999021-1 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active

Component: TMOS

Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.

If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.

Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.

Impact:
IPsec IKEv1 tunnels fail and do not start again.

Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.

-- Avoid full syncs from Standby to Active.

How to recover when the problem occurs:

-- Disable the affected ike-peer and re-enable it.

Fix:
IKEv1 tunnels are able to negotiate after Standby to Active config sync.

998221-2 : Accessing pool members from configuration utility is slow with large config

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

997929-2 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

996753-3 : ASM BD process may crash while processing HTML traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM BD process may crash while processing HTML traffic

Conditions:
- ASM profile enabled

Impact:
ASM traffic disrupted while BD restarts.

Workaround:
None.

Fix:
ASM now processes HTML traffic as expected.

996593-1 : Password change through REST or GUI not allowed if the password is expired

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

996381-2 : ASM attack signature may not match as expected

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

995629-4 : Loading UCS files may hang if ASM is provisioned★

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fails while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' and de-provision ASM. The UCS file should then load successfully.

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

994801-8 : SCP file transfer hardening

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
Administrative user with SCP access.

Impact:
users with with SCP access but without shell access can run arbitrary commands

Workaround:
None

Fix:
The SCP file transfer system now follows current best practices.

993489-2 : GTM daemon leaks memory when reading GTM link objects

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

990333-6 : APM may return unexpected content when processing HTTP requests

Solution Article: K75540265

989753-1 : In HA setup, standby fails to establish connection to server

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

989009-2 : BD daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the BD daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
BD daemon crash leading to a failover event

Workaround:
N/A

Fix:
The BD daemon now processes WebSocket traffic as expected.

988005-2 : Zero active rules counters in GUI

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

986937-2 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

984657-1 : Sysdb variable not working from tmsh

Component: Traffic Classification Engine

Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables does not work from tmsh

Fix:
After the fix able to verify sysdb variables from tmsh

982869-2 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

981785-4 : Incorrect incident severity in Event Correlation statistics

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.

981385-2 : AVRD does not send HTTP events to BIG-IQ DCD

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

981169-1 : F5 TMUI XSS vulnerability CVE-2021-22994

Solution Article: K66851119

980821-3 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protcol UDP
    ...
  }

Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.

980809-1 : ASM REST Signature Rule Keywords Tool Hardening

Component: Application Security Manager

Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Workaround:
N/A.

Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.

980125-2 : BD Daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the WAF daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
WAF crash resulting in a failover event.

Workaround:
N/A

Fix:
WAF now processes WebSocket traffic as expected.

979081-1 : Hardening of ASM External References

Component: Application Security Manager

Symptoms:
Some ASM actions allow specifying external references for resources. Under certain conditions processing of the external resource does not follow current best practices.

Conditions:
-ASM provisioned
-External resources configured

Impact:
Resolution of external resources is incorrect.

Workaround:
N/A

Fix:
External resources are now processed as expected..

977053-1 : TMM crash on standby due to invalid MR router instance

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

976925-1 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773

976617-1 : Manual signature sets are converted to filter based when trying to update signature set without field "type"

Component: Application Security Manager

Symptoms:
Manual signature sets are converted to filter based when trying to update signature set without field "type" in rest request.

Conditions:
Patch request to manual signature set without type.

Impact:
Manual signature set is being converted to filter based signature set

Workaround:
Update the signature set again to convert to manual, then add the appropriate signatures to it.

Fix:
Updated the logic to check the existing type of signature set before updating it.

976505-4 : Rotated restnoded logs will fail logintegrity verification.

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

975809-3 : Rotated restjavad logs fail logintegrity verification.

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

975465-1 : TMM may consume excessive resources while processing DNS iRules

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may consume excessive resources while processing DNS iRules

Conditions:
- RESOLVER::summarize iRule command in use

Impact:
TMM consumes excessive resources

Workaround:
Use 'DNSMSG::section <response> answer' in place of 'RESOLVER::summarize <response>'

Fix:
TMM now processes DNS iRules as expected.

975233-1 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Solution Article: K52510511

974881-3 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

973333-6 : TMM buffer-overflow vulnerability CVE-2021-22991

Solution Article: K56715231

973261-1 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.

971297-1 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.

970829-6 : iSeries LCD incorrectly displays secure mode

Solution Article: K03310534

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.

969509-1 : Possible memory corruption due to DOS vector reset

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.

969385-1 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.

Component: BIG-IP Risk Engine

Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile

Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)

Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.

Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).

Fix:
None

969213-3 : VMware: management IP cannot be customized via net.mgmt.addr property

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.

968733-7 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Solution Article: K42202505

968641 : Fix for zero LACP priority

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminate LACP priority equal 0

968421-1 : ASM attack signature doesn't matched

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

968349-2 : TMM crashes with unspecified message

Component: Service Provider

Symptoms:
TMM crashes with unspecified message

Conditions:
Requires specific iRule for gtp processing.

Impact:
TMM crashes with core and restarts. Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
TMM handles unspecified message properly.

967905-4 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

967745-1 : Last resort pool error for the modify command for Wide IP

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

966701-1 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enable the return type in generic msg filter when data received over SCTP transport

966681-3 : NAT translation failures while using SP-DAG in a multi-blade chassis

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlan's

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.

966277-2 : BFD down on multi-blade system

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.

965617-4 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
More resources loading during DDoS attack

Fix:
Correct free spot search with offloading to HSB

965485-4 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Solution Article: K41523201

964897-1 : Live Update - Indication of "Update Available" when there is no available update

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.

964585-2 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Component: Protocol Inspection

Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.

964577-2 : IPS automatic IM download not working as expected

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.

963461-2 : ASM performance drop on the response side

Component: Application Security Manager

Symptoms:
Clients encounter a longer time to respond from the BIG-IP

Conditions:
-- One of the following features is enabled:
   - convictions
   - csrf
   - ajax.
-- The response is HTML
-- The response has many tags

Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.

963237-4 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.

962817-1 : Description field of a JSON policy overwrites policy templates description

Component: Application Security Manager

Symptoms:
Creating a UTF-8 policy using a template for the first time creates a binary policy the system uses the next time you create a UTF-8 policy with the same template.

If the creation occurs via JSON policy import, the description field of the JSON policy overwrites the description from the template, and the next time you create a UTF-8 policy using the same template, the system uses the description from the first JSON policy.

Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.

Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially created JSON policy instead the template.

Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:

rm -f /ts/install/policy_templates/fundamental.bin

Fix:
The binary file now contains the correct description.

962497-1 : BD crash after ICAP response

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

962341-5 : BD crash while processing JSON content

Component: Application Security Manager

Symptoms:
Under certain conditions, BD may crash while processing JSON content

Conditions:
- ASM enabled
- JSON content profile enabled

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

962333-1 : FIN from client does not get propagated to server side, if the FIN arrives before server side reaching ESTABLISHED

Component: Local Traffic Manager

Symptoms:
FIN from client will not be propagated to server side, if the FIN arrives in BIG-IP before the corresponding server side connection reaches ESTABLISHED.

Conditions:
- standard virtual server with the default tcp profile
- client sends FIN immediately after 3WHS

Impact:
These connections remain until the idle timeout is reached.

Workaround:
None

962177-1 : Results of POLICY::names and POLICY::rules commands may be incorrect

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.

960749-1 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.

960437-1 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.

960385-1 : In rare conditions modal does not close when it should

Component: Application Security Manager

Symptoms:
When one modal is already opened in the GUI and the system tries to open another one, first one is not closed

Conditions:
In new policy settings pages following steps are needed:
 - open settings page and change something so that Save button becomes active
 - open modal (e.g. Add Webhook in General Settings)
 - press back in browser

Impact:
Unsaved changes modal is not visible.

Workaround:
Close modals before navigating back in the browser

Fix:
On open of new modal - all previous are forced to close

960369-1 : Negative value suggested in Traffic Learning as max value

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY

959629-1 : Logintegrity script for restjavad/restnoded fails

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.

959121-5 : Not following best practices in Guided Configuration Bundle Install worker

Solution Article: K74151369

958465-1 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.

958353-1 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.

957337-2 : Tab complete in 'mgmt' tree is broken

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.

957029-2 : MRF Diameter loop-detection is enabled by default

Component: Service Provider

Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.

Conditions:
Default diameter session profile loop detection configuration.

Impact:
System performance is impacted even if MRF Diameter loop detection is not used.

Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.

Fix:
MRF Diameter loop detection is now disabled by default.

Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.

956373-1 : ASM sync files not cleaned up immediately after processing

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.

956105-1 : Websocket URLs content profiles are not created as expected during JSON Policy import

Component: Application Security Manager

Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import

Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.

Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.

Workaround:
The content profiles can be manually associated after the import process using REST or GUI.

Fix:
Setting the correct profile reference during import.

955145-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991

955017-1 : Excessive CPU consumption by asm_config_event_handler

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

954937 : Tmm crash when GPA POLICY is used

Component: Traffic Classification Engine

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Traffic classification policy exists and is configured to block the application traffic
-- Application traffic is passed

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a PEM policy to block the traffic instead of a traffic classification policy

Fix:
Fixed a tmm crash when a traffic classification policy is configured to block application traffic.

954429-1 : User authorization changes for live update

Solution Article: K23203045

954381-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991

953845-2 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.

953729-1 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Solution Article: K56142644 K45056101

953677-1 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188

953393-1 : TMM crashes when performing iterative DNS resolutions.

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.

To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.

The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).

Fix:
TMM no longer crashes.

952545-1 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.

952509-3 : Cross origin AJAX requests are blocked in case there is no Origin header

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.

951705-1 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991

951133-3 : Live Update does not work properly after upgrade★

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

950077-1 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188

950017-1 : TMM may crash while processing SCTP traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic. After this crash logs will show the message: "flow not in use".

Conditions:
- SCTP profile enabled

Impact:
TMM crashing leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes SCTP traffic as expected.

949933-5 : BIG-IP APM CTU vulnerability CVE-2021-22980

Solution Article: K29282483

949889-4 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Solution Article: K04107324

949721-1 : QUIC does not send control frames in PTO packets

Component: Local Traffic Manager

Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.

Conditions:
A control frame is in-flight when the PTO timer fires.

Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.

Workaround:
None.

Fix:
Retransmittable control frames are now sent when the PTO timer fires.

949593-4 : Unable to load config if AVR widgets were created under '[All]' partition★

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.

949145-6 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

948769-6 : TMM panic with SCTP traffic

Solution Article: K05300051

948757-1 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.

948573-5 : Wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

947905-1 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★

Component: TMOS

Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.

The system posts errors similar to the following:

-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property

Conditions:
Upgrade from one of the following release:

-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch

to one of the following releases:

-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1

Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.

Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.

You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903

947341-2 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries containing:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL out of resources when opening files
PRX.REQUEST_LOG Corrupt

Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

1) To identify the empty partitions, look into:
   SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G

2) For every partition that is empty, manually (or via shell script) execute this sql:
   ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'

4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5) pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases 'open_files_limit' to '10000'.

946953-2 : HTTP::close used in iRule might not close connection.

Component: Local Traffic Manager

Symptoms:
HTTP::close used in an iRule might not close the connection. For example:

when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
  }

Conditions:
Using HTTP::close along with HTTP::respond

Impact:
HTTP connection can be re-used.

Workaround:
Explicitly add close header in the HTTP::respond. For example:

HTTP::respond 200 content "OK" Connection close

Fix:
Fixed an issue where HTTP::close might not close a connection.

946377-1 : HSM WebUI Hardening

Component: Local Traffic Manager

Symptoms:
The HSM Management WebUI does not follow current best practices.

Conditions:
HSM Management WebUI accessed by an authorized administrative user.

Impact:
The HSM Management WebUI does not follow current best practices.

Workaround:
N/A

Fix:
The HSM Management WebUI now follows current best practices.

946089-3 : BIG-IP might send excessive multicast/broadcast traffic.

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.

946081-5 : Getcrc tool help displays directory structure instead of version

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.

945997-1 : LTM policy applied to HTTP/2 traffic may crash TMM

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.

945601-5 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.

Component: Local Traffic Manager

Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.

Conditions:
Policy contains multiple rules which employ TCP address matching condition.

Impact:
Inocorrect LTM policy is applied.

945265-5 : BGP may advertise default route with incorrect parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>

945109-1 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Solution Article: K46641512

944785-4 : Admd restarting constantly. Out of memory due to loading malformed state file

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.

944641-2 : HTTP2 send RST_STREAM when exceeding max streams

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.

944441-5 : BD_XML logs memory usage at TS_DEBUG level

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.

943913-2 : ASM attack signature does not match

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.

943125-1 : ASM bd may crash while processing WebSocket traffic

Solution Article: K18570111

943081-4 : Unspecified HTTP/2 traffic may cause TMM to crash

Solution Article: K90603426

942921-1 : BIG-IP APM vulnerability CVE-2021-22985

Solution Article: K32049501

942497-3 : Declarative onboarding unable to download and install RPM

Component: TMOS

Symptoms:
Installation of declarative onboarding RPM fails.

Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.

Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.

Workaround:
RPMs must be installed manually.

Fix:
The installation directory was updated to fix the RPM installation issue.

942185-1 : Non-mirrored persistence records may accumulate over time

Component: Local Traffic Manager

Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.

Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.

941929-3 : Google Analytics shows incorrect stats, when Google link is redirected.

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None

941853-5 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

941621-1 : Brute Force breaks server's Post-Redirect-Get flow

Solution Article: K91414704

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.

941449-1 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Solution Article: K55237223

941249-5 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Component: Application Security Manager

Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None

Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s

940897-1 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.

940665-2 : DTLS 1.0 support for PFS ciphers

Component: Local Traffic Manager

Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.

* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA

Conditions:
DTLS 1.0 is configured in an SSL profile.

Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.

940401-1 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

940249-1 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.

940021-4 : Syslog-ng hang may lead to unexpected reboot

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.

939961-1 : TCP connection is closed when necessary after HTTP::respond iRule.

Component: Local Traffic Manager

Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.

Impact:
TCP connection lives longer than needed.

Workaround:
N/A

Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.

939845-1 : BIG-IP MPTCP vulnerability CVE-2021-23004

Solution Article: K31025212

939841-1 : BIG-IP MPTCP vulnerability CVE-2021-23003

Solution Article: K43470422

939541-1 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
TMM no longer shuts down prematurely during initialization.

939529-1 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.

939421-1 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Solution Article: K38481791

938233-1 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Component: Local Traffic Manager

Symptoms:
BIG-IP exhibits gradual and linear increase in memory accumulation (high xfrag accumulation) leading to high CPU utilization.

Impact:
This may start affecting BIG-IPs capacity to serve other incoming requests as CPU utilization tends towards maximum limit.

Fix:
BIG-IP no longer shows the known issues of high memory (xfrag) accumulation that leads to the high CPU utilization.

938165-3 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.

938149-2 : Port Block Update log message is missing the "Start time" field

Component: Advanced Firewall Manager

Symptoms:
Port Block Update log message is missing the "Start time" field.

Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.

Impact:
NAT Log information is not usable for accounting purpose.

Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.

937777-1 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.

Component: Local Traffic Manager

Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.

Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload

Impact:
Traffic disrupted while the TMM restarts.

Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.

Fix:
Having a Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload will no longer cause the TMM to crash.

937637-2 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773

937365-1 : LTM UI does not follow best practices

Component: TMOS

Symptoms:
The SCTP component of LTM WebUI does not follow current best practices.

Conditions:
- Authenticated LTM WebUI user

Impact:
LTM WebUI does not follow current best practices.

Workaround:
None

Fix:
TMUI now follows best practices.

936125-1 : SNMP request times out after configuring IPv6 trap destination

Component: TMOS

Symptoms:
SNMP request is times out.

Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.

Impact:
No response is returned for SNMP request.

Workaround:
Restart SNMP daemon by running the following TMSH command:

restart sys service snmpd

Fix:
N/A

935721-6 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291

935593-5 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

935433-1 : iControl SOAP Hardening

Component: TMOS

Symptoms:
Under certain condition, iControl SOAP does not follow current best practices.

Conditions:
- Undisclosed conditions.

Impact:
iControl SOAP doe not follow current best practices.

Workaround:
N/A

Fix:
iControl SOAP now follows current best practices.

935401-1 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Solution Article: K06440657

935293-6 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.

935029-4 : TMM may crash while processing IPv6 NAT traffic

Solution Article: K04048104

934993-1 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.

Workaround:
None.

Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.

934721-4 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.

Fix:
Fixed a tmm crash related to ACL statistics

934065-2 : The turboflex-low-latency and turboflex-dns are missing.

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.

Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.

933777-4 : Context use and syntax changes clarification

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

933741-1 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Solution Article: K63497634

933461-5 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

933409-1 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.

Impact:
Live-update functionality does not work properly.

Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.

933405-1 : Zonerunner GUI hangs when attempting to list Resource Records

Solution Article: K34257075

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.

932937-1 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.

932737-4 : DNS & BADOS high-speed logger messages are mixed

Component: Anomaly Detection Services

Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.

Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.

Impact:
Reporting will be confusing.

932497-2 : Autoscale groups require multiple syncs of datasync-global-dg

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.

Fix:
Perform full sync for each change when having multiple live update changes in a row.

932485-4 : Incorrect sum(hits_count) value in aggregate tables

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

932437-1 : Loading SCF file does not restore files from tar file★

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.

932233-1 : '@' no longer valid in SNMP community strings

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.

932065-1 : iControl REST vulnerability CVE-2021-22978

Solution Article: K87502622

931837-7 : NTP has predictable timestamps

Solution Article: K55376430

931513-1 : TMM vulnerability CVE-2021-22977

Solution Article: K14693346

930905-2 : Management route lost after reboot.

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.

Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

-- The instance is rebooted.

Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd

930017-1 : Bot defense profile upgrade fails from 14.x to 15.x/16.x with error match-order should be unique★

Component: Application Security Manager

Symptoms:
Upgrading Bot defense profile fails with match-order field 1 or 2 fails, while the error is "match-order should be unique"

Conditions:
- ASM provisioned
- Bot defense profile has allow list object (the GUI says whitelist object)
- The object has a field match-order = 1 or 2
- Upgrade happening from 14.x to 15.x/16.x

Impact:
Upgrade fails

Workaround:
Before upgrading
-- Change match-order field 1 to 3
-- Change match-order field 2 to 4

Fix:
Fix changes match-order field 1 to 3 and match-order field 2 to 4 programmatically

930005-1 : Recover previous QUIC cwnd value on spurious loss

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.

Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

929077-3 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

929001-2 : ASM form handling improvements

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.

928697-1 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.

928685-1 : ASM Brute Force mitigation not triggered as expected

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when HTTP_REQUEST
{

    if { [catch { HTTP::username } ] } {
      log local0. "ERROR: bad username";
      ASM::raise bad_auth_header_custom_violation
    }

}

Fix:
Brute Force mitigation is now triggered as expected.

928553-4 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.

Fix:
Tmm does not crash anymore.

928321-4 : K19166530: XSS vulnerability CVE-2020-27719

Solution Article: K19166530

928037-1 : APM Hardening

Solution Article: K15310332

927941-6 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.

927617-1 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contain the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.

927033-3 : Installer fails to calculate disk size of destination volume★

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0

926997-2 : QUIC HANDSHAKE_DONE profile statistics are not reset

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

Impact of Workaround: Traffic disrupted while tmm restarts.

bigstart restart tmm

Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.

926929-4 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None.

Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:

HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).

926593-1 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets

924961-1 : CVE-2019-20892: SNMP Vulnerability

Solution Article: K45212738

924945-4 : Fail to detach HTTP profile from virtual server

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

924929-3 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.

924857-3 : Logout URL with parameters resets TCP connection

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.

924493-1 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.

924429-1 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.

924349-3 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.

924301-2 : Incorrect values in REST response for DNS/SIP

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached

Impact:
An incorrect value is calculated in the REST response.

Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation

923301-3 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Component: Application Security Manager

Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Conditions:
Automatic installation of ASU on manual sync setup.

Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Workaround:
Manually sync the device group.

Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

922785-1 : Live Update scheduled installation is not installing on set schedule

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14

922297-1 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).

922261-1 : WebSocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.

Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.

921881-1 : Use of IPFIX log destination can result in increased CPU utilization

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.

921677-1 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new allow list item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.

Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.

921625-1 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

921421-4 : iRule support to get/set UDP's Maximum Buffer Packets

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.

921361-3 : SSL client and SSL server profile names truncated in GUI

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.

921337-6 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Solution Article: K88230177

920961-1 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

920197-4 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.

919989-3 : TMM does not follow TCP best practices

Solution Article: K64571774

919885-1 : A TCP connection is not closed after invoking the HTTP::respond iRule command.

Component: Local Traffic Manager

Symptoms:
After sending a HTTP response that would normally cause the underlying TCP connection to get closed, the BIG-IP system fails to close the TCP connection.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule command is used.
- The HTTP filter sets the "Connection: close" header (for example, in response to a HTTP/1.0 request that does not request Keep-Alive behavior).

Impact:
The TCP connection lives longer than needed, and even allows the client to send subsequent requests over the same connection.

Workaround:
N/A

Fix:
TCP connection is now closed as necessary after invoking the HTTP::respond iRule command.

919841-4 : AVRD may crash while processing Bot Defense traffic

Solution Article: K45143221

919745-1 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.

919553-1 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.

919001-3 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
This can be encountered on the first load of the Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.

918933-1 : The BIG-IP ASM system may not properly perform signature checks on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221

918597-6 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.

918209-4 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.

918169-4 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.

918097-4 : Cookies set in the URI on Safari

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.

Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.

This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable

Default value is the original behavior (enable), which sets the cookie in the URl.

NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.

918081-2 : Application Security Administrator role cannot create parent policy in the GUI

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.

Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.

Fix:
The Application Security Administrator role can now create the parent policy when required.

917509-2 : BIG-IP ASM vulnerability CVE-2020-27718

Solution Article: K58102101

917469-1 : TMM may crash while processing FPS traffic

Solution Article: K53821711

917005-6 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532

916821-1 : iControl REST vulnerability CVE-2021-22974

Solution Article: K68652018

916781-3 : Validation error while attaching DoS profile to GTP virtual

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.

Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.

916753-1 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.