 : Resolver cache not using random port distribution

Component: Local Traffic Manager

Symptoms:
Outgoing queries to backend dns server use incremented port numbers instead of being distributed random ports.

Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )

Impact:
The port numbers are incremented.

---

896817-1 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.

---

896693-5 : Patch installation is failing for iControl REST endpoint.

Component: TMOS

Symptoms:
iControl REST async endpoint /mgmt/tm/task/util/ihealth behaving inconsistently:

-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.

Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.

Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.

Workaround:
None.

---

896689-5 : Asynchronous tasks can be managed via unintended endpoints

Component: TMOS

Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint

Conditions:
Create an asynchronous task e.g. creating qkview using ihealth
using endpoint /mgmt/tm/task/util/ihealth

Gather the task id of the created asynchronous task and send it to a different endpoint e.g. /mgmt/tm/task/cli/script

Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.

---

896217-1 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat

---

895837-4 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.

---

895801-1 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted

Component: Service Provider

Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash

Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.

Impact:
Expected changes do not take effect until TMM is restarted.

Workaround:
Restart TMM.

Note: Traffic is disrupted while tmm restarts.

---

895205-1 : A circular reference in rewrite profiles causes MCP to crash

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.

---

895165-1 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols

Component: Local Traffic Manager

Symptoms:
An error like the example below when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.

Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol

Impact:
Cannot define a valid virtual server with "any" protocol

Workaround:
N/A

---

895021 : Error log when listing with tmsh ECDSA fips key

Component: Global Traffic Manager (DNS)

Symptoms:
Error log appears in /var/log/ltm when tmsh lists FIPS ECDSA keys:
err tmsh[23337]: error: fips-codec1 Failed to get length of attribute 3 for FIPS key 8. FIPS 0x000000af.

Conditions:
1. FIPS card contains ECDSA DNSSEC Key.
2. Listing FIPS keys with: tmsh show sys crypto fips key.

Impact:
There is no functional impact; the keys are correctly listed, but an error log appears in /var/log/ltm:

10350f1.example.net err tmsh[23337]: error: fips-codec1 Failed to get length of attribute 3 for FIPS key 8. FIPS 0x000000af : HSM Error: Invalid attribute type in the object template

Workaround:
None.

---

894545-1 : Creating a virtual server in the GUI with a destination address list and 'All Ports' can erroneously conflict with other virtual servers

Component: TMOS

Symptoms:
If you have an existing virtual server that uses an address list for its destination and 'All Ports' configured for its port, then if you attempt to create another virtual server with a different (non-overlapping) address list with 'All Ports' configured and a protocol that overlaps (i.e., is either the same, or one of the protocols is 'All Protocols'), then creation of the virtual server will fail with an error similar to:

01b90011:3: Virtual Server /Common/test's Traffic Matching Criteria /Common/test_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/test2 destination address, source address, service port.

Conditions:
-- Using the GUI.
-- An existing virtual server that uses an address list as its destination and has its Service Port set to 'All Ports'.
-- An attempt to create another virtual server with a (non-overlapping) destination address list and 'All Ports' that has an overlapping Protocol (i.e., is either the same, or one of the protocols is 'All Protocols').

Impact:
Unable to create a valid virtual server.

Workaround:
Use TMSH to create the second virtual server instead.

---

893885-4 : The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- EHF installed on TPM-supported BIG-IP platform.

Impact:
Incorrect presentation of system software status.

Workaround:
None.

---

893813-4 : Modifying pool enables address and port translation in TMUI

Component: TMOS

Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.

Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen

Impact:
Virtual server is created with address and port translation enabled.

Workaround:
You can disable it by again editing the virtual server.

---

893341-4 : BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445★

Component: TMOS

Symptoms:
You have BIG-IP Virtual Edition (VE) v13.1.x affected with ID 774445, and its workaround is in place.

 echo "device driver vendor_dev 15ad:07b0 unic" >> /config/tmm_init.tcl

After upgrading to a newer version, interfaces are down.

Conditions:
-- Virtual Edition environment affected by the ID774445.
-- Apply the workaround described in in Final - K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later) :: https://support.f5.com/csp/article/K74921042.

Impact:
Interfaces are down.

Workaround:
1. Edit the /config/tmm_init.tcl file to remove the following line:
device driver vendor_dev 15ad:07b0 unic

2. Reboot into into the new software version.

3.Restart TMM:
tmsh restart sys service tmm

---

893281-2 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

---

893093-1 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.

---

892801-1 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.

---

892677-6 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted

---

892653-4 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

---

892485-3 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.

Component: Local Traffic Manager

Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.

Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.

Impact:
A wrong OCSP status may be reported in the SSL handshake.

---

892445-1 : BWC policy names are limited to 128 characters

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.

---

891729-1 : Errors in datasyncd.log★

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log: "cannot start the generator for table CS_FPM"

Conditions:
Upgrades from version 13.0 or 13.1 (all version variations) to 14.0 or higher.

Impact:
FPS will have a maximum of ~990 rows instead of 1001 and there will be errors in datasyncd.log.

Workaround:
Do not upgrade, Install from scratch.
Even if not treated, the impact is insignificant and mostly cosmetical.

---

891613-2 : RDP resource with user-defined address cannot be launched from webtop with modern customization

Component: Access Policy Manager

Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.

After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:

Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.

Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.

Impact:
Cannot use remote desktop resource with user-defined addresses.

Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:

1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):

-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').

Recreate similar access policy as modern access policy that is showing this problem.

If manually re-creating similar standard access policy is not possible, there is no workaround.

---

891385-1 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

---

891373-1 : BIG-IP does not shut a connection for a HEAD request

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.

---

891221-1 : Router bgp neighbor password CLI help string is not helpful

Component: TMOS

Symptoms:
Unable to confirm the supported encryption types.

enable or add BGP routing prorotol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?

b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
  WORD Encryption Type or the password

Conditions:
Configuring the bgp neighbor with encryption password.

Impact:
Unable to confirm the supported encryption types.

Workaround:
None.

---

891181-1 : Wrong date/time treatment in logs in Turkey/Istambul timezone

Component: Application Security Manager

Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.

Conditions:
User sets Turkey/Istambul timezone on BIG-IP

Impact:
When filtering logs by time period, results differ from set period by an hour

Workaround:
Define time period one hour earlier for filtering ASM logs

---

890277-4 : Mcpd takes too long on full config sync to a device group when there are large amount of partitions.

Component: TMOS

Symptoms:
When Full config sync is done to a device group with large amount of partitions
a) Mcpd is taking more time to complete config sync.
b) Spike in cpu usage in the device where config push is done
c) Mcpd is un responsive to daemons like tmsh, GUI etc. as it is busy pushing the config sync.
d) iQuery connections are getting killed due to high cpu utilization

Conditions:
Full config sync on device with large partitions.

Impact:
Impedes management of device as well as kills iQuery connections to GTM

Workaround:
Enable Manual Incremental Sync

---

889165-4 : "http_process_state_cx_wait" errors in log and connection reset

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.

---

889029-1 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work

Workaround:
Grant search permissions to the user in LDAP.

---

888341-8 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), high availability (HA) Group failover may not complete despite an high availability (HA) Group score change occurring. As a result, a BIG-IP unit with a lower high availability (HA) Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 1 floating traffic group, after 2485~ days.
-- For 2 floating traffic groups, after 1242~ days.
-- For 4 floating traffic groups, after 621~ days.
-- For 8 floating traffic groups, after 310~ days.
-- For 9 floating traffic groups, after 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
-- high availability (HA) Group failover mode configured.

Note: No other failover configuration is affected except for high availability (HA) Group failover.

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the TMM process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite high availability (HA) Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

---

888289-7 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

---

888081-5 : BIG-IP VE Migration feature fails for 1NIC

Component: TMOS

Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.

load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.

Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.

Impact:
The UCS restore fails.

Workaround:
The DB variable can be set to enable before loading the UCS.

# tmsh modify sys db provision.1nicautoconfig value enable

---

887625-4 : Note should be bold back, not red

Component: Application Security Manager

Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color

Note : Device-ID mode must be configured in bot profile for this option to work.

Conditions:
This always occurs.

Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.

Workaround:
None.

---

887621-3 : ASM virtual server names configuration CRC collision is possible

Component: Application Security Manager

Symptoms:
A policy add/modify/delete fails with the following error: Mar 3 03:45:24 bit21 crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY')

Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.

Impact:
Every config update fails.

Workaround:
Figure out which virtual servers has the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.

You can get the name of the affected virtual server by using the entry reported in the "Duplicate entry" log and running this command.

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'

---

887609-6 : TMM crash when updating urldb blacklist

Component: Traffic Classification Engine

Symptoms:
TMM crashes after updating the urldb blacklist.

Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

887265-3 : BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration★

Component: Application Security Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large ASM configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (vlan failsafe-action failover-restart-tm) or the BIG-IP system continually reboots (vlan failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.

---

887117-3 : Invalid SessionDB messages are sent to Standby

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.

---

887089-2 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.

---

887045-2 : The session key does not get mirrored to standby.

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None

---

886693-4 : System may become unresponsive after upgrading★

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown. In the environment in which it occurred, a datagroup had been deleted, but an iRule was still referencing it, see https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' on BIG-IP Virtual Edition (VE) or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a VE from an applicable management panel, then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch. For more information, see K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296, K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658, and K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

---

886689-7 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

---

886649-1 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

---

886273-4 : Unanticipated restart of TMM due to heartbeat failure

Component: TMOS

Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process.

Conditions:
-- Appliance platforms (i.e., non-VIPRION platforms).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

---

886145-1 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.

Component: Global Traffic Manager (DNS)

Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.

The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.

The 'Reconnect All' button is clickable but returns the error "No response action specified by the request" when clicked.

Conditions:
You have accessed the buttons via the following WebUI path:

DNS > GSLB > Data Centers > [dc name] > Servers

Impact:
The buttons do not work, making the corresponding feature unavailable from the WebUI.

Workaround:
Access the buttons via the following alternative WebUI path:

DNS > GSLB > Servers

---

886045-1 : Multi-nic instances fail to come up when trying to use memory mapped virtio device

Component: Local Traffic Manager

Symptoms:
Multi-nic instances fail to come up while using memory mapped

Running the command lspci -s <pci-id> -vv
Results in the "region" field reporting 'Memory at xxxxx'

Conditions:
TMM crashes as soon as BIG-IP tries to come up.

Impact:
BIG-IP fails to attach to the underlying virtio devices

Workaround:
Switch to the sock driver by overriding tmm_init.tcl. For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042

---

885325-1 : Stats might be incorrect for iRules that get executed a large number of times

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.

---

884729-1 : The vCMP CPU usage stats are incorrect

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.

---

883977 : Upgrade (or UCS load) from versions earlier than 14.1.x to 15.0.0 or greater version fails★

Component: Carrier-Grade NAT

Symptoms:
Upgrade (or UCS load) fails with error:
When a Dedicated provision level is set, all other provision levels must be set to None.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Running v14.1.x or earlier.
-- Any module provisioned as Dedicated.
-- CGNAT enabled as a feature module.
-- Upgrade to v15.0.0 or later, or save a v14.1.x or earlier UCS and apply it to a v15.0.0 or later installation.

Impact:
Configuration load fails during an upgrade (or when applying the older UCS), and the device stays in an inoperable state.

Workaround:
You can use either of the following workaround:

-- You must return to the previous version, reset Dedicated, and try the upgrade again.

1. Change the provisioned module's level from Dedicated to Nominal or Minimum in the older version.
2. Upgrade to v15.0.0 or newer version.


-- If you cannot downgrade to the older version, do the following:

1. In v15.0.0 or later, assuming ASM is the Dedicated level provisioned module, open the file:
/config/bigip_base.conf file.

2. Remove the following lines:

sys feature-module cgnat {
    enabled
}

sys provision asm { (---> This could be any module, not just ASM.)
    level dedicated
}

3. Add the following lines:

sys provision asm {
    level nominal
}
sys provision cgnat {
    level minimum
}

4. Try the upgrade again.

---

883577-5 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.

---

883149-2 : The fix for ID 439539 can cause mcpd to core.

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA

---

883049-1 : Statsd can deadlock with rrdshim if an rrd file is invalid

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

---

882609-2 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back

Component: TMOS

Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.

MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.

Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.

Impact:
Devices unable to ConfigSync.

Workaround:
This workaround will disrupt traffic while TMM restarts:

1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm


This workaround should not disrupt traffic:

Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.

TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"

---

881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittend auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

---

881065-3 : Adding port-list to Virtual Server changes the route domain to 0

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

---

880625-4 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.

---

879969-6 : FQDN node resolution fails if DNS response latency >5 seconds

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.

---

879413-7 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd will fail to load it and end up restarting continuously. You see the following messages in /var/log/ltm:

err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'
err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
-- Corrupted *.info file in /var/rrd.

Impact:
Stats will no longer be accurate.

Workaround:
It might take multiple attempts to retain the *.info file:

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

... where <filename> is the actual name of the file (e.g. "throughput.info").

---

879405-3 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

   Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.

---

874677-4 : TC auto signature update failing from GUI on 14.1.2★

Component: Traffic Classification Engine

Symptoms:
From v14.1.0 onwards, Traffic Classification auto signature update fails from GUI.

Conditions:
-- Traffic Classification auto signature update failing from GUI only.
-- It's working through CLI and GUI manually.

Impact:
Fail to update the classification signature from GUI automatically.

Workaround:
Traffic Classification auto signature update from CLI and manually on GUI will work.

---

873249-6 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.

---

871705-7 : Restarting bigstart shuts down the system

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.

---

871561-6 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'

Component: TMOS

Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.

Impact:
Unable to perform an upgrade.

Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.

---

870309-3 : Ephemeral pool member not created when FQDN resolves to new IP address

Component: Local Traffic Manager

Symptoms:
On rare occasions, when using FQDN nodes/pool members and the FQDN name resolves to a different IP address, the ephemeral pool member for the old IP address may be removed, but a new ephemeral pool member for the new IP address may not be created.

Under normal operation, the following sequence of messages is logged in /var/log/dynconfd.log when dynconfd logging is set to 'debug' level:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
[D]: PoolMember::scan: pool /Common/my_fqdn_pool member /Common/my_fqdn_node fqdn my.fqdn.com

But when this problem occurs, the 'setFQDNPoolMembersModified' log message is not followed by a 'PoolMember::scan' log message:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com

Conditions:
This may occur under rare timing conditions while using using FQDN nodes/pool members, when the DNS server resolves the FQDN name to a different IP address.

Impact:
Pools configured with FQDN-based pool members may become empty, in which case no traffic will be processed by that pool.

Workaround:
To recover from this condition once it occurs, perform either of the following actions:

-- Restart the dynconfd daemon:
bigstart restart dynconfd

This temporarily interrupts queries for FQDN name resolution and updates (deletion/creation) of ephemeral nodes/pool members in response to FQDN resolution changes.

This action is not otherwise expected to affect traffic currently flowing to pools.


-- Remove the FQDN pool member, then re-add the FQDN pool member back to the pool:
tmsh modify ltm pool my_fqdn_pool { members delete { my_fqdn_node:port } }
tmsh modify ltm pool my_fqdn_pool { members add { my_fqdn_node:port <other parameters> } }

If the pool already has no ephemeral pool members, this has no effect on traffic (which is already not flowing to this pool).

If the pool has some ephemeral pool members but not the complete list of expected ephemeral members, this will interrupt traffic flowing to this pool while there are no pool members present.

In that case, temporarily adding at least one pool member with a statically-configured IP address before removing the FQDN pool member, then removing the same temporary pool members after replacing the FQDN pool member, allow straffic to continue flowing to the pool while this action is performed.

---

869565-2 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.

Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.

Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.

Workaround:
None.

---

869553-2 : HTTP2::disable fails for server side allowing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
BIG-IP provides an iRule command "HTTP2::disable serverside" to put http2 in passthrough mode. When the command is called during event CLIENT_ACCEPTED it should completely disable http2 until end of TCP connection or HTTP2::enable is executed.

Conditions:
-- A virtual server has http2 profile configured on server side.
-- An iRule with an "HTTP2::disable serverside" command is attached to the virtual in CLIENT_ACCEPTED event.

Impact:
BIG-IP continues to send HTTP/2 traffic to a server.

---

869049-3 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

---

867705 : URL for IFRAME element may not be normalized in some cases

Component: Access Policy Manager

Symptoms:
Client JavaScript may see a non-normalized URL for the IFRAME HTML element in Portal Access.

Conditions:
- original HTML page contains IFRAME element with relative URL
- JavaScript code reads this URL from the IFRAME element

Impact:
The URL for IFRAME element is not normalized and the web application may not work correctly in Portal Access.

Workaround:
Use iRule to correct returned IFRAME URL in rewritten JavaScript code. There is no generic iRule pattern; the correction depends on actual JavaScript code.

Use the following template for iRule:

when REWRITE_REQUEST_DONE {
  if { [HTTP::path] ... } { # use appropriate selection for URI
    set correct_location 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists correct_location]} {
    unset correct_location
    # look for the piece of code to be corrected
    set str2find {...} # use appropriate pattern for rewritten code
    set str_len [string length $str2find]
    set strt [string first $str2find [REWRITE::payload]]

    # make replacement using appropriate corrected code
    if {$strt > 0} {
      REWRITE::payload replace $strt $str_len {...}
    }
  }
}

---

866953 : [Portal Access] F5_Inflate_onclick wrapper need to be fixed for special case

Component: Access Policy Manager

Symptoms:
Event handler defined on DOM elements is not executed properly, and some events on a page like onClick() are not executed properly.

Conditions:
-- Portal access enabled
-- Rewrite enabled
-- New value of event handler is equal to inline handler already set for the element.

Impact:
Web-application misfunction

Workaround:
Custom iRule an be used. For example:
# Custom workaround for ID 866953 (redefine F5_Inflate_onclick)
# NOTE: change PATH_TO_PAGE before using this iRule
when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "<<PATH_TO_PAGE>>"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
    set do_it 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_it]} {
    unset do_it

    set strt [string first {<script>try} [REWRITE::payload]]

    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          (function(){
            var ioc = F5_Inflate_onclick;

            F5_Inflate_onclick = function(o, incr, v) {
              if (v === o.onclick && typeof v === 'function') {
                return v;
              }
              return ioc.call(this,o,incr,v);
            }

          })();
        </script>
      }
    }
  }
}

---

865313-4 : Validation of monitor field fails in transaction

Component: TMOS

Symptoms:
Validation of monitor destination/address fails if used with transactions. The transaction consists of two operations: a delete and a create (with a new destination).

This passes validation on the BIG-IP system where the change was made. However when the change is synced to the peer, it fails validation on the peer.

Conditions:
1. Create monitor destination/address in transaction.
-- Delete monitor.
-- Create monitor with destination as *:80 and *:*.
2. Sync to peer.

Impact:
It passes validation on BIG-IP but fails on config sync to the peer.

Workaround:
In order to get the devices back in sync, run config sync with force-full-load-push.

---

865177-5 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.

---

864757-4 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.

---

862937-4 : Running cpcfg after first boot can result in daemons stuck in restart loop★

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot

---

862525-7 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
  bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.

---

860573-4 : LTM iRule validation performance improvement by tracking procedure/event that have been validated

Component: TMOS

Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.

Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.

Impact:
Task fails (via REST) or ends up taking a really long time when run manually.

Workaround:
None.

---

860041 : [Portal Access] 5_Deflate_removeEventListener wrapper need to be added

Component: Access Policy Manager

Symptoms:
Various issues are possible, for example drop-down menu is not clickable, etc

Conditions:
Web-application code which use native removeEventListener() function indirectly.

Impact:
Web-application misfunction

Workaround:
Custom iRule can be used. Please find below
example of such iRule ("/PATH_TO_HTML_FILE" should be replaced by real path dependent on custom web application).


#
# Custom workaround for BZ 860041
# replace wrappers for addEventListener and removeEventListener by pass-through wrappers
#
# v1. very simple
#

when REWRITE_REQUEST_DONE {
  if {
    [HTTP::path] ends_with "/PATH_TO_HTML_FILE"
  } {

    # log "URI=([HTTP::path])"
    # Found the file to modify

    REWRITE::post_process 1
    set do_it 1
  }
}

when REWRITE_RESPONSE_DONE {
  if {[info exists do_it]} {
    unset do_it

    set str {<script>try}
    set strlen [string length $str]

    set strt [string first $str [REWRITE::payload]]
    if {$strt > 0} {
      REWRITE::payload replace $strt 0 {
        <script>
          function F5_Invoke_addEventListener (o, e, h, c) {
            console.log('addEventListener '+e);
            var args = [];
            for (var i = 1; i<arguments.length; i++) {
              args[i-1] = arguments[i]
            }
            return o.addEventListener.apply(o,args);
          }

          function F5_Invoke_removeEventListener(o, e, h, c) {
            console.log('removeEventListener '+e);
            var args = [];
            for (var i = 1; i<arguments.length; i++) {
              args[i-1] = arguments[i]
            }
            return o.removeEventListener.apply(o,args);
          }
        </script>
      }
    }
  }
}

---

858877 : SSL Orchestrator config sync issues between HA-pair devices

Component: TMOS

Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.

Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.

Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.

Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.

---

858701-5 : Running config and saved config are having different route-advertisement values after upgrading from v12.1.x★

Component: Local Traffic Manager

Symptoms:
If you upgrade a 12.1.x device with route advertisement enabled, there will be a difference between the running configuration and the saved configuration post upgrade.

-- In the running configuration, the word 'enabled' changes to 'selective'.
-- In bigip.conf, the setting is still set to 'enabled'.

Conditions:
-- Upgrading a v12.1.x device with route advertisement enabled.
-- After saving config both the running-config and bigip.conf are having same value i.e., 'selective'.
-- Load the configuration (tmsh load sys config).

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
After the running config is set to the 'disabled' value, reload the configuration again using the following command to set the running config and saved config to to 'selective':

tmsh load sys config

---

858197-5 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

---

856713-4 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

---

854001-1 : TMM might crash in case of trusted bot signature and API protected url

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.

---

851385-2 : Failover takes too long when traffic blade failure occurs

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
  
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover

---

848681 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.

---

848217 : Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend

Component: Access Policy Manager

Symptoms:
Bad response, or invalid response for request in which default port was used in web-application.

Conditions:
Default port is used in the url, back end application does not expect the default port in the request's Host header.

Impact:
Web-application misfunction

Workaround:
Custom workaround iRule can be used to remove default port form rewritten url.

---

844925-4 : Command 'tmsh save /sys config' fails to save the configuration and hangs

Component: TMOS

Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.

Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.

Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.

Workaround:
Run the command:
tmsh save /sys config binary

This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.

That way, you can reboot the BIG-IP system and not lose the configuration.

Note: It os possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save, which is impossible to predict. It is possible that every time you want to save the config, you must use the binary option.

---

844085-5 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any

---

842669-5 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

-The cron process tries and fails to send an email because of output about a cron script.
-Modify syslog include configuration
-Apply ASM policy configuration change

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first part to the appropriate file, and the other lines to /var/log/user.log.

Workaround:
No known workaround.

---

842517-1 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails

Component: Local Traffic Manager

Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID

Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.

Impact:
SSL handshake fails.

Workaround:
Restart the PKCS11D.

---

842137-2 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Component: Local Traffic Manager

Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition

Impact:
New Keys cannot be created

Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:

1.

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory

2. (this is to confirm the key is present with the label "workaround"

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...

3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm

4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround

---

840257 : [Portal Access] html iframe sandbox attribute need to be supported

Component: Access Policy Manager

Symptoms:
Issues with content displayed in iframes

Conditions:
iframes with sandbox attribute is used in web-application

Impact:
Web-application mis-function

Workaround:
Custom iRule can be used as workaround. While iRule is strongly dependent on the web-application, the following iRule is a good example that can be customized:

when REWRITE_REQUEST_DONE {
  if {
    HTTP::path] ends_with "/CUSOM_PATH_TO_JS_FILE"
  } {
    REWRITE::post_process 1
  }

}

when REWRITE_RESPONSE_DONE {

  while {true} {
    set str { sandbox="}
    set strt [string first $str [REWRITE::payload]]
    set str_len [string length $str]

    if {
      $strt > 0
      and
      $strt < [expr [REWRITE::payload length] - $str_len]
    } {
      REWRITE::payload replace $strt $str_len { sandbo1="}
    } else {
      break
    }
  }

}

---

840249 : With BIG-IP as a SAML IdP, important diagnostic information is not logged

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured as a SAML IdP and processes an SAML Authentication Request, if it does not find the appropriate SAML SP connector then it does not log relevant information such as the Issuer, ACS _URL and Protocol binding from the Authentication request.

Conditions:
This occurs when BIG-IP is configured as a SAML IdP and processes a SAML Authentication request but does not find an appropriate SP configuration that matches the information provided in the SAML Authentication request.

Impact:
Troubleshooting the issue and fixing the SAML configuration is difficult since there is no relevant information in the error log

Workaround:
The workaround is to enable the log level for SSO to "Debug", and capture the logs at the debug level to troubleshoot further.

---

839121-4 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

 1. cp /config/bigip.conf /config/backup_bigip.conf
 2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
 3. tmsh load /sys config

---

838305 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

---

837637-5 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★

Component: TMOS

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all

---

835505-5 : Tmsh crash potentially related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.

Conditions:
The exact conditions that trigger this are unknown.

It can be encountered when running the following tmsh command:

tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties

Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.

Workaround:
None.

---

830313 : FPS does not serve configuration script in gzip format

Component: Fraud Protection Services

Symptoms:
When FPS is attached to a virtual server with http-compression profile, website page loading occasionally hangs.

Conditions:
-- http-compression profile is attached to FPS virtual server.
-- The compression profile is configured to compress js files (this is the default).

Impact:
Site loads slowly / hangs, or appears to hang.

Workaround:
Exclude 'JavaScript Configuration Directory' from http-compression profiles.

---

825501-4 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.

---

824437-8 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.

---

823825 : Renaming HA VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.

---

822245-1 : Large number of in-TMM monitors results in some monitors being marked down

Component: Local Traffic Manager

Symptoms:
Pool members are marked down from the in-TMM monitor.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
Monitor target may appear down when it is actually up.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable

---

820845-5 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.

---

817989-2 : Cannot change managemnet IP from GUI

Component: TMOS

Symptoms:
You are unable to change the management IP from the GUI

Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.

Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.

Workaround:
Use tmsh to create the management IP. This will overwrite the old one.

Example:
create /sys management-ip [ip address/prefixlen]

To view the management IP configurations

tmsh list /sys management-ip

---

816953-2 : RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy

Component: Local Traffic Manager

Symptoms:
RST_STREAM is sent on a serverside stream in closing state in HTTP/2 full proxy.

Conditions:
-- HTTP/2 clientside and serverside profiles are attached to the virtual server.
-- HTTP and httprouter profiles are attached to the virtual server.
-- Race between clientside and serverside closing, where clientside closes faster.

Impact:
RST_STREAM is sent on a stream in closed state.

---

814585-8 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.

---

813221 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.

---

809089 : TMM crash after sessiondb ref_cnt overflow

Component: TMOS

Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt

Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm.

-- High rate of session lookups with a lot of entries returned.

Note: This issue does not affect HTTP/2 MRF configurations.

Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts.

Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500.

---

808409-5 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

---

807821-6 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.

---

807337-6 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
Web UI shows misleading info about pool monitor.The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

---

807309-4 : Incorrect Active/Standby status in CLI Prompt after failover test

Component: TMOS

Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.

Conditions:
This occurs under the following conditions:

1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.

Impact:
Status shown in the prompt does not change.

Workaround:
Do not run 'promptstatusd -y' command manually.

The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.

Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.

---

806073-8 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.

---

803833-6 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★

Component: TMOS

Symptoms:
An upgrade or UCS restore fails on the host with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.

---

803629-8 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.

---

803233-6 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

---

803149-3 : Flow Inspector cannot filter on IP address with non-default route_domain

Component: Advanced Firewall Manager

Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.

Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.

Impact:
Filter does not return results as expected.

Workaround:
None.

---

799001-8 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.

---

798885-5 : SNMP response times may be long due to processing burden of requests

Component: TMOS

Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.

Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.

Impact:
SNMP clients might think the BIG-IP system has become unresponsive.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.

---

797829-7 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

---

796605 : GUI gives error when saving UCS or other operation takes more than 5 minutes

Component: TMOS

Symptoms:
If an operation initiated by the GUI takes more than 5 minutes, httpd times out, causing the GUI to display an error with no indication that the operation is still continuing. Most often, this happens when saving UCS or during a cpcfg operation of a very large configuration.

When:
-- Activating a new boot location and selecting the 'Install Configuration' operation (System :: Software Management : Boot Locations).
-- Generating a UCS archive (System :: Archives).

If generating a UCS archive takes over 5 minutes, the Apache httpd process terminates the connection to the backend, presenting this error in the GUI:

-- Internal Server Error
-- The server encountered an internal error or misconfiguration and was unable to complete your request.
-- Please contact the server administrator at support@f5.com to inform them of the time this error occurred, and the actions you performed just before this error.
-- More information about this error may be available in the server error log.


And logging these errors in /var/log/httpd/httpd_errors:

-- hostname httpd[16063]: [proxy_ajp:error] [pid 16063] [client a.b.c.d:53870] AH00992: ajp_read_header: ajp_ilink_receive failed, referer: https://bigip/tmui/Control/jspmap/tmui/system/archive/create.jsp.
-- hostname httpd[16063]: [proxy_ajp:error] [pid 16063] (70007)The timeout specified has expired: [client a.b.c.d:5370] AH00878: read response failed from 127.0.0.1:72 (localhost), referer: https://bigip/tmui/Control/jspmap/tmui/system/archive/create.jsp.

Conditions:
GUI operation (e.g. creating a UCS archive) takes more than 5 minutes.

Impact:
The httpd process times out, rendering the GUI inactive.

Workaround:
Use tmsh for a save UCS or cpcfg operation on large configurations that might take longer than 5 minutes.

---

794417-5 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration will not load if saved.

Workaround:
Do not simultaneously disable 'Enforce TLS Requirements' in the HTTP/2 profile, and enable 'TLS Renegotiation' in the Client SSL profile on a single virtual server.

---

794385-4 : BGP sessions may be reset after CMP state change

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.

---

793669-6 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.

---

789857-4 : "TCP half open' reports drops made by LTM syn-cookies mitigation.

Component: Advanced Firewall Manager

Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.

Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.

Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.

Workaround:
If LTM syn-cookies are not needed, disable the option:

modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite

---

789421-5 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.

---

788577-8 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

---

787845-4 : Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.

Component: Protocol Inspection

Symptoms:
If the Protocol Inspection feature is not licensed then tmsh command 'show running-config' fails with 'Protocol Inspection feature not licensed.' message.

Conditions:
- AFM Protocol Inspection feature is not licensed.

Impact:
'tmsh show running-config' command returns an error: 'Protocol Inspection feature not licensed.'

Workaround:
None.

---

785877-4 : VLAN groups do not bridge non-link-local multicast traffic.

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.

---

785361-2 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.

Conditions:
L2Wire mode.

Impact:
All srcIP 0.0.0.0 packets are dropped silently.

Workaround:
Configure the virtual server to be in L2-forward mode.

---

785017-5 : Secondary blades go offline after new primary is elected

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.

---

783125-5 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html

---

783113-8 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted

---

780857-1 : HA failover network disruption when cluster management IP is not

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.

---

780745-4 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access

Component: TMOS

Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.

Conditions:
Duplicate access records are created in TMSH.

Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.

Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.

If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.

---

780437-7 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.

---

779857-3 : Misleading GUI error when installing a new version in another partition★

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.

---

778817-4 : Invalid client request can cause un-captured exception on ASM container.

Component: iApp Technology

Symptoms:
Posting invalid message body content can cause restnoded to restart.

Conditions:
Post request with invalid data.

Impact:
ASM service disruption and loss of the state on in-process service requests.

Workaround:
NA

---

778225-4 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.

---

778041-4 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)

Component: TMOS

Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message

errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.

Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
  + Directly:
tcpdump -i 0.0 --f5 epva
  + Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all

Impact:
Unclear message does not give clear indication what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms

Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).

Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl

---

777389-6 : In a corner case, for PostgreSQL monitor MCP process restarts

Component: TMOS

Symptoms:
MCP expects a monitoring response from SQL server and starts polling for data continuously, resulting in infinite loop.

Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.

Impact:
MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
None.

---

775797-4 : Previously deleted user account might get authenticated

Component: TMOS

Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Conditions:
-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known).

Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Workaround:
None.

---

769581-6 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.

---

767877-1 : TMM core with Bandwidth Control on flows egressing on a VLAN group

Component: TMOS

Symptoms:
TMM cores during operation.

Conditions:
Known condition:
1. BWC attached to serverside connflow
2. Serverside traffic traversing/egressing VLAN group

Impact:
Traffic disrupted while tmm restarts.

---

767341 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: Local Traffic Manager

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable

---

767217-4 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.

---

766593-6 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]

---

764969-1 : ILX no longer supports symlinks in workspaces as of v14.1.0

Component: Local Traffic Manager

Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].

Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).

Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.

Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.

---

762137-4 : Ping6 with correctly populated NDP entry fails

Component: Local Traffic Manager

Symptoms:
TMM NDP entries show correct info with neighbor discovery protocol (NDP) resolved but ping6 fails

Conditions:
This occurs only on a cluster setup. Other conditions that cause the issue are unknown.

Impact:
Ping6 fails for that address.

Workaround:
None.

---

760752-4 : Internal sync-change conflict after update to local users table

Component: Device Management

Symptoms:
-- The 'top' command shows Java and mcpd becoming CPU intensive.
-- /var/log/audit shows many 'modify { user_role_partition { user_role_partition_user ...'
-- /var/log/restjavad-audit.0.log shows many REST API calls to 'http://localhost:8100/mgmt/shared/gossip' from the peer.

Conditions:
-- Create a new admin user with bash access on a device.

Impact:
High CPU usage (Java and mcpd) on control and analysis plane.

Workaround:
To work around this issue, follow these steps:

1. Sync from the device where the user was created.
2. Run the following command on all devices:
tmsh restart sys service restjavad

Although Java and mcpd will still show high CPU usage even after restart, waiting a few minutes enables the processes to return to normal.

---

760740-4 : Mysql error is displayed when saving UCS configuration on BIG-IP system with only LTM provisioned

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySql database. Because BIG-IP systems with only LTM provisioning (i.e., without AFM licensed) do not have the MySql server running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system is provisioned with LTM only.

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.

---

760354-2 : Continual mcpd process restarts after removing big logs when /var/log is full

Component: TMOS

Symptoms:
Unit suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Fix the logs and reboot the BIG-IP system.

---

759737-4 : Control and Analysis Plane CPU usage statistics may be inaccurate

Component: TMOS

Symptoms:
CPU usage statistics reported for Control and Analysis planes are not always allocated appropriately between the two planes.

Conditions:
Non-Data plane processes consuming CPU cycles generate usage statistics that are then classified as Control or Analysis plane CPU usage.

Impact:
CPU usage statistics for Control and Analysis planes may not provide actionable data due to their inaccuracy.

Workaround:
None.

---

759606 : REST error message is logged every five minutes on vCMP Guest

Component: TMOS

Symptoms:
Guestagentd periodically logs the following REST error message for each secondary slot in /var/log/ltm:

Rest request failed{"code":502."message":"This is a non-primary slot on the Viprion. Please access this device through the cluster address.","restOperationId":6410038,"kind":":resterrorresponse"}

Conditions:
Upgrade a vCMP guest from pre-13.1.x to a 13.1.x or later version.

Impact:
There is stale stat information for vCMP guests running on secondary slots.

Workaround:
Create a Log Filter with no publisher on the vCMP guest to discard the specific error message:

sys log-config filter Filter_RestError {
    level info
    message-id 01810007
    source guestagentd
}

---

759564-1 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.

---

758491-4 : When using Thales NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), the BIG-IP will not be able to use the keys

Component: Local Traffic Manager

Symptoms:
Ltm log showing SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:57106 -> 192.0.2.200:5607
warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log will show:

2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===

Conditions:
Fipskey.nethsm wrapper was used to create keys in any of the following scenarios:

1. Keys were created on earlier versions of BIG-IP software, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm

Impact:
SSL handshake failures

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm

Where key_label is the rightmost string in the output of the Thales command: nfkminfo -l.

---

757787-4 : Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in a LTM Policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }

---

757279-4 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

---

757029-7 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.

---

756643 : HSB error causes TMM core and failover

Component: TMOS

Symptoms:
The HSB device reports a transmitter failure, which can be observed in the ltm/tmm logs:

Error in /var/log/ltm similar to:crit tmm[17788]: 01010025:2: Device error: hsb hsb interface 0 DMA lockup on transmitter failure

This results in a TMM core, a failover, and a unit reboot.

Conditions:
It's unknown under what conditions this occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

756234 : In SSL forward proxy, forged untrusted server certs are no longer cached.

Component: Local Traffic Manager

Symptoms:
Previously, SSL forward proxy cached forged server certs on the client side even if the server cert was untrusted. Now, SSL forward proxy does not cache the forged cert if the server cert is untrusted.

Conditions:
SSL forward proxy is enabled and server cert is untrusted.

Impact:
You might notice a performance impact compared with previous releases.

Workaround:
None.

---

756139-5 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.

---

755976-5 : ZebOS might miss kernel routes after mcpd deamon restart

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

---

754460-4 : No failover on HA Dual Chassis setup using HA score

Component: TMOS

Symptoms:
On a high availability (HA) set up of two chassis, an HA failover does not occur, despite HA score on Standby being greater than Active.

Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.

Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.

Workaround:
None.

---

754100 : iRule event info command does not return proper error codes

Component: Local Traffic Manager

Symptoms:
The iRules API documentation on the 'event' command on DevCentral (https://devcentral.f5.com/wiki/iRules.event.ashx?lc=1) states that the [event info] command would return one of the ERR_xxxx error codes when LB_FAILED is emitted.

However, the return is not according to the API doc, e.g.,

1) When the pool is marked down, [event info] returns a empty string.

2) When the pool is marked up but all the members are available, it returns 'connection limit'.

Conditions:
This occurs when comparing the documented iRule event error codes to the actual error codes.

Impact:
Misleading information.

---

753536-4 : REST no longer requires a token to login for TACACS use

Component: TMOS

Symptoms:
Configurations that previously used TACACS for authentication in order to make REST requests are no longer required to use a token for remote authentication. You can simply use username and password.

Conditions:
Use of remote authentication using TACACS.

Impact:
If you have scripts that automatically request tokens, you no longer need them.

Workaround:
None.

---

751103-1 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.

---

750588 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.

Component: TMOS

Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.

Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.

Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.

Workaround:
Set db key 'provision.extramb' to 1024 or greater.

---

748976-4 : DataSafe Logging Settings page is missing when DataSafe license is active

Component: Fraud Protection Services

Symptoms:
DataSafe Logging Settings page is missing when DataSafe license is active

Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled

Impact:
DataSafe Logging Settings page is missing in GUI.

Workaround:
Use tmsh to configure the logging of Login attempts feature.

---

748030 : Modifying datagroup type at runtime is not supported

Component: Local Traffic Manager

Symptoms:
After a hand-edit of BIG-IP configuration to modify a datagroup's type, "tmsh load sys config" appears to succeed without error. However, the datagroup type change does not take effect.

Conditions:
Edit datagroup type by hand.

Impact:
Datagroup and the rules which reference it do not behave as expected.

Workaround:
If feasible, create a new datagroup with the desired type.

---

746837 : AVR JS injection can cause error on page if the JS was not injected

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.

If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.

This can lead to errors in cases where the change in response size is not supported.

Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The context-type header is text/html.
-- The response is not chunked (Context-length header exists).
-- The payload does not include the HTML head tag.

Impact:
White Spaces at the end of the page can cause it to be invalid for some applications.

Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

---

744091 : VMware Horizon PCoIP transport is not supported for IPv6 targets

Component: Access Policy Manager

Symptoms:
When APM is configured as a proxy for Vmware Horizon and the Horizon backends are accessible only via IPv6 address, user is not able to access resources over PCoIP protocol.

Conditions:
- APM is configured as proxy for Vmware Horizon
- A virtual desktop host (Horizon backend) can only be accessed via IPv6
- Vmware VCS (View Connection Server) is configured with Virtual "HTTP(s) Secure Tunnel" option disabled
 - User tries to open a desktop via APM with native Horizon client using PCoIP protocol.

Impact:
User is not able to access the desktop. Instead, this error is displayed: "This desktop is not addressable with your current settings. Please contact your system administrator"

Workaround:
There is no workaround at this time.

---

742753-6 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

---

742105-4 : Displaying network map with virtual servers is slow

Component: TMOS

Symptoms:
The network map loads slowly when it contains lots of objects.

Conditions:
Load the network map in a configuration that contains 1000 or more objects.

Impact:
The network map loads very slowly.

Workaround:
None.

---

739507-4 : How to recover from a failed state due to FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on FIPS-certified hardware devices, and the device rebooted, the system halts upon performing FIPS integrity check.

Conditions:
[1] Some system applications, monitored by FIPS 140-2, get routinely changed.
[2] The device was containing a FIPS 140-2 enabled license installed.
[3] The device operator installs a FIPS 140-2 enabled license
[4] The device is rebooted

Impact:
The device is halted and cannot be used.

Workaround:
Workaround:
[1] The device needs to have serial console access (Telnet).
[2] From the Telnet console, enter the GRUB menu and boot into a different partition not having a FIPS 140-2 enabled license.
[3] Examine the contents of file /config/fipserr which will show the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones and reboot.

If system still halts, repeat from Step [1] above, until this no longer happens.

---

738450 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.

---

738032-4 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.

Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.

Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.

Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.

---

737322-5 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

---

727266 : ICMP monitors may be marked down if packet-filter is set to discard or reject

Component: Local Traffic Manager

Symptoms:
ICMP monitors may incorrectly mark pool members down if packet filters are used

Conditions:
1. If an ICMP monitor is configured, as well as packet filters, and the default packet-filter action is Discard or Reject, and no rule exists to specifically allow the reply traffic, then the ICMP echo reply packets may be dropped, and the monitor will be marked down.

2. This can also be encountered by simply pinging the target from the BIG-IP command line.

Impact:
Monitors incorrectly mark the pool member down.

Workaround:
Either add a packet filter rule specifically allowing the return traffic, change the default packet filter behaviour to 'accept', or use a different type (non ICMP) of monitor.

---

726534 : False-positive DATA IS MALFORMED alert when request is redirected to a protected URL

Component: Fraud Protection Services

Symptoms:
There is a false-positive DATA IS MALFORMED alert sent when a request is redirected to a protected URL.

Conditions:
A request is redirected to a FPS-protected URL.

Impact:
False-positive DATA IS MALFORMED alert is sent.

Workaround:
None.

---

723658-7 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

---

722204 : SWG URL Filters does not show the Filter Action for the Category but instead shows the Filter Action of its Sub-Categories

Component: Access Policy Manager

Symptoms:
SWG Parent URL Filter does not show the Filtering Action of self; instead it shows the accumulated status of the sub-categories

Conditions:
If default Filtering action is different from the Sub-categories filtering action.

Impact:
From the traffic filter and the GUI showing status of the URL filter is different

Workaround:
None.

---

720322 : Intercepted HTTPS traffic isn't sent to HTTP services in SWG use cases

Component: Access Policy Manager

Symptoms:
BIG-IP doesn't have SSL Orchestrator iRules in SWG use cases, and if the L7 check agent isn't added in the Per-Request Policy before Service connect agent for HTTP type services (like ICAP, Explicit HTTP or Transparent HTTP service), traffic isn't sent to these services.

Conditions:
SWG use case with Per_request Policy:
Start->Service Connect ->Allow with service connect for http type services

Impact:
Traffic isn't sent to the services.

Workaround:
Use the following iRule :
when CLIENTSSL_HANDSHAKE {
    CONNECTOR::enable
}

---

718796-6 : IControl REST token issue after upgrade★

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.

Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may loose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.

---

718573-4 : Internal SessionDB invalid state

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
SessionDB is accessed in a specific way that results in an invalid state.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

---

718110-1 : MCP high CPU usage after clicking on GTM Listener name to view its properties in the Web GUI.

Component: Global Traffic Manager (DNS)

Symptoms:
MCP has high CPU usage.

Conditions:
A config that contains a large number of virtual servers, profiles and virtual addresses.

Impact:
MCP has high CPU usage for 5 to 20 seconds.

Workaround:
Use TMSH to view the properties if you cannot afford any CPU cycles loss on the BIG-IP you are using to view your listeners.

---

717174-4 : WebUI shows error: Error getting auth token from login provider★

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded

---

716746-4 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

---

714176-6 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config

---

713183-5 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.

---

712542 : Network Access client caches the response for /pre/config.php

Component: Access Policy Manager

Symptoms:
The Network Access client caches the response for /pre/config.php.

Conditions:
-- APM is provisioned.
-- Network Access is configured.

Impact:
Caching the response for /pre/config.php might reveal configuration information. However, a URL is public information by definition. The only sensitive information revealed are server names, which have to be revealed in order for the client to know where to connect.

Workaround:
None.

---

712489 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

712241-7 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.

---

708803-4 : Remote admin user with misconfigured partition fallback to "All"

Component: TMOS

Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.

Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.

Impact:
Administrator users have access to all partitions.

Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.

---

708448 : Modify LTM client SSL or server SSL profile ciphers default-value does not work

Component: TMOS

Symptoms:
The value 'default-value for the ciphers attribute of client SSL or server SSL profiles does not set the ciphers attribute to inherited-from-parent, but instead copies the parent profile's current value. Additionally, it does not set the ciphers attribute to inherited if the attribute had previously been customized.

Conditions:
1. Create a child client SSL or server SSL profile.
2. Customize the child profile's ciphers value.
3. Modify the child profile's ciphers value via TMSH to 'default-value'

Impact:
Any subsequent changes to the parent profile's ciphers value are not inherited by the child profile because the ciphers attribute is considered to be customized, and has not been reset to inherited.

Workaround:
Any of the following workarounds work:

1. Simultaneously set both 'cipher-group' and 'ciphers' to 'default-value':

tmsh modify ltm profile client-ssl child_clientssl cipher-group default-value ciphers default-value

2. In the Configuration Utility, uncheck the customization box for the ciphers attribute on the child profile.

---

707294 : [BIG-IP as OAuthAS] : When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear

Component: Access Policy Manager

Symptoms:
When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear. It shows an error indicating "OAuth mode is not set", instead of showing "OAuth Profile is not configured".

Conditions:
This occurs when BIG-IP is configured as OAuth AS, however, the access profile is not configured with OAuth profile

Impact:
Confusing error message that leads to delay in troubleshooting the OAuth configuration

Workaround:
The error "OAuth mode is not set" means thats the OAuth Profile is not associated in the Access Profile of the Virtual acting as BIG-IP OAuth Authentication server.
An OAuth Profile need to be configured in the Access profile of the virtual acting as BIG-IP OAuth AS, in order to avoid this error.

---

705869 : tmm cores with consequential of repeated load of the GEOIP database

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores.

Conditions:
Repeatedly loading the GeoIP database in rapid succession.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't do repeated load of GeoIP Database.

---

703678-4 : Cannot add 'secure' attributes to several ASM cookies

Component: Application Security Manager

Symptoms:
There is an option to add 'secure' attribute to ASM cookies.
There are some specific cookies which this option does not apply on.

Conditions:
-- ASM policy is attached to the virtual server.
-- Internal parameter 'cookie_secure_attr' flag is enabled, along with either of the following:
   + Using HTTPS traffic.
   + The 'assume https' internal parameter is also enabled.
-- Along with one of the following:
   + Web Scraping' feature is enabled.
   + 'Bot Detection' feature is enabled.
   + The 'brute force' feature is enabled using CATPCHA.

Impact:
Some cookies do not have the 'secure' attributes.

Workaround:
None.

---

701555 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.

---

701534 : HSB transmitter failure due to watchdog loopback failure

Component: TMOS

Symptoms:
An HSB transmitter failure is reported in the TMM logs.

Under normal operation, software has an HSB watchdog that sends and receives a loopback packet. Under some unknown conditions, software fails to receive the loopback packet from the HSB.

The following error messages are seen in the TMM logs:
-- notice hsb0: failed to transmit loopback packet No.1 with error 2. (ERR_BUF)
-- notice ring0: rx_prod_idx 00ba rx_cons_idx 00aa tx_prod_idx 0acf tx_cons_idx 0ace
-- notice fsc_tx0: sw_cons 4acc hw_cons 6ace hw_prod_written 4acf hw_prod 4acf mask 0fff
...
-- notice *** TMM 0 - PDE 0 - transmitter failure ***

Conditions:
The conditions under which this occurs are unknown.

Impact:
An HSB lockup is detected, resulting in a nic_failsafe reboot.

Workaround:
None.

---

700639-1 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000

---

697421-4 : Monpd core when trying to restart

Component: Application Visibility and Reporting

Symptoms:
Monpd tries to restart and tries to access a non-initiated variable

Conditions:
Monpd tries to restart due to change of primary blade

Impact:
Monpd cores

Workaround:
N/A

---

696755-6 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

---

692218-7 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.

---

690928-2 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.

---

689147-4 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.

---

685937 : PEM Diameter stats may have errors when Diameter requests and responses are asynchronous

Component: Policy Enforcement Manager

Symptoms:
Statistics provided by PEM Diameter applications may be in error.

Conditions:
-- PEM configured with Gx, Sd, or Gy.
-- Diameter requests and responses processed asynchronously.

Impact:
May impact logic that is dependent on statistics.

Workaround:
Configure the Diameter solution such that requests and responses are synchronous.

---

680841 : Reported Virtual Server CPU usage stats are slightly higher than actual

Solution Article: K67996855

Component: Local Traffic Manager

Symptoms:
The average CPU usage percentage reported per LTM Virtual Server is slightly higher than actual percentage of system CPU cycles used by each Virtual Server.

The average CPU usage percentage per LTM Virtual Server is reported by the 'tmsh show ltm virtual' and 'tmctl virtual_server_cpu_stat' commands and in the GUI under Statistics :: Module Statistics : Local Traffic :: Virtual Servers.

The average CPU usage values reported by these commands incorrectly include TMM Idle cycles in the calculations, which causes a slight over-reporting of average per-Virtual-Server CPU usage.

Conditions:
This occurs when LTM Virtual Server CPU usage stats are observed via the 'tmsh show ltm virtual' or 'tmctl virtual_server_cpu_stat' commands or in the GUI under Statistics :: Module Statistics : Local Traffic :: Virtual Servers.

Impact:
Each LTM Virtual Server may appear to be using a greater percentage of system CPU cycles than they actually use.

Workaround:
Note: The values reported for 'tm_total_cycles' and 'tm_idle_cycles' represent a total value applied across the entire system: i.e., these are global values. The output from 'tmsh show ltm virtual', 'tmctl virtual_server_cpu_stat', or via the GUI report individual statistics for each virtual server.

If you have multiple virtual servers, each with varying degrees of usage, you cannot use this workaround extract the per-virtual server information from a global stat. In the interest of extracting the information for a single virtual server, the following process might be useful.

To determine the over-reporting value of the per-Virtual-Server CPU usage percentage
=====================================
The instantaneous running count of TMM Idle cycles is displayed in the 'tm_idle_cycles' column displayed by the 'tmctl tmm_stat' command. You can compare this value to the 'tm_total_cycles' column to gain a general sense of the scale of the error.

For a meaningful comparison of these values with the per-Virtual-Server CPU usage statistics (such as the 'avg_5sec' value reported by 'tmctl virtual_server_cpu_stat' or the 'Last 5 Seconds' value reported by 'tmsh show ltm virtual'), run the 'tmctl tmm_stat' command at intervals, such as every 5 seconds, and use the incremental changes in the 'tm_idle_cycles' and 'tm_total_cycles' values to estimate the degree to which the per-Virtual-Server CPU usage percentage is over-reported.

---

680030 : IP ToS/QoS is not preserved in chained Virtual Servers when the second Virtual Server is FastL4.

Component: Local Traffic Manager

Symptoms:
IP Type of Service (ToS) and/or Quality of Service (QoS) set by the server is not received by the client through the BIG-IP system when the BIG-IP system has two Virtual Servers chained together.

Conditions:
Two Virtual Servers in a chain with the second Virtual Server being a forwarding/performance (i.e., FastL4) rather than a Standard Virtual Server.

IP ToS/QoS desired to be preserved from server to client.

Impact:
Client does not receive IP ToS/QoS from server via the BIG-IP system.

Workaround:
Change the second Virtual Server type to Standard with a TCP profile which has ToS/QoS set to Pass Through.

---

677270 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility

Solution Article: K76116244

Component: Local Traffic Manager

Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.

Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH or entering the iRule in the iRules Editor of the BIG-IP Configuration Utility.
-- iRule comments are outside of any event stanza.

Impact:
Trailing comments in iRules are lost.

Workaround:
Use one or both of the following workarounds:

-- Make sure comments are inside of an event stanza.

---

675911-8 : Different sections of the WebUI can report incorrect CPU utilization

Solution Article: K13272442

Component: TMOS

Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)

Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.

---

673573-7 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.

---

671025-5 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured

Component: TMOS

Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files

Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.

Impact:
devmgmtd has too many open files causing iControl issues as it is unable to communicate with devmgmtd.

Workaround:
None.

---

665906 : tmm crash in free_bufctls

Solution Article: K02285831

Component: Local Traffic Manager

Symptoms:
tmm crashes in free_bufctls.

Conditions:
Any double-free or use-after-free issue may cause this crash.

Note: The component causing the issue may vary.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

662301-1 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Component: TMOS

Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration error or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd

---

658943-4 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use either of the following Workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

---

658850-4 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>

---

652856 : The tmsh utility shows memory information only for the main thread of each TMM process.

Component: Local Traffic Manager

Symptoms:
When running the 'tmsh show sys tmm-info' command from the command line, you may notice that the utility returns memory information only for the main thread of each TMM process.

All the memory available to the TMM process is accounted for under its main thread, and all other threads appear as having no memory at all.

For example:

# tmsh show sys tmm-info
---------------------------
Sys::TMM: 0.0
---------------------------
Global
  TMM Process Id 18228
  Running TMM Id 0
  TMM Count 1
  CPU Id 0

Memory (bytes)
  Total 17.0G
  Used 522.9M

CPU Usage Ratio (%)
  Last 5 Seconds 2
  Last 1 Minute 2
  Last 5 Minutes 2

--------------------------
Sys::TMM: 0.1
--------------------------
Global
  TMM Process Id 18228
  Running TMM Id 1
  TMM Count 1
  CPU Id 1

Memory (bytes)
  Total 0
  Used 0

CPU Usage Ratio (%)
  Last 5 Seconds 2
  Last 1 Minute 2
  Last 5 Minutes 2

[...]

Conditions:
This issue occurs on any BIG-IP device running version 11.3.0 or later (provided that TMM threading has not been disabled for troubleshooting purposes).

Impact:
This issue is cosmetic, and there is no functional impact to the BIG-IP system. Whilst a BIG-IP Administrator may find the output confusing, all TMM threads have an equal share of the memory and are operating correctly.

Workaround:
Refer to memory information for the main thread.

---

648242-7 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

---

646768-5 : VCMP Guest CM device name not set to hostname when deployed

Solution Article: K71255118

Component: TMOS

Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.

Impact:
The vCMP guest does not use the configured hostname.

Workaround:
-- In tmsh, run the following commands, in sequence:

 mv cm device bigip1 HOSTNAME
 save sys config

-- Rename the device name in the GUI.

---

646440-4 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config

---

643446 : When a pool is in use for AAA server, the SNAT virtual server does not pick up a packet going out to non-default route domain.

Component: Access Policy Manager

Symptoms:
SNAT rules are not applied to outgoing traffic.

Conditions:
This occurs when all the following conditions are true:
- APM authentication server is configured to use pool.
- Pool members are in non-default route domain.
- Administrator creates another layered virtual server (LVS) to apply SNAT for outgoing traffic.

Impact:
Source IP address is not the one the backend server expects, so authentication might fail.

Workaround:
Configure the following:
1. Create a new layered virtual server with an IP address from your network.
2. Create a pool of the backend servers for the new layered virtual server.
3. Create a SNAT pool with the IP address that you wanted to use as the source IP address, assign that SNAT pool to the layered virtual server.
4. Create the AAA server to use direct mode with the new layered virtual server's address as the destination address.

Using this AAA server in the policy will have the desired effect.

---

640374 : DHCP statistics are incorrect

Component: Local Traffic Manager

Symptoms:
DHCP statistics are incorrect if DHCP server is down while a new virtual server is created. And when the DHCP server comes back up, the current pending transactions are incorrect.

Conditions:
-- DHCP relay configured.
-- DHCP server is down while the virtual server is created.

Impact:
The 'current pending transactions' for the DHCP server is incorrect if the DHCP server is down while a new virtual server is created.

Workaround:
None.

---

636866-1 : OAuth Client/RS secret issue with export/import

Component: Access Policy Manager

Symptoms:
When the access profile with a OAuth Client/RS agent is configured, the OAuth server objects has a client secret and/or resource server secret to be configured.
When such an access profile is exported and then imported, the client secret or resource server secret may not be imported properly.

Conditions:
In OAuth client/RS use case, when an access profile is configured with OAuth client or Scope Agent.

Impact:
The APM OAuth client or Scope Agent may not run properly and end up in the fallback branch.

Workaround:
After importing the access profile, the OAuth server object needs to be modified with the proper client secret or resource server secret.

---

631595 : iRule does not re-enable AVR when in was disabled by LTM Policy

Component: Local Traffic Manager

Symptoms:
When disabling AVR from an iRule, AVR HTTP statistics are not collected.

When disabling AVR from LTM policy, you will still see AVR HTTP statistics.

Conditions:
LTM policy disables AVR, and an iRule running immediately after enables AVR.

Impact:
AVR HTTP statistic not available.

Workaround:
None.

---

629640 : TMM may stall and not service queued connections on pool state transition

Solution Article: K33695305

Component: Local Traffic Manager

Symptoms:
In certain situations TMM may not process all connections queued in a configured connection queue if the relevant poolmember has been disabled/down, connection enqueued, and poolmember reenabled.

Conditions:
All of the following:
  - Persistence on VIP.
  - Slow ramp configured on pool.
  - Connection queueing on pool.
  - Connection limiting on poolmember.
  - Poolmember is disabled/down,
    connection is enqueued to poolmember,
    and poolmember is re-enabled/up.

Impact:
The queued connection to the VIP/poolmember on the specific TMM will remain in that state until the connection is either killed or client shuts down the connection. Any additional connections queued behind the prior queued connection will also stay queued.
This will continue until all connections to the VIP/pmbr/tmm cease to connect/queue and are deleted.

Workaround:
You can use one of the following as a workaround:
  - Don't use persistence (or present via fallback) that makes cmp lookups, if a single poolmember is used in the pool.
  - Disable slow ramp

If the situation has already occurred, delete all connections to the VIP/Affected TMM. After which new connections will work as expected.

---

625807-2 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule iRule, this log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.

---

623243 : Single-page application AJAX does not work properly with synchronous ajax requests

Component: Application Security Manager

Symptoms:
When single-page application is enabled and a synchronous Ajax request is sent, ASM responses such as CAPTCHA response may not work as expected.

Conditions:
-- Single-page application is enabled in ASM.
-- The single-page application sends a synchronous AJAX request that needs to be mitigated.

Impact:
End users may not be able to pass the CAPTCHA challenge and therefore not we able to access the application.

Workaround:
Modify the backend application to use an asynchronous AJAX request.

---

621260-8 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.

---

617636-4 : LTM v11.6.x Errors in F5-BIGIP-LOCAL-MIB.txt prevent its compilation in NMS (Network Management System)

Solution Article: K15009669

Component: TMOS

Symptoms:
Error during compilation of MIB file F5-BIGIP-LOCAL-MIB.txt in NMS:

Unexpected token: in /.../mibs/F5-BIGIP-LOCAL-MIB.mib line no: 27738.

The above compilation error is caused by missing commas in F5-BIGIP-LOCAL-MIB.txt:
 
ltmFwRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1)staged(2), <===== comma missing here
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwRuleStatEntry 6 }

ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1)staged(2), <===== comma missing here
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwPolicyRuleStatEntry 6 }

Conditions:
Compile F5-BIGIP-LOCAL-MIB.txt from 11.6.x versions in NMS.

Impact:
F5-BIGIP-LOCAL-MIB.txt fails to compile in NMS.

Workaround:
Correct syntax in the F5-BIGIP-LOCAL-MIB.txt file, as follows:

ltmFwRuleStatRuleStatType OBJECT-TYPE
        SYNTAX INTEGER {
                enforced(1),
                staged(2),
                active(3),
                overlapper(4)
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
                ""
        ::= { ltmFwRuleStatEntry 6 }

ltmFwPolicyRuleStatRuleStatType OBJECT-TYPE
    SYNTAX INTEGER {
        enforced(1),
        staged(2),
        active(3),
        overlapper(4)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        ""
    ::= { ltmFwPolicyRuleStatEntry 6 }

---

595313 : "vcmp.vdisk.new_image_size" BigDB variable ignored when using virtual disk templates

Component: TMOS

Symptoms:
The "vcmp.vdisk.new_image_size" BigDB variable controls the size of newly create virtual disk images for vCMP guests. However, when vCMP Fast Provisioning is used (i.e., virtual disk templates), new virtual disk images created from a virtual disk template will have the same size as the template.

Conditions:
You may experience this issue if:

* The vCMP host BIG-IP system is configured to use virtual disk templates, which is the case by default.

* The "vcmp.vdisk.new_image_size" BigDB variable has been changed from its default value.

* A new virtual disk image is created for a vCMP guest using a virtual disk template that was created before the "vcmp.vdisk.new_image_size" BigDB var was modified.

Impact:
The virtual disk image(s) created for a vCMP guest may have an unexpected and/or undesirable size.

Workaround:
To force the system to create a new virtual disk template using the size specified in the "vcmp.vdisk.new_image_size" BigDB variable, set the "vcmp.installer.use_vdisk_templates" to "disabled" using the following TMSH command:

# tmsh modify sys db vcmp.installer.use_vdisk_templates value disabled

Then set the vCMP guest to the provisioned or deployed state to initiate a new virtual disk image install for the guest. If a virtual disk image of the undesired size has already been created, it should be deleted first.

---

587821 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

---

554228-10 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

---

543022 : Logging profile with trailing whitespace cannot be associated with VS in GUI

Component: Advanced Firewall Manager

Symptoms:
A security logging profile with trailing whitespace cannot be associated with a Virtual Server from the "Virtual Server > Security" page in GUI.

Conditions:
The user attempts to associate a security logging profile with trailing whitespace with a Virtual Server from the "Virtual Server > Security" page in GUI.

Impact:
An error message occurs ("01020036:3: The requested firewall virtual log profile (/Common/profile name) was not found.").

Workaround:
The logging profile can be associated with the Virtual Server using tmsh. Also, please note that trailing whitespace on a configuration entity is not recommended and the issue can be easily avoided by adhering to entity naming best practices.

---

510650 : BIG-IP MPTCP Checksum calculation might be incorrect.

Component: Local Traffic Manager

Symptoms:
RFC 6824 specifies that a data sequence mapping also contains a checksum of the data that this mapping covers, if use of checksums has been negotiated at the MP_CAPABLE exchange. However, the BIG-IP implementation only calculates a checksum for a mapping of a single packet.

Conditions:
MPTCP checksum enabled by either client or the BIG-IP system.

Impact:
The MPTCP checksum may be computed incorrectly and may cause connection failures if MPTCP checksums have been negotiated.

Workaround:
There is no workaround available if the client cannot disable checksums and sends a checksum covering a DSS mapping larger than a single packet.

---

499348-12 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge.

---

489572-6 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Solution Article: K60934489

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.

---

486712-8 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.

---

469724-4 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue

---

462536 : AFM DoS UDP PortList configuration is not migrated automatically★

Component: Advanced Firewall Manager

Symptoms:
When a DoS UDP port list is configured via sys db variables dos.udplimiter, the configuration is not automatically migrated during upgrades.

Conditions:
AFM DoS with UDP PortList configuration and customer upgrade from pre 11.6.0.

Impact:
AFM DoS UDP PortList configuration is not migrated automatically

Workaround:
As a workaround, migrate the configuration manually using the tmsh command: security dos udp-portlist { } .

---

454671 : SIP media flows do not count toward LSN pool client connection limit

Component: Carrier-Grade NAT

Symptoms:
When SIP is used with LSN pools, the media connections do not count towards the LSN client connection limit count.

Conditions:
SIP ALG is configured with an LSN pool whose client connection limit value is greater than zero.

Impact:
Media connections are not counted. This might result in a subscriber being able to create more connections than specified by LSN pool client connection limit

Workaround:
None.

---

446712 : FTP data flows do not count toward LSN pool client connection limit

Component: Carrier-Grade NAT

Symptoms:
When FTP is used with LSN pools, the data connections do not count towards the LSN client connection limit count.

Conditions:
FTP is configured with LSN pool whose client connection limit value is greater than zero.

Impact:
Data connections (active/passive mode) are not counted. This might result in a subscriber being able to create more connections than specified by LSN pool client connection limit

Workaround:
None.

---

431503-9 : TMSH crashes in rare initial tunnel configurations

Solution Article: K14838

Component: TMOS

Symptoms:
In rare BigIP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.

Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.

Impact:
TMM crash in rare race conditions.

Workaround:
None.

---

398683-5 : Use of a # in a TACACS secret causes remote auth to fail

Solution Article: K12304

Component: TMOS

Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.

Conditions:
TACACS secret contains the '#' character.

Impact:
TACACS remote auth fails.

Workaround:
Do not use the '#' character in the TACACS secret.

---

394873 : Upgrade process does not update Tcl scripts★

Component: TMOS

Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.

Conditions:
Upgrading Tcl scripts (such as iRules).

Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Workaround:
None.

---

385013-1 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.

---

382363-2 : min-up-members and using gateway-failsafe-device on the same pool.

Solution Article: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.

---

381100 : Internal Datagroup Entries are added one at a time in TMM

Component: Local Traffic Manager

Symptoms:
You may see entries coming in one at a time while an iRule is running.

Conditions:
Using internal datagroup in an iRule.

Impact:
iRule operates incorrectly.

Workaround:
Use an external datagroup instead of an internal datagroup.

---

224665 : Proxy Exclusion List setting is not aware of administrative partitions

Solution Article: K12711

Component: Local Traffic Manager

Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.

Conditions:
Using VLAN groups and proxy exclusion.

Impact:
Results in issues for the VLAN group.

Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions , available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.

---

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade