Supplemental Document : BIG-IP 16.0.1.2 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.1

BIG-IP Analytics

  • 16.0.1

BIG-IP Link Controller

  • 16.0.1

BIG-IP LTM

  • 16.0.1

BIG-IP PEM

  • 16.0.1

BIG-IP AFM

  • 16.0.1

BIG-IP DNS

  • 16.0.1

BIG-IP FPS

  • 16.0.1

BIG-IP ASM

  • 16.0.1
Original Publication Date: 07/21/2021
Updated Date: 07/21/2021

BIG-IP Release Information

Version: 16.0.1.2
Build: 8.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from BIG-IP v16.0.1.1 that are included in this release
Cumulative fixes from BIG-IP v16.0.1 that are included in this release
Cumulative fixes from BIG-IP v16.0.0.1 that are included in this release
Known Issues in BIG-IP v16.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
1017973-7 CVE-2021-25215 K96223611 BIND Vulnerability CVE-2021-25215
1017965-1 CVE-2021-25214 K11426315 BIND Vulnerability CVE-2021-25214
990333-6 CVE-2021-23016 K75540265 APM may return unexpected content when processing HTTP requests
965485-4 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
949889-4 CVE-2019-3900 K04107324 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
945109-1 CVE-2015-9382 K46641512 Freetype Parser Skip Token Vulnerability CVE-2015-9382
803933-8 CVE-2018-20843 K51011533 Expat XML parser vulnerability CVE-2018-20843
797797-5 CVE-2019-11811 K01512680 CVE-2019-11811 kernel: use-after-free in drivers
797769-10 CVE-2019-11599 K51674118 Linux vulnerability : CVE-2019-11599
1003557-2 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker
1003105-2 CVE-2021-23015 K74151369 iControl Hardening
1002561-6 CVE-2021-23007 K37451543 TMM vulnerability CVE-2021-23007
968733-7 CVE-2018-1120 K42202505 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
939421-1 CVE-2020-10029 K38481791 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow


Functional Change Fixes

ID Number Severity Solution Article(s) Description
913729-6 2-Critical   Support for DNSSEC Lookaside Validation (DLV) has been removed.
933777-4 3-Major   Context use and syntax changes clarification
923301-3 3-Major   ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
913829-5 3-Major   i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
866073-3 3-Major   Add option to exclude stats collection in qkview to avoid very large data files
794417-5 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
918097-4 4-Minor   Cookies set in the URI on Safari


TMOS Fixes

ID Number Severity Solution Article(s) Description
995629-4 2-Critical   Loading UCS files may hang if ASM is provisioned
967905-4 2-Critical   Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
935433-1 2-Critical   iControl SOAP Hardening
888341-8 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-4 2-Critical   System may become unresponsive after upgrading
856713-4 2-Critical   IPsec crash during rekey
1000973-4 2-Critical   Unanticipated restart of TMM due to heartbeat failure
999021-1 3-Major   IPsec IKEv1 tunnels fail after a config sync from Standby to Active
998221-2 3-Major   Accessing pool members from configuration utility is slow with large config
996593-1 3-Major   Password change through REST or GUI not allowed if the password is expired
994801-8 3-Major   SCP file transfer hardening
976505-4 3-Major   Rotated restnoded logs will fail logintegrity verification.
975809-3 3-Major   Rotated restjavad logs fail logintegrity verification.
969213-3 3-Major   VMware: management IP cannot be customized via net.mgmt.addr property
959629-1 3-Major   Logintegrity script for restjavad/restnoded fails
958465-1 3-Major   in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
958353-1 3-Major   Restarting the mcpd messaging service renders the PAYG VE license invalid.
950017-1 3-Major   TMM may crash while processing SCTP traffic
946089-3 3-Major   BIG-IP might send excessive multicast/broadcast traffic.
937365-1 3-Major   LTM UI does not follow best practices
934065-2 3-Major   The turboflex-low-latency and turboflex-dns are missing.
932497-2 3-Major   Autoscale groups require multiple syncs of datasync-global-dg
928697-1 3-Major   Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
922297-1 3-Major   TMM does not start when using more than 11 interfaces with more than 11 vCPUs
914245-3 3-Major   Reboot after tmsh load sys config changes sys FPGA firmware-config value
913849-2 3-Major   Syslog-ng periodically logs nothing for 20 seconds
908601-1 3-Major   System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
907201-4 3-Major   TMM may crash when processing IPSec traffic
906377-1 3-Major   iRulesLX hardening
900933-3 3-Major   IPsec interoperability problem with ECP PFS
889029-1 3-Major   Unable to login if LDAP user does not have search permissions
879829-1 3-Major   HA daemon sod cannot bind to ports numbered lower than 1024
862937-4 3-Major   Running cpcfg after first boot can result in daemons stuck in restart loop
839121-4 3-Major K74221031 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade
829821-8 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
809205-8 3-Major   CVE-2019-3855: libssh2 Vulnerability
692218-7 3-Major   Audit log messages sent from the primary blade to the secondaries should not be logged.
675911-11 3-Major K13272442 Different sections of the GUI can report incorrect CPU utilization
1010393-5 3-Major   Unable to relax AS-path attribute in multi-path selection
1002761-2 3-Major   SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure
879189-4 4-Minor   Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
819053-9 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container
675772-3 4-Minor   IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
1004417-4 4-Minor   Provisioning error message during boot up


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
945997-1 2-Critical   LTM policy applied to HTTP/2 traffic may crash TMM
942185-1 2-Critical   Non-mirrored persistence records may accumulate over time
938233-1 2-Critical   An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
911041-4 2-Critical   Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
1005489-1 2-Critical   iRules with persist command might result in tmm crash.
997929-2 3-Major   Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
980821-3 3-Major   Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
968641 3-Major   Fix for zero LACP priority
946377-1 3-Major   HSM WebUI Hardening
945601-5 3-Major   An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
940665-2 3-Major   DTLS 1.0 support for PFS ciphers
939961-1 3-Major   TCP connection is closed when necessary after HTTP::respond iRule.
926929-4 3-Major   RFC Compliance Enforcement lacks configuration availability
921881-1 3-Major   Use of IPFIX log destination can result in increased CPU utilization
891373-1 3-Major   BIG-IP does not shut a connection for a HEAD request
889601-4 3-Major   OCSP revocation not properly checked
888517-1 3-Major   Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.
882549-1 3-Major   Sock driver does not use multiple queues in unsupported environments
858701-5 3-Major   Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x
819329-5 3-Major   Specific FIPS device errors will not trigger failover
785877-4 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
767341-8 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
696755-6 3-Major   HTTP/2 may truncate a response body when served from cache
962333-1 4-Minor   FIN from client does not get propagated to server side, if the FIN arrives before server side reaching ESTABLISHED
962177-1 4-Minor   Results of POLICY::names and POLICY::rules commands may be incorrect
949721-1 4-Minor   QUIC does not send control frames in PTO packets
895557-3 4-Minor   NTLM profile logs error when used with profiles that do redirect
804157-4 4-Minor   ICMP replies are forwarded with incorrect checksums causing them to be dropped
743253-1 4-Minor   TSO in software re-segments L3 fragments.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
975465-1 2-Critical   TMM may consume excessive resources while processing DNS iRules
918597-6 2-Critical   Under certain conditions, deleting a topology record can result in a crash.
993489-2 3-Major   GTM daemon leaks memory when reading GTM link objects
973261-1 3-Major   GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
971297-1 3-Major   DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade
912001-2 3-Major   TMM cores on secondary blades of the Chassis system.
863917-1 3-Major   The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
858973-5 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
857953-1 4-Minor   Non-functional disable/enable buttons present in GTM wide IP members page


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
996381-2 2-Critical   ASM attack signature may not match as expected
989009-2 2-Critical   BD daemon may crash while processing WebSocket traffic
980809-1 2-Critical   ASM REST Signature Rule Keywords Tool Hardening
980125-2 2-Critical   BD Daemon may crash while processing WebSocket traffic
979081-1 2-Critical   Hardening of ASM External References
968421-1 2-Critical   ASM attack signature doesn't matched
962341-5 2-Critical   BD crash while processing JSON content
943913-2 2-Critical   ASM attack signature does not match
854001-1 2-Critical   TMM might crash in case of trusted bot signature and API protected url
791669-3 2-Critical   TMM might crash when Bot Defense is configured for multiple domains
1017645-1 2-Critical   False positive HTTP compliance violation
996753-3 3-Major   ASM BD process may crash while processing HTML traffic
986937-2 3-Major   Cannot create child policy when the signature staging setting is not equal in template and parent policy
981785-4 3-Major   Incorrect incident severity in Event Correlation statistics
976617-1 3-Major   Manual signature sets are converted to filter based when trying to update signature set without field "type"
963461-2 3-Major   ASM performance drop on the response side
962497-1 3-Major   BD crash after ICAP response
960369-1 3-Major   Negative value suggested in Traffic Learning as max value
956373-1 3-Major   ASM sync files not cleaned up immediately after processing
955017-1 3-Major   Excessive CPU consumption by asm_config_event_handler
951133-3 3-Major   Live Update does not work properly after upgrade
947341-2 3-Major   MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files
946081-5 3-Major   Getcrc tool help displays directory structure instead of version
929001-2 3-Major   ASM form handling improvements
928685-1 3-Major   ASM Brute Force mitigation not triggered as expected
922261-1 3-Major   WebSocket server messages are logged even it is not configured
920197-4 3-Major   Brute force mitigation can stop mitigating without a notification
914277-1 3-Major   [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
913761-1 3-Major   Security - Options section in navigation menu is visible for only Administrator users
912089-1 3-Major   Some roles are missing necessary permission to perform Live Update
907337-1 3-Major   BD crash on specific scenario
888289-7 3-Major   Add option to skip percent characters during normalization
881757-3 3-Major   Unnecessary HTML response parsing and response payload is not compressed
830341-3 3-Major   False positives Mismatched message key on ASM TS cookie
673272-1 3-Major   Search by "Signature ID is" does not return results for some signature IDs
964897-1 4-Minor   Live Update - Indication of "Update Available" when there is no available update
956105-1 4-Minor   Websocket URLs content profiles are not created as expected during JSON Policy import
952509-3 4-Minor   Cross origin AJAX requests are blocked in case there is no Origin header
944441-5 4-Minor   BD_XML logs memory usage at TS_DEBUG level
941929-3 4-Minor   Google Analytics shows incorrect stats, when Google link is redirected.
941249-5 4-Minor   Improvement to getcrc tool to print cookie names when cookie attributes are involved
922785-1 4-Minor   Live Update scheduled installation is not installing on set schedule
911729-3 4-Minor   Redundant learning suggestion to set a Maximum Length when parameter is already at that value


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
981385-2 3-Major   AVRD does not send HTTP events to BIG-IQ DCD
949593-4 3-Major   Unable to load config if AVR widgets were created under '[All]' partition
932485-4 3-Major   Incorrect sum(hits_count) value in aggregate tables
924945-4 3-Major   Fail to detach HTTP profile from virtual server
913085-2 3-Major   Avrd core when avrd process is stopped or restarted
869049-3 3-Major   Charts discrepancy in AVR reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
924857-3 3-Major   Logout URL with parameters resets TCP connection
747234-8 4-Minor   Macro policy does not find corresponding access-profile directly


Service Provider Fixes

ID Number Severity Solution Article(s) Description
974881-3 2-Critical   Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
989753-1 3-Major   In HA setup, standby fails to establish connection to server
982869-2 3-Major   With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
977053-1 3-Major   TMM crash on standby due to invalid MR router instance
968349-2 3-Major   TMM crashes with unspecified message
966701-1 3-Major   Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
957029-2 3-Major   MRF Diameter loop-detection is enabled by default
788625-2 3-Major   A pool member is not marked up by the inband monitor even after successful connection to the pool member


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
988005-2 3-Major   Zero active rules counters in GUI
969509-1 3-Major   Possible memory corruption due to DOS vector reset
910417-1 3-Major   TMM core may be seen when reattaching a vector to a DoS profile
907245-2 3-Major   AFM UI Hardening
716746-4 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
1012521-3 3-Major   BIG-IP UI file permissions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
1012145-1 2-Critical   TMM may crash when processing Datasafe profiles with ASM
887205-1 3-Major   Correct handling of wildcard parameters with search-in 'any' marked for data integrity


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
932737-4 2-Critical   DNS & BADOS high-speed logger messages are mixed
944785-4 3-Major   Admd restarting constantly. Out of memory due to loading malformed state file
914293-4 3-Major   TMM SIGSEGV and crash


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
901041-2 2-Critical   CEC update using incorrect method of determining number of blades in VIPRION chassis
984657-1 3-Major   Sysdb variable not working from tmsh
948573-5 3-Major   Wr_urldbd list of valid TLDs needs to be updated
846601-5 3-Major   Traffic classification does not update when an inactive slot becomes active after upgrade


Device Management Fixes

ID Number Severity Solution Article(s) Description
970829-6 2-Critical K03310534 iSeries LCD incorrectly displays secure mode


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
964585-2 3-Major   "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
964577-2 4-Minor   IPS automatic IM download not working as expected


In-tmm monitors Fixes

ID Number Severity Solution Article(s) Description
912425-4 3-Major   Modification of in-tmm monitors may result in crash


BIG-IP Risk Engine Fixes

ID Number Severity Solution Article(s) Description
969385-1 3-Major   Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.



Cumulative fixes from BIG-IP v16.0.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
975233-1 CVE-2021-22992 K52510511 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
973333-6 CVE-2021-22991 K56715231 TMM buffer-overflow vulnerability CVE-2021-22991
955145-1 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
954381-1 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
953677-1 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
951705-1 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
950077-1 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
981169-1 CVE-2021-22994 K66851119 F5 TMUI XSS vulnerability CVE-2021-22994
959121-5 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker
953729-1 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
949933-5 CVE-2021-22980 K29282483 BIG-IP APM CTU vulnerability CVE-2021-22980
943125-1 CVE-2021-23010 K18570111 ASM bd may crash while processing WebSocket traffic
943081-4 CVE-2021-23009 K90603426 Unspecified HTTP/2 traffic may cause TMM to crash
941449-1 CVE-2021-22993 K55237223 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
931837-7 CVE-2020-13817 K55376430 NTP has predictable timestamps
931513-1 CVE-2021-22977 K14693346 TMM vulnerability CVE-2021-22977
921337-6 CVE-2021-22976 K88230177 BIG-IP ASM WebSocket vulnerability CVE-2021-22976
916821-1 CVE-2021-22974 K68652018 iControl REST vulnerability CVE-2021-22974
882189-1 CVE-2020-5897 K20346072 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
882185-1 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
881317-7 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
881293-1 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
880361-7 CVE-2021-22973 K13323323 iRules LX vulnerability CVE-2021-22973
976925-1 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
954429-1 CVE-2021-23014 K23203045 User authorization changes for live update
948769-6 CVE-2021-23013 K05300051 TMM panic with SCTP traffic
942921-1 CVE-2021-22985 K32049501 BIG-IP APM vulnerability CVE-2021-22985
939845-1 CVE-2021-23004 K31025212 BIG-IP MPTCP vulnerability CVE-2021-23004
939841-1 CVE-2021-23003 K43470422 BIG-IP MPTCP vulnerability CVE-2021-23003
937637-2 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
935401-1 CVE-2021-23001 K06440657 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
924961-1 CVE-2019-20892 K45212738 CVE-2019-20892: SNMP Vulnerability
881445-8 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
877109-8 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy
842717-8 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
743105-1 CVE-2021-22998 K31934524 BIG-IP SNAT vulnerability CVE-2021-22998
718189-10 CVE-2021-23011 K10751325 Unspecified IP traffic can cause low-memory conditions
773693-9 CVE-2020-5892 K15838353 CVE-2020-5892: APM Client Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
930005-1 3-Major   Recover previous QUIC cwnd value on spurious loss
920961-1 3-Major   Devices incorrectly report 'In Sync' after an incremental sync
756139-5 3-Major   Inconsistent logging of hostname files when hostname contains periods
921421-4 4-Minor   iRule support to get/set UDP's Maximum Buffer Packets


TMOS Fixes

ID Number Severity Solution Article(s) Description
957337-2 2-Critical   Tab complete in 'mgmt' tree is broken
942497-3 2-Critical   Declarative onboarding unable to download and install RPM
940021-4 2-Critical   Syslog-ng hang may lead to unexpected reboot
933409-1 2-Critical   Tomcat upgrade via Engineering Hotfix causes live-update files removal
932437-1 2-Critical   Loading SCF file does not restore files from tar file
927033-3 2-Critical   Installer fails to calculate disk size of destination volume
915305-6 2-Critical   Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
910201-4 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
908517-4 2-Critical   LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
829677-5 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
818253-5 2-Critical   Generate signature files for logs
776393-4 2-Critical   Restjavad restarts frequently due to insufficient memory with relatively large configurations
739505-4 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
967745-1 3-Major   Last resort pool error for the modify command for Wide IP
945265-5 3-Major   BGP may advertise default route with incorrect parameters
939541-1 3-Major   TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
936125-1 3-Major   SNMP request times out after configuring IPv6 trap destination
932233-1 3-Major   '@' no longer valid in SNMP community strings
930905-2 3-Major   Management route lost after reboot.
927941-6 3-Major   IPv6 static route BFD does not come up after OAMD restart
921361-3 3-Major   SSL client and SSL server profile names truncated in GUI
915497-1 3-Major   New Traffic Class Page shows multiple question marks.
913433-2 3-Major   On blade failure, some trunked egress traffic is dropped.
909197-2 3-Major   The mcpd process may become unresponsive
904785-2 3-Major   Remotely authenticated users may experience difficulty logging in over the serial console
902401 3-Major   OSPFd SIGSEGV core when 'ospf clear' is done on remote device
898705-6 3-Major   IPv6 static BFD configuration is truncated or missing
898461-1 3-Major   Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
896817-1 3-Major   iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
895837-4 3-Major   Mcpd crash when a traffic-matching-criteria destination-port-list is modified
892785 3-Major   Azure walinuxagent has been updated to v2.2.48.1
889041-4 3-Major   Failover scripts fail to access resolv.conf due to permission issues
888497-1 3-Major   Cacheable HTTP Response
879405-3 3-Major   Incorrect value in Transparent Nexthop property
876805-4 3-Major   Modifying address-list resets the route advertisement on virtual servers.
865177-5 3-Major   Cert-LDAP returning only first entry in the sequence that matches san-other oid
858197-5 3-Major   Merged crash when memory exhausted
830413-2 3-Major   Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure
820845-5 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
807337-6 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
806073-8 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
797829-7 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
787885-3 3-Major   The device status is falsely showing as forced offline on the network map while actual device status is not.
749007-5 3-Major   South Sudan, Sint Maarten, and Curacao country missing in GTM region list
398683-5 3-Major K12304 Use of a # in a TACACS secret causes remote auth to fail
966277-2 4-Minor   BFD down on multi-blade system
933461-5 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
924429-1 4-Minor   Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
914761-4 4-Minor   Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
902417-6 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
892677-6 4-Minor   Loading config file with imish adds the newline character


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
937777-1 2-Critical   The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.
910653-6 2-Critical   iRule parking in clientside/serverside command may cause tmm restart
953845-2 3-Major   After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
949145-6 3-Major   Improve TCP's response to partial ACKs during loss recovery
946953-2 3-Major   HTTP::close used in iRule might not close connection.
944641-2 3-Major   HTTP2 send RST_STREAM when exceeding max streams
934993-1 3-Major   BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
916589-1 3-Major   QUIC drops 0RTT packets if CID length changes
915713-1 3-Major   Support QUIC and HTTP3 draft-29
915605-2 3-Major K56251674 Image install fails if iRulesLX is provisioned and /usr mounted read-write
913249-1 3-Major   Restore missing UDP statistics
901929-1 3-Major   GARPs not sent on virtual server creation
892941-1 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
879413-7 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
845333-7 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
803629-8 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
717346-8 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
714642-7 3-Major   Ephemeral pool-member state on the standby is down
935593-5 4-Minor   Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
914681-1 4-Minor   Value of tmm.quic.log.level can differ between TMSH and GUI
808409-5 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
748333-6 4-Minor   DHCP Relay does not retain client source IP address for chained relay mode
738032-4 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
859717-1 5-Cosmetic   ICMP-limit-related warning messages in /var/log/ltm


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
960749-1 1-Blocking   TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
953393-1 1-Blocking   TMM crashes when performing iterative DNS resolutions.
933405-1 1-Blocking K34257075 Zonerunner GUI hangs when attempting to list Resource Records
960437-1 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
918169-4 2-Critical   The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
916753-1 2-Critical   RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
837637-5 2-Critical K02038650 Orphaned bigip_gtm.conf can cause config load failure after upgrading
926593-1 3-Major   GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
921625-1 3-Major   The certs extend function does not work for GTM/DNS sync group
891093-2 3-Major   iqsyncer does not handle stale pidfile
644192-9 3-Major K23022557 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN
896861-1 4-Minor   PTR query enhancement for RESOLVER::name_lookup
853585-3 4-Minor   REST Wide IP object presents an inconsistent lastResortPool value


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
940249-1 2-Critical   Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-1 2-Critical   'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
941853-5 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
941621-1 3-Major K91414704 Brute Force breaks server's Post-Redirect-Get flow
940897-1 3-Major   Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
930017-1 3-Major   Bot defense profile upgrade fails from 14.x to 15.x/16.x with error match-order should be unique
929077-3 3-Major   Bot Defense allow list does not apply when using default Route Domain and XFF header
921677-1 3-Major   Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
918933-1 3-Major K88162221 The BIG-IP ASM system may not properly perform signature checks on cookies
918081-2 3-Major   Application Security Administrator role cannot create parent policy in the GUI
913757-2 3-Major   Error viewing security policy settings for virtual server with FTP Protocol Security
913137-2 3-Major   No learning suggestion on ASM policies enabled via LTM policy
910253-3 3-Major   BD error on HTTP response after upgrade
904053-1 3-Major   Unable to set ASM Main Cookie/Domain Cookie hashing to Never
903357-4 3-Major   Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
893061-4 3-Major   Out of memory for restjavad
722337-4 3-Major   Always show violations in request log when post request is large
962817-1 4-Minor   Description field of a JSON policy overwrites policy templates description
960385-1 4-Minor   In rare conditions modal does not close when it should
935293-6 4-Minor   'Detected Violation' Field for event logs not showing
919001-3 4-Minor   Live Update: Update Available notification is shown twice in rare conditions
896285-1 4-Minor   No parent entity in suggestion to add predefined-filetype as allowed filetype


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
934721-4 2-Critical   TMM core due to wrong assert
924301-2 3-Major   Incorrect values in REST response for DNS/SIP
743826-5 3-Major   Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
648242-7 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
910097-4 2-Critical   Changing per-request policy while tmm is under traffic load may drop heartbeats
896709-4 2-Critical   Add support for Restart Desktop for webtop in VMware VDI
924929-3 3-Major   Logging improvements for VDI plugin
914649-4 3-Major   Support USB redirection through VVC (VMware virtual channel) with BlastX
760629-6 3-Major   Remove Obsolete APM keys in BigDB
739570-5 3-Major   Unable to install EPSEC package
766017-7 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies


Service Provider Fixes

ID Number Severity Solution Article(s) Description
952545-1 3-Major   'Current Sessions' statistics of HTTP2 pool may be incorrect
939529-1 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values
913373-1 3-Major   No connection error after failover with MRF, and no connection mirroring


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
938165-3 2-Critical   TMM Core after attempted update of IP geolocation database file
965617-4 3-Major   HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
963237-4 3-Major   Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
938149-2 3-Major   Port Block Update log message is missing the "Start time" field


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
928553-4 2-Critical   LSN64 with hairpinning can lead to a tmm core in rare circumstances
966681-3 3-Major   NAT translation failures while using SP-DAG in a multi-blade chassis


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
915489-3 4-Minor   LTM Virtual Server Health is not affected by iRule Requests dropped


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
874677-4 2-Critical   Traffic Classification auto signature update fails from GUI
954937 3-Major   Tmm crash when GPA POLICY is used


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
768085-6 4-Minor   Error in python script /usr/libexec/iAppsLX_save_pre line 79


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
825501-4 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.



Cumulative fixes from BIG-IP v16.0.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935029-4 CVE-2020-27720 K04048104 TMM may crash while processing IPv6 NAT traffic
933741-1 CVE-2021-22979 K63497634 BIG-IP FPS XSS vulnerability CVE-2021-22979
932065-1 CVE-2021-22978 K87502622 iControl REST vulnerability CVE-2021-22978
928321-4 CVE-2020-27719 K19166530 K19166530: XSS vulnerability CVE-2020-27719
917509-2 CVE-2020-27718 K58102101 BIG-IP ASM vulnerability CVE-2020-27718
911761-1 CVE-2020-5948 K42696541 F5 TMUI XSS vulnerability CVE-2020-5948
908673-6 CVE-2020-27717 K43850230 TMM may crash while processing DNS traffic
891457-1 CVE-2020-5939 K75111593 NIC driver may fail while transmitting data
888417-6 CVE-2020-8840 K15320518 Apache Vulnerability: CVE-2020-8840
879745-6 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
876353-2 CVE-2020-5941 K03125360 iRule command RESOLV::lookup may cause TMM to crash
814953-8 CVE-2020-5940 K43310520 TMUI dashboard hardening
928037-1 CVE-2020-27729 K15310332 APM Hardening
919989-3 CVE-2020-5947 K64571774 TMM does not follow TCP best practices
919841-4 CVE-2020-27728 K45143221 AVRD may crash while processing Bot Defense traffic
917469-1 CVE-2020-5946 K53821711 TMM may crash while processing FPS traffic
917005-6 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
912969-1 CVE-2020-27727 K50343630 iAppsLX REST vulnerability CVE-2020-27727
910017-1 CVE-2020-5945 K21540525 Security hardening for the TMUI Interface page
905125-1 CVE-2020-27726 K30343902 Security hardening for APM Webtop
898949-6 CVE-2020-27724 K04518313 APM may consume excessive resources while processing VPN traffic
778049-1 CVE-2018-13405 K00854051 Linux Kernel Vulnerability: CVE-2018-13405
693360-1 CVE-2020-27721 K52035247 A virtual server status changes to yellow while still available
639773-7 CVE-2021-22983 K76518456 BIG-IP AFM vulnerability CVE-2021-22983
818213-7 CVE-2019-10639 K32804955 CVE-2019-10639: KASLR bypass using connectionless protocols
889557 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
839145-4 CVE-2019-10744 K47105354 CVE-2019-10744: lodash vulnerability
834533-8 CVE-2019-15916 K57418558 Linux kernel vulnerability CVE-2019-15916


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
947905-1 1-Blocking   Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails
896217-1 2-Critical   BIG-IP GUI unresponsive
871561-6 2-Critical   Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'
706521-1 2-Critical K21404407 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
924493-1 3-Major   VMware EULA has been updated
904845-1 3-Major   VMware guest OS customization works only partially in a dual stack environment.
904705-1 3-Major   Cannot clone Azure marketplace instances.
886689-7 3-Major   Generic Message profile cannot be used in SCTP virtual
880625-4 3-Major   Check-host-attr enabled in LDAP system-auth creates unusable config
880165-3 3-Major   Auto classification signature update fails
844085-5 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
814585-8 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
788577-8 3-Major   BFD sessions may be reset after CMP state change
759564-1 3-Major   GUI not available after upgrade
740589-5 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
714176-6 3-Major   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
489572-6 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
919745-1 4-Minor   CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-4 4-Minor   GUI Network Map icons color scheme is not section 508 compliant
906889-2 4-Minor   Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
890277-4 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
864757-4 4-Minor   Traps that were disabled are enabled after configuration save
779857-3 4-Minor   Misleading GUI error when installing a new version in another partition
751103-1 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
919885-1 2-Critical   A TCP connection is not closed after invoking the HTTP::respond iRule command.
948757-1 3-Major   A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
915689-2 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915281-3 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
910521-1 3-Major   Support QUIC and HTTP draft-28
892385-5 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
803233-6 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
932937-1 4-Minor   HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
926997-2 4-Minor   QUIC HANDSHAKE_DONE profile statistics are not reset


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
919553-1 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
788465-6 2-Critical   DNS cache idx synced across HA group could cause tmm crash
783125-5 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
789421-5 3-Major   Resource-administrator cannot create GTM server object through GUI


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
901061-1 3-Major   Safari browser might be blocked when using Bot Defense profile and related domains.
900797-1 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900793-4 3-Major K32055534 APM Brute Force Protection resources do not scale automatically
900789-1 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
892653-4 3-Major   Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
908065-1 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
902485-5 3-Major   Incorrect pool member concurrent connection value
841305-3 3-Major   HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
819301-3 3-Major   Incorrect values in REST response for dos-l3 table


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
892937-1 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
747020-3 3-Major   Requests that evaluate to same subsession can be processed concurrently


Service Provider Fixes

ID Number Severity Solution Article(s) Description
904373-4 3-Major   MRF GenericMessage: Implement limit to message queues size
898997-1 3-Major   GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
891385-1 3-Major   Add support for URI protocol type "urn" in MRF SIP load balancing
876953-1 3-Major   Tmm crash while passing diameter traffic
817369-3 3-Major   TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
924349-3 4-Minor   DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP
916781-3 4-Minor   Validation error while attaching DoS profile to GTP virtual


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
876581-1 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
891729-1 4-Minor   Errors in datasyncd.log
759988-1 4-Minor   Geolocation information inconsistently formatted
940401-1 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'



Cumulative fixes from BIG-IP v16.0.0.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935721-6 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624


Functional Change Fixes

None


Cumulative fix details for BIG-IP v16.0.1.2 that are included in this release

999021-1 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active

Component: TMOS

Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.

If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.

Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.

Impact:
IPsec IKEv1 tunnels fail and do not start again.

Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.

-- Avoid full syncs from Standby to Active.

How to recover when the problem occurs:

-- Disable the affected ike-peer and re-enable it.

Fix:
IKEv1 tunnels are able to negotiate after Standby to Active config sync.


998221-2 : Accessing pool members from configuration utility is slow with large config

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.


997929-2 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).


996753-3 : ASM BD process may crash while processing HTML traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM BD process may crash while processing HTML traffic

Conditions:
- ASM profile enabled

Impact:
ASM traffic disrupted while BD restarts.

Workaround:
None.

Fix:
ASM now processes HTML traffic as expected.


996593-1 : Password change through REST or GUI not allowed if the password is expired

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.


996381-2 : ASM attack signature may not match as expected

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.


995629-4 : Loading UCS files may hang if ASM is provisioned

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fails while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' and de-provision ASM. The UCS file should then load successfully.

Fix:
Loading UCS files no longer hangs if ASM is provisioned.


994801-8 : SCP file transfer hardening

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
Administrative user with SCP access.

Impact:
users with with SCP access but without shell access can run arbitrary commands

Workaround:
None

Fix:
The SCP file transfer system now follows current best practices.


993489-2 : GTM daemon leaks memory when reading GTM link objects

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None


990333-6 : APM may return unexpected content when processing HTTP requests

Solution Article: K75540265


989753-1 : In HA setup, standby fails to establish connection to server

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.


989009-2 : BD daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the BD daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
BD daemon crash leading to a failover event

Workaround:
N/A

Fix:
The BD daemon now processes WebSocket traffic as expected.


988005-2 : Zero active rules counters in GUI

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.


986937-2 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.


984657-1 : Sysdb variable not working from tmsh

Component: Traffic Classification Engine

Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables does not work from tmsh

Fix:
After the fix able to verify sysdb variables from tmsh


982869-2 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.


981785-4 : Incorrect incident severity in Event Correlation statistics

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.


981385-2 : AVRD does not send HTTP events to BIG-IQ DCD

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.


981169-1 : F5 TMUI XSS vulnerability CVE-2021-22994

Solution Article: K66851119


980821-3 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protcol UDP
    ...
  }

Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.


980809-1 : ASM REST Signature Rule Keywords Tool Hardening

Component: Application Security Manager

Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Workaround:
N/A.

Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.


980125-2 : BD Daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the WAF daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
WAF crash resulting in a failover event.

Workaround:
N/A

Fix:
WAF now processes WebSocket traffic as expected.


979081-1 : Hardening of ASM External References

Component: Application Security Manager

Symptoms:
Some ASM actions allow specifying external references for resources. Under certain conditions processing of the external resource does not follow current best practices.

Conditions:
-ASM provisioned
-External resources configured

Impact:
Resolution of external resources is incorrect.

Workaround:
N/A

Fix:
External resources are now processed as expected..


977053-1 : TMM crash on standby due to invalid MR router instance

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.


976925-1 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


976617-1 : Manual signature sets are converted to filter based when trying to update signature set without field "type"

Component: Application Security Manager

Symptoms:
Manual signature sets are converted to filter based when trying to update signature set without field "type" in rest request.

Conditions:
Patch request to manual signature set without type.

Impact:
Manual signature set is being converted to filter based signature set

Workaround:
Update the signature set again to convert to manual, then add the appropriate signatures to it.

Fix:
Updated the logic to check the existing type of signature set before updating it.


976505-4 : Rotated restnoded logs will fail logintegrity verification.

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.


975809-3 : Rotated restjavad logs fail logintegrity verification.

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.


975465-1 : TMM may consume excessive resources while processing DNS iRules

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may consume excessive resources while processing DNS iRules

Conditions:
- RESOLVER::summarize iRule command in use

Impact:
TMM consumes excessive resources

Workaround:
Use 'DNSMSG::section <response> answer' in place of 'RESOLVER::summarize <response>'

Fix:
TMM now processes DNS iRules as expected.


975233-1 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Solution Article: K52510511


974881-3 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.


973333-6 : TMM buffer-overflow vulnerability CVE-2021-22991

Solution Article: K56715231


973261-1 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.


971297-1 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.


970829-6 : iSeries LCD incorrectly displays secure mode

Solution Article: K03310534

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.


969509-1 : Possible memory corruption due to DOS vector reset

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.


969385-1 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.

Component: BIG-IP Risk Engine

Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile

Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)

Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.

Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).

Fix:
None


969213-3 : VMware: management IP cannot be customized via net.mgmt.addr property

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.


968733-7 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Solution Article: K42202505


968641 : Fix for zero LACP priority

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminate LACP priority equal 0


968421-1 : ASM attack signature doesn't matched

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.


968349-2 : TMM crashes with unspecified message

Component: Service Provider

Symptoms:
TMM crashes with unspecified message

Conditions:
Requires specific iRule for gtp processing.

Impact:
TMM crashes with core and restarts. Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
TMM handles unspecified message properly.


967905-4 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.


967745-1 : Last resort pool error for the modify command for Wide IP

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.


966701-1 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enable the return type in generic msg filter when data received over SCTP transport


966681-3 : NAT translation failures while using SP-DAG in a multi-blade chassis

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlan's

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.


966277-2 : BFD down on multi-blade system

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.


965617-4 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
More resources loading during DDoS attack

Fix:
Correct free spot search with offloading to HSB


965485-4 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Solution Article: K41523201


964897-1 : Live Update - Indication of "Update Available" when there is no available update

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.


964585-2 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Component: Protocol Inspection

Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.


964577-2 : IPS automatic IM download not working as expected

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.


963461-2 : ASM performance drop on the response side

Component: Application Security Manager

Symptoms:
Clients encounter a longer time to respond from the BIG-IP

Conditions:
-- One of the following features is enabled:
   - convictions
   - csrf
   - ajax.
-- The response is HTML
-- The response has many tags

Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.


963237-4 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.


962817-1 : Description field of a JSON policy overwrites policy templates description

Component: Application Security Manager

Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.

If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.

Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.

Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.

Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:

rm -f /ts/install/policy_templates/fundamental.bin

Fix:
The binary file now contains the correct description.


962497-1 : BD crash after ICAP response

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


962341-5 : BD crash while processing JSON content

Component: Application Security Manager

Symptoms:
Under certain conditions, BD may crash while processing JSON content

Conditions:
- ASM enabled
- JSON content profile enabled

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


962333-1 : FIN from client does not get propagated to server side, if the FIN arrives before server side reaching ESTABLISHED

Component: Local Traffic Manager

Symptoms:
FIN from client will not be propagated to server side, if the FIN arrives in BIG-IP before the corresponding server side connection reaches ESTABLISHED.

Conditions:
- standard virtual server with the default tcp profile
- client sends FIN immediately after 3WHS

Impact:
These connections remain until the idle timeout is reached.

Workaround:
None


962177-1 : Results of POLICY::names and POLICY::rules commands may be incorrect

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.


960749-1 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.


960437-1 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.


960385-1 : In rare conditions modal does not close when it should

Component: Application Security Manager

Symptoms:
When one modal is already opened in the GUI and the system tries to open another one, first one is not closed

Conditions:
In new policy settings pages following steps are needed:
 - open settings page and change something so that Save button becomes active
 - open modal (e.g. Add Webhook in General Settings)
 - press back in browser

Impact:
Unsaved changes modal is not visible.

Workaround:
Close modals before navigating back in the browser

Fix:
On open of new modal - all previous are forced to close


960369-1 : Negative value suggested in Traffic Learning as max value

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY


959629-1 : Logintegrity script for restjavad/restnoded fails

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.


959121-5 : Not following best practices in Guided Configuration Bundle Install worker

Solution Article: K74151369


958465-1 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.


958353-1 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.


957337-2 : Tab complete in 'mgmt' tree is broken

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.


957029-2 : MRF Diameter loop-detection is enabled by default

Component: Service Provider

Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.

Conditions:
Default diameter session profile loop detection configuration.

Impact:
System performance is impacted even if MRF Diameter loop detection is not used.

Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.

Fix:
MRF Diameter loop detection is now disabled by default.

Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.


956373-1 : ASM sync files not cleaned up immediately after processing

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.


956105-1 : Websocket URLs content profiles are not created as expected during JSON Policy import

Component: Application Security Manager

Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import

Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.

Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.

Workaround:
The content profiles can be manually associated after the import process using REST or GUI.

Fix:
Setting the correct profile reference during import.


955145-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


955017-1 : Excessive CPU consumption by asm_config_event_handler

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.


954937 : Tmm crash when GPA POLICY is used

Component: Traffic Classification Engine

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Traffic classification policy exists and is configured to block the application traffic
-- Application traffic is passed

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a PEM policy to block the traffic instead of a traffic classification policy

Fix:
Fixed a tmm crash when a traffic classification policy is configured to block application traffic.


954429-1 : User authorization changes for live update

Solution Article: K23203045


954381-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


953845-2 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.


953729-1 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Solution Article: K56142644 K45056101


953677-1 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


953393-1 : TMM crashes when performing iterative DNS resolutions.

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.

To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.

The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).

Fix:
TMM no longer crashes.


952545-1 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.


952509-3 : Cross origin AJAX requests are blocked in case there is no Origin header

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.


951705-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


951133-3 : Live Update does not work properly after upgrade

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat


950077-1 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


950017-1 : TMM may crash while processing SCTP traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic. After this crash logs will show the message: "flow not in use".

Conditions:
- SCTP profile enabled

Impact:
TMM crashing leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes SCTP traffic as expected.


949933-5 : BIG-IP APM CTU vulnerability CVE-2021-22980

Solution Article: K29282483


949889-4 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Solution Article: K04107324


949721-1 : QUIC does not send control frames in PTO packets

Component: Local Traffic Manager

Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.

Conditions:
A control frame is in-flight when the PTO timer fires.

Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.

Workaround:
None.

Fix:
Retransmittable control frames are now sent when the PTO timer fires.


949593-4 : Unable to load config if AVR widgets were created under '[All]' partition

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.


949145-6 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.


948769-6 : TMM panic with SCTP traffic

Solution Article: K05300051


948757-1 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.


948573-5 : Wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.


947905-1 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails

Component: TMOS

Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.

The system posts errors similar to the following:

-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property

Conditions:
Upgrade from one of the following release:

-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch

to one of the following releases:

-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1

Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.

Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.

You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903


947341-2 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries containing:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL out of resources when opening files
PRX.REQUEST_LOG Corrupt

Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

1) To identify the empty partitions, look into:
   SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G

2) For every partition that is empty, manually (or via shell script) execute this sql:
   ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'

4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5) pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases 'open_files_limit' to '10000'.


946953-2 : HTTP::close used in iRule might not close connection.

Component: Local Traffic Manager

Symptoms:
HTTP::close used in an iRule might not close the connection. For example:

when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
  }

Conditions:
Using HTTP::close along with HTTP::respond

Impact:
HTTP connection can be re-used.

Workaround:
Explicitly add close header in the HTTP::respond. For example:

HTTP::respond 200 content "OK" Connection close

Fix:
Fixed an issue where HTTP::close might not close a connection.


946377-1 : HSM WebUI Hardening

Component: Local Traffic Manager

Symptoms:
The HSM Management WebUI does not follow current best practices.

Conditions:
HSM Management WebUI accessed by an authorized administrative user.

Impact:
The HSM Management WebUI does not follow current best practices.

Workaround:
N/A

Fix:
The HSM Management WebUI now follows current best practices.


946089-3 : BIG-IP might send excessive multicast/broadcast traffic.

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.


946081-5 : Getcrc tool help displays directory structure instead of version

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.


945997-1 : LTM policy applied to HTTP/2 traffic may crash TMM

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.


945601-5 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.

Component: Local Traffic Manager

Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.

Conditions:
Policy contains multiple rules which employ TCP address matching condition.

Impact:
Inocorrect LTM policy is applied.


945265-5 : BGP may advertise default route with incorrect parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>


945109-1 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Solution Article: K46641512


944785-4 : Admd restarting constantly. Out of memory due to loading malformed state file

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.


944641-2 : HTTP2 send RST_STREAM when exceeding max streams

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.


944441-5 : BD_XML logs memory usage at TS_DEBUG level

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.


943913-2 : ASM attack signature does not match

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.


943125-1 : ASM bd may crash while processing WebSocket traffic

Solution Article: K18570111


943081-4 : Unspecified HTTP/2 traffic may cause TMM to crash

Solution Article: K90603426


942921-1 : BIG-IP APM vulnerability CVE-2021-22985

Solution Article: K32049501


942497-3 : Declarative onboarding unable to download and install RPM

Component: TMOS

Symptoms:
Installation of declarative onboarding RPM fails.

Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.

Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.

Workaround:
RPMs must be installed manually.

Fix:
The installation directory was updated to fix the RPM installation issue.


942185-1 : Non-mirrored persistence records may accumulate over time

Component: Local Traffic Manager

Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.

Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.


941929-3 : Google Analytics shows incorrect stats, when Google link is redirected.

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None


941853-5 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941621-1 : Brute Force breaks server's Post-Redirect-Get flow

Solution Article: K91414704

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.


941449-1 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Solution Article: K55237223


941249-5 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Component: Application Security Manager

Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None

Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s


940897-1 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.


940665-2 : DTLS 1.0 support for PFS ciphers

Component: Local Traffic Manager

Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.

* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA

Conditions:
DTLS 1.0 is configured in an SSL profile.

Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.


940401-1 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


940249-1 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.


940021-4 : Syslog-ng hang may lead to unexpected reboot

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.


939961-1 : TCP connection is closed when necessary after HTTP::respond iRule.

Component: Local Traffic Manager

Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
N/A

Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.


939845-1 : BIG-IP MPTCP vulnerability CVE-2021-23004

Solution Article: K31025212


939841-1 : BIG-IP MPTCP vulnerability CVE-2021-23003

Solution Article: K43470422


939541-1 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
TMM no longer shuts down prematurely during initialization.


939529-1 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.


939421-1 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Solution Article: K38481791


938233-1 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Component: Local Traffic Manager

Symptoms:
BIG-IP exhibits gradual and linear increase in memory accumulation (high xfrag accumulation) leading to high CPU utilization.

Impact:
This may start affecting BIG-IPs capacity to serve other incoming requests as CPU utilization tends towards maximum limit.

Fix:
BIG-IP no longer shows the known issues of high memory (xfrag) accumulation that leads to the high CPU utilization.


938165-3 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.


938149-2 : Port Block Update log message is missing the "Start time" field

Component: Advanced Firewall Manager

Symptoms:
Port Block Update log message is missing the "Start time" field.

Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.

Impact:
NAT Log information is not usable for accounting purpose.

Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.


937777-1 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.

Component: Local Traffic Manager

Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.

Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload

Impact:
Traffic disrupted while the TMM restarts.

Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.

Fix:
Having a Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload will no longer cause the TMM to crash.


937637-2 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


937365-1 : LTM UI does not follow best practices

Component: TMOS

Symptoms:
The SCTP component of LTM WebUI does not follow current best practices.

Conditions:
- Authenticated LTM WebUI user

Impact:
LTM WebUI does not follow current best practices.

Workaround:
None

Fix:
TMUI now follows best practices.


936125-1 : SNMP request times out after configuring IPv6 trap destination

Component: TMOS

Symptoms:
SNMP request is times out.

Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.

Impact:
No response is returned for SNMP request.

Workaround:
Restart SNMP daemon by running the following TMSH command:

restart sys service snmpd

Fix:
N/A


935721-6 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935593-5 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.


935433-1 : iControl SOAP Hardening

Component: TMOS

Symptoms:
Under certain condition, iControl SOAP does not follow current best practices.

Conditions:
- Undisclosed conditions.

Impact:
iControl SOAP doe not follow current best practices.

Workaround:
N/A

Fix:
iControl SOAP now follows current best practices.


935401-1 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Solution Article: K06440657


935293-6 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.


935029-4 : TMM may crash while processing IPv6 NAT traffic

Solution Article: K04048104


934993-1 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.

Workaround:
None.

Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.


934721-4 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.

Fix:
Fixed a tmm crash related to ACL statistics


934065-2 : The turboflex-low-latency and turboflex-dns are missing.

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.

Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.


933777-4 : Context use and syntax changes clarification

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.


933741-1 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Solution Article: K63497634


933461-5 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


933409-1 : Tomcat upgrade via Engineering Hotfix causes live-update files removal

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.

Impact:
Live-update functionality does not work properly.

Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.


933405-1 : Zonerunner GUI hangs when attempting to list Resource Records

Solution Article: K34257075

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.


932937-1 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.


932737-4 : DNS & BADOS high-speed logger messages are mixed

Component: Anomaly Detection Services

Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.

Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.

Impact:
Reporting will be confusing.


932497-2 : Autoscale groups require multiple syncs of datasync-global-dg

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.

Fix:
Perform full sync for each change when having multiple live update changes in a row.


932485-4 : Incorrect sum(hits_count) value in aggregate tables

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.


932437-1 : Loading SCF file does not restore files from tar file

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.


932233-1 : '@' no longer valid in SNMP community strings

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.


932065-1 : iControl REST vulnerability CVE-2021-22978

Solution Article: K87502622


931837-7 : NTP has predictable timestamps

Solution Article: K55376430


931513-1 : TMM vulnerability CVE-2021-22977

Solution Article: K14693346


930905-2 : Management route lost after reboot.

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.

Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

-- The instance is rebooted.

Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd


930017-1 : Bot defense profile upgrade fails from 14.x to 15.x/16.x with error match-order should be unique

Component: Application Security Manager

Symptoms:
Upgrading Bot defense profile fails with match-order field 1 or 2 fails, while the error is "match-order should be unique"

Conditions:
- ASM provisioned
- Bot defense profile has allow list object (the GUI says whitelist object)
- The object has a field match-order = 1 or 2
- Upgrade happening from 14.x to 15.x/16.x

Impact:
Upgrade fails

Workaround:
Before upgrading
-- Change match-order field 1 to 3
-- Change match-order field 2 to 4

Fix:
Fix changes match-order field 1 to 3 and match-order field 2 to 4 programmatically


930005-1 : Recover previous QUIC cwnd value on spurious loss

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.

Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.


929077-3 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.


929001-2 : ASM form handling improvements

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.


928697-1 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.


928685-1 : ASM Brute Force mitigation not triggered as expected

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when HTTP_REQUEST
{

    if { [catch { HTTP::username } ] } {
      log local0. "ERROR: bad username";
      ASM::raise bad_auth_header_custom_violation
    }

}

Fix:
Brute Force mitigation is now triggered as expected.


928553-4 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.

Fix:
Tmm does not crash anymore.


928321-4 : K19166530: XSS vulnerability CVE-2020-27719

Solution Article: K19166530


928037-1 : APM Hardening

Solution Article: K15310332


927941-6 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.


927617-1 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contain the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.


927033-3 : Installer fails to calculate disk size of destination volume

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0


926997-2 : QUIC HANDSHAKE_DONE profile statistics are not reset

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

Impact of Workaround: Traffic disrupted while tmm restarts.

bigstart restart tmm

Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.


926929-4 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None.

Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:

HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).


926593-1 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets


924961-1 : CVE-2019-20892: SNMP Vulnerability

Solution Article: K45212738


924945-4 : Fail to detach HTTP profile from virtual server

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.


924929-3 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.


924857-3 : Logout URL with parameters resets TCP connection

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.


924493-1 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.


924429-1 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.


924349-3 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.


924301-2 : Incorrect values in REST response for DNS/SIP

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached

Impact:
An incorrect value is calculated in the REST response.

Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation


923301-3 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Component: Application Security Manager

Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Conditions:
Automatic installation of ASU on manual sync setup.

Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Workaround:
Manually sync the device group.

Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.


922785-1 : Live Update scheduled installation is not installing on set schedule

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14


922297-1 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).


922261-1 : WebSocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.

Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.


921881-1 : Use of IPFIX log destination can result in increased CPU utilization

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.


921677-1 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new allow list item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.

Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.


921625-1 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.


921421-4 : iRule support to get/set UDP's Maximum Buffer Packets

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.


921361-3 : SSL client and SSL server profile names truncated in GUI

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.


921337-6 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Solution Article: K88230177


920961-1 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.


920197-4 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.


919989-3 : TMM does not follow TCP best practices

Solution Article: K64571774


919885-1 : A TCP connection is not closed after invoking the HTTP::respond iRule command.

Component: Local Traffic Manager

Symptoms:
After sending a HTTP response that would normally cause the underlying TCP connection to get closed, the BIG-IP system fails to close the TCP connection.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule command is used.
- The HTTP filter sets the "Connection: close" header (for example, in response to a HTTP/1.0 request that does not request Keep-Alive behavior).

Impact:
The TCP connection lives longer than needed, and even allows the client to send subsequent requests over the same connection.

Workaround:
N/A

Fix:
TCP connection is now closed as necessary after invoking the HTTP::respond iRule command.


919841-4 : AVRD may crash while processing Bot Defense traffic

Solution Article: K45143221


919745-1 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.


919553-1 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.


919001-3 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
This can be encountered on the first load of the Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.


918933-1 : The BIG-IP ASM system may not properly perform signature checks on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221


918597-6 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.


918209-4 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.


918169-4 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.


918097-4 : Cookies set in the URI on Safari

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.

Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.

This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable

Default value is the original behavior (enable), which sets the cookie in the URl.

NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.


918081-2 : Application Security Administrator role cannot create parent policy in the GUI

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.

Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.

Fix:
The Application Security Administrator role can now create the parent policy when required.


917509-2 : BIG-IP ASM vulnerability CVE-2020-27718

Solution Article: K58102101


917469-1 : TMM may crash while processing FPS traffic

Solution Article: K53821711


917005-6 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


916821-1 : iControl REST vulnerability CVE-2021-22974

Solution Article: K68652018


916781-3 : Validation error while attaching DoS profile to GTP virtual

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.

Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.


916753-1 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.

For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:

instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53


916589-1 : QUIC drops 0RTT packets if CID length changes

Component: Local Traffic Manager

Symptoms:
QUIC sometimes rejects valid 0RTT packets.

Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.

Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.

Workaround:
None.

Fix:
Fixed an issue with 0RTT packets when using QUIC.


915713-1 : Support QUIC and HTTP3 draft-29

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.

Conditions:
Browser requests draft-29.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.


915689-2 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.


915605-2 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Solution Article: K56251674

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume as one of the following:

-- Could not access configuration source.
-- Unable to get hosting system product info.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915497-1 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.


915489-3 : LTM Virtual Server Health is not affected by iRule Requests dropped

Component: Anomaly Detection Services

Symptoms:
Virtual Server Health should not take into account deliberate drop requests.

Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.

Impact:
Server Health reflects it is overloading status more precisely.

Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.

Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.


915305-6 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.


915281-3 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


914761-4 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.


914681-1 : Value of tmm.quic.log.level can differ between TMSH and GUI

Component: Local Traffic Manager

Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.

Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.

Impact:
Misleading log level displayed in the GUI.

Workaround:
Use TMSH to set and view values for tmm.quic.log.level.

Fix:
GUI values for tmm.quic.log.level are now displayed properly.


914649-4 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop


914293-4 : TMM SIGSEGV and crash

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.

Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.


914277-1 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.

Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.

Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.


914245-3 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.


913849-2 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.

Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.


913829-5 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.

Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.

You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.


913761-1 : Security - Options section in navigation menu is visible for only Administrator users

Component: Application Security Manager

Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.

Conditions:
You logged in as a user configured with a role other than Administrator.

Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.

Workaround:
Direct links to the pages work for those with the appropriate roles.

Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM


913757-2 : Error viewing security policy settings for virtual server with FTP Protocol Security

Component: Application Security Manager

Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:

An error has occurred while trying to process your request.

Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.

Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:

An error has occurred while trying to process your request.

Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:

-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:

 tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }

Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.


913729-6 : Support for DNSSEC Lookaside Validation (DLV) has been removed.

Component: Global Traffic Manager (DNS)

Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.

Conditions:
Attempting to use DLV.

Impact:
Cannot use DLV.

Workaround:
None. DLV is no longer supported.

Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.

Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).


913433-2 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.


913373-1 : No connection error after failover with MRF, and no connection mirroring

Component: Service Provider

Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.

Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.

Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.

Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.


913249-1 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes


913137-2 : No learning suggestion on ASM policies enabled via LTM policy

Component: Application Security Manager

Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.

Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.

This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.

Impact:
No learning suggestions.

Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.

Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.


913085-2 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.


912969-1 : iAppsLX REST vulnerability CVE-2020-27727

Solution Article: K50343630


912425-4 : Modification of in-tmm monitors may result in crash

Component: In-tmm monitors

Symptoms:
TMM crash.

Conditions:
-- Modify in-tmm monitors.
-- Perform configuration sync.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Disable in-tmm monitors.
-- Avoid config syncing to the active device.


912089-1 : Some roles are missing necessary permission to perform Live Update

Component: Application Security Manager

Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.

Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.

Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.

Workaround:
None.

Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator


912001-2 : TMM cores on secondary blades of the Chassis system.

Component: Global Traffic Manager (DNS)

Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:

tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307

Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.

Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.

Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.


911761-1 : F5 TMUI XSS vulnerability CVE-2020-5948

Solution Article: K42696541


911729-3 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.


911041-4 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.

Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.


910653-6 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.


910521-1 : Support QUIC and HTTP draft-28

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.

Conditions:
Browser requests draft-28.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.


910417-1 : TMM core may be seen when reattaching a vector to a DoS profile

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.


910253-3 : BD error on HTTP response after upgrade

Component: Application Security Manager

Symptoms:
After upgrade, some requests can cause BD errors on response:

BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040

IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.

Impact:
For some requests, the response can arrive truncated or not arrive at all.

Workaround:
Add an iRule that deletes ASM cookies:

when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.


910201-4 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


910097-4 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.


910017-1 : Security hardening for the TMUI Interface page

Solution Article: K21540525


909197-2 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.


908673-6 : TMM may crash while processing DNS traffic

Solution Article: K43850230


908601-1 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.


If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.


908517-4 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.

Fix:
LDAP authentication now succeeds when user-template is used.


908065-1 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.


907337-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

Fix:
This BD crash no longer occurs.


907245-2 : AFM UI Hardening

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the AFM WebUI does not follow current best practices.

Conditions:
- AFM provisioned
- Authenticated AFM WebUI user

Impact:
AFM WebUI does not follow current best practices.

Workaround:
N/A

Fix:
AFM WebUI now follows current best practices


907201-4 : TMM may crash when processing IPSec traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while negotiation IPSec traffic with a remote peer.

Conditions:
-IPSec peers configured and active

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes IPSec traffic as expected.


906889-2 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.


906377-1 : iRulesLX hardening

Component: TMOS

Symptoms:
Under certain conditions, iRulesLX does not follow current best practices.

Conditions:
- Authenticated administrative user

Impact:
iRulesLX does not follow current best practices.

Workaround:
N/A

Fix:
iRulesLX now follows current best practices.


905125-1 : Security hardening for APM Webtop

Solution Article: K30343902


904845-1 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.


904785-2 : Remotely authenticated users may experience difficulty logging in over the serial console

Component: TMOS

Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user

Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.

Impact:
Remotely authenticated users cannot log in over the serial console.

Workaround:
Using either of the following workaround:

-- Log in over SSH instead

-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.


904705-1 : Cannot clone Azure marketplace instances.

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.

Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.


904373-4 : MRF GenericMessage: Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.

Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.


904053-1 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never

Component: Application Security Manager

Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.

Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.

Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.

Workaround:
Disable Learning mode for the Policy disables Cookie hashing.

Note: This affects all learning, not just Cookie hashing.

Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".


903357-4 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.


902485-5 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.


902417-6 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


902401 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.


901929-1 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

Fix:
GARPs are now sent when a virtual server is created.


901061-1 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

Fix:
Set the cookie so all requests in the target domain will contain it.


901041-2 : CEC update using incorrect method of determining number of blades in VIPRION chassis

Component: Traffic Classification Engine

Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.

Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.

Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.

Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.

Workaround:
Install the package manually on each slot.

Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.


900933-3 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.

Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.


900797-1 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.


900793-4 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.


900789-1 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.


898997-1 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes


898949-6 : APM may consume excessive resources while processing VPN traffic

Solution Article: K04518313


898705-6 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


898461-1 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

Fix:
These iRule commands are now available within these iRule events.


896861-1 : PTR query enhancement for RESOLVER::name_lookup

Component: Global Traffic Manager (DNS)

Symptoms:
Currently RESOLVER::name_lookup does not have PTR reverse domain mapping.

Conditions:
RESOLVER::name_lookup needs an additional iRule to make PTR query work

Impact:
Need an additional iRule to convert to reverse IP PTR query to work

Workaround:
Use an iRule to convert ip address reverse mapping

Fix:
Address IP address reverse mapping for PTR query


896817-1 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.

Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.


896709-4 : Add support for Restart Desktop for webtop in VMware VDI

Component: Access Policy Manager

Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.

Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.

Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.

Workaround:
None.

Fix:
APM now supports restart desktop option on webtop for VMware VDI.


896285-1 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.

Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.


896217-1 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895837-4 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.

Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.


895557-3 : NTLM profile logs error when used with profiles that do redirect

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"


893061-4 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.


892941-1 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555


892937-1 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Access Policy Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555


892785 : Azure walinuxagent has been updated to v2.2.48.1

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.48.1


892677-6 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892653-4 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.


892385-5 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.


891729-1 : Errors in datasyncd.log

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.


891457-1 : NIC driver may fail while transmitting data

Solution Article: K75111593


891385-1 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

Fix:
Added support for the urn URI protocol type.


891373-1 : BIG-IP does not shut a connection for a HEAD request

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.

Fix:
When an HTTP HEAD request contains 'Connection: close' header and a OneConnect profile is configured on a virtual server, the BIG-IP system shuts a connection down after a response is served.


891093-2 : iqsyncer does not handle stale pidfile

Component: Global Traffic Manager (DNS)

Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.

Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file

Impact:
Gtm config changes and gtm_add operations are blocked

Workaround:
Remove iqsyncer pid file manually or reboot

Fix:
Stale iqsyncer pid file condition handled in iqsyncer application


890277-4 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


889601-4 : OCSP revocation not properly checked

Component: Local Traffic Manager

Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.

Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles

Impact:
The SSL handshake continues eve if a certificate is revoked.

Fix:
OCSP revocation checking now working properly.


889557 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


889041-4 : Failover scripts fail to access resolv.conf due to permission issues

Component: TMOS

Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.


889029-1 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work.

Workaround:
Grant search permissions to the user in LDAP.


888517-1 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.

Component: Local Traffic Manager

Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.

Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.

Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.

Workaround:
Correct the underlying networking/virtualization issue.

Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.


888497-1 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888417-6 : Apache Vulnerability: CVE-2020-8840

Solution Article: K15320518


888341-8 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.


888289-7 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).


887205-1 : Correct handling of wildcard parameters with search-in 'any' marked for data integrity

Component: Fraud Protection Services

Symptoms:
The Data Integrity feature does not work for wildcard parameters with search-in set to 'any'.

Conditions:
-- Configure a wildcard parameter with search-in 'any' and mark it for data integrity.
-- Send traffic containing multiple parameters that match the configured pattern.

Impact:
-- Only the first traffic parameter matched by wildcard pattern will be checked for Data Integrity.
-- No alerts will be triggered for other parameters matched by same pattern even if they were manipulated.

Workaround:
Use explicit parameters.
Use wildcard parameters only if each pattern should match only one traffic parameter.

Fix:
Wildcard parameters with search-in 'any' marked for Data Integrity are now handled correctly.


886693-4 : System may become unresponsive after upgrading

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:

-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)


886689-7 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual


882549-1 : Sock driver does not use multiple queues in unsupported environments

Component: Local Traffic Manager

Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and

You can verify this on the tx side as well.

Conditions:
This occurs in certain unsupported environments.

Note: When you run 'ethtool -l', you can see: 'command not supported'.

Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.

Workaround:
Use other available drivers.

You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed

Fix:
Fixed an issue with the sock driver.


882189-1 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Solution Article: K20346072


882185-1 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


881757-3 : Unnecessary HTML response parsing and response payload is not compressed

Component: Application Security Manager

Symptoms:
When either DoS Application Profile or Bot Defense profile are used, or ASM Policy with complex LTM Policy, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.

Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- ASM Policy is associated with the Virtual Server and has complex LTM Policy: multiple ASM Policies, or additional rules.

Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.

Workaround:
The workaround is to disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false

Note: Using this brings back the impact of bug 792341.

Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.


881445-8 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


881317-7 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881293-1 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


880625-4 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.


880361-7 : iRules LX vulnerability CVE-2021-22973

Solution Article: K13323323


880165-3 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.


879829-1 : HA daemon sod cannot bind to ports numbered lower than 1024

Component: TMOS

Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.

Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.

/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability

Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.

-- Version 13.1.0 or later.

Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.

Workaround:
Change the port number to 1024 or higher.

Note: UDP port 1026 is the default.


879745-6 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879413-7 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.


879405-3 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

   Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.


879189-4 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section

Component: TMOS

Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.

Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.

Impact:
The Network Map shows an error message.

Workaround:
Provision the module that supports the profile.

Fix:
The button text has been modified to be more informative.


877109-8 : Unspecified input can break intended functionality in iHealth proxy

Solution Article: K04234247


876953-1 : Tmm crash while passing diameter traffic

Component: Service Provider

Symptoms:
Tmm crashes with the following log message.

-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.

Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash while passing diameter traffic.


876805-4 : Modifying address-list resets the route advertisement on virtual servers.

Component: TMOS

Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.

This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.

Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.

Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).

Workaround:
None

Fix:
Virtual address properties are now preserved when an address list is modified.


876581-1 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.


876353-2 : iRule command RESOLV::lookup may cause TMM to crash

Solution Article: K03125360


874677-4 : Traffic Classification auto signature update fails from GUI

Component: Traffic Classification Engine

Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.

The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

Conditions:
Performing Traffic Classification auto signature update using the GUI.

Impact:
Fails to update the classification signature automatically.

Workaround:
You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.

Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.


871561-6 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'

Component: TMOS

Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:

failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)

The failed installation is also indicated by log messages in /var/log/ltm similar to:

-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)

Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.

This can be accomplished by running the following command from the vCMP guest console:

tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>

Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.

Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.

Then restart the lind service on the vCMP Guest:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.

Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:

1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
  isoinfo -d -i /dev/cdrom

Note: Pay attention to the volume ID in the output from within the vCMP guest.

2. Unlock (eject) the image:
  eject -r -F /dev/cdrom && vcmphc_tool -e

3. Verify the CD drive is now empty:
  isoinfo -d -i /dev/cdrom

The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>

4. Restart lind:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.


869049-3 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

Fix:
Aggregation store-procedure is now fixed.


866073-3 : Add option to exclude stats collection in qkview to avoid very large data files

Component: TMOS

Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:

qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938

Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.

Impact:
Qkview files may not be able to be parsed by the iHealth service.

Also, memory allocation error messages may be displayed when generating qkview.

Workaround:
None.

Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.

Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.


865177-5 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.


864757-4 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


863917-1 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.

Component: Global Traffic Manager (DNS)

Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:

The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.

This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.

Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.

Impact:
Messages are logged that imply the system is overloaded when it is not.

Workaround:
Create a log filter to suppress the messages

sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}


862937-4 : Running cpcfg after first boot can result in daemons stuck in restart loop

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot


859717-1 : ICMP-limit-related warning messages in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:

warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.

Conditions:
Viewing /var/log/ltm.

Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.

Workaround:
None.

Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.


858973-5 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858701-5 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x

Component: Local Traffic Manager

Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.

-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.

Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:

Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

  Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.

  You can check this value with the guishell command:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

    Example:
      guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
        -----------------------------------------------------------
        | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
        -----------------------------------------------------------
        | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
        | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
        | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
        | /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
        | /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

      Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.

2. Fail over Active system to Standby status:
  tmsh run sys failover standby

3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.

4. Save the config to disk:
  tmsh save sys config

5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
  tmsh load sys config

6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
  tmsh load sys config

7. Verify it worked:
  guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

  Example of a fixed config:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
      -----------------------------------------------------------
      | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
      -----------------------------------------------------------
      | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
      | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
      | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
      | /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
      | /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':

tmsh load sys config


858197-5 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.


857953-1 : Non-functional disable/enable buttons present in GTM wide IP members page

Component: Global Traffic Manager (DNS)

Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.

Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./

Impact:
No action against the selected members occurs when the buttons are pressed.

Workaround:
None.


856713-4 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec-related tmm crash has been fixed.


854001-1 : TMM might crash in case of trusted bot signature and API protected url

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.

Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.


853585-3 : REST Wide IP object presents an inconsistent lastResortPool value

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.


846601-5 : Traffic classification does not update when an inactive slot becomes active after upgrade

Component: Traffic Classification Engine

Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.

Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.

Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.

Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.

If you insert a blade, run config sync manually from the active blade.

Fix:
Upgrade script now initiates install when the slot becomes active.


845333-7 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.

Fix:
Validation can recognize the datagroup on Transport Config objects.


844085-5 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


842717-8 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004


841305-3 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log

Component: Application Visibility and Reporting

Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:

-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error

Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.

Impact:
Charts are empty in the GUI, and the system logs errors in monpd.

Workaround:
None.

Fix:
Fixed an issue with HTTP stats database tables.


839145-4 : CVE-2019-10744: lodash vulnerability

Solution Article: K47105354


839121-4 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Solution Article: K74221031

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

 1. cp /config/bigip.conf /config/backup_bigip.conf
 2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
 3. tmsh load /sys config


837637-5 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Solution Article: K02038650

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all


834533-8 : Linux kernel vulnerability CVE-2019-15916

Solution Article: K57418558


830413-2 : Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure

Component: TMOS

Symptoms:
Deployment of BIG-IP Virtual Edition may result in an error "Failed to generate ssh host key".

Conditions:
Azure only. Observed for instances with password-based authentication.

Impact:
A timing issues exists with host key generation. The Virtual Machine is likely to be deployed, but users and automation tools might be unable to communicate with the instance.

Workaround:
BIG-IP may still be accessible despite the error.


830341-3 : False positives Mismatched message key on ASM TS cookie

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
ASM system does not trigger false positives


829821-8 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.


829677-5 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.


825501-4 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.


820845-5 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.


819329-5 : Specific FIPS device errors will not trigger failover

Component: Local Traffic Manager

Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.

Conditions:
-- FIPS hardware failure occurs, but the device is idle

Impact:
The device may not fail over on FIPS hardware failure.

Fix:
Interpret rare FIPS card failure as failover event.


819301-3 : Incorrect values in REST response for dos-l3 table

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations in the AVR publisher are not performed, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10
-- The attack vector is triggered

Impact:
Wrong values appear in REST reponse

Fix:
Fixed an issue with incorrect values for mitigated attacks.


819053-9 : CVE-2019-13232 unzip: overlapping of files in ZIP container

Component: TMOS

Symptoms:
CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service

Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container

Impact:
UnZip overlapping will leading to denial of service.

Workaround:
N/A

Fix:
UnZip updated to resolve CVE-2019-13232


818253-5 : Generate signature files for logs

Component: TMOS

Symptoms:
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.

Conditions:
Viewing the audit information stored in /var/log and other locations.

Impact:
Audit log files are stored without integrity files on the local system.

Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:

tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "

Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.

-- To enable the feature:
 tmsh modify sys db logintegrity.support value enable

-- To set the LogIntegrity loglevel:
 tmsh modify sys db logintegrity.loglevel value debug

You must create private key and store it in SecureVault before enabling this feature. To do so:

1. Generate a private key with the name logfile_integrity.key, for example:
 tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365

2. Generate RSA encrypted private SSL keys:

2a. Go to the filestore location on the BIG-IP system:
 cd /config/filestore/files_d/Common_d/certificate_key_d/

 ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2

 openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key

2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):

2c. run command to list the generated files
 ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key

3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:

 tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key


Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.


If you want to verify Signatures, follow these steps:

1. Go to the filestore location on the BIG-IP system :
 cd /config/filestore/files_d/Common_d/certificate_d
 
2. Execute the following command to generate the public key.
 openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer

3.Verify the signature file using public key:
 openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1


818213-7 : CVE-2019-10639: KASLR bypass using connectionless protocols

Solution Article: K32804955


817369-3 : TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.

Component: Service Provider

Symptoms:
When a georedundancy profile is attached to a TCP, UDP, and SCTP virtual server, proxy does not convert to GEO proxy.

Conditions:
Attach georedundancy profile to a standard TCP, UDP, or SCTP virtual server.

Impact:
Unable to convert proxy to GEO proxy when georedundancy profile is attached with TCP, UDP and SCTP virtual

Workaround:
None.


814953-8 : TMUI dashboard hardening

Solution Article: K43310520


814585-8 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


809205-8 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated


808409-5 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain


807337-6 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).

Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').

Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).


806073-8 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.


804157-4 : ICMP replies are forwarded with incorrect checksums causing them to be dropped

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.

Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.

Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.

Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.


803933-8 : Expat XML parser vulnerability CVE-2018-20843

Solution Article: K51011533


803629-8 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.


803233-6 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.


797829-7 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.


797797-5 : CVE-2019-11811 kernel: use-after-free in drivers

Solution Article: K01512680


797769-10 : Linux vulnerability : CVE-2019-11599

Solution Article: K51674118


794417-5 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration does not load if saved, and reports an error:

01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.

Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.

Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.

Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile


791669-3 : TMM might crash when Bot Defense is configured for multiple domains

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.


789421-5 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.


788625-2 : A pool member is not marked up by the inband monitor even after successful connection to the pool member

Component: Service Provider

Symptoms:
1. Pool member is still shown as down even after BIG-IP has connected to it.
2. If a pool has only one pool member, continuous logs are seen in /var/log/ltm, at the frequency of auto-init interval and in-band timer interval mentioning about pool member being in-active and active respectively.

Conditions:
-- Auto-init is enabled to continuously try connecting the pool member
-- An inband monitor is configured
-- The inband monitor's retry interval is slightly less than auto-init interval

Impact:
Pool member marked down, even though the pool member is up

Workaround:
Configure the inband monitor's retry interval to be the lowest interval possible, which is 1 second.

Fix:
Pool member should be marked as up by the inband monitor, when the pool member comes up and connection to it is successful.


788577-8 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.


788465-6 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm


787885-3 : The device status is falsely showing as forced offline on the network map while actual device status is not.

Component: TMOS

Symptoms:
Network Map in GUI shows incorrect [Forced Offline] status.

Conditions:
-- Multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Forced Offline]. In other words, it is always shown as [Forced Offline].

-- Non multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Active] or [Forced Offline]. In other words, it displays fine only for [Active] and [Forced Offline].

Impact:
The device status in the network map is not reliable

Workaround:
None.


785877-4 : VLAN groups do not bridge non-link-local multicast traffic.

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.

Fix:
VLAN groups now bridge non-link-local multicast traffic.


783125-5 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


779857-3 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


778049-1 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051


776393-4 : Restjavad restarts frequently due to insufficient memory with relatively large configurations

Component: TMOS

Symptoms:
Restjavad restarts frequently -- approximately every 5 minutes -- due to the JVM heap running out of memory

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory, using the following commands. The example below allocates 2 GB of extra memory to restjavad:

tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad

To persist the change above with system reboots, save the configuration with:

tmsh save sys config

Fix:
Default restjavad heap memory has been increased to 384MB


773693-9 : CVE-2020-5892: APM Client Vulnerability

Solution Article: K15838353


768085-6 : Error in python script /usr/libexec/iAppsLX_save_pre line 79

Component: iApp Technology

Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"

Conditions:
This can be encountered while trying to create a UCS file.

Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.

Workaround:
None.


767341-8 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: Local Traffic Manager

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable


766017-7 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.


760629-6 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete

Conditions:
This is encountered on BIG-IP software installations.

Impact:
The db keys are obsolete and can be safely ignored.

Workaround:
None

Fix:
The following db keys have been removed from the system:

Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db


759988-1 : Geolocation information inconsistently formatted

Component: Fraud Protection Services

Symptoms:
The ${geo} pattern in the Logging Profile has only GeoIP data; however, in alerts that are sent to either the alert server or to BIG-IQ, the GEO data includes both GeoIP and GeoLocation information.

Conditions:
Configure ${geo} pattern in Logging Profile template and trigger a logging event.

Impact:
GeoLocation data is missing in logs written by Logging Profile when using ${geo} pattern.

Fix:
The ${geo} pattern in Logging Profile template now provides full GEO informaion, both GeoIP and GeoLocation, in the same format as in alerts.


759564-1 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.


756139-5 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.

Fix:
Hostnames are now written consistently for all log files in /var/log directory.

Behavior Change:
Syslog-ng was using truncated hostname (without FQDN) while logging. This release adds fqdn use_fqdn(yes) in the syslog-ng template, so the system now logs the full hostname (FQDN).


751103-1 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.


749007-5 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list

Component: TMOS

Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.

Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.

Impact:
Cannot select South Sudan county from GTM country list.

Workaround:
None

Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.


748333-6 : DHCP Relay does not retain client source IP address for chained relay mode

Component: Local Traffic Manager

Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.

Conditions:
Using DHCP chained relay mode.

Impact:
The src-address is changed when it should not be.

Workaround:
None.

Fix:
For chained relay mode there is now an option to preserve the src-ip, controllable by 'sys db tmm.dhcp.relay.change.src'.


747234-8 : Macro policy does not find corresponding access-profile directly

Component: Access Policy Manager

Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.

Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.

Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.

Workaround:
Apply the Access Policy manually after auto-discovery.

Fix:
Fixed an issue with not automatically applying the access policy after discovery.


747020-3 : Requests that evaluate to same subsession can be processed concurrently

Component: Access Policy Manager

Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases

Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.

Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.

Workaround:
None.


743826-5 : Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)

Component: Application Visibility and Reporting

Symptoms:
When a pool member is defined with port any(0), calling the GetPoolMember() function, gives an incorrect error message that the pool member was not found.

Conditions:
Pool member with port any(0)

Impact:
Wrong error message printed to avrd.log

Fix:
Added a flag that indicates whether or not to print an error message to the GetPoolMember() function.


743253-1 : TSO in software re-segments L3 fragments.

Component: Local Traffic Manager

Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.

Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.

Impact:
Already-fragmented traffic is fragmented again.

Workaround:
None


743105-1 : BIG-IP SNAT vulnerability CVE-2021-22998

Solution Article: K31934524


740589-5 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));


739570-5 : Unable to install EPSEC package

Component: Access Policy Manager

Symptoms:
Installation of EPSEC package via tmsh fails with error:

Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).

Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso

Impact:
First-time installation of EPSEC package through tmsh fails.

Workaround:
You can do a first-time installation of EPSEC with the following commands:

tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso

Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.


739505-4 : Automatic ISO digital signature checking not required when FIPS license active

Component: TMOS

Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.

The system logs an error message upon an attempt to install or update the BIG-IP system:
 failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)

Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.

Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.

Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.

Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.


738032-4 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.

Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.

Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.

Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.


722337-4 : Always show violations in request log when post request is large

Component: Application Security Manager

Symptoms:
The system does not always show violations in request log when post request is large.

Conditions:
A large post request with many parameters is sent.

Impact:
Although the violations is handled correctly, it is not reported.

Workaround:
Disable learning mode.

The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.

-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).


718189-10 : Unspecified IP traffic can cause low-memory conditions

Solution Article: K10751325


717346-8 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


716746-4 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.

Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.


714642-7 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.


714176-6 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config

Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.


706521-1 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password

Solution Article: K21404407

Component: TMOS

Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.

Conditions:
Configure TACACS+ auditing forwarder.

Impact:
Exposes sensitive information.

Workaround:
None.

Fix:
The sensitive data is not exposed, and this issue is fixed.


696755-6 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}

Fix:
With provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.


693360-1 : A virtual server status changes to yellow while still available

Solution Article: K52035247


692218-7 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.


675911-11 : Different sections of the GUI can report incorrect CPU utilization

Solution Article: K13272442

Component: TMOS

Symptoms:
The following sections of the GUI can report incorrect or higher than expected CPU utilization:

-- The 'download history' option found in the Flash dashboard.

-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).

Values such as 33%, 66%, and 99% may appear in these sections despite the system being completely idle.

Conditions:
HT-Split is enabled (default for platforms that support it).

Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.

Workaround:
-- You can obtain CPU history through various other means. One way is to use the sar utility.

   - In 12.x and higher versions:
     sar -f /var/log/sa6/sa

   - or for older data:
     sar -f /var/log/sa6/sa.1

   - The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.


   - In 11.x:
     sar -f /var/log/sa/sa

   - or for older data
     sar -f /var/log/sa/sa.1

   - The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

-- Live CPU utilization can also be obtained through the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.


675772-3 : IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy

Component: TMOS

Symptoms:
When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.

Conditions:
Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy.

Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Impact:
IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.

Workaround:
(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector.
(2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Fix:
By design the implementation does not allow ipsec-policy instances to be shared, under interface mode tunnels, because the tunnel IP addresses used by the interface mode tunnel get pushed into the ipsec-policy instance. In effect, they must match. You can select a dummy IP address for the tunnel into the ipsec-policy, but these are ignored and replaced by the IP addresses of the interface mode tunnel at runtime. When an ipsec-policy is shared, it will have the wrong tunnel IP addresses for one or more of the interface mode tunnels.


673272-1 : Search by "Signature ID is" does not return results for some signature IDs

Component: Application Security Manager

Symptoms:
Search by "Signature ID is" does not return results for some signature IDs.

Conditions:
Request associated with signature that was previously enforced and is now in staging after the attack signature update.

Impact:
You are unable to filter requests by some signature IDs.

Fix:
Fixed an issue with searching by signature ID.


648242-7 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.


644192-9 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN

Solution Article: K23022557

Component: Global Traffic Manager (DNS)

Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.

Conditions:
A CNAME wide IP and a dnx with parent zone.
For example, CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.

Impact:
Cache resolvers will remember NXDOMAIN for the entire name. So clients talking to those caches asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.

Workaround:
Option 1: Create a related "www.siterequest.com" txt record in ZoneRunner
Option 2: Create a ltm virtual server iRule, similar to this:
when DNS_RESPONSE {
  if { [DNS::question name] eq "www.siterequest.com" } {
    if { [DNS::header rcode] eq "NXDOMAIN" } {
        DNS::header rcode NOERROR
        DNS::authority clear
        return
    }
  }
}

Fix:
A new DB key, 'gtm.allownxdomainoverride', has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.


639773-7 : BIG-IP AFM vulnerability CVE-2021-22983

Solution Article: K76518456


489572-6 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Solution Article: K60934489

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.


398683-5 : Use of a # in a TACACS secret causes remote auth to fail

Solution Article: K12304

Component: TMOS

Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.

Conditions:
TACACS secret contains the '#' character.

Impact:
TACACS remote auth fails.

Workaround:
Do not use the '#' character in the TACACS secret.


1017973-7 : BIND Vulnerability CVE-2021-25215

Solution Article: K96223611


1017965-1 : BIND Vulnerability CVE-2021-25214

Solution Article: K11426315


1017645-1 : False positive HTTP compliance violation

Component: Application Security Manager

Symptoms:
False-positive HTTP compliance violation.

Conditions:
Authorization header with bearer token and/or some other authorization headers types.

Impact:
False-positive traffic blocking.

Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:

/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1

Then restart ASM for this to take effect:

bigstart restart asm

Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.


1012521-3 : BIG-IP UI file permissions

Component: Advanced Firewall Manager

Symptoms:
Some GUI files have incorrect permission settings.

Conditions:
Files installed by the security-ui rpm.

Impact:
File permissions are incorrect.

Fix:
Installation script updated to set permissions to remove write privileges for the Group and User level


1012145-1 : TMM may crash when processing Datasafe profiles with ASM

Component: Fraud Protection Services

Symptoms:
Under certain conditions TMM may crash while processing Datasafe profiles with ASM.

Conditions:
- ASM provisioned
- Datasafe profile active

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes Datasafe profiles as expected.


1010393-5 : Unable to relax AS-path attribute in multi-path selection

Component: TMOS

Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.

Conditions:
BGP multi-path routes with different AS_PATH attributes.

Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.

Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.


1005489-1 : iRules with persist command might result in tmm crash.

Component: Local Traffic Manager

Symptoms:
BIG-IP systems may experience a tmm crash if iRules containing 'persist' command are being used.

Conditions:
-- BIG-IP systems with multiple TMMs
-- Virtual server with HTTP/HTTP/2 profile attached.
-- Virtual server has iRules containing the 'persist add' command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


1004417-4 : Provisioning error message during boot up

Component: TMOS

Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)

Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.

Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.

Workaround:
None


1003557-2 : Not following best practices in Guided Configuration Bundle Install worker

Solution Article: K74151369


1003105-2 : iControl Hardening

Solution Article: K74151369


1002761-2 : SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure

Component: TMOS

Symptoms:
A SCTP client's INIT chunks are rejected repeatedly.

Conditions:
-- Client-side SCTP association times out and is terminated with ABORT.
-- The client attempts to INIT the association again using the same source port.

Impact:
Client cannot reconnect to BIG-IP systems, even after the network failures are resolved.

Workaround:
Fail over and restart tmm on the affected device.


1002561-6 : TMM vulnerability CVE-2021-23007

Solution Article: K37451543


1000973-4 : Unanticipated restart of TMM due to heartbeat failure

Component: TMOS

Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.

High resolution timers (hrtimer) may be lost.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed an unanticipated restart of TMM due to heartbeat failure triggered by the kernel.



Known Issues in BIG-IP v16.0.x


TMOS Issues

ID Number Severity Solution Article(s) Description
934241-1 1-Blocking   TMM may core when using FastL4's hardware offloading feature
913713-1 1-Blocking   Rebooting a blade causes MCPd to core as it rejoins the cluster
998945-1 2-Critical   Load sys config is failing with OOM in MCPD processing
997793-4 2-Critical   Error log: Failed to reset strict operations; disconnecting from mcpd
997313-1 2-Critical   Unable to create APM policies in a sync-only folder
994969-1 2-Critical   Possible installation failure with three software volumes on a BIG-IP system
992097-3 2-Critical   Incorrect hostname is seen in logging files
990853-2 2-Critical   Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
989517-1 2-Critical   Acceleration section of virtual server page not available in DHD
980325-6 2-Critical   Chmand core due to memory leak from dossier requests.
979045-2 2-Critical   The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
976669-1 2-Critical   FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
974241-2 2-Critical   Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
950673-4 2-Critical   Hardware Syncookie mode not cleared when deleting/changing virtual server config.
950201-2 2-Critical   Tmm core on GCP
944513-3 2-Critical   Apache configuration file hardening
943109-1 2-Critical   Mcpd crash when bulk deleting Bot Defense profiles
942549-1 2-Critical   Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
941893-4 2-Critical   VE performance tests in Azure causes loss of connectivity to objects in configuration
940225-1 2-Critical   Not able to add more than 6 NICs on VE running in Azure
937481-3 2-Critical   Tomcat restarts with error java.lang.OutOfMemoryError
929133-1 2-Critical   TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
866957-2 2-Critical   Load balancing IPsec tunnels
865653-2 2-Critical   Wrong FDB table entries with same MAC and wrong VLAN combination
842669-5 2-Critical   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
799001-8 2-Critical   Sflow agent does not handle disconnect from SNMPD manager correctly
785017-5 2-Critical   Secondary blades go offline after new primary is elected
780437-7 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-6 2-Critical   In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
742764-1 2-Critical   The raccoon daemon is spawned more then once on startup, one fails and cores.
742419-3 2-Critical   BIG-IP NIC teaming of SR-IOV interfaces does not work under VMware ESXi
739507-4 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
737692-6 2-Critical   Handle x520 PF DOWN/UP sequence automatically by VE
718573-4 2-Critical   Internal SessionDB invalid state
671545-3 2-Critical   MCPD core while booting up device with error "Unexpected exception caught"
382363-2 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool.
998957-2 3-Major   Mcpd consumes excessive CPU while collecting stats.
998649-4 3-Major   Log hostname should be consistent when it contains ' . '
997561-4 3-Major   TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
997541-4 3-Major   Round-robin Disaggregator for hardware and software
996001-4 3-Major   AVR Inspection Dashboard 'Last Month' does not show all data points
995097-2 3-Major   Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
994365-2 3-Major   Inconsistency in tmsh 'object mode' for some configurations
994305-2 3-Major   The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
992813-1 3-Major   The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
992449-2 3-Major   The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI
992253-3 3-Major   Cannot specify IPv6 management IP addresses using GUI
992053-3 3-Major   Pva_stats for server side connections do not update for redirected flows
987081-2 3-Major   Alarm LED remains active on Secondary blades even after LCD alerts are cleared
985537-4 3-Major   Upgrade Microsoft Hyper-V driver
984585-2 3-Major   IP Reputation option not shown in GUI.
981485-5 3-Major   Neurond enters a restart loop after FPGA update.
976013-5 3-Major   If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards
974225-1 3-Major   Link Status traps are not issued on VE based BIG-IP systems
972785-7 3-Major   Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP
969737-3 3-Major   Snmp requests not answered if V2 traps are configured
969329-3 3-Major   Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP
969105-3 3-Major   HA failover connections via the management address do not work on vCMP guests running on VIPRION
967573-1 3-Major   Qkview generation from Configuration Utility fails
966949-1 3-Major   Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
965941-1 3-Major   Creating a net packet filter in the GUI does not work for ICMP for IPv6
965205-1 3-Major   BIG-IP dashboard downloads unused widgets
964941-2 3-Major   IPsec interface-mode tunnel does not initiate or respond after config change
964125-1 3-Major   Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
963541-1 3-Major   Net-snmp5.8 crash
963017-1 3-Major   The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
960029-1 3-Major   Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error
959057-2 3-Major   Unable to create additional login tokens for the default admin user account
958833-2 3-Major   After mgmt ip change via GUI, brower is not redirected to new address
958601-1 3-Major   In the GUI, searching for virtual server addresses does not match address lists
958093-4 3-Major   IPv6 routes missing after BGP graceful restart
957993-1 3-Major   Unable to set a port list in the GUI for an IPv6 address for a virtual server
956625-1 3-Major   Port and port-list type are both stored in a traffic-matching-criteria object
956589-3 3-Major   The tmrouted daemon restarts and produces a core file
956109-1 3-Major   Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target
955953-1 3-Major   iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
955897-1 3-Major   Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain
953477-2 3-Major   Syncookie HW mode not cleared when modifying VLAN config.
950849-5 3-Major   B4450N blades report page allocation failure.
948717-2 3-Major   F5-pf_daemon_cond_restart uses excessive CPU
948601-2 3-Major   File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
946745-1 3-Major   'System Integrity: Invalid' after Engineering Hotfix installation
945413-1 3-Major   Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
943793-3 3-Major   Neurond continuously restarting
943669-2 3-Major   B4450 blade reboot
943641-2 3-Major   IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration
943577-1 3-Major   Full sync failure for traffic-matching-criteria with port list under certain conditions
943473-1 3-Major   LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI
943045-3 3-Major   Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.
941381-4 3-Major   MCP restarts when deleting an application service with a traffic-matching-criteria
940885-1 3-Major   Add embedded SR-IOV support for Mellanox CX5 Ex adapter
940177-2 3-Major   Certificate instances tab shows incorrect number of instances in certain conditions
939249-2 3-Major   iSeries LCD changes to secure mode after multiple reboots
938145-2 3-Major   DAG redirects packets to non-existent tmm
936093-1 3-Major   Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
935485-1 3-Major   BWC: flows might stall when using dynamic BWC policy
935177-1 3-Major   IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
934941-1 3-Major   Platform FIPS power-up self test failures not logged to console
933329-1 3-Major   The process plane statistics do not accurately label some processes
931629-4 3-Major   External trunk fdb entries might end up with internal MAC addresses.
930825-5 3-Major   System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
930741-3 3-Major   Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
928389-1 3-Major   GUI becomes inaccessible after importing certificate under import type 'certificate'
928353-1 3-Major   Error logged installing Engineering Hotfix: Argument isn't numeric
928161-2 3-Major   Local password policy not enforced when auth source is set to a remote type.
927025-2 3-Major   Sod restarts continuously
925797-1 3-Major   Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
924297-3 3-Major   Ltm policy MCP objects are not being synced over to the peer device
923745-4 3-Major   Ctrl-Alt-Del reboots the system
922885-1 3-Major K27872027 BIG-IP Virtual Edition does not pass traffic on ESXi 6.5
922613-3 3-Major   Tunnels using autolasthop might drop traffic with ICMP route unreachable
922185-2 3-Major   LDAP referrals not supported for 'cert-ldap system-auth'
922153-1 3-Major   Tcpdump is failing on tmm 0.x interfaces
922053-2 3-Major   inaccurate number of trunk members reported by bcm56xxd/bcmLINK
921149-4 3-Major   After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
921121-5 3-Major   Tmm crash with iRule and a PEM Policy with BWC Enabled
920761-1 3-Major   Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
920517-1 3-Major   Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
919401-1 3-Major   Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
919317-6 3-Major   NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-1 3-Major   Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918409-1 3-Major   BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
915829-3 3-Major   Particular Users unable to login with LDAP Authentication Provider
915825-1 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915557-1 3-Major   The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915493-5 3-Major   imish command hangs when ospfd is enabled
913573-3 3-Major   Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
909505-4 3-Major   Creating LTM data group external object fails.
909485-4 3-Major   Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
908753-2 3-Major   Password memory not effective even when password policy is configured
907549-2 3-Major   Memory leak in BWC::Measure
906505-1 3-Major   Display of LCD System Menu cannot be configured via GUI on iSeries platforms
904713-1 3-Major   FailoverState device status and CM device status do not match shortly after triggering failover
904401-4 3-Major   Guestagentd core
903265-4 3-Major   Single user mode faced sudden reboot
901989-1 3-Major   Boot_marker writes to /var/log/btmp
901669-5 3-Major   Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
900485-1 3-Major   Syslog-ng 'program' filter does not work
899933-1 3-Major   Listing property groups in TMSH without specifying properties lists the entire object
899085-7 3-Major   Configuration changes made by Certificate Manager role do not trigger saving config
898577-1 3-Major   Executing a command in "mgmt tm" using iControl REST results in tmsh error
893885-4 3-Major   The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
892445-1 3-Major   BWC policy names are limited to 128 characters
891221-1 3-Major   Router bgp neighbor password CLI help string is not helpful
888869-1 3-Major   GUI reports General Database Error when accessing Instances Tab of SSL Certificates
888081-5 3-Major   BIG-IP VE Migration feature fails for 1NIC
887117-3 3-Major   Invalid SessionDB messages are sent to Standby
887089-2 3-Major   Upgrade can fail when filenames contain spaces
886649-1 3-Major   Connections stall when dynamic BWC policy is changed via GUI and TMSH
883149-2 3-Major   The fix for ID 439539 can cause mcpd to core.
882833-1 3-Major   SELinux issue cause zrd down
882709-5 3-Major   Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors
882609-2 3-Major   ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
881085-4 3-Major   Intermittent auth failures with remote LDAP auth for BIG-IP managment
880289-2 3-Major   FPGA firmware changes during configuration loads
879969-6 3-Major   FQDN node resolution fails if DNS response latency >5 seconds
872165-3 3-Major   LDAP remote authentication for REST API calls may fail during authorization
871705-7 3-Major   Restarting bigstart shuts down the system
867549-2 3-Major   LCD touch panel reports "Firmware update in progress" indefinitely
865225-5 3-Major   100G modules may not work properly in i15000 and i15800 platforms
862525-7 3-Major   GUI Browser Cache Timeout option is not available via tmsh
844925-4 3-Major   Command 'tmsh save /sys config' fails to save the configuration and hangs
842013-2 3-Major   ASM Configuration is Lost on License Reactivation
828789-4 3-Major   Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
814273-5 3-Major   Multicast route entries are not populating to tmm after failover
810613-6 3-Major   GUI Login History hides informative message about max number of lines exceeded
809089-5 3-Major   TMM crash after sessiondb ref_cnt overflow
807945-4 3-Major   Loading UCS file for the first time not updating MCP DB
807837-1 3-Major   Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
806881-7 3-Major   Loading the configuration may not set the virtual server enabled status correctly
803457-4 3-Major   SNMP custom stats cannot access iStats
798885-5 3-Major   SNMP response times may be long when processing requests
791365-4 3-Major   Bad encryption password error on UCS save
791061-6 3-Major   Config load in /Common removes routing protocols from other partitions
788645-6 3-Major   BGP does not function on static interfaces with vlan names longer than 16 characters.
781733-6 3-Major   SNMPv3 user name configuration allows illegal names to be entered
780745-4 3-Major   TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778041-4 3-Major   tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
776489-6 3-Major   Remote authentication attempts to resolve only LDAP host against the first three name servers configured.
775845-5 3-Major   Httpd fails to start after restarting the service using the iControl REST API
775797-4 3-Major   Previously deleted user account might get authenticated
773577-6 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
773173-3 3-Major   LTM Policy GUI is not working properly
767305-6 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
764969-1 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
762097-4 3-Major   No swap memory available after upgrading to v14.1.0 and above
760932-2 3-Major   Part of audit log messages are also in other logs when strings are long
760354-2 3-Major   Continual mcpd process restarts after removing big logs when /var/log is full
759737-4 3-Major   Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
759258-6 3-Major   Instances shows incorrect pools if the same members are used in other pools
757787-4 3-Major   Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
755976-5 3-Major   ZebOS might miss kernel routes after mcpd deamon restart
754335-4 3-Major   Install ISO does not boot on BIG-IP VE
751409-8 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
749757 3-Major   -s option in qkview help does not indicate maximum size
744924-3 3-Major   Bladed unit goes offline after UCS install
741702-1 3-Major   TMM crash
739820-8 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739118-6 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
737739-3 3-Major   Bash shell still accessible for admin even if disabled
730852-5 3-Major   The tmrouted repeatedly crashes and produces core when new peer device is added
725646-1 3-Major   The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
724653-1 3-Major   In a device group, a non-empty partition can be deleted by a peer device during a config sync
690928-2 3-Major   System posts error message: 01010054:3: tmrouted connection closed
674026-5 3-Major   iSeries AOM web UI update fails to complete.
662301-1 3-Major   'Unlicensed objects' error message appears despite there being no unlicensed config
658850-4 3-Major   Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
615934-7 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
538283-1 3-Major   iControl REST asynchronous tasks may block other tasks from running
499348-12 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
486712-8 3-Major   GUI PVA connection maximum statistic is always zero
469724-4 3-Major   When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
431503-9 3-Major K14838 TMSH crashes in rare initial tunnel configurations
385013-1 3-Major   Certain user roles do not trigger a sync for a 'modify auth password' command
1032949-3 3-Major   Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate
1027237-2 3-Major   Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
1026549-2 3-Major   Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
1022997-2 3-Major   TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
1021573-2 3-Major   Issues when creating an LTM Policy (with a rule) through an iApp
1020129-3 3-Major   Turboflex page in GUI reports 'profile.Features is undefined' error
1019429-2 3-Major   CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated
1019285-2 3-Major   Systemd hangs and is unresponsive
1018309-4 3-Major   Loading config file with imish removes the last character
1017857-2 3-Major   Restore of UCS leads to incorrect UID on authorized_keys
1015453-2 3-Major   Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI
1015093-2 3-Major   The "iq" column is missing from the ndal_tx_stats table
1014285-4 3-Major   Set auto-failback-enabled moved to false after upgrade
1012601-3 3-Major   Alarm LED and LCD alert cleared prematurely on startup for missing PSU input
1012449-2 3-Major   Unable to edit custom inband monitor in the GUI
1012049-2 3-Major   Incorrect virtual server list returned in response to status request
1011265-2 3-Major   Failover script cannot read /config/partitions/ after upgrade
1010341-3 3-Major   Slower REST calls after update for CVE-2021-22986
1009949-3 3-Major   High CPU usage when upgrading from previous version
1008837-4 3-Major   Control plane is sluggish when mcpd processes a query for virtual server and address statistics
1008269-2 3-Major   Error: out of stack space
1007909-2 3-Major   Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs
1004469-5 3-Major   SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string
1003257-5 3-Major   ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
1001129-2 3-Major   Maximum Login Failures lockout for root and admin
1001069-4 3-Major   VE CPU higher after upgrade, given same throughput
992241-2 4-Minor   Unable to change initial admin password from GUI after root password change
985953-4 4-Minor   GRE Transparent Ethernet Bridging inner MAC overwrite
983021-1 4-Minor   Tmsh does not correctly handle the app-service for data-group records
976517-3 4-Minor   Tmsh run sys failover standby with a device specified but no traffic group fails
964533-1 4-Minor   Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs
962605-5 4-Minor   BIG-IP may go offline after installing ASU file with insufficient disk space
957461-1 4-Minor   Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format
955593-1 4-Minor   "none" missing from the error string when snmp trap is configured with an invalid network type
955057-1 4-Minor   UCS archives containing a large number of DNS zone files may fail to restore.
947865-1 4-Minor   Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
944485-6 4-Minor   License activation through proxy server uses IP address in proxy CONNECT, not nameserver
943597-1 4-Minor   'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart
939757-5 4-Minor   Deleting a virtual server might not trigger route injection update.
939517-5 4-Minor   DB variable scheduler.minsleepduration.ltm changes to default value after reboot
929813-3 4-Minor   "Error loading object from cursor" while updating a client SSL profile
928665-3 4-Minor   Kernel nf_conntrack table might get full with large configurations.
927441-4 4-Minor   Guest user not able to see virtual server details when ASM policy attached
921369-3 4-Minor   Signature verification for logs fails if the log files are modified during log rotation
921065-2 4-Minor   BIG-IP systems not responding to DPD requests from initiator after failover
921001-5 4-Minor   After provisioning change, pfmand might keep interfaces down on particular platforms
919861-2 4-Minor   Tunnel Static Forwarding Table does not show entries per page
915473-3 4-Minor   Accessing Dashboard page with AVR provisioned causes continuous audit logs
915141-1 4-Minor   Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
911713-4 4-Minor   Delay in Network Convergence with RSTP enabled
910645-2 4-Minor   Upgrade error 'Parsing default XML files. Failed to parse xml file'
908453-4 4-Minor   Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
906449-1 4-Minor   Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
904661-1 4-Minor   Mellanox NIC speeds may be reported incorrectly on Virtual Edition
901985-7 4-Minor   Extend logging for incomplete HTTP requests
899097-3 4-Minor   Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking
898441-3 4-Minor   Enable logging of IKE keys
896693-5 4-Minor   Patch installation is failing for iControl REST endpoint.
896689-5 4-Minor   Asynchronous tasks can be managed via unintended endpoints
893813-4 4-Minor   Modifying pool enables address and port translation in TMUI
893093-1 4-Minor   An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
882713-2 4-Minor   BGP SNMP trap has the wrong sysUpTime value
860573-4 4-Minor   LTM iRule validation performance improvement by tracking procedure/event that have been validated
848681 4-Minor   Disabling the LCD on a VIPRION causes blade status lights to turn amber
817989-2 4-Minor   Cannot change managemnet IP from GUI
807309-4 4-Minor   Incorrect Active/Standby status in CLI Prompt after failover test
805325-7 4-Minor   tmsh help text contains a reference to bigpipe, which is no longer supported
795429-6 4-Minor   Unrelated iControl REST transaction error message is returned when committing a transaction without any tasks.
759852-5 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
759590-7 4-Minor   Creation of RADIUS authentication fails with service types other than 'authenticate only'
742753-6 4-Minor   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-4 4-Minor   Displaying network map with virtual servers is slow
713183-5 4-Minor   Malformed JSON files may be present on vCMP host
712241-7 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
696363-5 4-Minor   Unable to create SNMP trap in the GUI
689147-4 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
673573-7 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
659579-5 4-Minor   Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
658943-4 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-5 4-Minor K71255118 VCMP Guest CM device name not set to hostname when deployed
631083-6 4-Minor   Some files in home directory are overwritten on password change
603693-1 4-Minor K52239932 Brace matching in switch statement of iRules can fail if literal strings use braces
550526-4 4-Minor K84370515 Some time zones prevent configuring trust with a peer device using the GUI.
472645-3 4-Minor   Memory issues when there is a lot of data in /var/annotate (annotations for dashboard)
1025965-2 4-Minor   Audit role users cannot see folder properties under sys-folder
1011217-4 4-Minor   TurboFlex Profile setting reverts to turboflex-base after upgrade
1010785-2 4-Minor   Online help is missing for CRL in client SSL profile and server SSL profile
1010761-2 4-Minor   Missing TMSH help description for client-ssl profile 'CRL'
1002809-3 4-Minor   OSPF vertex-threshold should be at least 100
965457-5 5-Cosmetic   OSPF duplicate router detection might report false positives
964421-1 5-Cosmetic   Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
968929-1 2-Critical   TMM may crash when resetting a connection on an APM virtual server
967249-1 2-Critical   TMM may leak memory early during its startup process, and may continue to do so indefinitely.
949137-2 2-Critical   Clusterd crash and vCMP guest failover
946481-2 2-Critical   Virtual Edition FIPS not compatible with TLS 1.3
938545-2 2-Critical   Oversize plugin Tcl object results can result in 0-length messages and plugin crash
937649-1 2-Critical   Flow fwd broken with statemirror.verify enabled and source-port preserve strict
935193-2 2-Critical   With APM and AFM provisioned, single logout ( SLO ) fails
927633-1 2-Critical   Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
926985-1 2-Critical   HTTP/3 aborts stream on incomplete frame headers
914309-4 2-Critical   TMM crash seen with FTP and Classification profiles
910213-1 2-Critical   LB::down iRule command is ineffective, and can lead to inconsistent pool member status
886045-1 2-Critical   Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
862885-3 2-Critical   Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
851385-2 2-Critical   Failover takes too long when traffic blade failure occurs
835505-5 2-Critical   Tmsh crash potentially related to NGFIPS SDK
824437-8 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
797573-2 2-Critical   TMM assert crash with resulting in core generation in multi-blade chassis
758491-4 2-Critical   When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
738964-5 2-Critical   Instruction logger debugging enhancement
625807-2 2-Critical   Tmm cores in bigproto_cookie_buffer_to_server
1030185-4 2-Critical   TMM may crash when looking up a persistence record using "persist lookup" iRule commands
1020645-4 2-Critical   When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
1004317-3 2-Critical   Csyncd removes files and directories under /config/zebos, /var/named/config/namedb, etc.
999881-5 3-Major   Tcl command 'string first' not working if payload contains Unicode characters.
999097-2 3-Major   SSL::profile may select profile with outdated configuration
998253-3 3-Major   SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
996649-5 3-Major   Improper handling of DHCP flows leading to orphaned server-side connections
993517-2 3-Major   Loading an upgraded config can result in a file object error in some cases
991501-4 3-Major   Pool members with HTTPS monitor may be incorrectly marked down.
991265-4 3-Major   Persistence entries point to the wrong servers for longer periods of time
987077-2 3-Major   TLS1.3 with client authentication handshake failure
985925-2 3-Major   Ipv6 Routing Header processing not compatible as per Segments Left value.
985749-2 3-Major   TCP exponential backoff algorithm does not comply with RFC 6298
985433-1 3-Major   Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.
985401-2 3-Major   ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
984897-2 3-Major   Some connections performing SSL mirroring are not handled correctly by the Standby unit.
980617-2 3-Major   SNAT iRule is not working with HTTP/2 and HTTP Router profiles
976525-4 3-Major   Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
976101-3 3-Major   TMM crash after deleting an interface from a virtual wire vlan
975725-4 3-Major   Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
974501-2 3-Major   Excessive memory usage by mirroring subsystem when remirroring
971217-1 3-Major   AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
969637-1 3-Major   Config may fail to load with "FIPS 140 operations not available on this system" after upgrade
968949-6 3-Major   Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
967425-1 3-Major   mcp error: 0x1020036 at ../mcp/db_pool.c:461
967353-2 3-Major   HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
967093-2 3-Major   In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail
965037-2 3-Major   SSL Orchestrator does not send HTTP CONNECT tunnel payload to services
963713-2 3-Major   HTTP/2 virtual server with translate-disable can core tmm
963705-4 3-Major   Proxy ssl server response not forwarded
962913-5 3-Major   The number of native open connections in the SSL profile is higher than expected
961001-1 3-Major   Arp requests not resolved for snatpool members when primary blade goes offline
958785-7 3-Major   FTP data transfer does not complete after QUIT signal
956133-1 3-Major   MAC address might be displayed as 'none' after upgrading
955617-1 3-Major   Cannot modify properties of a monitor that is already in use by a pool
950005-1 3-Major   TCP connection is not closed when necessary after HTTP::respond iRule
948065-2 3-Major   DNS Responses egress with an incorrect source IP address.
947125-1 3-Major   Unable to delete monitors after certain operations
945189-4 3-Major   HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA
944173-1 3-Major   SSL monitor stuck does not change TLS version
942489-2 3-Major   TCP proxy with ramcache and OneConnect can result in out-of-order events which stalls the flow
942217-4 3-Major   Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
941481-1 3-Major   iRules LX - nodejs processes consuming excessive memory
941257-4 3-Major   Occasional Nitrox3 ZIP engine hang
938309-1 3-Major   In-TMM Monitors time out unexpectedly
937769-1 3-Major   SSL connection mirroring failure on standy with sslv2 records
937573-2 3-Major   Connections drop in virtual server with Immediate Action On Service Down set to Drop
936441-1 3-Major   Nitrox5 SDK driver logging messages
935793-1 3-Major   With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)
934697-4 3-Major   Route domain not reachable (strict mode)
932857-1 3-Major   Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
932825-1 3-Major   Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
932461-4 3-Major   Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
928857-1 3-Major   Use of OCSP responder may leak X509 store instances
928805-1 3-Major   Use of OCSP responder may cause memory leakage
928789-1 3-Major   Use of OCSP responder may leak SSL handshake instances
927713-3 3-Major   Secondary blade IPsec SAs lost after standby reboot using clsh reboot
927589-2 3-Major   ILX::call command response get truncated
927569-1 3-Major   HTTP/3 rejects subsequent partial SETTINGS frames
926757-3 3-Major   ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
926513-1 3-Major   HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
922641-5 3-Major   Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
922413-1 3-Major   Excessive memory consumption with ntlmconnpool configured
921541-2 3-Major   When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
920789-1 3-Major   UDP commands in iRules executed during FLOW_INIT event fail
920205-3 3-Major   Rate shaping might suppress TCP RST
918277-1 3-Major   Slow Ramp does not take into account pool members' ratio weights
915773-3 3-Major   Restart of TMM after stale interface reference
914061-1 3-Major   BIG-IP may reject a POST request if it comes first and exceeds the initial window size
913385-2 3-Major   TMM generates core while deleting iFiles
912517-1 3-Major   MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
912293-4 3-Major   Persistence might not work properly on virtual servers that utilize address lists
911777-1 3-Major   BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.
910673-1 3-Major   Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910105 3-Major   Partial HTTP/2 payload may freeze on the BIG-IP system
909997-2 3-Major   Virtual server status displays as unavailable when it is accepting connections
909677-1 3-Major   HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
907177-1 3-Major   Priority of embedded APM iRules is ignored
906653-2 3-Major   Server side UDP immediate idle-timeout drops datagrams
905477-1 3-Major   The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-1 3-Major   Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
904041-1 3-Major   Ephemeral pool members may be incorrect when modified via various actions
903581-4 3-Major   The pkcs11d process cannot recover under certain error condition
902377-3 3-Major   HTML profile forces re-chunk even though HTML::disable
901569-3 3-Major   Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
898733-4 3-Major   SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-5 3-Major   Order of ciphers changes after updating cipher group
897185-4 3-Major   Resolver cache not using random port distribution
895205-1 3-Major   A circular reference in rewrite profiles causes MCP to crash
895165-1 3-Major   Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
893281-2 3-Major   Possible ssl stall on closed client handshake
892801-1 3-Major   When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-3 3-Major   A wrong OCSP status cache may be looked up and re-used during SSL handshake.
891145-6 3-Major   TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
889165-4 3-Major   "http_process_state_cx_wait" errors in log and connection reset
888885-2 3-Major   BIG-IP Virtual Edition TMM restarts frequently without core
887045-2 3-Major   The session key does not get mirrored to standby.
885325-1 3-Major   Stats might be incorrect for iRules that get executed a large number of times
883049-1 3-Major   Statsd can deadlock with rrdshim if an rrd file is invalid
881065-3 3-Major   Adding port-list to Virtual Server changes the route domain to 0
879169-1 3-Major   RESOLV::lookup @<virtual server name> may not work
872981-4 3-Major   MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
870349-2 3-Major   Continuous restart of ntlmconnpool after license reinstall
870309-3 3-Major   Ephemeral pool member not created when FQDN resolves to new IP address
867985-5 3-Major   LTM policy with a 'shutdown' action incorrectly allows iRule execution
862001-7 3-Major   Improperly configured NTP server can result in an undisciplined clock stanza
854129-1 3-Major   SSL monitor continues to send previously configured server SSL configuration after changes (removal/modification)
852325-6 3-Major   HTTP2 does not support Global SNAT
851121-1 3-Major   Database monitor DBDaemon debug logging not enabled consistently
846977-6 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
843317-4 3-Major   The iRules LX workspace imported with incorrect SELinux contexts
842137-2 3-Major   Keys cannot be created on module protected partitions when strict FIPS mode is set
816953-2 3-Major   RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
815405-5 3-Major   GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
812693-4 3-Major   Connection in FIN_WAIT_2 state may fail to be removed
808017-6 3-Major   When using a variable as the only parameter to the iRule persist command, the iRule validation fails
805561-2 3-Major   Change of pool configuration in OneConnect environment can impact active traffic
795933-8 3-Major   A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
794505-6 3-Major   OSPFv3 IPv4 address family route-map filtering does not work
794385-4 3-Major   BGP sessions may be reset after CMP state change
793669-6 3-Major   FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
785361-2 3-Major   In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
780857-1 3-Major   HA failover network disruption when cluster management IP is not in the list of unicast addresses
779137-6 3-Major   Using a source address list for a virtual server does not preserve the destination address prefix
778501-3 3-Major   LB_FAILED does not fire on failure of HTTP/2 server connection establishment
767217-4 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-6 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
757029-7 3-Major   Ephemeral pool members may not be created after config load or reboot
756812-4 3-Major   Nitrox 3 instruction/request logger may fail due to SELinux permission error
756313-8 3-Major   SSL monitor continues to mark pool member down after restoring services
755791-7 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755631-6 3-Major   UDP / DNS monitor marking node down
754604-5 3-Major   iRule : [string first] returns incorrect results when string2 contains null
753526-8 3-Major   IP::addr iRule command does not allow single digit mask
751451-1 3-Major   When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
748886-1 3-Major   Virtual server stops passing traffic after modification
723112-7 3-Major   LTM policies does not work if a condition has more than 127 matches
705387-4 3-Major   HTTP/2, ALPN and SSL
700639-1 3-Major   The default value for the syncookie threshold is not set to the correct value
574762-3 3-Major   Forwarding flows leak when a routing update changes the egress vlan
500786-8 3-Major   Heavy memory usage while using FastL4/BIGTCP virtual server with HTTP profile
315765-1 3-Major   The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
1025089-2 3-Major   Pool members marked down by database monitor due to stale cached connection
1022453-3 3-Major   IPv6 fragments are dropped when packet filtering is enabled.
1020957-2 3-Major   HTTP response may be truncated by the BIG-IP system
1020549-2 3-Major   Server-side connections stall with zero window with OneConnect profile
1017801-2 3-Major   Internal listeners (cgc, ftp data, etc) all share the same listener_key stats
1017721-4 3-Major   WebSocket does not close cleanly when SSL enabled.
1017513-4 3-Major   Config sync fails with error Invalid monitor rule instance identifier
1017029-4 3-Major   SASP monitor does not identify specific cause of failed SASP Registration attempt
1016589-2 3-Major   Incorrect expression in STREAM::expression might cause a tmm crash
1016113-2 3-Major   HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.
1015817-2 3-Major   Flows rejected due to no return route do not increment rejection stats
1015161-1 3-Major   Ephemeral pool member may not be created when FQDN resolves to address that matches static node
1013597-3 3-Major   `HTTP2::disable serverside` can reset flows
1013209-1 3-Major   BIG-IP components relying on ca-bundle.crt may stop working after upgrade
1012813-2 3-Major   Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
1010209-2 3-Major   BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings
1009921-2 3-Major   'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check
1008501-2 3-Major   TMM core
1008017-4 3-Major   Validation failure on Enforce TLS Requirements and TLS Renegotiation
1008009-4 3-Major   SSL mirroring null hs during session sync state
1007749-3 3-Major   URI TCL parse functions fail when there are interior segments with periods and semi-colons
1006857-2 3-Major   Adding a source address list to a virtual server in a partition with a non-default route domain fails
1006157-2 3-Major   FQDN nodes not repopulated immediately after 'load sys config'
1004897-6 3-Major   'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
1004609-5 3-Major   SSL forward proxy virtual server may set empty SSL session_id in server hello.
1000561-4 3-Major   Chunk size incorrectly passed to client-side
1000069-2 3-Major   Virtual server does not create the listener
999709-5 4-Minor   iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
990173-2 4-Minor   Dynconfd repeatedly sends the same mcp message to mcpd
987885-5 4-Minor   Half-open unclean SSL termination might not close the connection properly
987401-3 4-Minor   Increased TMM memory usage on standby unit after pool flap
982993-5 4-Minor   Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
962181-1 4-Minor   iRule POLICY command fails in server-side events
956025-1 4-Minor   HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header
947937-1 4-Minor   HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.
947745-2 4-Minor   Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
942793-2 4-Minor   BIG-IP system cannot accept STARTTLS command with trailing white space
940837-3 4-Minor   The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
936557-1 4-Minor   Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
932553-5 4-Minor   An HTTP request is not served when a remote logging server is down
932045-4 4-Minor   Memory leak when creating/deleting LTM node object
931469-8 4-Minor   Redundant socket close when half-open monitor pings
929429-1 4-Minor   Oracle database monitor uses excessive CPU when Platform FIPS is licensed
922005-2 4-Minor   Stats on a certain counter for web-acceleration profile may show excessive value
921993-2 4-Minor   LTM policy with a 'contains' operator does not work as expected when using an external data group.
921477-1 4-Minor   Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
916485-3 4-Minor   Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
915969-2 4-Minor   Truncated QUIC connection close reason
914589-1 4-Minor   VLAN Failsafe timeout is not always respected
912945-1 4-Minor   A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
911853-6 4-Minor   Stream filter chunk-size limits filter to a single match per ingress buffer
910965-1 4-Minor   Overflow of Multicast table filling the tmm log
907045-1 4-Minor   QUIC HANDSHAKE_DONE is sent at the end of first flight
904537-2 4-Minor   The csyncd process may keep trying to sync the GeoIP database to a secondary blade
901485-1 4-Minor   HTTP_RESPONSE_RELEASE is not raised for HTTP early response
898753-6 4-Minor   Multicast control-plane traffic requires handling with AFM policies
898201-1 4-Minor   Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
890881-5 4-Minor   ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
869565-2 4-Minor   Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-2 4-Minor   HTTP2::disable fails for server side allowing HTTP/2 traffic
838305-8 4-Minor   BIG-IP may create multiple connections for packets that should belong to a single flow.
829021-2 4-Minor   BIG-IP does not account a presence of http2 profile when response payload is modified
807397-4 4-Minor   IRules ending with a comment cause config verification to fail
802721-5 4-Minor   Virtual Server iRule does not match an External Data Group key that's 128 characters long
760590-5 4-Minor   TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
758435-3 4-Minor   Ordinal value in LTM policy rules sometimes do not work as expected
717806-6 4-Minor   In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
683534-1 4-Minor   'tmsh show sys connection' command prompt displaying 4 billion connections is misleading
640374-3 4-Minor   DHCP statistics are incorrect
1026605-5 4-Minor   When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
1024761-2 4-Minor   HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body
1016049-5 4-Minor   EDNS query with CSUBNET dropped by protocol inspection
1015117-4 4-Minor   Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used
1011889-5 4-Minor   The BIG-IP system does not handle DHCPv6 fragmented traffic properly
1005109-3 4-Minor   TMM crashes when changing traffic-group on IPv6 link-local address
1004953-4 4-Minor   HTTP does not fall back to HTTP/1.1
1002945-3 4-Minor   Some connections are dropped on chained IPv6 to IPv4 virtual servers.
968581-1 5-Cosmetic   TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
898929-5 5-Cosmetic   Tmm might crash when ASM, AVR, and pool connection queuing are in use
897437-6 5-Cosmetic   First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-6 5-Cosmetic   Switching from fast_merge to slow_merge can result in incorrect tmm stats
860277-5 5-Cosmetic   Default value of TCP Profile Proxy Buffer High Low changed in 14.1
755061-2 5-Cosmetic   iRule audit logs may be written to separate files


Performance Issues

ID Number Severity Solution Article(s) Description
908001-1 2-Critical   Possible 13%-16% TPS drop in performance on VIPRION and iSeries vCMP with v16.1.0 'host'
948417-3 3-Major   Network Management Agent (Azure NMAgent) updates causes Kernel Panic


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
993921-3 2-Critical   TMM SIGSEGV
940733-4 2-Critical K29290121 Downgrading a FIPS-enabled BIG-IP system results in a system halt
931149-2 2-Critical   Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
705869-2 2-Critical   TMM crashes as a result of repeated loads of the GEOIP database
264701-6 2-Critical K10066 GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
1011433-2 2-Critical   Heap allocation failure would cause tmm core in resolver_deprecated_wire2result
1010617-2 2-Critical   String operation against DNS resource records cause tmm memory corruption
1009037-2 2-Critical   Tcl resume on invalid connection flow can cause tmm crash
994221-2 3-Major   ZoneRunner returns error 'Resolver returned no such record'
990929-1 3-Major   Status of GTM monitor instance is constantly flapping
987709-5 3-Major   Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
982361-2 3-Major   SNAT on wildcard virtual server does not work
977625-2 3-Major   GTM persistence records linger in tmm
967737-1 3-Major   DNS Express: SOA stops showing up in statistics from second zone transfer
940469-1 3-Major   Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration
935249-1 3-Major   GTM virtual servers have the wrong status
912761-1 3-Major   Link throughput statistics are different
911241-7 3-Major   The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
872037-3 3-Major   DNS::header rd does not set the Recursion desired
864797-3 3-Major   Cached results for a record are sent following region modification
847105-1 3-Major   The bigip_gtm.conf is reverted to default after rebooting with license expired
1030881-2 3-Major   [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.
1026621-3 3-Major   DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist
1021417-2 3-Major   Modifying GTM pool members with replace-all-with results in pool members with order 0
1018613-2 3-Major   Modify wideip pools with replace-all-with results pools with same order 0
1012061-2 3-Major   Link Controller auto-discovery does not remove deleted virtual servers
1011285-4 3-Major   The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.
1001101-2 3-Major   Cannot update/display GTM/DNS listener route advertisement correctly
996261-2 4-Minor   Zrd in restart loop with empty named.conf
995369-2 4-Minor   DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
885201-1 4-Minor   BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
1026813-6 4-Minor   LCD IP address is missing from /etc/hosts on iSeries
1014761-3 4-Minor   [GTM][GUI] Not able to enable/disable pool member from pool member property page
1008233-2 4-Minor   The gtm_add command fails but reports no error
985001-4 5-Cosmetic   Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
993613-6 2-Critical   Device fails to request full sync
965229-1 2-Critical   ASM Load hangs after upgrade
956889-1 2-Critical   /var fills up very quickly
912149-6 2-Critical   ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
904593-3 2-Critical   Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
887621-3 2-Critical   ASM virtual server names configuration CRC collision is possible
1012701-1 2-Critical   BD crash on websocket traffic
995889-1 3-Major   Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive
991829-2 3-Major   Continuous connection refused errors in restjavad
985205-3 3-Major   Event Log and Traffic Learning screens fail to load request details
981069-2 3-Major   Reset cause: "Internal error ( requested abort (payload release error))"
974985-1 3-Major   Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
974513-1 3-Major   Dropped requests are reported as blocked in Reporting/charts
966633-1 3-Major   Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies
966613-5 3-Major   Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
965785-1 3-Major   Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
964245-5 3-Major   ASM reports and enforces username always
963485-2 3-Major   Performance issue with data guard
962589-3 3-Major   Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
962493-6 3-Major   Request is not logged
962489-6 3-Major   False positive enforcement of parameters with specific configuration
961509-1 3-Major   ASM blocks WebSocket frames with signature matched but Transparent policy
959965-2 3-Major   Asmlogd stops deleting old protobufs
959957-2 3-Major   Asmlogd stops deleting old protobufs
943441-1 3-Major   Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
932133-5 3-Major   Payloads with large number of elements in XML take a lot of time to process
928717-4 3-Major   [ASM - AWS] - ASU fails to sync
926845-6 3-Major   Inactive ASM policies are deleted upon upgrade
923221-2 3-Major   BD does not use all the CPU cores
921697-2 3-Major   Attack signature updates fail to install with Installation Error.
920149-4 3-Major   Live Update default factory file for Server Technologies cannot be reinstalled
907025-4 3-Major   Live update error" 'Try to reload page'
898825-1 3-Major   Attack signatures are enforced on excluded headers under some conditions
898741-1 3-Major   Missing critical files causes FIPS-140 system to halt upon boot
891181-1 3-Major   Wrong date/time treatment in logs in Turkey/Istambul timezone
890825-1 3-Major   Attack Signatures and Threat Campaigns filter incorrect behaviour
890169-3 3-Major   URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
887265-3 3-Major   BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration
871881-4 3-Major   Apply Policy action is not synchronized after making bulk signature changes
867777-4 3-Major   Remote syslog server cannot parse violation detail buffers as UTF-8.
785873-4 3-Major   ASM should treat 'Authorization: Negotiate TlR' as NTLM
703678-4 3-Major   Cannot add 'secure' attributes to several ASM cookies
1033025-1 3-Major   TMM might crash when unsupported bot iRule is used
1033017-3 3-Major   Policy changes learning mode to automatic after upload and sync
1031461-3 3-Major   Session awareness entries aren't mirrored to both sides of an active-active deployment.
1029989-1 3-Major   CORS : default port of origin header is set 80, even when the protocol in the header is https
1020149-3 3-Major   Bot Defense does not support iOS's WKWebView framework
1017557-2 3-Major   ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
1017261-6 3-Major   Configuraton update triggers from MCP to ASM are ignored
1017153-3 3-Major   Asmlogd suddenly deletes all request log protobuf files and records from the database
1014973-4 3-Major   ASM changed cookie value
1012221-4 3-Major   childInheritanceStatus is not compatible with parentInheritanceStatus
1011093-4 3-Major   Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char.
1010585-5 3-Major   XML profile is created incorrectly from WSDL
1005105-2 3-Major   Requests are missing on traffic event logging
984521-3 4-Minor   Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
974409-3 4-Minor   False Positive "Surfing Without Human Interaction"
957321-2 4-Minor   When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious
950953-2 4-Minor   Browser Challenges update file cannot be installed after upgrade
941625-2 4-Minor   BD sometimes encounters errors related to TS cookie building
938293-1 4-Minor   importing a JSON policy with Application Language "auto-detect" changes to 'utf8' policy
937541-1 4-Minor   Wrong display of signature references in violation details
932893-1 4-Minor   Content profile cannot be updated after redirect from violation details in Request Log
931033-2 4-Minor   Device ID Deletions anomaly might be raised in case of browser/hardware change
915133-2 4-Minor   Single Page Application can break the page, when hooking is done by the end server application.
907997-1 4-Minor   Source Policy Name instead of Current Policy used in Restore Policy Version
906737-4 4-Minor   Error message: 'templates/' is not a directory
905669-1 4-Minor   CSRF token expired message for AJAX calls is displayed incorrectly
893905-1 4-Minor   Wrong redirect from Charts to Requests Log when request status selected in filter
887625-4 4-Minor   Note should be bold back, not red
882729-4 4-Minor   Applied Blocking Masks discrepancy between local/remote event log
807569-4 4-Minor   Requests fail to load when backend server overrides request cookies and Bot Defense is used
746984-6 4-Minor   False positive evasion violation
1026277-1 4-Minor   Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled
1021637-3 4-Minor   In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
1017149-2 4-Minor   User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs
1016033-1 4-Minor   Remote logging of WS/WSS shows date_time equal to Unix epoch start time
1005309-3 4-Minor   Additional Tcl variables showing information from the AntiBot Mobile SDK
1005181-3 4-Minor   Bot Defense Logs indicate the mobile debugger is used even when it is not
908173-1 5-Cosmetic   Empty fields are shown in the policy version history
1011045-2 5-Cosmetic   GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode.


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
932189-2 3-Major   Incorrect BD Swap Size units on ASM Resources chart
932137-6 3-Major   AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
922105-2 3-Major   Avrd core when connection to BIG-IQ data collection device is not available
909161-2 3-Major   A core file is generated upon avrd process restart or stop
898333-1 3-Major   Unable to collect statistics from BIG-IP system after BIG-IQ restart
830073-6 3-Major   AVRD may core when restarting due to data collection device connection timeout
808801-5 3-Major   AVRD crash when configured to send data externally
787677-6 3-Major   AVRD stays at 100% CPU constantly on some systems
697421-4 3-Major   Monpd core when trying to restart
950305-1 4-Minor   Analytics data not displayed for Pool Names
948113-2 4-Minor   User-defined report scheduling fails
915005-2 4-Minor   AVR core files have unclear names
910777-2 4-Minor   Sending ASM report via AWS SES failed duo to wrong content type
930217-2 5-Cosmetic   Zone colors in ASM swap usage graph are incorrect


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
995029-6 2-Critical   Configuration is not updated during auto-discovery
971065-1 2-Critical   Using ACCESS::log iRule command in RULE_INIT event makes TMM crash
965777-1 2-Critical   Per-request policy authentication becomes unresponsive
904441-1 2-Critical   APM vs_score for GTM-APM load balancing is not calculated correctly
860617-4 2-Critical   Radius sever pool without attaching the load balancing algorithm will result into core
1024029-1 2-Critical   TMM may crash when processing traffic with per-session APM Access Policy
1006893-3 2-Critical   Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
997761-1 3-Major   Subsessionlist entries leak if there is no RADIUS accounting agent in policy
984765-3 3-Major   APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)
978649 3-Major   Citrix Connection fails with Dell Wyse Client on 16.0.0.1
976501-1 3-Major   Failed to establish VPN connection
965837-3 3-Major   When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
956645-3 3-Major   Per-request policy execution may timeout.
949477-3 3-Major   NTLM RPC exception: Failed to verify checksum of the packet
949105-1 3-Major   Error log seen on Category Lookup SNI requests for same connection
942729-1 3-Major   Export of big Access Policy config from GUI can fail
932213-3 3-Major   Local user db not synced to standby device when it is comes online after forced offline state
924697-1 3-Major   VDI data plane performance degraded during frequent session statistic updates
924521-4 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
907873-1 3-Major   Authentication tab is missing in VPE for RDG-RAP Access Policy type
903573-2 3-Major   AD group cache query performance
896125-1 3-Major   Reuse Windows Logon Credentials feature does not work with modern access policies
894885-4 3-Major   [SAML] SSO crash while processing client SSL request
891613-2 3-Major   RDP resource with user-defined address cannot be launched from webtop with modern customization
883577-5 3-Major   ACCESS::session irule command does not work in HTTP_RESPONSE event
842149-3 3-Major   Verified Accept for SSL Orchestrator
827393-3 3-Major   In rare cases tmm crash is observed when using APM as RDG proxy.
788473-4 3-Major   Email sent from APM is not readable in some languages
752077-3 3-Major   Kerberos replay cache leaks file descriptors
744316-7 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
738865-7 3-Major   MCPD might enter into loop during APM config validation
738547-5 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
680855-5 3-Major   Safari 11 sometimes start more than one session
597955-4 3-Major   APM can generate seemingly spurious error log messages
578989-12 3-Major   Maximum request body size is limited to 25 MB
1022493-3 3-Major   Slow file descriptor leak in urldbmgrd (sockets open over time)
1013729-1 3-Major   Changing User login password using VMware View Horizon client results in “HTTP error 500”
1001041-5 3-Major   Reset cause 'Illegal argument'
958201 4-Minor   'Restrict to Single Client IP' option is missing in VMware iApp.
944093-1 4-Minor   Maximum remaining session's time on user's webtop can flip/flop
943033-1 4-Minor   APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression
867705-5 4-Minor   URL for IFRAME element may not be normalized in some cases
866953 4-Minor   Portal Access: F5_Inflate_onclick wrapper functionality needs refining
860041 4-Minor   Portal Access: 5_Deflate_removeEventListener wrapper need to be added
848217 4-Minor   Portal Access: default port encoded in rewritten url, need to be removed from host header in request to backend
840257 4-Minor   Portal Access: HTML iframe sandbox attribute is not supported
840249 4-Minor   With BIG-IP as a SAML IdP, important diagnostic information is not logged
712542 4-Minor   Network Access client caches the response for /pre/config.php
707294-5 4-Minor   When BIG-IP as OAuth AS has missing OAuth Profile in the Access profile, the error log is not clear
636866-1 4-Minor   Access Policy with a secure attribute object can fail at runtime for users, if admins perform AP export/import at the same time
1022973-1 4-Minor   Sessiondb entries related to Oauth module not cleaned up in certain conditions
1004077-3 4-Minor   When configuring from VPE, audit logs from mcp records the user as admin, even if done by another user


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
941961-1 3-Major   Upgrading system using WAM TCP profiles may prevent the configuration from loading


Wan Optimization Manager Issues

ID Number Severity Solution Article(s) Description
863601-4 2-Critical   Panic in TMM due to internal mirroring interactions


Service Provider Issues

ID Number Severity Solution Article(s) Description
993913-3 2-Critical   TMM SIGSEGV core in Message Routing Framework
901033-4 2-Critical   TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
1012533-2 2-Critical   `HTTP2::disable serverside` can cause cores
1007821-2 2-Critical   SIP message routing may cause tmm crash
1007113-2 2-Critical   Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
1007109-2 2-Critical   Flowmap entry is deleted before updating its timeout to INDEFINITE
996113-3 3-Major   SIP messages with unbalanced escaped quotes in headers are dropped
921441-3 3-Major   MR_INGRESS iRules that change diameter messages corrupt diam_msg
917637-4 3-Major   Tmm crash with ICAP filter
911141-2 3-Major   GTP v1 APN is not decoded/encoded properly
908477-1 3-Major   Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
895801-1 3-Major   Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
753501-6 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
749528-7 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
748355-6 3-Major   MRF SIP curr_pending_calls statistic can show negative values.
1008169-2 3-Major   BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP
919301-2 4-Minor   GTP::ie count does not work with -message option
913413-2 4-Minor   'GTP::header extension count' iRule command returns 0
1003633-2 4-Minor   There might be wrong memory handling when message routing feature is used


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
965897-1 2-Critical   Disruption of mcpd with a segmentation fault during config sync
964989-3 2-Critical   AFM DOS half-open does not handle wildcard virtual servers properly.
995433-2 3-Major   IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
993269-2 3-Major   DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
990461-4 3-Major   Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade
988761-2 3-Major   Cannot create Protected Object in GUI
987637-1 3-Major   DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
987605-1 3-Major   DDoS: ICMP attacks are not hardware-mitigated
987133-3 3-Major   Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.
980593-2 3-Major   LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table
977153-2 3-Major   Packet with routing header IPv6 as next header in IP layer fails to be forwarded
968953-2 3-Major   Unnecessary authorization header added in the response for an IP intelligence feed list request
964625-4 3-Major   Improper processing of firewall-rule metadata
959609-2 3-Major   Autodiscd daemon keeps crashing
953425-4 3-Major   Hardware syncookie mode not cleared when changing dos-device-vector enforcement
937749-1 3-Major   The 'total port blocks' value for NAT stats is limited to 64 bits of range
935769-4 3-Major   Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
926549-2 3-Major   AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'
918905-1 3-Major   PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
915221-5 3-Major   DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
905153-3 3-Major   HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational
857897-3 3-Major   Address and port lists are not searchable within the GUI
818705-3 3-Major   afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%)
757279-4 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
1022613-2 3-Major   Cannot modify Security "global-network" Logging Profile
1019453-2 3-Major   Core generated for autodosd daemon when synchronization process is terminated
1012581-2 3-Major   Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
1012413-2 3-Major   Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled
1003397-2 3-Major   DoS TCP SYN-ACK vector with 'suspicious' set to true impacts MD5 AUTH (BGP) functionality
981145-2 4-Minor   DoS events do not include the attack name for "tcp syn ack flood"
967245-2 4-Minor   Incorrect SPVA counter incremented during Sweep attack on profile
942665-1 4-Minor   Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors
935865-6 4-Minor   Rules that share the same name return invalid JSON via REST API
928177-3 4-Minor   Syn-cookies might get enabled when performing multiple software upgrades.
926425-2 4-Minor   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
920361-1 4-Minor   Standby device name sent in Traffic Statistics syslog/Splunk messages
885373-3 4-Minor   Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
760355-5 4-Minor   Firewall rule to block ICMP/DHCP from 'required' to 'default'
1003377-2 4-Minor   Disabling DoS TCP SYN-ACK does not clear suspicious event count option
987345-2 5-Cosmetic   Disabling periodic-refresh-log has no effect
906885-2 5-Cosmetic   Spelling mistake on AFM GUI Flow Inspector screen


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
829657-4 2-Critical   Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
956013-2 3-Major   System reports{{validation_errors}}
941169-5 3-Major   Subscriber Management is not working properly with IPv6 prefix flows.
924589-5 3-Major   PEM ephemeral listeners with source-address-translation may not count subscriber data
1020041-5 3-Major   "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
1015501-2 3-Major   Changes to DHCP Profile are not used by tmm
911585-4 4-Minor   PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
981689-3 2-Critical   TMM memory leak with IPsec ALG
1019613-4 2-Critical   Unknown subscriber in PBA deployment may cause CPU spike


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
905621-1 2-Critical   Incorrect interaction between DataSafe credential protection and modern customization Logon Page
1016481-2 3-Major   Special JSON characters in Dom Signatures breaks configuration


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
923125-3 3-Major   Huge amount of admd processes caused oom
1010717-2 3-Major   Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
913453-6 2-Critical   URL Categorization: wr_urldbd cores while processing urlcat-query
893721-3 2-Critical   PEM-provisioned systems may suffer random tmm crashes after upgrading
887609-6 2-Critical   TMM crash when updating urldb blacklist
958085-4 3-Major   IM installation fails with error: Spec file not found
974205-4 4-Minor   Unconstrained wr_urldbd size causing box to OOM
941773-2 4-Minor   Video resolution mis-prediction
941765-2 4-Minor   Video resolution mis-predictions
776285-2 4-Minor   No stats returned for 'ltm classification stats urlcat-cloud' component at system startup


Device Management Issues

ID Number Severity Solution Article(s) Description
942521-6 3-Major   Certificate Managers are unable to move certificates to BIG-IP via REST
929213-4 3-Major   iAppLX packages not rolled forward after BIG-IP upgrade
717174-4 3-Major   WebUI shows error: Error getting auth token from login provider


iApp Technology Issues

ID Number Severity Solution Article(s) Description
974193-1 3-Major   Error when trying to create a new f5.vmware_view.v1.5.9 iApp
946185-2 3-Major   Unable to view iApp component due to error 'An error has occurred while trying to process your request.'
818069-7 3-Major   GUI hangs when iApp produces error message


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
778225-4 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
935825-1 4-Minor   Cannot update_indexes/checkpoint DB object
760740-4 4-Minor   Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running


Guided Configuration Issues

ID Number Severity Solution Article(s) Description
960133 1-Blocking   AGC 8.0 installation failure


In-tmm monitors Issues

ID Number Severity Solution Article(s) Description
944121-5 3-Major   Missing SNI information when using non-default domain https monitor running in tmm mode
1016973-2 3-Major   Invalid send strings for in-TMM HTTP monitors cause monitor probes to not be sent, and nothing is logged to indicate why
1002345-3 3-Major   Transparent DNS monitor does not work after upgrade
822245-1 4-Minor   Large number of in-TMM monitors results in some monitors being marked down
788257-3 4-Minor   Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart

 

Known Issue details for BIG-IP v16.0.x

999881-5 : Tcl command 'string first' not working if payload contains Unicode characters.

Component: Local Traffic Manager

Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.

Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.

Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.

Workaround:
You can use any of the following workarounds:

-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex


999709-5 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.

Component: Local Traffic Manager

Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.

Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
-- HTTP/2 Message Routing is disabled.

Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.


999097-2 : SSL::profile may select profile with outdated configuration

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the VIP, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.


998957-2 : Mcpd consumes excessive CPU while collecting stats.

Component: TMOS

Symptoms:
Mcpd CPU utilization is 100%.

Conditions:
This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected.

Impact:
CPU utilization by mcpd is excessive.

Workaround:
None


998945-1 : Load sys config is failing with OOM in MCPD processing

Component: TMOS

Symptoms:
While loading a large config on BIG-IP, mcpd runs at high CPU for a while, then is killed by the OOM killer when MCPD starts increasing rapidly in size.

Conditions:
-- Licensed and provisioned modules: LTM+APM+AFM
-- large number of virtual servers configured and executing "load sys config".

Impact:
Config load fails with std::badalloc with OOM.


998649-4 : Log hostname should be consistent when it contains ' . '

Component: TMOS

Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.

Conditions:
-- Hostname contains a period
-- Viewing log files emitted from journald and from syslog-ng

Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.

Workaround:
None.


998253-3 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled

Component: Local Traffic Manager

Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.

Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic

Impact:
The HTTPS client-server handshake occurs without a TLS SNI.

Workaround:
None


997793-4 : Error log: Failed to reset strict operations; disconnecting from mcpd

Component: TMOS

Symptoms:
After rebooting the device you are unable to access the GUI. When checking the ltm logs in the SSH / console, it repeatedly prompts an error:

Failed to reset strict operations; disconnecting from mcpd.

Conditions:
Previous EPSEC packages that are still residing on the system from old BIG-IP versions is installing upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart'

Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.

Workaround:
1. Stop the overdog daemon first by issuing the command:
   systemctl stop overdog

2. Restart all services by issuing the command:
   bigstart restart

3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.


997761-1 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy

Component: Access Policy Manager

Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions, use cases such as API protection, the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.

Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.

Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None


997561-4 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None


997541-4 : Round-robin Disaggregator for hardware and software

Component: TMOS

Symptoms:
GRE tunnel traffic is pinned to one CPU.

Conditions:
GRE traffic is passed through BIG-IP system.

Impact:
Traffic is pinned to one CPU and overall performance is degraded.

Workaround:
None


997313-1 : Unable to create APM policies in a sync-only folder

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

--Do not create APM policies in a sync-only folder.

--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config


996649-5 : Improper handling of DHCP flows leading to orphaned server-side connections

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.


996261-2 : Zrd in restart loop with empty named.conf

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd

Conditions:
This occurs when /var/named/config/named.conf is empty.

Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.

Workaround:
Restore content to the named.conf file.


996113-3 : SIP messages with unbalanced escaped quotes in headers are dropped

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None


996001-4 : AVR Inspection Dashboard 'Last Month' does not show all data points

Component: TMOS

Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None


995889-1 : Username/Password JSON elements of login page detected as case sensitive when the policy is configured as case insensitive

Component: Application Security Manager

Symptoms:
A JSON element of a page behaves in a case-sensitive manner even if the policy is configured as case insensitive.

Conditions:
- Using JSON in a page
- Authentication type is json/ajax
- The policy is configured case-insensitive
- JSON element seen in a request has uppercase letter(s)

Impact:
Case-insensitive configuration fails to detect uppercase JSON elements in a page. This may cause, for example, brute force protection to not trigger.

Workaround:
None


995433-2 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPV6 addresses in PPTP logs are truncated.

Workaround:
None


995369-2 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm

Component: Global Traffic Manager (DNS)

Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.

Conditions:
DNSSEC keys are generated with manual key management method.

Impact:
You are unable to create DNSSEC keys with other algorithms.

Workaround:
Choose automatic key management method.


995097-2 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.

Component: TMOS

Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.

For instance, after reloading the configuration, the following section:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}

Becomes:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}

This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.

Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.

The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).

Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.

The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.

As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.

Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.

Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.

For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:

# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config

On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:

bigstart restart dhclient dhclient6

Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.


995029-6 : Configuration is not updated during auto-discovery

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.


994969-1 : Possible installation failure with three software volumes on a BIG-IP system

Component: TMOS

Symptoms:
When you attempt to create a third software volume (slot) on a BIG-IP device, a 'disk full' error occurs:

HD1.3 BIG-IP 16.1.0 0.0.1481 no failed (Disk full (volume group). See SOL#10636) yes

Conditions:
-- Using iSeries platforms.

-- Attempt to install certain BIG-IP software versions on a third installation volume on a BIG-IP device.

Impact:
Installation to the third volume fails with a disk full error.

Workaround:
You can work around this issue by reducing the dat.appdata volume size. For instructions on how to do so, see K74200262: Reducing the size of the appdata volume with the lvreduce utility ::
https://support.f5.com/csp/article/K74200262


Notes
======
-- Depending on which software versions exist, installation might succeed, or it might fail; e.g., these existing configuration succeed:

  - v12.1.2 + v16.0.0 + v16.1.0
  - v15.1.3 + v16.0.0 + v16.1.0

-- Even though v15.1.3 and 16.0.x have a smaller footprint, if there are two 16.1.0 installation locations, the third volume installation/upgrade does not succeed.

-- You can avoid the issue completely formatting the system while you install (i.e., using 'image2disk --format=volumes').

Important: Make sure to back up your configuration before formatting the system.


994365-2 : Inconsistency in tmsh 'object mode' for some configurations

Component: TMOS

Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available.

Conditions:
Modify node config results in error, even though the config is present.

# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4

# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
      Data Input Error: node "example" not found

The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"

Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.

Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.


994305-2 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.


994221-2 : ZoneRunner returns error 'Resolver returned no such record'

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.

Conditions:
When trying to retrieve TXT records with single backslash.

Impact:
Not able to manage TXT record.

Workaround:
Use double backslashes to retrieve TXT records.


993921-3 : TMM SIGSEGV

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use 'pool XXXX member XXXX' iRule command.


993913-3 : TMM SIGSEGV core in Message Routing Framework

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


993613-6 : Device fails to request full sync

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.


993517-2 : Loading an upgraded config can result in a file object error in some cases

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.


993269-2 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option

Component: Advanced Firewall Manager

Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.

DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.

Conditions:
-- DoS timestamp cookies are enabled, and either of the following:

-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.

Impact:
Traffic is dropped due to incorrect timestamps.

Workaround:
Disable timestamp cookies on the affected VLAN.


992813-1 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.

Component: TMOS

Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.

As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.

For example, you may be returned the following error when attempting to supersede the domain-search option:

01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search

Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.

Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.

Impact:
You are unable to instantiate the desired management-dhcp configuration.

Workaround:
None


992449-2 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI

Component: TMOS

Symptoms:
The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest.

Conditions:
-- vCMP Host on VIPRION platforms with multiple blades.
-- vCMP guest spanning two or more blades.

Impact:
Incorrect number of cores listed.

-- The vCMP :: Guest List page shows all cores for all slots.
-- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot.

Workaround:
View the Guest List page to see a graphical representation of the number of cores per guest.


992253-3 : Cannot specify IPv6 management IP addresses using GUI

Component: TMOS

Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty.

Conditions:
Attempt to set up IPv6 management address using the GUI

Impact:
You are unable to configure IPv6 management addresses using the GUI.

Workaround:
Use tmsh:

tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>


992241-2 : Unable to change initial admin password from GUI after root password change

Component: TMOS

Symptoms:
While trying to change the admin password from GUI, an error occurs:
-- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time.

-- Navigate to the GUI and attempt to update the admin password.

Impact:
GUI password change fails.

Workaround:
You can use either of the following workarounds:

-- Change the password admin via the GUI before changing the root admin via ssh.

-- After changing the root password, use tmsh to set the admin password using the command:

modify auth user admin password.


992097-3 : Incorrect hostname is seen in logging files

Component: TMOS

Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".

Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.

Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.

Workaround:
None


992053-3 : Pva_stats for server side connections do not update for redirected flows

Component: TMOS

Symptoms:
Pva_stats for server side connections do not update for the re-directed flows

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None


991829-2 : Continuous connection refused errors in restjavad

Component: Application Security Manager

Symptoms:
Continuous connection refused errors observed in restjavad.

[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)

[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexptected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)

Conditions:
The errors are observed regardless of asm provisioning

Impact:
This causes noisy log file of restjavad.

Workaround:
None


991501-4 : Pool members with HTTPS monitor may be incorrectly marked down.

Component: Local Traffic Manager

Symptoms:
A pool with an HTTPS monitor may have its members marked down due to the monitor not being able to find a matching cipher for the SSL connection. This occurs when the @STRENGTH keyword is provided in the cipher suites list in the server SSL profile used by the HTTPS monitor, because bigd does not handle this keyword correctly.

Conditions:
Problem is observed when all conditions listed below are met:
- The db variable bigd.tmm set to disable (default setting).
- Pool is using an HTTPS monitor.
- The HTTPS monitor uses a custom server SSL profile.
- The server SSL profile uses a cipher string with @STRENGTH keyword.

Impact:
Pool members are wrongly marked down, preventing them from handling incoming traffic.

Workaround:
1. Select the cipher group instead of cipher suites in the server SSL profile.
2. Manually enter the ciphers in the desired order.


991265-4 : Persistence entries point to the wrong servers for longer periods of time

Component: Local Traffic Manager

Symptoms:
Persistence entries point to the wrong servers for a longer than expected.

Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.

Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.

This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.

Workaround:
None.


990929-1 : Status of GTM monitor instance is constantly flapping

Component: Global Traffic Manager (DNS)

Symptoms:
Status of GTM monitor instance is constantly flapping.

Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.

Impact:
Resources are marked offline constantly.

Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.


990853-2 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.

Component: TMOS

Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:

-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.

Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.

Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.

Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.


990461-4 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.


990173-2 : Dynconfd repeatedly sends the same mcp message to mcpd

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.

This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.


989517-1 : Acceleration section of virtual server page not available in DHD

Component: TMOS

Symptoms:
The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed.

Conditions:
The acceleration section is not visible in case "Dos" is provisioned

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH


988761-2 : Cannot create Protected Object in GUI

Component: Advanced Firewall Manager

Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step

Conditions:
This occurs in normal operation

Impact:
Cannot create Protected Objects using the GUI

Workaround:
Use tmsh to create Protected Objects


987885-5 : Half-open unclean SSL termination might not close the connection properly

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.


987709-5 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load with errors similar to this:

01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed

Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.

Impact:
Gtm config fails to load.

Workaround:
Create the wide IP first and then add the static target CNAME pool member.


987637-1 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None


987605-1 : DDoS: ICMP attacks are not hardware-mitigated

Component: Advanced Firewall Manager

Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.

Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.

Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.

Workaround:
None


987401-3 : Increased TMM memory usage on standby unit after pool flap

Component: Local Traffic Manager

Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.

Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.

Impact:
The standby device may not be able to take over traffic when failover happens.

Workaround:
None.


987345-2 : Disabling periodic-refresh-log has no effect

Component: Advanced Firewall Manager

Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:

info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".

Conditions:
PBA periodic-refresh-log set to '0'.

Impact:
System provides unnecessary, excessive logging.

Workaround:
None


987133-3 : Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests if the dns-qdcount-limit vector is enabled.

Conditions:
-- The client sends a DNS request to NON-EDNS capable server.
-- The server replies with RCODE FORMERR and no DNS data.
-- The dns-qdcount-limit vector is enabled.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server

Workaround:
Disable dns-qdcount-limit vector:

security dos device-config /Common/dos-device-config {
    dos-device-vector {
        dns-nxdomain-query {
            state disabled
        }
    }
}


987081-2 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared

Component: TMOS

Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.

When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).

However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.

Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.

Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.

Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.

For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"

Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.


987077-2 : TLS1.3 with client authentication handshake failure

Component: Local Traffic Manager

Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OSCP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
A handshake failure occurs.

Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.


985953-4 : GRE Transparent Ethernet Bridging inner MAC overwrite

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None


985925-2 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Component: Local Traffic Manager

Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.

Workaround:
None


985749-2 : TCP exponential backoff algorithm does not comply with RFC 6298

Component: Local Traffic Manager

Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.

Conditions:
Using TCP.

Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.

Workaround:
None


985537-4 : Upgrade Microsoft Hyper-V driver

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.

When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.

Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.

Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.

Workaround:
None.


985433-1 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.

Component: Local Traffic Manager

Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.

Conditions:
--- Standard virtual server with the TCP and HTTP profiles.

--- The HTTP profile is configured to insert the X-Forwarded-For header.

--- The client supplies an empty X-Forwarded-For header in the HTTP request.

Impact:
Affected client connections are reset, leading to application failures.

Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:

when HTTP_REQUEST {
   HTTP::header replace X-Forwarded-For [IP::remote_addr]
}


985401-2 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached

Component: Local Traffic Manager

Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error:

A validation error similar to:

01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).

Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.

Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.

Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.


985205-3 : Event Log and Traffic Learning screens fail to load request details

Component: Application Security Manager

Symptoms:
Event Log and Traffic Learning screens get stuck with loading animation. and request details are not displayed.

Conditions:
This problem might be introduced during upgrading, so you see the symptom with the post-upgrade version (boot location).

Impact:
Event Log and Traffic Learning screens do not function as expected.

Workaround:
You can manually trigger populating missing items in the database to recover from the problem.

1. When this problem occurs, you see all or some of rows have no value in the following output:

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+-----------+
| rest_uuid |
+-----------+
| |
| |
| |
...snip...

2. Trigger populating those missing values:

# perl -MF5::ASMConfig::Entity::Base -MF5::DbUtils -MF5::Utils::Rest -e 'F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh())'

3. Verify those values are indeed populated"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+------------------------+
| rest_uuid |
+------------------------+
| -GXGw7y7XeOe4EYDgpXA9g |
| -wRSIageblaImzwhL3Pobw |
| 0GtnXx4yBFSqaB7STLh1tA |
...snip...

4. You might need to restart this daemon to make the changes take effect.
 
# pkill -f asm_config_server

5. Wait 30 seconds.

NOTE: None of these steps have any impact on traffic. The last step halts ASM control plane functionality for 30 seconds or so. During that time you lose access to the ASM part of GUI, cannot change the ASM configuration, and cannot perform config-sync operations.


985001-4 : Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition

Component: Global Traffic Manager (DNS)

Symptoms:
Taiwan, Hong Kong, and Macau are defined as countries in DNS/GTM Topology definition.

Conditions:
In GUI screen, under GSLB/Topology/Records and GSLB/Topology/Regions, 'Country' field can be used to specify Taiwan, Hong Kong, and Macau.

Impact:
Taiwan, Hong Kong, and Macau can be configured as countries in GSLB/Topology screens.

Workaround:
Change 'Country' label to 'Country/Location' and the 'Country/State' label to 'Country/Location/State'.


984897-2 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.

Component: Local Traffic Manager

Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.

Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.

Conditions:
A virtual server configured to perform SSL connection mirroring.

Impact:
Should the units fail over, some connections may not survive as expected.

Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.

Workaround:
None.


984765-3 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.


984585-2 : IP Reputation option not shown in GUI.

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.


984521-3 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name

Component: Application Security Manager

Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).

In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).

Conditions:
-- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.).

Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.

Workaround:
Add this specific URL to sys db:

dosl7.parse_html_excluded_urls


983021-1 : Tmsh does not correctly handle the app-service for data-group records

Component: TMOS

Symptoms:
-- The guishell shows the app_id as the default application for the folder /Common/example_app.app and not what was specified, which was 'none'.

-- If the record has an app_id configured, the output of tmsh list data-group should list the app-service.

Conditions:
Create an application service using tmsh.

Impact:
-- Unable to properly manage the lifecycle of data-group records created via an iApp.

-- Unable to update data-group records at all via iControl REST, because the entire set of records must be managed altogether, and strict-updates prevents the existing records from being modified.

-- Inconsistent behavior across a save-and-load operation.

(The app-service is not serialized to the configuration, so after save and load, the app-service is dropped from the data-group records.)

Workaround:
After every iApp template deploy/update, run the following command:

tmsh save sys config && tmsh load sys config


982993-5 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail

Component: Local Traffic Manager

Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.

Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.

Impact:
Monitor status remains DOWN.

Workaround:
Consider monitoring the actual target.


982361-2 : SNAT on wildcard virtual server does not work

Component: Global Traffic Manager (DNS)

Symptoms:
SNAT on wildcard virtual server does not work.

Conditions:
Wildcard DNS virtual server with SNAT enabled.

Impact:
SNAT does not work on DNS cache resolver.

Workaround:
None.


981689-3 : TMM memory leak with IPsec ALG

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None


981485-5 : Neurond enters a restart loop after FPGA update.

Component: TMOS

Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.

When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond

Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.

Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.

Workaround:
Perform a full system restart.


981145-2 : DoS events do not include the attack name for "tcp syn ack flood"

Component: Advanced Firewall Manager

Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.

Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.

Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.

Workaround:
None.


981069-2 : Reset cause: "Internal error ( requested abort (payload release error))"

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}


980617-2 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles

Component: Local Traffic Manager

Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.

Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured

Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.

Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.


980593-2 : LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table

Component: Advanced Firewall Manager

Symptoms:
LSN logging stats are always 0 (zero) for log_attempts and log_failures in tmctl table fw_lsn_log_stat if lsn_legacy_mode is set as disabled.

Conditions:
The lsn_legacy_mode value is disabled.

Impact:
The log_attempts and log_failures are always 0 in tmctl table fw_lsn_log_stat.

Workaround:
None


980325-6 : Chmand core due to memory leak from dossier requests.

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.


979045-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms

Component: TMOS

Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.

Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
   - ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
   - i11600 / i11800
   - i11400-DS / i11600-DS / i11800-DS

Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.

Workaround:
None.


978649 : Citrix Connection fails with Dell Wyse Client on 16.0.0.1

Component: Access Policy Manager

Symptoms:
On 16.0.0.1, Wyse clients fail to connect to Citrix Virtual Desktop Interface (VDI).

Conditions:
- Configure Citrix VDI.
- Connect to virtual server from Dell Wyse client.

Impact:
The client cannot connect and the following error is seen in apm log file:

server-side connection was reset, reason: iRule execution error


977625-2 : GTM persistence records linger in tmm

Component: Global Traffic Manager (DNS)

Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command.

Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards

Impact:
GTM answers from stale persist records.

Workaround:
Do not enable persistence right after disabling.


977153-2 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.


976669-1 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/


976525-4 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.


976517-3 : Tmsh run sys failover standby with a device specified but no traffic group fails

Component: TMOS

Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:

Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).

Conditions:
Two or more BIG-IPs configured with high availability (HA)

Impact:
You are required to specify all the traffic groups you want to failover to a peer.

Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.

For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1

tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2

If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):

tmsh run /sys failover standby


976501-1 : Failed to establish VPN connection

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.


976101-3 : TMM crash after deleting an interface from a virtual wire vlan

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual wire enabled
-- Delete an interface from the virtual wire vlan.

Impact:
Traffic disrupted while tmm restarts.


976013-5 : If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards

Component: TMOS

Symptoms:
A disabled interface is not getting enabled.

Conditions:
-- An interface is disabled
-- bcm56xxd is restarted

Impact:
The interface remains on disable state and no traffic passes via that interface.

Workaround:
Restart bcm56xxd again.


975725-4 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast

Component: Local Traffic Manager

Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.

Conditions:
Wildcard virtual server is configured to handle such traffic.

Impact:
Traffic will not be forwarded properly.

Workaround:
Use specific non-wildcard virtual-server.


974985-1 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable

Component: Application Security Manager

Symptoms:
Non http traffic isn't forwarded to the backend server

Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}

Impact:
Broken webapps with non-http traffic

Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>


974513-1 : Dropped requests are reported as blocked in Reporting/charts

Component: Application Security Manager

Symptoms:
Dropped requests are reported as blocked in Reporting/charts.

Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.

Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.

Workaround:
None.


974501-2 : Excessive memory usage by mirroring subsystem when remirroring

Component: Local Traffic Manager

Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)

In severe cases, tmm might restart and generate a core file due to an out of memory condition.

Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.

Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.


974409-3 : False Positive "Surfing Without Human Interaction"

Component: Application Security Manager

Symptoms:
When using Bot Defense profile, and an application contains many HTML pages which are not qualified (not even accept: text/html), a "Surfing Without Human Interaction" anomaly is mis-counted and falsely raised.

Conditions:
-- Bot Defense Profile is attached to a virtual server.
-- The application contains many HTML pages which can be detected as such from the request.

Impact:
Real clients might or might not be blocked, it depends on the environment.

Workaround:
None.


974241-2 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Component: TMOS

Symptoms:
Mcpd exists with error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.


974225-1 : Link Status traps are not issued on VE based BIG-IP systems

Component: TMOS

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown are issued on the BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On BIG-IP Virtual Edition, logs are emitted but traps do not occur.

An SNMP client waiting for a Link Status trap on an administrator to enable or disable then, does not receive the trap.

Workaround:
None.


974205-4 : Unconstrained wr_urldbd size causing box to OOM

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd


974193-1 : Error when trying to create a new f5.vmware_view.v1.5.9 iApp

Component: iApp Technology

Symptoms:
Error when trying to create a f5.vmware_view.v1.5.9 iApp

Configuration Warning: New virtual address (/Common/10.10.10.10) used by server with access profile attached has traffic group (/Common/traffic-group-1) that is different from existing one (/Common/traffic-group-exchange). Change it to the existing one

Conditions:
-- Create a new f5.vmware_view.v1.5.9 iApp
-- iApp uses a traffic group other than the default traffic-group-1

Impact:
Unable to create new f5.vmware_view.v1.5.9 iApp

Workaround:
None.


972785-7 : Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP

Component: TMOS

Symptoms:
While creating a virtual server using iControl SOAP you get an error:

error_string : 0107004d:3: Virtual address (/VPN_WEB_01/0.0.0.0%201) encodes IP address (0.0.0.0%201) which differs from supplied IP address field (10.10.10.50%201).'

Conditions:
-- Using iControl SOAP to create a virtual server.
-- The virtual server is assigned to a partition that uses a non-default route domain.

Impact:
Unable to create the virtual server with the iControl SOAP command.

Workaround:
First create the virtual server with a default Virtual Address ('0.0.0.0'). and then update the virtual address with the desired address.

Example:
ltm.LocalLB.VirtualServer.create([{'name': 'vs_test_9095', 'address': '0.0.0.0', 'port': 9090, 'protocol': 'PROTOCOL_TCP'}], ['255.255.255.255'], [{'type': 'RESOURCE_TYPE_POOL'}], [[{'profile_context': 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name': 'fastL4'}]])
ltm.LocalLB.VirtualServer.set_destination_v2(['vs_test_9095'],[{'address': '10.10.10.50', 'port': 9090}])


971217-1 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Component: Local Traffic Manager

Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.

-- Client sends HTTP POST request with Content-Length:0

Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".

Workaround:
None.


971065-1 : Using ACCESS::log iRule command in RULE_INIT event makes TMM crash

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
- APM is provisioned.
- ACCESS::log command is invoked in RULE_INIT iRule event handler.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using ACCESS::log in the RULE_INIT event.


969737-3 : Snmp requests not answered if V2 traps are configured

Component: TMOS

Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.

Conditions:
V2 traps are configured, for example:

tmsh modify sys snmp v2-traps add { ...

Impact:
SNMP external requests fail

Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration


969637-1 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.


969329-3 : Dashboard: Chart title/legend 'Control Plane' needs to be modified within dashboard of BIG-IP

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) uses a virtualized core, so there is no hyper-threading. This means the data plane and control plane share a single CPU core. However, the Dashboard allows you to select CPU data for 'Control Plane' beside System Average.

Conditions:
View GUI Dashboard on BIG-IP VE or HTsplit-disabled appliances.

Impact:
Dashboard chart title creates confusion.

Workaround:
None.


969105-3 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION
-- HA failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based HA failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.


968953-2 : Unnecessary authorization header added in the response for an IP intelligence feed list request

Component: Advanced Firewall Manager

Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.

Conditions:
Feed list configured without username/password pair.

Impact:
Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact.

Workaround:
None.


968949-6 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile

Component: Local Traffic Manager

Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection.

Conditions:
- Virtual server configured with a TCP profile and network listener.

Impact:
Client-side connections timeout prematurely.
As a result, the server-side connections end up being open indefinitely.

Workaround:
No workaround currently known.


968929-1 : TMM may crash when resetting a connection on an APM virtual server

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- HTTP profile without fallback host.
- iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.


968581-1 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.


967737-1 : DNS Express: SOA stops showing up in statistics from second zone transfer

Component: Global Traffic Manager (DNS)

Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.

Conditions:
The issue appears after the 2nd zone transfer.

Impact:
This is a cosmetic issue without any actual impact.

Workaround:
None


967573-1 : Qkview generation from Configuration Utility fails

Component: TMOS

Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.

Conditions:
Trying to generate a Qkview using the Configuration Utility.

Impact:
The Configuration Utility cannot be used to generate a qkview.

Workaround:
Use the qkview command to generate a qkview from the command line.


967425-1 : mcp error: 0x1020036 at ../mcp/db_pool.c:461

Component: Local Traffic Manager

Symptoms:
After a node has been 'moved' / renamed, modification of objects referencing the node may result in a database error and issues with the intended action.

In particular, when a node which is associated with a pool is moved, it will appears to be successful, however, after modifying the session / user status, it will result in an error.:
mcp error: 0x1020036 at ../mcp/db_pool.c:461

Conditions:
In particular, when a node which is associated with a pool is moved, it will appears as successful, however, after modifying the session / user status, it will result in a DB error.

Impact:
A after modifying the pool, an error will be logged.

Connections will continue to be accepted despite all members in the pool being down/disabled.


967353-2 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.

Component: Local Traffic Manager

Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.

Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.

Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.

Workaround:
None


967249-1 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.

Conditions:
- A BIG-IP system running more than 1 TMM instance.

- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).

- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.

- TMM hasn't fully completed its startup process yet.

Impact:
TMM leaks memory.

If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.

In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.

Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.

In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.


967245-2 : Incorrect SPVA counter incremented during Sweep attack on profile

Component: Advanced Firewall Manager

Symptoms:
Incorrect SPVA counters updated.

Conditions:
Configure DoS Sweep vector on an SPVA supported device.

Impact:
Usage of dos_spva_stat will result in displaying incorrect counters.


967093-2 : In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Component: Local Traffic Manager

Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:

root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)

The signing CA which is intermediate CA2 has a key of EC type, but cert is signed by RSA signature. The end-entity cert has a key of EC type, but cert is signed by ECDSA.
In this case, the signer cert has different signature from that of the end-entity cert.

Impact:
SSL forward proxy handshake fails.


966949-1 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")


966633-1 : Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies

Component: Application Security Manager

Symptoms:
WAF policy entities (such as parameters) are not found when filtering by non-ASCII values in REST/GUI in non-UTF-8 policies.

Conditions:
WAF policy is defined as non-UTF-8, and a non-ASCII value is used in an entity search filter.

Impact:
No results are returned.

Workaround:
None


966613-5 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’

Component: Application Security Manager

Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".

Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.

When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.

Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"

Workaround:
Delete the node "<soap:address/>" from the wsdl file


965941-1 : Creating a net packet filter in the GUI does not work for ICMP for IPv6

Component: TMOS

Symptoms:
When using the GUI to create a 'net packet-filter' rule to block ICMP packets, the filter does not block IPv6 packets.

Conditions:
-- Using the GUI to create a packet filter rule to block incoming ICMP packets.
-- Attempting to block an IPv6 address.

Impact:
Packets get through the filter unexpectedly.

Workaround:
Modify the packet filter manually using tcpdump syntax. For example, the following syntax is used to block ICMP packets for both IPv4 and IPv6:

icmp or icmp6


965897-1 : Disruption of mcpd with a segmentation fault during config sync

Component: Advanced Firewall Manager

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP


965837-3 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.

Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


965785-1 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Component: Application Security Manager

Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.

Conditions:
There is no specific condition, the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after sync process finished


965777-1 : Per-request policy authentication becomes unresponsive

Component: Access Policy Manager

Symptoms:
Per-request policy execution can appear to be slow during subroutine evaluation, and apmd appears to take a large amount of CPU.

Conditions:
The per-request policy is using subroutine to execute an authentication related agent that is dispatched to apmd for completion. These typically involve authentication agents that interact with an external authentication server, such as LDAP, RADIUS, or AD.

Impact:
Connectivity may be impaired or lost.

Workaround:
Failover the high availability (HA) pair, or restart apmd.


965457-5 : OSPF duplicate router detection might report false positives

Component: TMOS

Symptoms:
OSPF duplicate router detection might report false positives

Conditions:
Router sends LSA that is looped in network and sent back to its origin.

Impact:
Cosmetic


965229-1 : ASM Load hangs after upgrade

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None


965205-1 : BIG-IP dashboard downloads unused widgets

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.


965037-2 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services

Component: Local Traffic Manager

Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in per-request policy) is inserted after Category lookup for CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to services.

Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname

Impact:
HTTP CONNECT tunnel payload is not sent to services

Workaround:
None


964989-3 : AFM DOS half-open does not handle wildcard virtual servers properly.

Component: Advanced Firewall Manager

Symptoms:
AFM DOS half-open vector does not handle wildcard virtual servers properly.

Conditions:
-- Wildcard virtual-server.
-- AFM DOS half-open vector configured.
-- Attacks towards multiple destinations covered by a single virtual-server.

Impact:
- Wrong statistics reporting.
- Wrong status of syncookie protection.
- Unexpected traffic drops.

Workaround:
Split wildcard virtual server into a series of /32 virtual servers.


964941-2 : IPsec interface-mode tunnel does not initiate or respond after config change

Component: TMOS

Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.

Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration

Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.

Workaround:
Reboot or restart tmm


964625-4 : Improper processing of firewall-rule metadata

Component: Advanced Firewall Manager

Symptoms:
The 'mcpd' process may suffer a failure and be restarted.

Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.

Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.

Workaround:
Reduce the number of firewall policy rules.


964533-1 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
This can occur while passing normal traffic, if a session is deleted before all the session db callback events are handled.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.


964421-1 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'

Component: TMOS

Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.

It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.

Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).

Impact:
A confusing error message is logged, which makes it difficult to know what to do next.


964245-5 : ASM reports and enforces username always

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None


964125-1 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.


963713-2 : HTTP/2 virtual server with translate-disable can core tmm

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing HTTP/2 traffic

Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure an HTTP/2 virtual server with translate-disable


963705-4 : Proxy ssl server response not forwarded

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be not forwarded


963541-1 : Net-snmp5.8 crash

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.


963485-2 : Performance issue with data guard

Component: Application Security Manager

Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.

Conditions:
-- The server response is compressed.
-- Data guard is enabled.

Impact:
Slow response time.

Workaround:
-- Disable data guard or block the data instead of masking it.

-- Force server sending uncompressed response using an iRule:

when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}


963017-1 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Conditions:
This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.

This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check


962913-5 : The number of native open connections in the SSL profile is higher than expected

Component: Local Traffic Manager

Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.

Conditions:
SSL renegotiation is enabled. Other conditions are unknown.

Impact:
The SSL stats are incorrectly reading higher than expected.

Workaround:
Disable SSL renegotiation.


962605-5 : BIG-IP may go offline after installing ASU file with insufficient disk space

Component: TMOS

Symptoms:
When installing an ASU file, if there is not enough disk space in /var, the clntcp update file might become corrupted, causing datasyncd to be offline (and thus cause the entire BIG-IP offline)

Conditions:
-- ASM/FPS provisioned.
-- Installing ASU file.
-- Not enough space in /var partition.

Impact:
Device goes offline.

Workaround:
Delete the update file:
tmsh delete security datasync update-file /Common/datasync-global/update-file-clntcap_update_ (auto complete)


962589-3 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.


962493-6 : Request is not logged

Component: Application Security Manager

Symptoms:
A request is not logged in the local and/or remote logs.

Conditions:
A request has evasions detected on very large parameters.

Impact:
A missing request in the log.

Workaround:
N/A


962489-6 : False positive enforcement of parameters with specific configuration

Component: Application Security Manager

Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.

Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.

Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.

Workaround:
None.


962181-1 : iRule POLICY command fails in server-side events

Component: Local Traffic Manager

Symptoms:
BIG-IP provides an iRule command POLICY to retrieve information on or manipulate an LTM policy attached to a virtual. This command fails when it is used in server-side event like HTTP_RESPONSE.

Conditions:
-- Configure a virtual server with one or more LTM policies.
-- The virtual server has an iRule with a POLICY command executed on a server side (e.g. HTTP_RESPONSE).

Impact:
A command returns an incorrect value and may cause unexpected outcomes in an iRule execution.


961509-1 : ASM blocks WebSocket frames with signature matched but Transparent policy

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No


961001-1 : Arp requests not resolved for snatpool members when primary blade goes offline

Component: Local Traffic Manager

Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.

Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.

Impact:
Traffic failure when primary became offline.

Workaround:
Disable primary blade which is offline.


960133 : AGC 8.0 installation failure

Component: Guided Configuration

Symptoms:
Attempting to install the AGC 8.0 results in the following error:

"Failed to load IApp artifacts from f5-iappslx-waf-bot-protection: java.lang.IllegalStateException: Failed to post template to block collection: ..."

Conditions:
The AGC is upgraded to a newer version via the "Access >> Guided Configuration" -> " Upgrade Guided Configuration".

Impact:
AGC 8.0 package is not installed.

Workaround:
Important: This workaround will delete all existing iApp configurations.

1. Download the latest AGC 8.0 package.
2. Open a new browser tab (first) and navigate to "Access >> Guided Configuration"
3. Open a new browser tab (second) and navigate to iApps >> Templates: Templates LX. Select all templates and click “Delete”.
4. In the second tab navigate to iApps >> Package Management LX. Select all existing packages and click “Uninstall”.
5. In the first tab click "Upgrade Guided Configuration" click and install the downloaded package.


960029-1 : Viewing properties for IPv6 pool members in the Statistics page in the GUI returns an error

Component: TMOS

Symptoms:
While attempting to view the properties for pool members via the Statistics page in the GUI, you see an error:

Instance not found: /Common/1234:80

Conditions:
-- A pool with at least one pool member with an IPv6 address.
-- Attempting to view the IPv6 pool member's properties via the Statistics page in the GUI.

Impact:
Unable to see the pool member's properties.

Workaround:
Use TMSH to view pool member properties:

# tmsh show ltm pool <pool name> members {<pool members>}


959965-2 : Asmlogd stops deleting old protobufs

Component: Application Security Manager

Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.

Conditions:
This occurs during normal operation.

Impact:
/var/asmdata1 can run out of disk space.

Workaround:
None


959957-2 : Asmlogd stops deleting old protobufs

Component: Application Security Manager

Symptoms:
Asmlogd restarts and there are asmlogd errors:

asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.

Conditions:
Disk is full -- the following warnings are being displayed:

err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free

Impact:
Old protobuf files are not cleaned up.

Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

1) To identify the empty partitions, look into:
   SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G

2) For every partition that is empty, manually (or via shell script) execute this sql:
   ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'

4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5) pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.


959609-2 : Autodiscd daemon keeps crashing

Component: Advanced Firewall Manager

Symptoms:
Autodiscd daemon keeps crashing.

Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.

Impact:
Auto discovery feature is not working as expected

Workaround:
None.


959057-2 : Unable to create additional login tokens for the default admin user account

Component: TMOS

Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.

Conditions:
Remote Authentication is configured

Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured


958833-2 : After mgmt ip change via GUI, brower is not redirected to new address

Component: TMOS

Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.

Conditions:
Change the Management IP address from the GUI and submit the change.

Impact:
Browser does not get redirected to the new address

Workaround:
Access the GUI by manually going to the new Management IP.


958785-7 : FTP data transfer does not complete after QUIT signal

Component: Local Traffic Manager

Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.

Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.

Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.

Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.


958601-1 : In the GUI, searching for virtual server addresses does not match address lists

Component: TMOS

Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.

Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.

Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.

Impact:
Virtual servers that should match a search are not found.

Workaround:
None.


958201 : 'Restrict to Single Client IP' option is missing in VMware iApp.

Component: Access Policy Manager

Symptoms:
'Restrict to Single Client IP' is available only in the access policy.

Conditions:
Configure VMware VDI using iApp.

Impact:
'Restrict to Single Client IP' option cannot be configured directly in the iApp.

Workaround:
'Restrict to Single Client IP' can be configured from the access policy.


958093-4 : IPv6 routes missing after BGP graceful restart

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.


958085-4 : IM installation fails with error: Spec file not found

Component: Traffic Classification Engine

Symptoms:
IM installation fails with an error message:

ERROR Error during switching: Spec file not found

Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.

Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

Workaround:
None.


957993-1 : Unable to set a port list in the GUI for an IPv6 address for a virtual server

Component: TMOS

Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:

0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).

Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.

Impact:
Unable to create/modify virtual server.

Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.


957461-1 : Creating virtual server with IPv6 address or port list in destination should display source address in IPv6 format

Component: TMOS

Symptoms:
In the GUI, while creating a virtual server with an IPv6 address or a port list in destination, the BIG-IP system should display the source address in IPv6 format rather than IPv4 format 0.0.0.0/0.

Conditions:
This is encountered while creating a virtual server with an IPv6 address or port list in destination.

Impact:
The IPv6 address list is displayed in IPv4 notation.

Workaround:
This is a cosmetic issue. The correct addresses are used.


957321-2 : When BIG-IP contains an invalid DNS Resolver, Bot Defense might wrongly classify search engines as malicious

Component: Application Security Manager

Symptoms:
When the first DNS resolver is invalid, Bot Defense is unable to verify trusted bots, and is classifying them as malicious bots.

Conditions:
-- First DNS resolver in the list is invalid.
-- Bot Defense profile is attached to a virtual server.
-- Request from a search engine arrives.

Impact:
Bot Defense wrongly classifies valid search engines as malicious bots (and might block them if enforcement is enabled).

Workaround:
Fix the first DNS resolver in the list. It's possible that the first DNS resolver is the built in DNS resolver "f5-aws-dns".


956889-1 : /var fills up very quickly

Component: Application Security Manager

Symptoms:
Policy history files fill /var disk partition

Conditions:
Very large configuration with substantial history and config sync enabled

Impact:
ASM sync fails due to /var being full

Workaround:
The properties in '/etc/ts/tools/policy_history.cfg' file, for cleaning as a file-based configuration option, are a Support-oriented configuration option aimed to help in these cases.


956645-3 : Per-request policy execution may timeout.

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.


956625-1 : Port and port-list type are both stored in a traffic-matching-criteria object

Component: TMOS

Symptoms:
Using "tmsh load sys config replace file ..." to change a traffic matching criteria's port type from port to port-list (or vice-versa) results in both types ending up in the traffic matching criteria object.

Conditions:
-- Using traffic-matching-criteria.
-- Using "tmsh load sys config replace file ..." or "tmsh load sys config merge file ..." to change the port to a port-list (or vice-versa).

Impact:
-- System does not load the desired configuration.
-- Virtual servers may match/process more traffic than expected.


956589-3 : The tmrouted daemon restarts and produces a core file

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None


956133-1 : MAC address might be displayed as 'none' after upgrading

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0

Impact:
Traffic disrupted when the MAC address is set to 'none'

Workaround:
None.


956109-1 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target

Component: TMOS

Symptoms:
In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly.

Once systems are in this state, further ConfigSyncs may result in these error messages:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
-- Two or more BIG-IPs in a DSC.
-- Using traffic-matching-criteria, and making changes.

Impact:
BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured.

Workaround:
On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration:

1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria.

2. Save the configuration and then follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot


956025-1 : HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header

Component: Local Traffic Manager

Symptoms:
When the HTTP profile response-chunking option is set to "unchunk", chunked responses will be unchunked and the Transfer-Encoding header is removed.

If the server sends a chunked response with both Transfer-Encoding and Content-Length headers, Transfer-Encoding is removed but Content-Length is not. This causes the client to receive a response with an erroneous Content-Length header.

Conditions:
- HTTP virtual server with response-chunking set to "unchunk"
- Server response with both Transfer-Encoding and Content-Length headers present

Impact:
Malformed HTTP response received by client as length of response should be determined by closure of connection, not erroneous Content-Length header.

Workaround:
Implement iRule: at HTTP_RESPONSE time, remove the Content-Length header if the Transfer-Encoding header is also present.


956013-2 : System reports{{validation_errors}}

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.


955953-1 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'

Component: TMOS

Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.

Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)


955897-1 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain

Component: TMOS

Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:

err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.

Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.

Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config

Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:

- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload

Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config' are not affected.

Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:

ltm virtual-address allzeros-rd123 {
    address any%123
    mask any
}
ltm virtual allzeros-rd123 {
    destination allzeros-rd123:0
    mask any
    source 0.0.0.0%123
}

This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):

ltm virtual allzeros-rd123 {
    destination any%123:0
    mask any
    source 0.0.0.0%123
}


955617-1 : Cannot modify properties of a monitor that is already in use by a pool

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.


955593-1 : "none" missing from the error string when snmp trap is configured with an invalid network type

Component: TMOS

Symptoms:
When you try to configure an SNMP trap with an invalid network type, you get a confusing error:

01070911:3: The requested enumerated (aaa) is invalid (, mgmt, other) for network in /Common/snmpd trapsess (/Common/i2_2_2_1_1)

Conditions:
SNMP trap is configured with an invalid network enum type.

Impact:
The word 'none' is not shown in the error string.


955057-1 : UCS archives containing a large number of DNS zone files may fail to restore.

Component: TMOS

Symptoms:
This issue can manifest in the following ways:

- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).

- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).

- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).

In all cases, error messages similar to the following example are returned to the user:

/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.

Impact:
The UCS archive fails to restore. Additionally:

- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.

- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).

Workaround:
Depending on the failure mode, perform one of the following workarounds:


- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:

find /var/named/config/namedb -mindepth 1 -delete

- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).

Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.

The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).

In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:

Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.

- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:

find /var/named/config/namedb -mindepth 1 -delete


953477-2 : Syncookie HW mode not cleared when modifying VLAN config.

Component: TMOS

Symptoms:
Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode.

Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
Run the following command:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.


953425-4 : Hardware syncookie mode not cleared when changing dos-device-vector enforcement

Component: Advanced Firewall Manager

Symptoms:
Changing DOS vector enforcement configuration can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
- Changing DOS vector enforcement configuration when device is in global syncookie mode.

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
Run the following command:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.


950953-2 : Browser Challenges update file cannot be installed after upgrade

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:

Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2

Conditions:
The new file that comes with the installation is ready to install

Impact:
New updated cannot be installed

Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
   2.1 download a copy of that file from the machine to your locale machine
   2.2 rename it :
       > cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
       ## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
   2.3 upload the file and install it manually from the LiveUpdate screen.


950849-5 : B4450N blades report page allocation failure.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


950673-4 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.

Component: TMOS

Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.

Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server

For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779

Impact:
Device is stuck in hardware syncookie mode and generates syncookies.

Workaround:
tmsh restart sys service tmm

Impact of workaround: restarting tmm disrupts traffic.


950305-1 : Analytics data not displayed for Pool Names

Component: Application Visibility and Reporting

Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.

Conditions:
This is encountered in the statistics screen.

Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.


950201-2 : Tmm core on GCP

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Each of these workarounds have performance impact.


950005-1 : TCP connection is not closed when necessary after HTTP::respond iRule

Component: Local Traffic Manager

Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
None


949477-3 : NTLM RPC exception: Failed to verify checksum of the packet

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error:

RPC exception: Failed to verify checksum of the packet.

Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.

Impact:
User authentication fails.

Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.

2. Disable encryption for nlad:
   # vim /etc/bigstart/startup/nlad

   change:
   exec /usr/bin/${service} -use-log-tag 01620000

   to:
   exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no

3. Restart nlad to make the change effective, and to force the schannel to be re-established:
   # bigstart restart nlad


949137-2 : Clusterd crash and vCMP guest failover

Component: Local Traffic Manager

Symptoms:
Clusterd crashes and a vCMP guest fails over.

Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.

Impact:
Memory corruption and clusterd can crash, causing failover.

Workaround:
None.


949105-1 : Error log seen on Category Lookup SNI requests for same connection

Component: Access Policy Manager

Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"

Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.

Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection


948717-2 : F5-pf_daemon_cond_restart uses excessive CPU

Component: TMOS

Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.

This is contributing to higher CPU usage after upgrading from an earlier version

Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.

Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.

Workaround:
None.


948601-2 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU

Component: TMOS

Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.

Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI

Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"

Workaround:
None


948417-3 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic

Component: Performance

Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)

Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking

Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)

Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)

     Individual VMs & VMs in an availability set
     First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
           Azure CLI
                az vm deallocate \
                --resource-group myResourceGroup \
                --name myVM
    Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
    the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
    the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.

    Once stopped, disable Accelerated Networking on the NIC of your VM:
           Azure CLI
                az network nic update \
                --name myNic \
                --resource-group myResourceGroup \
                --accelerated-networking false
    Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
           Azure CLI
                az vm start --resource-group myResourceGroup \
                --name myVM


948113-2 : User-defined report scheduling fails

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr


948065-2 : DNS Responses egress with an incorrect source IP address.

Component: Local Traffic Manager

Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.

Conditions:
Large responses of ~2460 bytes from local BIND

Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.

Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.

Note: This workaround has limitations, as some records in 'Additional Section' are truncated.


947937-1 : HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system can redirect a request to a fallback host when the target pool is unavailable. If the configured fallback host within the HTTP profile contains HTTP iRule commands such as HTTP::host or HTTP::uri, the corresponding HTTP request can fail. A connection reset may be encountered instead.

Conditions:
- HTTP profile with "fallback-host" profile option configured containing an HTTP iRule command.

Impact:
When utilizing the HTTP profile with "fallback-host" profile option with HTTP iRule commands, incorrect connection resets can be seen by the client instead of the correct HTTP response.

Workaround:
Attaching an iRule containing HTTP::redirect or similar command to the virtual server can be used instead of the fallback host-profile option to redirect traffic to another virtual server.


947865-1 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.


947745-2 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error

Component: Local Traffic Manager

Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE

Conditions:
FTP profile is in use

Impact:
Logs entries in the log file

Workaround:
None


947125-1 : Unable to delete monitors after certain operations

Component: Local Traffic Manager

Symptoms:
Unable to delete monitor with an error similar to:

01070083:3: Monitor /Common/my-mon is in use.

Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".

Impact:
Unable to delete object(s) no longer in use.

Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config


946745-1 : 'System Integrity: Invalid' after Engineering Hotfix installation

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.


946481-2 : Virtual Edition FIPS not compatible with TLS 1.3

Component: Local Traffic Manager

Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.

Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM

Impact:
Handshake failure for TLS 1.3

Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.


946185-2 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.


945413-1 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync

Component: TMOS

Symptoms:
BIG-IP systems in a device group do not stay in sync if config sync is manual and constantly syncs if config sync is automatic.

The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.

Conditions:
The CA-bundle manager is configured.

Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.


945189-4 : HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA

Component: Local Traffic Manager

Symptoms:
After upgrade, the 'DEFAULT' cipher in the serverssl profile attached to the HTTPS monitor does not include "ECDHE-RSA-AES256-CBC-SHA" cipher suite in the Client Hello.

Conditions:
After upgrade, HTTPS monitor cipherlist is read from serverssl profile ciphers and set to DEFAULT after upgrade.

Impact:
Upgrade breaks the SSL pool monitoring.

Workaround:
Set ciphers as DEFAULT:+SHA:+3DES:+EDH for profile server-ssl


944513-3 : Apache configuration file hardening

Component: TMOS

Symptoms:
Apache configuration file did not follow security best practice.

Conditions:
Normal system operation with httpd enabled.

Impact:
Apache configuration file did not follow security best practice.

Workaround:
None


944485-6 : License activation through proxy server uses IP address in proxy CONNECT, not nameserver

Component: TMOS

Symptoms:
License activation http/https request has the license server IP address instead of license server domain name.

Conditions:
When the proxy server and proxy port are configured and delete default management route.

Impact:
This causes your proxy server to disallow the connection

Workaround:
None.


944173-1 : SSL monitor stuck does not change TLS version

Component: Local Traffic Manager

Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.

Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.

Impact:
Pool members marked down.

Workaround:
Use the In-TMM monitor.


944121-5 : Missing SNI information when using non-default domain https monitor running in tmm mode

Component: In-tmm monitors

Symptoms:
In-tmm https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

Conditions:
-- SNI is configured in serverssl profile a
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

Impact:
The TLS connection might fail.

Workaround:
None


944093-1 : Maximum remaining session's time on user's webtop can flip/flop

Component: Access Policy Manager

Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop

Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs

Impact:
End users will see the remaining time being continually reset.


943793-3 : Neurond continuously restarting

Component: TMOS

Symptoms:
Neurond continuously restarts.

Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"

Impact:
Neuron communications will be impacted


943669-2 : B4450 blade reboot

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.


943641-2 : IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfiguration

Component: TMOS

Symptoms:
After changing an element of the ike-peer configuration, such as the pre-shared secret, the related IPsec interface mode tunnel can no longer forward packets into the tunnel.

Conditions:
-- IKEv1.
-- IPsec policy in interface mode.
-- Configuration change or a new configuration.

Impact:
When the problem is exhibited on a BIG-IP Initiator, ISAKMP negotiation fails to start when interesting traffic arrives. No messages are written to /var/log/racoon.log.

When the problem is exhibited on a BIG-IP Responder, the IPsec tunnel successfully establishes, but the BIG-IP fails to forward any interesting traffic into the established tunnel. No useful log messages are seen.

Note: 'Interesting traffic' is packets that match a traffic-selector.

Workaround:
Run 'bigstart restart tmm' or reboot.


943597-1 : 'Upper Bound' and 'Lower Bound' thresholds are not displayed in Connections line chart

Component: TMOS

Symptoms:
On the dashboard, the line chart of 'Throughput', 'CPU Usage', and 'Memory Usage' can show the line of thresholds that indicates 'Upper Bound' and 'Lower Bound', but there is no line of thresholds on the line chart of 'Connections'.

Conditions:
Create a custom line chart for 'Connections' that includes 'Upper Bound' and 'Lower Bound'.

Impact:
Line Chart of 'Connections' does not display 'Upper Bound' and 'Lower Bound' thresholds.

Workaround:
None.


943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>


943473-1 : LDAP monitor's test functionality has an incorrect and non-modifiable IP address field in GUI

Component: TMOS

Symptoms:
While trying to use the monitor test page in the GUI for an LDAP monitor, the destination address field contains the value *.*(asterisk-dot-asterisk), and it is not editable.

Conditions:
-- Create an LDAP monitor.
-- Go to the Test page.

Impact:
You are unable to modify the test destination address for the LDAP monitor.

Workaround:
Use TMSH.

-- To run the test:
tmsh run /ltm monitor ldap <LDAP-Monitor-Name> destination <IP-Address>

Example: tmsh run /ltm monitor ldap myldap destination 10.10.10.10:389

-- To check test results:
tmsh show /ltm monitor ldap <LDAP-Monitor-Name> test-result
tmsh show /ltm monitor ldap myldap test-result


943441-1 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK

Component: Application Security Manager

Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.

Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.

Impact:
Mobile application verification may be incomplete.

Workaround:
None


943109-1 : Mcpd crash when bulk deleting Bot Defense profiles

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.


943045-3 : Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.

Component: TMOS

Symptoms:
When using Ansible to create a pool that contains an IPv6 pool member, you get an error:

0107003a:3: Pool member node and existing node cannot use the same IP Address.

Conditions:
-- Creating a new pool via Ansible.
-- A new IPv6 pool member is used.
-- The IPv6 pool member's name is not included.

Impact:
Pool creation fails.

Workaround:
If you are unable to specify the pool member name, you can use other available configuration tools like tmsh, the GUI, or AS3.


943033-1 : APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression

Component: Access Policy Manager

Symptoms:
PRP LDAP Group Lookup agent, the expression incorrectly places the 'string tolower' outside the square brackets. This causes an issue in the GUI of the LDAP Group Lookup object where the 'Simple' branch rules do not show up. You see this 'Warning':

Warning, this expression was made manually and couldn't be parsed, please use advanced tab.

Conditions:
Configure PRP with the LDAP Group Lookup agent in the Visual Policy Editor (VPE).

Impact:
Tcl expression containing a syntax error prevents the LDAP Group Lookup agent from functioning properly.

Workaround:
Go to the LDAP Group Lookup agent advanced tab and change this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains string tolower["CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

To this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains [string tolower "CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}

Click finish.

Now you can click 'change', and use the 'Simple' tab and the 'Add an expression using presets' option.


942793-2 : BIG-IP system cannot accept STARTTLS command with trailing white space

Component: Local Traffic Manager

Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.

Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.

Impact:
The SMTP client is unable to connect to the SMTP server.

Workaround:
Use an SMTP client that does not send a command containing trailing white space.


942729-1 : Export of big Access Policy config from GUI can fail

Component: Access Policy Manager

Symptoms:
Export of Access Policy times out after five minutes and fails via the GUI

Conditions:
Exact conditions are unknown, but it occurs while handling a large access policy.

Impact:
Unable to redeploy configuration

Workaround:
Use thge cli to export the access policy:

K30575107: Overview of the ng_export, ng_import and ng_profile commands
https://support.f5.com/csp/article/K30575107


942665-1 : Rate limit and threshold configuration checks are inconsistent when applied to Basic DoS Vectors and Bad Actors DoS vectors

Component: Advanced Firewall Manager

Symptoms:
Inconsistent configuration checks may result in configuration not being applied correctly.

Conditions:
DoS vectors configured on the BIG-IP

Impact:
Configuration changes may not be accepted by the BIG-IP.


942549-1 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.


942521-6 : Certificate Managers are unable to move certificates to BIG-IP via REST

Component: Device Management

Symptoms:
You cannot upload a cert/key via the REST API if you are using a certificate manager account

Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager

Impact:
Unable to upload certificates as Certificate Manager

Workaround:
Use admin account instead of using Certificate Manager account to upload certs and keys


942489-2 : TCP proxy with ramcache and OneConnect can result in out-of-order events which stalls the flow

Component: Local Traffic Manager

Symptoms:
Due to the client resending the request, the connection is not lost but is stalled for a considerable time.

Conditions:
-- virtual server running 16.0.0 with compression, caching, and OneConnect enabled.
-- The request has 'Accept-Encoding: gzip ...; header
-- The response has 'Cache-Control: no-cache' header.
-- The response payload is equal to or greater than 1024 bytes (otherwise the default compression profile does not consider it).

Impact:
This causes slow response times for application users.

Workaround:
Unconfigure any of the following profiles:
-- OneConnect
-- HTTP compression
-- Caching


942217-4 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'

Component: Local Traffic Manager

Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.

Conditions:
Required Configuration:

-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.

-- The pool member has rate-limit enabled.

Required Conditions:

-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.

-- At that time, one of the above events occur, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.


941961-1 : Upgrading system using WAM TCP profiles may prevent the configuration from loading

Component: WebAccelerator

Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:

err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.

Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.

Impact:
Configuration does not load.

Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly.

Here are two examples:

-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.

-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.


941893-4 : VE performance tests in Azure causes loss of connectivity to objects in configuration

Component: TMOS

Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.

Conditions:
Running performance tests of VE in Azure.

Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.

Workaround:
Reboot from the Azure console to restore functionality.


941773-2 : Video resolution mis-prediction

Component: Traffic Classification Engine

Symptoms:
Certain video traffic is not getting classified with high accuracy.

Conditions:
- Behavioral classifier for Classification Engine is enabled

Impact:
- Mis-predictions can lead to higher definition videos being categorized as low-definition videos and vice versa.


941765-2 : Video resolution mis-predictions

Component: Traffic Classification Engine

Symptoms:
BIG-IP's traffic playback resolution prediction is calculated on all individual connections of a client's video stream.

Conditions:
- Video streaming client downloads through BIG-IP
- Video is downloaded using multiple connections.

Impact:
- Mis-prediction in the video resolution.


941625-2 : BD sometimes encounters errors related to TS cookie building

Component: Application Security Manager

Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.


941481-1 : iRules LX - nodejs processes consuming excessive memory

Component: Local Traffic Manager

Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.

You can check the iRule LX plugins memory usage using the command:

tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):

Memory (bytes)
  Total Virtual Size 946.8M
  Resident Set Size 14.5K

Conditions:
-- iRulesLX in use.

Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.

Workaround:
Restart the iRule LX plugin that is leaking memory:

tmsh restart ilx plugin <PLUGIN_NAME>


941381-4 : MCP restarts when deleting an application service with a traffic-matching-criteria

Component: TMOS

Symptoms:
After deleting an application service that contains a virtual server and a traffic-matching-criteria, the mcpd daemon crashes.

Conditions:
-- BIG-IP application service configuration containing a virtual server with traffic-matching-criteria
-- Application service is deleted

Impact:
Traffic and control plane disrupted while mcpd restarts.

Workaround:
None.


941257-4 : Occasional Nitrox3 ZIP engine hang

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression


941169-5 : Subscriber Management is not working properly with IPv6 prefix flows.

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.


940885-1 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter

Component: TMOS

Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.

Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.

Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.


940837-3 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.

Component: Local Traffic Manager

Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.

Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.

Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.


940733-4 : Downgrading a FIPS-enabled BIG-IP system results in a system halt

Solution Article: K29290121

Component: Global Traffic Manager (DNS)

Symptoms:
After upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version results in a libcrypto validation error and system halt.

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an volume running an earlier version of the software.

Impact:
System boots to a halted state.

Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.

If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.

For additional information, see K29290121: Rollback after upgrade, FIPS halts the system on boot :: https://support.f5.com/csp/article/K29290121.


940469-1 : Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration

Component: Global Traffic Manager (DNS)

Symptoms:
The 'gtm_add' script fail to sync configuration information from the peer when 'options inet6' is present in /etc/resolv.conf.

Conditions:
The option 'options inet6' is used in /etc/resolv.conf.

Impact:
The 'gtm_add' script removes the current config and attempts to copy over the config from the remote GTM. When the remote copy fails, the local device is left without any config.

Workaround:
Remove the 'options inet6' from /etc/resolv.conf.


940225-1 : Not able to add more than 6 NICs on VE running in Azure

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None


940177-2 : Certificate instances tab shows incorrect number of instances in certain conditions

Component: TMOS

Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.

Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI

Impact:
All the custom profiles will be listed when only select instances for ca-bundle cert are expected


939757-5 : Deleting a virtual server might not trigger route injection update.

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.


939517-5 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot

Component: TMOS

Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm'
shows that the value is -1.

The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup.

This overwrites a custom value.

Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.

Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.

Workaround:
None


939249-2 : iSeries LCD changes to secure mode after multiple reboots

Component: TMOS

Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.

Conditions:
-- Repeated reboots of the device.
-- The db lcd.showmenu value initially set to enable are required.
-- Other required conditions are not fully known.

Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.

Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable

This clears the secure mode of the LCD.


938545-2 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash

Component: Local Traffic Manager

Symptoms:
Bd crashes.

Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None.


938309-1 : In-TMM Monitors time out unexpectedly

Component: Local Traffic Manager

Symptoms:
When using the in-TMM monitoring feature, monitored targets (nodes/pool members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the 'interval' value configured for the monitor, but less than the 'timeout' value configured for the monitor, the target may be marked DOWN.

Conditions:
This may occur when either:
-- In-TMM monitoring is enabled (sys db bigd.tmm = enable) and the monitor type uses in-TMM monitoring; OR
-- Bigd is configured to NOT reuse the same socket across consecutive ping attempts (sys db bigd.reusesocket = disable)
AND:
-- The monitored target does not respond to ping attempts within the 'interval' value configured for the monitor.

Impact:
The monitored target may be marked DOWN if it does not respond to ping attempts within the 'interval' value configured for the monitor, instead of within the 'timeout' value configured for the monitor.

Workaround:
To work around this issue, use one of the following methods:
-- Disable in-TMM monitoring and enable bigd socket reuse (sys db bigd.tmm = disable, and sys db bigd.reusesocket = enable).
-- Configure the monitor with an 'interval' value longer than the expected response time for the monitored target(s).


938293-1 : importing a JSON policy with Application Language "auto-detect" changes to 'utf8' policy

Component: Application Security Manager

Symptoms:
When importing a JSON policy with Application Language "auto-detect", the policy wrongly gets set as "utf-8".

Conditions:
1. Create a policy with Application Language "auto-detect".
2. Export it as a JSON policy (Verify the policy contains: "applicationLanguage" : "auto-detect".)
3. Import it back

Application language changed to utf-8

Impact:
Application language is set to utf-8 instead of auto-detect


938145-2 : DAG redirects packets to non-existent tmm

Component: TMOS

Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.

Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.

Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.

Workaround:
None


937769-1 : SSL connection mirroring failure on standy with sslv2 records

Component: Local Traffic Manager

Symptoms:
Standby device in ssl connection mirroring config does not handle sslv2 recrods correctly.

Conditions:
SSLv2 records processed by standby high availability (HA) device.

Impact:
Standby device fails handshake, active will finish handshake resulting in non mirrored connection.


937749-1 : The 'total port blocks' value for NAT stats is limited to 64 bits of range

Component: Advanced Firewall Manager

Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.

Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.

Impact:
Incorrect statistics.

Workaround:
None.

Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.


937649-1 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


937573-2 : Connections drop in virtual server with Immediate Action On Service Down set to Drop

Component: Local Traffic Manager

Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.

Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.

Impact:
Connections are silently dropped.

Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.


937541-1 : Wrong display of signature references in violation details

Component: Application Security Manager

Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.

Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature

Impact:
The number 1 is shown before the link


937481-3 : Tomcat restarts with error java.lang.OutOfMemoryError

Component: TMOS

Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.

Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).

Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.

Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.

Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.

-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.

For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996

-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'

The command output appears similar to the following example:

Xmx260m
Xmx260m

-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb

-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>

-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>

For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:

tmsh run /cm config-sync to-group Syncfailover

-- Restart the tomcat process by typing the following command:
restart /sys service tomcat


936557-1 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.


936441-1 : Nitrox5 SDK driver logging messages

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.


936093-1 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


935865-6 : Rules that share the same name return invalid JSON via REST API

Component: Advanced Firewall Manager

Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)

Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.

Impact:
Invalid JSON structure returned for stat REST API call

Workaround:
Ensure that no rule shares its name with another rule.


935825-1 : Cannot update_indexes/checkpoint DB object

Component: Protocol Inspection

Symptoms:
Creation of a security protocol-inspection profile via the CLI fails with an unclear error:

01070710:3: Cannot update_indexes/checkpoint DB object, class:ips_port_service_profile status:13 - EdbCfgObj.cpp, line 127

Conditions:
Create a security protocol-inspection profile on a BIG_IP without a "port".

Impact:
Unclear error on the TMSH that does not provide detail on the exact root cause of the failure.


935793-1 : With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)

Component: Local Traffic Manager

Symptoms:
When a virtual server with a SIP profile has mirroring enabled, connections on the standby unit will be removed shortly after being created. If tm.rstcause.log is enabled the reset cause message appears similar to the following:

-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.208:5080 to 10.2.207.201:31597, [0x2c1c820:1673] MBLB internal error (Routing problem).
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.209:51051 to 10.2.207.202:5080, [0x2c1c820:931] MBLB internal error.

Conditions:
-- BIG-IP Virtual Edition (VE) running on 2000/4000 platforms using RSS hash.
-- Platforms with more than 1 tmm.

Impact:
Mirrored connections on the standby unit are removed.

Workaround:
-- On BIG-IP VE, add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


935769-4 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.


935485-1 : BWC: flows might stall when using dynamic BWC policy

Component: TMOS

Symptoms:
When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected.

Conditions:
-- BWC dynamic policy is enabled.
-- Multiple flows are passing through a single instance of the BWC dynamic policy.

Impact:
Some of the flows may stall.

Workaround:
None.


935249-1 : GTM virtual servers have the wrong status

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.


935193-2 : With APM and AFM provisioned, single logout ( SLO ) fails

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.


935177-1 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.


934941-1 : Platform FIPS power-up self test failures not logged to console

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.


934697-4 : Route domain not reachable (strict mode)

Component: Local Traffic Manager

Symptoms:
Network flows are reset and errors are found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
This might happen in either of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route domain ID.

-- For iRules, change from this:
when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):
when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}

To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}


934241-1 : TMM may core when using FastL4's hardware offloading feature

Component: TMOS

Symptoms:
TMM cores.

Conditions:
FastL4's hardware offloading is used.

Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.

Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.

Workaround:
Disable PVA/EPVA on all FastL4 profiles


933329-1 : The process plane statistics do not accurately label some processes

Component: TMOS

Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.

Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.

Impact:
The percentage of usage of each plane can be confusing or incorrect.

Workaround:
None.


932893-1 : Content profile cannot be updated after redirect from violation details in Request Log

Component: Application Security Manager

Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.

Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile

Impact:
You are unable to update the content profile.

Workaround:
Go to the list content profile page, and update the content profile from there.


932857-1 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring

Component: Local Traffic Manager

Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.

Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.

Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.

Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


932825-1 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device

Component: Local Traffic Manager

Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.

Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages

Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.

Workaround:
None


932553-5 : An HTTP request is not served when a remote logging server is down

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


932461-4 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.

Component: Local Traffic Manager

Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.

After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.

Impact:
The monitor still tries to use the old certificate, even after the update.

Workaround:
Use either of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.

The bigd utility successfully loads the new certificate file.


932213-3 : Local user db not synced to standby device when it is comes online after forced offline state

Component: Access Policy Manager

Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.

Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.

Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.

Workaround:
None


932189-2 : Incorrect BD Swap Size units on ASM Resources chart

Component: Application Visibility and Reporting

Symptoms:
The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect.

Conditions:
ASM provisioned.

Impact:
Graphically reported BD swap memory usage is incorrect.

Workaround:
None.


932137-6 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.


932133-5 : Payloads with large number of elements in XML take a lot of time to process

Component: Application Security Manager

Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None


932045-4 : Memory leak when creating/deleting LTM node object

Component: Local Traffic Manager

Symptoms:
A memory leak occurs when creating/deleting an LTM node object.

Conditions:
-- Create a node object.
-- Delete the node object.

Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive mode sweeper and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Refrain continuous creation/deletion of LTM nodes.


931629-4 : External trunk fdb entries might end up with internal MAC addresses.

Component: TMOS

Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.

Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.

Impact:
Traffic processing is disrupted.

Workaround:
None.


931469-8 : Redundant socket close when half-open monitor pings

Component: Local Traffic Manager

Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.

Conditions:
This occurs when the half-open monitor pings successfully.

Impact:
Minor performance impact.

Workaround:
None.


931149-2 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr


931033-2 : Device ID Deletions anomaly might be raised in case of browser/hardware change

Component: Application Security Manager

Symptoms:
-- Valid users complain they are unable to connect, or they are required to do CAPTCHA frequently.
-- On the BIG-IP device, 'Device ID Deletion' violations are being raised.

Conditions:
-- Bot Defense Profile with 'Device ID' mode set to 'Generate After Access' is attached to the virtual server.
-- Some change in the browser or computer hardware occurs.
-- Surfing to multiple qualified pages at the same time.

Impact:
Valid requests might be mitigated.

Workaround:
Raise the threshold of 'Device ID Deletion' anomaly (recommended value according to the webserver, is approximately 4).


930825-5 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors

Component: TMOS

Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the current behavior is to failover to the peer unit and go-offline and down links.

This can be seen the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice high availability (HA) failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice high availability (HA) failover action is cleared.

Followed by a failover event.

Conditions:
It is unknown under what conditions the XLMAC errors occur.

Impact:
The BIG-IP system fails over.

Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.


930741-3 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.


930217-2 : Zone colors in ASM swap usage graph are incorrect

Component: Application Visibility and Reporting

Symptoms:
In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value.

Conditions:
-- ASM is provisioned.
-- Viewing ASM memory utilization chart/

Impact:
Potential confusion viewing colors in ASM memory utilization chart.

Workaround:
None. This is a cosmetic issue only.


929813-3 : "Error loading object from cursor" while updating a client SSL profile

Component: TMOS

Symptoms:
When updating a client-ssl profile in the GUI, the update fails and the GUI displays the following error:
  "Error loading object from cursor"

Conditions:
- Client SSL profiles with inheritance: Parent -> Child -> Grand Child.

- Parent SSL profile uses cert-key-chain

Impact:
Unable to edit the profile using the GUI.

Workaround:
Use tmsh or iControl to update the Client SSL profile


929429-1 : Oracle database monitor uses excessive CPU when Platform FIPS is licensed

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle LTM monitor.
-- Add a pool member to the Oracle monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.


929213-4 : iAppLX packages not rolled forward after BIG-IP upgrade

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again


929133-1 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'

Component: TMOS

Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.

Conditions:
Vlan name that starts with "eth"

Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.

Workaround:
Rename all vlans that start with "eth"


928857-1 : Use of OCSP responder may leak X509 store instances

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928805-1 : Use of OCSP responder may cause memory leakage

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928789-1 : Use of OCSP responder may leak SSL handshake instances

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
No workaround.


928717-4 : [ASM - AWS] - ASU fails to sync

Component: Application Security Manager

Symptoms:
Live Update configuration is not updated.

Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.

Impact:
Automatic signature updates (ASU) fail to sync.

Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:

1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.


928665-3 : Kernel nf_conntrack table might get full with large configurations.

Component: TMOS

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.


928389-1 : GUI becomes inaccessible after importing certificate under import type 'certificate'

Component: TMOS

Symptoms:
After importing a new certificate, httpd goes down and the GUI becomes inaccessible.

Conditions:
Upload new certificate using Import-type 'Certificate' option.

Impact:
The GUI is inaccessible as soon as you import a new device certificate using import-type 'Certificate'.

Workaround:
Manually copy the matching key to /config/httpd/conf/ssl.key/server.key and restart apache (bigstart restart httpd)

If you do not have the matching key, generate a new key/cert pair from the command line by following K9114


928353-1 : Error logged installing Engineering Hotfix: Argument isn't numeric

Component: TMOS

Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:

Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.

Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.

Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.

Workaround:
None.


928177-3 : Syn-cookies might get enabled when performing multiple software upgrades.

Component: Advanced Firewall Manager

Symptoms:
Syn-cookie protection of FastL4/TCP profile might get enabled when performing multiple software upgrades.

Conditions:
-- Performing an upgrade from version earlier than 14.0.0 to a version higher than or equal to 14.0.0.
-- Then performing another upgrade.

Impact:
Value of profile attribute syn-cookie-enable might be changed during an upgrade.

Workaround:
Save configuration before starting each upgrade.


928161-2 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users.

Conditions:
1) Some parts of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2.

2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2.

Even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None


927713-3 : Secondary blade IPsec SAs lost after standby reboot using clsh reboot

Component: Local Traffic Manager

Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.

Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.

Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.

Workaround:
Perform a reboot from the GUI.


927633-1 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.


927589-2 : ILX::call command response get truncated

Component: Local Traffic Manager

Symptoms:
If a response to an ILX::call command is larger than 64 KB, data is truncated.

Conditions:
-- iRule script including an ILX::call command in use.
-- Return response is greater than 64 KB.

Impact:
iRule fails and the connection aborts.

Workaround:
None.


927569-1 : HTTP/3 rejects subsequent partial SETTINGS frames

Component: Local Traffic Manager

Symptoms:
HTTP/3 aborts the connection upon receipt of a 'second' SETTINGS frame.

Conditions:
HTTP/3 first receives an incomplete SETTINGS frame, followed by more SETTINGS frame bytes.

Impact:
Connection fails to complete.

Workaround:
None.


927441-4 : Guest user not able to see virtual server details when ASM policy attached

Component: TMOS

Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).

Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail

Impact:
Cannot view virtual server details.

Workaround:
None.


927025-2 : Sod restarts continuously

Component: TMOS

Symptoms:
After upgrading to v14.1.2.6, sod keeps restarting and dumping core.

Conditions:
This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload.

Note: It is unknown how this condition might occur.

Impact:
Unstable sod process can affect failover functionality in BIG-IP systems.

Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot.

Workaround:
Run the following command:

restorecon /dev/shm/chmand


926985-1 : HTTP/3 aborts stream on incomplete frame headers

Component: Local Traffic Manager

Symptoms:
HTTP/3 streams abort at seemingly arbitrary times when BIG-IP is receiving large amounts of data.

Conditions:
HTTP/3 receives an incomplete frame header on a given stream.

Impact:
Data transfer is incomplete.

Workaround:
None


926845-6 : Inactive ASM policies are deleted upon upgrade

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.


926757-3 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Component: Local Traffic Manager

Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Conditions:
Virtual-server with an address space overlapping with a self-IP, capable of handling ICMP traffic, for example:
ip-forward wildcard 0.0.0.0/0 virtual-server

Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.

Workaround:
There is no workaround.


926549-2 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'

Component: Advanced Firewall Manager

Symptoms:
With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm.

Conditions:
-- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option.
-- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'.

Impact:
The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm.

Workaround:
This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm:
bigstart restart tmm

This stops the current looping, until it is triggered again.

Impact of workaround: Traffic disrupted while tmm restarts.


926513-1 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.

Component: Local Traffic Manager

Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.

Conditions:
A virtual server provisioned with the following configuration:

--HTTP/2 default pool.
--HTTP/2 clone pool (server).
--HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.

Impact:
Clone pools (server) do not mirror HTTP/2 traffic.

Workaround:
None.


926425-2 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.


925797-1 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members

Component: TMOS

Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.

The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.

One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.

Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.

Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.

Workaround:
None.


924697-1 : VDI data plane performance degraded during frequent session statistic updates

Component: Access Policy Manager

Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.

Conditions:
APM is used as VDI proxy for Citrix or VMware.

Impact:
APM's VDI proxy does not perform to its full capacity.

Workaround:
None.


924589-5 : PEM ephemeral listeners with source-address-translation may not count subscriber data

Component: Policy Enforcement Manager

Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.

Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)

Impact:
Inaccurate subscriber traffic reporting and classification.

Workaround:
None.


924521-4 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.


924297-3 : Ltm policy MCP objects are not being synced over to the peer device

Component: TMOS

Symptoms:
An LTM policy does not sync to the peer device, but the devices report "In Sync".

Conditions:
-- Sync/failover device group with full load on sync disabled
-- A draft policy is attached to a parent policy's rule actions and published.
-- A config sync occurs (manually or automatically)

Impact:
The LTM policy does not sync to the peer device.

Workaround:
Perform a full config sync:

tmsh run cm config-sync force-full-load-push to-group <device group name>


923745-4 : Ctrl-Alt-Del reboots the system

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.

Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.

Workaround:
Run the following command:

systemctl mask ctrl-alt-del.target


923221-2 : BD does not use all the CPU cores

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.


923125-3 : Huge amount of admd processes caused oom

Component: Anomaly Detection Services

Symptoms:
The top command shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd


922885-1 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.5

Solution Article: K27872027

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.5 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

'tmsh show net interface' indicates that one or more interfaces are not initialized.

Conditions:
-- BIG-IP VE running on VMware ESXi 6.5 hypervisor.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
-- On the BIG-IP systems, you can switch to the 'sock' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

1, At the command prompt, run the following command to enable the sock driver in tmm_init.tcl:

echo "device driver vendor_dev 15ad:07b0 sock" >> tmm_init.tcl

2. Restart tmm:

tmsh restart sys service tmm

-- After restarting, the sock driver should be listed in the 'driver_in_use' column when running the following command.

tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- --------------------- -------------
0000:03:00.0 F5DEV_PCI xnet, vmxnet3, sock,
0000:0b:00.0 1.1 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:13:00.0 1.2 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:1b:00.0 1.3 F5DEV_PCI xnet, vmxnet3, sock, sock


922641-5 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow

Component: Local Traffic Manager

Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.

Conditions:
An iRule contains a script that parks in a clientside or serverside command.

Examples of parking commands include 'table' and 'persist'.

Impact:
The iRule commands operate on the wrong peer flow.

Workaround:
Avoid using commands that park inside the clientside or serverside command.


922613-3 : Tunnels using autolasthop might drop traffic with ICMP route unreachable

Component: TMOS

Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.

Conditions:
No route exists to the other end of the tunnel.

Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.

Workaround:
Create a route towards the other remote end of the tunnel.


922413-1 : Excessive memory consumption with ntlmconnpool configured

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.


922185-2 : LDAP referrals not supported for 'cert-ldap system-auth'

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.


922153-1 : Tcpdump is failing on tmm 0.x interfaces

Component: TMOS

Symptoms:
The tcpdump command exits immediately with an error:
 errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted

Conditions:
Capturing the packets on tmm interfaces.

Impact:
Unable to capture the packets on specific tmm interfaces.

Workaround:
There are two possible workarounds:

-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:

TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):

TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


922105-2 : Avrd core when connection to BIG-IQ data collection device is not available

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled


922053-2 : inaccurate number of trunk members reported by bcm56xxd/bcmLINK

Component: TMOS

Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".

An error message may be logged about the condition "max_mbrs > 0".

Conditions:
-- occurs in multi-blade VIPRION system with trunked interfaces
-- precise trigger is not known

Impact:
Momentary disruption of traffic handling by TMM.

Workaround:
None known.


922005-2 : Stats on a certain counter for web-acceleration profile may show excessive value

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.


921993-2 : LTM policy with a 'contains' operator does not work as expected when using an external data group.

Component: Local Traffic Manager

Symptoms:
If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries.

Conditions:
-- LTM policy with 'contains' operator.
-- Use of external datagroups.

Impact:
LTM policy might not work as expected with external data groups.

Workaround:
Use either of the following workarounds:

-- If applicable, change the 'contains' operator to 'starts_with' in the policy.

-- Change the policy into an iRule (executing '[class get <datagroup]' )


921697-2 : Attack signature updates fail to install with Installation Error.

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.

2. Installing a new ASU file

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm


921541-2 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.


921477-1 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.

Component: Local Traffic Manager

Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.

Conditions:
A dual BIG-IP configuration may provisioned with the following considerations.

-- One or more BIG-IP systems are in the network path for monitor traffic.

-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.

-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.

Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.

Workaround:
You can use http_head_f5 monitor to perform health checks.


921441-3 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.


921369-3 : Signature verification for logs fails if the log files are modified during log rotation

Component: TMOS

Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.

Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs

Impact:
Signature verification may fail on rotated log files.


921149-4 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.


921121-5 : Tmm crash with iRule and a PEM Policy with BWC Enabled

Component: TMOS

Symptoms:
Tmm crashes while passing traffic through PEM.

Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


921065-2 : BIG-IP systems not responding to DPD requests from initiator after failover

Component: TMOS

Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.

Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.

Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.

Workaround:
None.


921001-5 : After provisioning change, pfmand might keep interfaces down on particular platforms

Component: TMOS

Symptoms:
After a provisioning change, pfmand might keep interfaces down.

Conditions:
-- Provisioning change on the following platforms:
   + i850
   + i2600 / i2800
   + i4600 / i4800
   + 2000- and 4000-series

-- Link Down Time on Failover configured to a non-zero value (the default is '10').

Impact:
Interfaces remain DOWN.

Workaround:
Follow this procedure:

1. Set db failover.standby.linkdowntime to '0'.

2. To bring interfaces UP again, restart pfmand:
bigstart restart pfmand


920789-1 : UDP commands in iRules executed during FLOW_INIT event fail

Component: Local Traffic Manager

Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.

Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.

Impact:
UDP commands in iRules executed during FLOW_INIT event fail.

Workaround:
None.


920761-1 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values

Component: TMOS

Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.

Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.

Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.

Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.


920517-1 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI

Component: TMOS

Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.

Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.

Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.

Workaround:
You can use either of the following workarounds:

-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.

-- Use TMSH to create Rate Shaping Rate Class objects.


920361-1 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.


920205-3 : Rate shaping might suppress TCP RST

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.


920149-4 : Live Update default factory file for Server Technologies cannot be reinstalled

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.


919861-2 : Tunnel Static Forwarding Table does not show entries per page

Component: TMOS

Symptoms:
On the Network :: Tunnels page of the GUI, if the Tunnel Static Forwarding Table contains more than one page of data, you are unable to advance past the first page.

Conditions:
Tunnel Static Forwarding Table contains a large number of configured tunnels.

Impact:
The content displayed on screen and does not conform to the system preference for Records Per Screen.

Workaround:
None.


919401-1 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed

Component: TMOS

Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


919317-6 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.


919301-2 : GTP::ie count does not work with -message option

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
iRules fails and it could cause connection abort.

Workaround:
Swap order of argument by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works in runtime.


919185-1 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


918905-1 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules

Component: Advanced Firewall Manager

Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use. Errors are reported to the terminal screen:

pccd[23494]: 015d0000:0: pccd encountered a fatal error and will be restarted shortly...

Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.

Impact:
PCCD goes into a restart loop. PCCD is not functional until there are 256 or fewer entries.

Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.

To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd


918409-1 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm


918277-1 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.


917637-4 : Tmm crash with ICAP filter

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Per-request policies configured.
-- ICAP is configured.

This is rare condition that occurs intermittently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


916485-3 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.


915969-2 : Truncated QUIC connection close reason

Component: Local Traffic Manager

Symptoms:
The connection close reason in QUIC is limited to 5 bytes prior to the path being validated. This makes it difficult to debug early connection failures.

Conditions:
A connection close is sent in QUIC before the path is validated.

Impact:
Connection close reason is limited to 5 bytes before the path is validated.

Workaround:
None


915829-3 : Particular Users unable to login with LDAP Authentication Provider

Component: TMOS

Symptoms:
With LDAP as authentication provider, some administrative users are unable to login to BIG-IP.

Conditions:
-- LDAP remote authentication.
-- Certain users, whose characteristics have not been identified.

Impact:
Certain client users cannot login to administer the BIG-IP system.

Workaround:
None.


915825-1 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915773-3 : Restart of TMM after stale interface reference

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


915557-1 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.


915493-5 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.


915473-3 : Accessing Dashboard page with AVR provisioned causes continuous audit logs

Component: TMOS

Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.

Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard.

Impact:
The continuous extra logs might lead to confusion and may not be helpful.

Workaround:
None.


915221-5 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.


915141-1 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.


915133-2 : Single Page Application can break the page, when hooking is done by the end server application.

Component: Application Security Manager

Symptoms:
When the end server application hooks some of the XHR callback functions (onload, onreadystate, send, open..), and a Single Page Application is used, the application page may malfunction.

Conditions:
This may occur when a server application hooks some XHR callbacks, and one of the following:

-- Bot Defense Profile with 'Single Page Application' enabled and attached to the virtual server.

-- ASM Policy with 'Single Page Application' enabled and a JS feature is attached to the virtual server.

-- DoS Profile with Application Security and 'Single Page Application' enabled and is attached to the virtual server.

Impact:
Web page does not render properly. It might result in a blank page, missing functionality, etc.

Workaround:
Run the command:
tmsh modify sys db dosl7.parse_html_inject_tags value "after,body"


915005-2 : AVR core files have unclear names

Component: Application Visibility and Reporting

Symptoms:
If avrd fails a core file created in this case is named accordung to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz

Conditions:
Avrd fails with a core

Impact:
It is inconvenient for identifying the process that caused the core.


914589-1 : VLAN Failsafe timeout is not always respected

Component: Local Traffic Manager

Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.

Conditions:
-- Rarely happen on first failover. More commonly occurs on 3rd/4th failover.
-- Specific conditions that cause this issue are not known.

Impact:
VLAN Failsafe timeout might be triggered later than it is configured.

The exact impact varies based on the configuration and traffic activity.

Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).


914309-4 : TMM crash seen with FTP and Classification profiles

Component: Local Traffic Manager

Symptoms:
TMM might core and restart when FTP traffic is being proxied by a BIG-IP device.

Conditions:
-- Both FTP and Classification profiles are applied to a virtual server.
-- The FTP profile has inherit-parent-profile enabled.

Impact:
-- TMM crashes and restarts
-- Failover, loss of service during restart.
-- Traffic disrupted while tmm restarts.

Workaround:
None.


914061-1 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol allows a negative flow-control window on initial stage of communication while first 65,535 bytes of payload are delivered from a peer. BIG-IP may break this requirement.

Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.

Impact:
BIG-IP denies the POST request and sends RST_STREAM.


913713-1 : Rebooting a blade causes MCPd to core as it rejoins the cluster

Component: TMOS

Symptoms:
Tmm and mcpd cores for slot2

Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core.

Impact:
Traffic disrupted while tmm and mcpd mcpd restarts.

Workaround:
N/A


913573-3 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.

Component: TMOS

Symptoms:
When REST API PUT request is call to modify LTM data-group internal without 'type' field in body-content, it fails intermittently with a 400 error.

--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}

The 'type' field is not getting populated with default value and is set to null string "" instead.

Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.

Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.

Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.

Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>


913453-6 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.


913413-2 : 'GTP::header extension count' iRule command returns 0

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None


913385-2 : TMM generates core while deleting iFiles

Component: Local Traffic Manager

Symptoms:
While deleting iFiles, TMM might crash and generates a core.

Conditions:
-- There is any ifile command in an iRule where you are giving a list object to the file name argument instead of to a string object, for example:

The 2nd line returns a list object, and the 3rd line is giving it to ifile command:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get $ifile_name

-- A request is processed by the iRule.
-- Attempt to delete the file in which the issue occurred.

Impact:
TMM crashes and restarts, triggering failover in high availability (HA) configurations. Traffic disruption while TMM restarts on a standalone configuration.

Workaround:
Ensure that the iRule gives a string object to ifile commands. Here is a sample iRule that implements the workaround:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get [format "%s" $ifile_name]


912945-1 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Component: Local Traffic Manager

Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.


912761-1 : Link throughput statistics are different

Component: Global Traffic Manager (DNS)

Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.

Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.

Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.

Workaround:
Do not use the same uplink for different BIG-IP devices.


912517-1 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


912293-4 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.


912149-6 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server


911853-6 : Stream filter chunk-size limits filter to a single match per ingress buffer

Component: Local Traffic Manager

Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:

https://support.f5.com/csp/article/K39394712

Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.

Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.

Workaround:
None.


911777-1 : BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.

Component: Local Traffic Manager

Symptoms:
If the server certificate status is revoked, SSL forward proxy configured with a new server SSL profile might drop the connection.

Conditions:
-- New SSL forward proxy server SSL profile is attached to the virtual server.
-- Revoked-cert-status-response-control is set to the default value (drop).
-- Certificate status service (e.g., CRL/OCSP) is configured on the server SSL profile.

Impact:
BIG-IP client connections are reset.

Workaround:
Change revoked-cert-status-response-control to ignore on the server SSL profile.


911713-4 : Delay in Network Convergence with RSTP enabled

Component: TMOS

Symptoms:
The BIG-IP system does not to Rapid Spanning Tree Protocol (RSTP) Bridge Protocol Data Units (BPDUs) with only the proposal flag ON (i.e., without the agreement flag ON).

Conditions:
-- Neighbor Switch sends RSTP BPDU with only proposal flag ON.
-- The agreement flag is not ON.

Impact:
Network convergence takes more time than expected.

Workaround:
None.


911585-4 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.


911241-7 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.


911141-2 : GTP v1 APN is not decoded/encoded properly

Component: Service Provider

Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.


910965-1 : Overflow of Multicast table filling the tmm log

Component: Local Traffic Manager

Symptoms:
Whenever a new multicast entry is added to an already full table, an error is logged to /var/log/tmm

Conditions:
This warning occurs when the multicast table is full

Impact:
When this condition occurs, this can fill the tmm log with these warning messages

Workaround:
None.


910777-2 : Sending ASM report via AWS SES failed duo to wrong content type

Component: Application Visibility and Reporting

Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
  Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554.

This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process.

Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet:

[admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php

if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line for add text/html into content type.

[admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php

5. Click Send Now again and it works.


Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system.

Impact:
Cannot receive ASM reports.


910673-1 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.


910645-2 : Upgrade error 'Parsing default XML files. Failed to parse xml file'

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.


910213-1 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.

Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.


910105 : Partial HTTP/2 payload may freeze on the BIG-IP system

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP does not properly handles an early response from a server when HTTP router is configured on a virtual and partial payload sent in each direction. In this case, communication over the stream hangs.

Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.

Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.

Workaround:
None.


909997-2 : Virtual server status displays as unavailable when it is accepting connections

Component: Local Traffic Manager

Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.

Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.

Impact:
Actual virtual server status is not reflected in GUI.

Workaround:
If the deployment design allows, you can use either of the following workarounds:

-- Remove the source address list from the virtual server.

-- Have a single address in the source address list.


909677-1 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted

Component: Local Traffic Manager

Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to al