Applies To:
Show VersionsBIG-IP APM
- 16.1.0
BIG-IP Link Controller
- 16.1.0
BIG-IP Analytics
- 16.1.0
BIG-IP LTM
- 16.1.0
BIG-IP PEM
- 16.1.0
BIG-IP AFM
- 16.1.0
BIG-IP DNS
- 16.1.0
BIG-IP FPS
- 16.1.0
BIG-IP ASM
- 16.1.0
Version: 16.1.0
Build: 19.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Known Issues in BIG-IP v16.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
975233 | CVE-2021-22992 | K52510511 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 |
973333 | CVE-2021-22991 | K56715231 | TMM buffer-overflow vulnerability CVE-2021-22991 |
955145 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
954381 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
953677 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
951705 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
950077 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
989317-11 | CVE-2021-23023 | K33757590 | Windows Edge Client does not follow best practice |
981169 | CVE-2021-22994 | K66851119 | F5 TMUI XSS vulnerability CVE-2021-22994 |
968729 | CVE-2017-18344 | K07020416 | Kernel CVE-2017-18344 out-of-bounds access in the show_timer function |
959121 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
953729 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 |
949933-7 | CVE-2021-22980 | K29282483 | BIG-IP APM CTU vulnerability CVE-2021-22980 |
943125 | CVE-2021-23010 | K18570111 | ASM bd may crash while processing WebSocket traffic |
943081 | CVE-2021-23009 | K90603426 | Unspecified HTTP/2 traffic may cause TMM to crash |
941449 | CVE-2021-22993 | K55237223 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 |
935721 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 |
935029 | CVE-2020-27720 | K04048104 | TMM may crash while processing IPv6 NAT traffic |
933741 | CVE-2021-22979 | K63497634 | BIG-IP FPS XSS vulnerability CVE-2021-22979 |
932065 | CVE-2021-22978 | K87502622 | iControl REST vulnerability CVE-2021-22978 |
931837 | CVE-2020-13817 | K55376430 | NTP has predictable timestamps |
931513 | CVE-2021-22977 | K14693346 | TMM vulnerability CVE-2021-22977 |
928321 | CVE-2020-27719 | K19166530 | K19166530: XSS vulnerability CVE-2020-27719 |
921337 | CVE-2021-22976 | K88230177 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 |
917509 | CVE-2020-27718 | K58102101 | BIG-IP ASM vulnerability CVE-2020-27718 |
916821 | CVE-2021-22974 | K68652018 | iControl REST vulnerability CVE-2021-22974 |
911761 | CVE-2020-5948 | K42696541 | F5 TMUI XSS vulnerability CVE-2020-5948 |
908673 | CVE-2020-27717 | K43850230 | TMM may crash while processing DNS traffic |
891457 | CVE-2020-5939 | K75111593 | NIC driver may fail while transmitting data |
888417 | CVE-2020-8840 | K15320518 | Apache Vulnerability: CVE-2020-8840 |
882633 | CVE-2021-23008 | K51213246 | Active Directory authentication does not follow current best practices |
882189-9 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 |
881317-10 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
881293-9 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
880361 | CVE-2021-22973 | K13323323 | iRules LX vulnerability CVE-2021-22973 |
879745-9 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic |
876353 | CVE-2020-5941 | K03125360 | iRule command RESOLV::lookup may cause TMM to crash |
814953-9 | CVE-2020-5940 | K43310520 | TMUI dashboard hardening |
1017973 | CVE-2021-25215 | K96223611 | BIND Vulnerability CVE-2021-25215 |
990333 | CVE-2021-23016 | K75540265 | APM may return unexpected content when processing HTTP requests |
984613-4 | CVE-2021-23022 | K08503505 | CVE-2020-5896 - Edge Client Installer Vulnerability |
976925 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
968737 | CVE-2018-18397 | K83102920 | CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions |
968725 | CVE-2017-10661 | K04337834 | Linux Kernel Vulnerability CVE-2017-10661 |
965485-7 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL |
954429 | CVE-2021-23014 | K23203045 | User authorization changes for live update |
949889 | CVE-2019-3900 | K04107324 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() |
948769 | CVE-2021-23013 | K05300051 | TMM panic with SCTP traffic |
945109 | CVE-2015-9382 | K46641512 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 |
945033 | CVE-2019-9636 | K57542514 | Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization |
942921 | CVE-2021-22985 | K32049501 | BIG-IP APM vulnerability CVE-2021-22985 |
939845 | CVE-2021-23004 | K31025212 | BIG-IP MPTCP vulnerability CVE-2021-23004 |
939841 | CVE-2021-23003 | K43470422 | BIG-IP MPTCP vulnerability CVE-2021-23003 |
937637-1 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
935401 | CVE-2021-23001 | K06440657 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 |
928037 | CVE-2020-27729 | K15310332 | APM Hardening |
924961 | CVE-2019-20892 | K45212738 | CVE-2019-20892: SNMP Vulnerability |
919989 | CVE-2020-5947 | K64571774 | TMM does not follow TCP best practices |
919841 | CVE-2020-27728 | K45143221 | AVRD may crash while processing Bot Defense traffic |
917469 | CVE-2020-5946 | K53821711 | TMM may crash while processing FPS traffic |
917005 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 |
912969 | CVE-2020-27727 | K50343630 | iAppsLX REST vulnerability CVE-2020-27727 |
910017 | CVE-2020-5945 | K21540525 | Security hardening for the TMUI Interface page |
905125 | CVE-2020-27726 | K30343902 | Security hardening for APM Webtop |
898949 | CVE-2020-27724 | K04518313 | APM may consume excessive resources while processing VPN traffic |
889557-8 | CVE-2019-11358 | K20455158 | jQuery Vulnerability CVE-2019-11358 |
888489 | CVE-2020-5927 | K55873574 | ASM UI hardening |
883097 | CVE-2020-5924 | K11400411 | Radius authentication may consume excessive resources |
881445-10 | CVE-2020-5898 | K69154630 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 |
877109 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy |
842717-9 | CVE-2020-5855 | K55102004 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 |
823877 | CVE-2019-10098 CVE-2020-1927 |
K25126370 | CVE-2019-10098 apache mod_rewrite vulnerability |
803933 | CVE-2018-20843 | K51011533 | Expat XML parser vulnerability CVE-2018-20843 |
797769-11 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 |
778049 | CVE-2018-13405 | K00854051 | Linux Kernel Vulnerability: CVE-2018-13405 |
743105 | CVE-2021-22998 | K31934524 | BIG-IP SNAT vulnerability CVE-2021-22998 |
718189 | CVE-2021-23011 | K10751325 | Unspecified IP traffic can cause low-memory conditions |
693360 | CVE-2020-27721 | K52035247 | A virtual server status changes to yellow while still available |
1017965 | CVE-2021-25214 | K11426315 | BIND Vulnerability CVE-2021-25214 |
1015381-3 | CVE-2021-23022 | K08503505 | Windows Edge Client does not follow best practices while installing |
1003557 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
1003105 | CVE-2021-23015 | K74151369 | iControl Hardening |
1002561 | CVE-2021-23007 | K37451543 | TMM vulnerability CVE-2021-23007 |
975589 | CVE-2020-8277 | K07944249 | CVE-2020-8277 Node.js vulnerability |
968733 | CVE-2018-1120 | K42202505 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service |
939421 | CVE-2020-10029 | K38481791 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow |
888493 | CVE-2020-5928 | K40843345 | ASM GUI Hardening |
818213 | CVE-2019-10639 | K32804955 | CVE-2019-10639: KASLR bypass using connectionless protocols |
773693-10 | CVE-2020-5892 | K15838353 | CVE-2020-5892: APM Client Vulnerability |
839145 | CVE-2019-10744 | K47105354 | CVE-2019-10744: lodash vulnerability |
834533 | CVE-2019-15916 | K57418558 | Linux kernel vulnerability CVE-2019-15916 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
994969 | 2-Critical | Possible installation failure with three software volumes on a BIG-IP system★ | |
913729 | 2-Critical | Support for DNSSEC Lookaside Validation (DLV) has been removed. | |
907765 | 2-Critical | BIG-IP system does not respond to ARP requests if it has a route to the source IP address | |
971217 | 3-Major | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. | |
954089 | 3-Major | Incorrect Protocol Inspection "Drop" action for UDP connection flows | |
942105 | 3-Major | Support for HTTP Trailers and gRPC | |
937881 | 3-Major | REST framework (restjavad) upgrade to 64-bit OpenJDK 8 JVM | |
930633 | 3-Major | Delay in using new route updates by existing connections on BIG-IP. | |
930005 | 3-Major | Recover previous QUIC cwnd value on spurious loss | |
928893 | 3-Major | QUIC now supports Spin Bit | |
923301 | 3-Major | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | |
920961 | 3-Major | Devices incorrectly report 'In Sync' after an incremental sync | |
914061 | 3-Major | BIG-IP may reject a POST request if it comes first and exceeds the initial window size | |
913829 | 3-Major | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | |
908465 | 3-Major | Unable to set LACP system priority manually | |
866073 | 3-Major | Add option to exclude stats collection in qkview to avoid very large data files | |
794417 | 3-Major | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | |
703610 | 3-Major | Support of virtual wire on VE | |
703510 | 3-Major | Add Minimum Up members required for GTM pool to be up | |
938537 | 4-Minor | Support draft-thomson-quic-bit-grease-00 | |
921421 | 4-Minor | iRule support to get/set UDP's Maximum Buffer Packets | |
918097 | 4-Minor | Cookies set in the URI on Safari | |
907473 | 4-Minor | MRF DIAMETER: New iRule command to skip capabilities exchange | |
898653 | 4-Minor | MR::available_for_routing iRule command prevents client side connections from being counted as available for routing towards | |
719338 | 4-Minor | Concurrent management SSH connections are unlimited |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
934241 | 1-Blocking | TMM may core when using FastL4's hardware offloading feature | |
998945 | 2-Critical | Load sys config is failing with OOM in MCPD processing | |
995629 | 2-Critical | Loading UCS files may hang if ASM is provisioned★ | |
994801 | 2-Critical | SCP file transfer hardening | |
992097 | 2-Critical | Incorrect hostname is seen in logging files | |
980325 | 2-Critical | Chmand core due to memory leak from dossier requests. | |
980117 | 2-Critical | Dynamic template HA: Missing ike-sa's are seen on standby BIG-IP when Initiator is placed behind NAT | |
976669 | 2-Critical | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | |
975093 | 2-Critical | Dynamic template HA: Missing ike/ipsec-sa's are seen on standby BIG-IP when dynamic tunnels are initiated | |
974705 | 2-Critical | Dynamic template HA: Dynamic tunnel migration with dynamic template configuration does not work after failover when more than 24G of traffic is sent. | |
957897 | 2-Critical | Unable to modify gateway-ICMP monitor fields in the GUI | |
957337 | 2-Critical | Tab complete in 'mgmt' tree is broken | |
950849 | 2-Critical | B4450N blades report page allocation failure.★ | |
950673 | 2-Critical | Hardware Syncookie mode not cleared when deleting/changing virtual server config. | |
948101 | 2-Critical | Pair of phase 2 SAs missing after reboot of standby BIG-IP device | |
944513 | 2-Critical | Apache configuration file hardening | |
942549 | 2-Critical | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | |
942497 | 2-Critical | Declarative onboarding unable to download and install RPM | |
941893 | 2-Critical | VE performance tests in Azure causes loss of connectivity to objects in configuration | |
940021 | 2-Critical | Syslog-ng hang may lead to unexpected reboot | |
939541 | 2-Critical | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | |
935433 | 2-Critical | iControl SOAP Hardening | |
933409 | 2-Critical | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | |
932437 | 2-Critical | Loading SCF file does not restore files from tar file★ | |
932285 | 2-Critical | Tmm core is seen after multiple failover/ failback with lots of tunnels. | |
927033 | 2-Critical | Installer fails to calculate disk size of destination volume★ | |
915305 | 2-Critical | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | |
910201 | 2-Critical | OSPF - SPF/IA calculation scheduling might get stuck infinitely | |
908517 | 2-Critical | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | |
907645 | 2-Critical | IPsec SAs may not be mirrored to HA standby | |
897509 | 2-Critical | IPsec SAs are missing on HA standby, leading to packet drops after failover | |
896217 | 2-Critical | BIG-IP GUI unresponsive | |
888341 | 2-Critical | HA Group failover may fail to complete Active/Standby state transition | |
886693 | 2-Critical | System may become unresponsive after upgrading★ | |
871561 | 2-Critical | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | |
866957 | 2-Critical | Load balancing IPsec tunnels | |
856713 | 2-Critical | IPsec crash during rekey | |
837889-1 | 2-Critical | Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade★ | |
829677 | 2-Critical | .tmp files in /var/config/rest/ may cause /var directory exhaustion | |
818253 | 2-Critical | Generate signature files for logs | |
817709 | 2-Critical | IPsec: TMM cored with SIGFPE in racoon2 | |
799001 | 2-Critical | Sflow agent does not handle disconnect from SNMPD manager correctly | |
785017 | 2-Critical | Secondary blades go offline after new primary is elected | |
776393 | 2-Critical | Restjavad restarts frequently due to insufficient memory with relatively large configurations | |
739507-5 | 2-Critical | Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check | |
739505-1 | 2-Critical | Automatic ISO digital signature checking not required when FIPS license active★ | |
718573 | 2-Critical | Internal SessionDB invalid state | |
706521 | 2-Critical | K21404407 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password |
1000973 | 2-Critical | Unanticipated restart of TMM due to heartbeat failure | |
999021 | 3-Major | IPsec IKEv1 tunnels fail after a config sync from Standby to Active | |
996593 | 3-Major | Password change through REST or GUI not allowed if the password is expired | |
985537 | 3-Major | Upgrade Microsoft Hyper-V driver★ | |
976505 | 3-Major | Rotated restnoded logs will fail logintegrity verification. | |
975809 | 3-Major | Rotated restjavad logs fail logintegrity verification. | |
973577 | 3-Major | [HA template] Stop and start traffic, template objects & sa's are not mirrored on standby | |
973201-1 | 3-Major | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | |
969737 | 3-Major | Snmp requests not answered if V2 traps are configured | |
969713 | 3-Major | IPsec interface mode tunnel may fail to pass packets after first IPsec rekey | |
969213 | 3-Major | VMware: management IP cannot be customized via net.mgmt.addr property | |
969105 | 3-Major | HA failover connections via the management address do not work on vCMP guests running on VIPRION | |
967745-3 | 3-Major | Last resort pool error for the modify command for Wide IP | |
965205 | 3-Major | BIG-IP dashboard downloads unused widgets | |
964941 | 3-Major | IPsec interface-mode tunnel does not initiate or respond after config change | |
963049 | 3-Major | Unexpected config loss when modifying protected object | |
963017 | 3-Major | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | |
959889 | 3-Major | Cannot update firewall rule with ip-protocol property as 'any' | |
959629 | 3-Major | Logintegrity script for restjavad/restnoded fails | |
958833 | 3-Major | After mgmt ip change via GUI, brower is not redirected to new address | |
958465 | 3-Major | in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | |
958353 | 3-Major | Restarting the mcpd messaging service renders the PAYG VE license invalid. | |
958093 | 3-Major | IPv6 routes missing after BGP graceful restart | |
956589 | 3-Major | The tmrouted daemon restarts and produces a core file | |
956293 | 3-Major | High CPU from analytics-related REST calls - Dashboard TMUI | |
950017 | 3-Major | TMM may crash while processing SCTP traffic | |
948717 | 3-Major | F5-pf_daemon_cond_restart uses excessive CPU★ | |
948605 | 3-Major | buffersize(2048) too small. Buffer truncated. | |
947865 | 3-Major | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | |
947529 | 3-Major | Security tab in virtual server menu renders slowly | |
946745 | 3-Major | 'System Integrity: Invalid' after Engineering Hotfix installation | |
946089 | 3-Major | BIG-IP might send excessive multicast/broadcast traffic. | |
945265 | 3-Major | BGP may advertise default route with incorrect parameters | |
943793-1 | 3-Major | Neurond continuously restarting | |
941381 | 3-Major | MCP restarts when deleting an application service with a traffic-matching-criteria | |
940885 | 3-Major | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | |
940177 | 3-Major | Certificate instances tab shows incorrect number of instances in certain conditions | |
937365 | 3-Major | LTM UI does not follow best practices | |
936125 | 3-Major | SNMP request times out after configuring IPv6 trap destination | |
935801 | 3-Major | HSB diagnostics are not provided under certain types of failures | |
934941 | 3-Major | Platform FIPS power-up self test failures not logged to console | |
934065 | 3-Major | The turboflex-low-latency and turboflex-dns are missing. | |
933329 | 3-Major | The process plane statistics do not accurately label some processes | |
932497 | 3-Major | Autoscale groups require multiple syncs of datasync-global-dg | |
932233 | 3-Major | '@' no longer valid in SNMP community strings | |
931749 | 3-Major | Geolocation database does not show region_name for IP addresses of some Spain provinces | |
930905-3 | 3-Major | Management route lost after reboot. | |
930825 | 3-Major | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors | |
930741 | 3-Major | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | |
928697 | 3-Major | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | |
927941 | 3-Major | IPv6 static route BFD does not come up after OAMD restart | |
925797 | 3-Major | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members | |
924493 | 3-Major | VMware EULA has been updated | |
922297 | 3-Major | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | |
921361 | 3-Major | SSL client and SSL server profile names truncated in GUI | |
919317 | 3-Major | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | |
918409 | 3-Major | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | |
915825 | 3-Major | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | |
915497 | 3-Major | New Traffic Class Page shows multiple question marks. | |
914245 | 3-Major | Reboot after tmsh load sys config changes sys FPGA firmware-config value | |
913849-3 | 3-Major | Syslog-ng periodically logs nothing for 20 seconds | |
913433 | 3-Major | On blade failure, some trunked egress traffic is dropped. | |
913361 | 3-Major | The high availability (HA) incremental sync reverts to full load after SSL Orchestrator configuration changes | |
909197 | 3-Major | The mcpd process may become unresponsive | |
908601 | 3-Major | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | |
908021 | 3-Major | Management and VLAN MAC addresses are identical | |
907205 | 3-Major | CentOS Security Update for libssh2 | |
907201 | 3-Major | TMM may crash when processing IPSec traffic | |
906377 | 3-Major | iRulesLX hardening | |
904845 | 3-Major | VMware guest OS customization works only partially in a dual stack environment. | |
904785 | 3-Major | Remotely authenticated users may experience difficulty logging in over the serial console | |
904705 | 3-Major | Cannot clone Azure marketplace instances. | |
903649 | 3-Major | LTM monitor hardening | |
902401-2 | 3-Major | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | |
900933 | 3-Major | IPsec interoperability problem with ECP PFS | |
898705 | 3-Major | IPv6 static BFD configuration is truncated or missing | |
898461 | 3-Major | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | |
896817 | 3-Major | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | |
895837 | 3-Major | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | |
893885-1 | 3-Major | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | |
892781 | 3-Major | Azure walinuxagent has been updated to v2.2.48.1 | |
892677 | 3-Major | Loading config file with imish adds the newline character | |
889041 | 3-Major | Failover scripts fail to access resolv.conf due to permission issues | |
889029 | 3-Major | Unable to login if LDAP user does not have search permissions | |
888869 | 3-Major | GUI reports General Database Error when accessing Instances Tab of SSL Certificates | |
888497 | 3-Major | Cacheable HTTP Response | |
887089 | 3-Major | Upgrade can fail when filenames contain spaces | |
886689 | 3-Major | Generic Message profile cannot be used in SCTP virtual | |
880625 | 3-Major | Check-host-attr enabled in LDAP system-auth creates unusable config | |
880289-1 | 3-Major | FPGA firmware changes during configuration loads★ | |
880165 | 3-Major | Auto classification signature update fails | |
879829 | 3-Major | HA daemon sod cannot bind to ports numbered lower than 1024 | |
879405 | 3-Major | Incorrect value in Transparent Nexthop property | |
876805 | 3-Major | Modifying address-list resets the route advertisement on virtual servers. | |
865225 | 3-Major | 100G modules may not work properly in i15000 and i15800 platforms | |
865177-6 | 3-Major | Cert-LDAP returning only first entry in the sequence that matches san-other oid | |
862937 | 3-Major | Running cpcfg after first boot can result in daemons stuck in restart loop★ | |
858197 | 3-Major | Merged crash when memory exhausted | |
852785-2 | 3-Major | Exposing counters from FIPS device registers allows debugging when cards fail | |
846317 | 3-Major | Show net ipsec ipsec-sa traffic-selector not working on secondary blade | |
844085 | 3-Major | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | |
839121 | 3-Major | K74221031 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ |
830413-1 | 3-Major | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | |
829821 | 3-Major | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | |
828789 | 3-Major | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | |
820845 | 3-Major | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | |
817989 | 3-Major | Cannot change managemnet IP from GUI | |
814585 | 3-Major | PPTP profile option not available when creating or modifying virtual servers in GUI | |
811041 | 3-Major | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | |
807957 | 3-Major | Link Up status should clear Link Down in Nokia Alarm database | |
807337 | 3-Major | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | |
806073 | 3-Major | MySQL monitor fails to connect to MySQL Server v8.0 | |
797829 | 3-Major | The BIG-IP system may fail to deploy new or reconfigure existing iApps | |
788577-9 | 3-Major | BFD sessions may be reset after CMP state change | |
787885 | 3-Major | The device status is falsely showing as forced offline on the network map while actual device status is not. | |
760739 | 3-Major | The Nokia alert configuration is not correct for all clearing events | |
759564 | 3-Major | GUI not available after upgrade | |
754335 | 3-Major | Install ISO does not boot on BIG-IP VE★ | |
749007 | 3-Major | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | |
741702 | 3-Major | TMM crash | |
740589 | 3-Major | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | |
730852 | 3-Major | The tmrouted repeatedly crashes and produces core when new peer device is added | |
714176 | 3-Major | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | |
692218 | 3-Major | Audit log messages sent from the primary blade to the secondaries should not be logged. | |
675911 | 3-Major | K13272442 | Different sections of the GUI can report incorrect CPU utilization |
615934-5 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
489572 | 3-Major | K60934489 | Sync fails if file object is created and deleted before sync to peer BIG-IP |
398683 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail |
1019085 | 3-Major | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★ | |
1013649 | 3-Major | Leftover files in /var/run/key_mgmt after key export | |
1010393 | 3-Major | Unable to relax AS-path attribute in multi-path selection | |
1010245 | 3-Major | Duplicate ipsec-sa SPI values shown by tmsh command | |
967437 | 4-Minor | HA support for dynamic templates | |
966277 | 4-Minor | BFD down on multi-blade system | |
966073 | 4-Minor | GENEVE protocol support | |
955057 | 4-Minor | UCS archives containing a large number of DNS zone files may fail to restore.★ | |
934801 | 4-Minor | Prevention of Audit data loss | |
933461 | 4-Minor | BGP multi-path candidate selection does not work properly in all cases. | |
924429 | 4-Minor | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | |
921369-1 | 4-Minor | Signature verification for logs fails if the log files are modified during log rotation | |
921065-1 | 4-Minor | BIG-IP systems not responding to DPD requests from initiator after failover | |
921001 | 4-Minor | After provisioning change, pfmand might keep interfaces down on particular platforms | |
919745 | 4-Minor | CSV files downloaded from the Dashboard have the first row with all 'NaN | |
918209 | 4-Minor | GUI Network Map icons color scheme is not section 508 compliant | |
914761 | 4-Minor | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | |
906889 | 4-Minor | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | |
902417 | 4-Minor | Configuration error caused by Drafts folder in a deleted custom partition★ | |
898441 | 4-Minor | Enable logging of IKE keys | |
890277 | 4-Minor | Full config sync to a device group operation takes a long time when there are a large number of partitions. | |
887505 | 4-Minor | Coreexpiration script improvement | |
884953 | 4-Minor | IKEv1 IPsec daemon racoon goes into an endless restart loop | |
879189 | 4-Minor | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | |
864757 | 4-Minor | Traps that were disabled are enabled after configuration save | |
822377 | 4-Minor | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | |
819053-10 | 4-Minor | CVE-2019-13232 unzip: overlapping of files in ZIP container | |
779857 | 4-Minor | Misleading GUI error when installing a new version in another partition★ | |
751103 | 4-Minor | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | |
675772 | 4-Minor | IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy | |
1004417 | 4-Minor | Provisioning error message during boot up★ | |
965457 | 5-Cosmetic | OSPF duplicate router detection might report false positives | |
964421 | 5-Cosmetic | Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
999933 | 2-Critical | TMM may crash while processing DNS traffic on certain platforms | |
989637 | 2-Critical | TMM may crash while processing SSL traffic | |
969821 | 2-Critical | HTTP::collect does not hold request/response until HTTP::release | |
967249 | 2-Critical | TMM may leak memory early during its startup process, and may continue to do so indefinitely. | |
946481 | 2-Critical | Virtual Edition FIPS not compatible with TLS 1.3 | |
945997 | 2-Critical | LTM policy applied to HTTP/2 traffic may crash TMM | |
942185 | 2-Critical | Non-mirrored persistence records may accumulate over time | |
938233 | 2-Critical | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | |
937777 | 2-Critical | The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash. | |
931677 | 2-Critical | IPv6 hardening | |
926985 | 2-Critical | HTTP/3 aborts stream on incomplete frame headers | |
919885 | 2-Critical | A TCP connection is not closed after invoking the HTTP::respond iRule command. | |
911041 | 2-Critical | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | |
910653 | 2-Critical | iRule parking in clientside/serverside command may cause tmm restart | |
891849 | 2-Critical | Running iRule commands while suspending iRule commands that are running can lead to a crash | |
862885 | 2-Critical | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | |
738964-6 | 2-Critical | Instruction logger debugging enhancement | |
1019081 | 2-Critical | HTTP/2 hardening | |
1016657 | 2-Critical | TMM may crash while processing LSN traffic | |
1013181 | 2-Critical | TMM may produce core when dynamic CRL check is enabled on the client SSL profile | |
1008077 | 2-Critical | TMM may crash while processing TCP traffic with a FastL4 VS | |
1005489 | 2-Critical | iRules with persist command might result in tmm crash. | |
997929 | 3-Major | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | |
997193 | 3-Major | TCP connections may fail when AFM global syncookies are in operation. | |
995201 | 3-Major | IP fragments for the same flow are dropped if they are received on different VLANs and route domains. | |
985433 | 3-Major | Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. | |
980821 | 3-Major | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | |
978833 | 3-Major | Use of CRL-based Certificate Monitoring Causes Memory Leak | |
976101 | 3-Major | TMM crash after deleting an interface from a virtual wire vlan | |
974501 | 3-Major | Excessive memory usage by mirroring subsystem when remirroring | |
969637 | 3-Major | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | |
965037 | 3-Major | SSL Orchestrator does not send HTTP CONNECT tunnel payload to services | |
963869 | 3-Major | Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server. | |
963713 | 3-Major | HTTP/2 virtual server with translate-disable can core tmm | |
963705 | 3-Major | Proxy ssl server response not forwarded | |
962913 | 3-Major | The number of native open connections in the SSL profile is higher than expected | |
962333 | 3-Major | FIN from client does not get propagated to server side, if the FIN arrives before server side reaching ESTABLISHED | |
953845 | 3-Major | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | |
950005 | 3-Major | TCP connection is not closed when necessary after HTTP::respond iRule | |
949145 | 3-Major | Improve TCP's response to partial ACKs during loss recovery | |
948757 | 3-Major | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | |
946953 | 3-Major | HTTP::close used in iRule might not close connection. | |
946377 | 3-Major | HSM WebUI Hardening | |
945601 | 3-Major | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. | |
944641 | 3-Major | HTTP2 send RST_STREAM when exceeding max streams | |
942701 | 3-Major | TMM may consume excessive resources while processing HTTP traffic | |
941481 | 3-Major | iRules LX - nodejs processes consuming excessive memory | |
941257-5 | 3-Major | Occasional Nitrox3 ZIP engine hang | |
940665 | 3-Major | DTLS 1.0 support for PFS ciphers | |
939961 | 3-Major | TCP connection is closed when necessary after HTTP::respond iRule. | |
939701 | 3-Major | Allow configuration of self-ip address for L2 virtual wire vlan-group | |
939209 | 3-Major | FIPS 140-2 SP800-56Arev3 compliance | |
939085 | 3-Major | /config/ssl/ssl.csr directory disappears after creating certificate archive | |
937769 | 3-Major | SSL connection mirroring failure on standy with sslv2 records | |
934993 | 3-Major | BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams | |
932825 | 3-Major | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device | |
928857 | 3-Major | Use of OCSP responder may leak X509 store instances | |
928805 | 3-Major | Use of OCSP responder may cause memory leakage | |
928789 | 3-Major | Use of OCSP responder may leak SSL handshake instances | |
927713 | 3-Major | Secondary blade IPsec SAs lost after standby reboot using clsh reboot | |
927569 | 3-Major | HTTP/3 rejects subsequent partial SETTINGS frames | |
926929 | 3-Major | RFC Compliance Enforcement lacks configuration availability | |
926757 | 3-Major | ICMP traffic to a disabled virtual-address might be handled by a virtual-server. | |
926513 | 3-Major | HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected. | |
921881 | 3-Major | Use of IPFIX log destination can result in increased CPU utilization | |
921721 | 3-Major | FIPS 140-2 SP800-56Arev3 compliance | |
920789 | 3-Major | UDP commands in iRules executed during FLOW_INIT event fail | |
920205 | 3-Major | Rate shaping might suppress TCP RST | |
919249 | 3-Major | NETHSM installation script hardening | |
918929 | 3-Major | NetHSM install scripts - remove references to fipskey.nethsm | |
918277 | 3-Major | Slow Ramp does not take into account pool members' ratio weights | |
916589 | 3-Major | QUIC drops 0RTT packets if CID length changes | |
915713 | 3-Major | Support QUIC and HTTP3 draft-29 | |
915689 | 3-Major | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | |
915605 | 3-Major | K56251674 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ |
915281 | 3-Major | Do not rearm TCP Keep Alive timer under certain conditions | |
913249 | 3-Major | Restore missing UDP statistics | |
912001 | 3-Major | TMM cores on secondary blades of the Chassis system. | |
911777 | 3-Major | BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status. | |
910905 | 3-Major | Unexpected tmm core | |
910521 | 3-Major | Support QUIC and HTTP draft-28 | |
909997 | 3-Major | Virtual server status displays as unavailable when it is accepting connections | |
909677 | 3-Major | HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted | |
906237 | 3-Major | Reject flood packets to prevent L2 learning problems when TCN is generated | |
904041 | 3-Major | Ephemeral pool members may be incorrect when modified via various actions | |
903581 | 3-Major | The pkcs11d process cannot recover under certain error condition | |
901929 | 3-Major | GARPs not sent on virtual server creation | |
896261 | 3-Major | Linkstate propagation support on virtual wire trunk interfaces | |
893865 | 3-Major | NDP learned on vlangroup instead on vlan | |
893281 | 3-Major | Possible ssl stall on closed client handshake | |
892941 | 3-Major | K20105555 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) |
892485 | 3-Major | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | |
892385-6 | 3-Major | HTTP does not process WebSocket payload when received with server HTTP response | |
891373 | 3-Major | BIG-IP does not shut a connection for a HEAD request | |
890881-1 | 3-Major | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | |
889601 | 3-Major | OCSP revocation not properly checked | |
889165 | 3-Major | "http_process_state_cx_wait" errors in log and connection reset | |
888517 | 3-Major | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★ | |
883133 | 3-Major | TLS_FALLBACK_SCSV with TLS1.3 | |
882549 | 3-Major | Sock driver does not use multiple queues in unsupported environments | |
879413 | 3-Major | Statsd fails to start if one or more of its *.info files becomes corrupted | |
876177 | 3-Major | Port and Trunk information is added to F5 trailer in tcpdump | |
868209 | 3-Major | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | |
858701 | 3-Major | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | |
845333 | 3-Major | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | |
842517-3 | 3-Major | CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails | |
819329-1 | 3-Major | Specific FIPS device errors will not trigger failover | |
816953 | 3-Major | RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy | |
803629 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
803233 | 3-Major | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | |
793669 | 3-Major | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value | |
785877 | 3-Major | VLAN groups do not bridge non-link-local multicast traffic. | |
785361 | 3-Major | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped | |
774265 | 3-Major | Incorrect mac seen in the network when RST packet generated by BIG-IP in transparent vlangroup | |
767341 | 3-Major | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | |
756812-5 | 3-Major | Nitrox 3 instruction/request logger may fail due to SELinux permission error | |
756313 | 3-Major | SSL monitor continues to mark pool member down after restoring services | |
738032 | 3-Major | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. | |
723112-9 | 3-Major | LTM policies does not work if a condition has more than 127 matches | |
717346-9 | 3-Major | K13040347 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
714642 | 3-Major | Ephemeral pool-member state on the standby is down | |
696755-7 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
646440 | 3-Major | TMSH allows mirror for persistence even when no mirroring configuration exists | |
582331 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
550928 | 3-Major | TMM may crash when processing HTTP traffic with a FastL4 virtual server | |
1020941 | 3-Major | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | |
1015161 | 3-Major | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | |
994269 | 4-Minor | Message: 'double flow removal' in LTM log file | |
982993 | 4-Minor | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail | |
956025 | 4-Minor | HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header | |
949721 | 4-Minor | QUIC does not send control frames in PTO packets | |
947937 | 4-Minor | HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field. | |
942793 | 4-Minor | BIG-IP system cannot accept STARTTLS command with trailing white space | |
936557 | 4-Minor | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | |
935593 | 4-Minor | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | |
932937 | 4-Minor | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | |
932045 | 4-Minor | Memory leak when creating/deleting LTM node object | |
926997 | 4-Minor | QUIC HANDSHAKE_DONE profile statistics are not reset | |
926197 | 4-Minor | BIG-IP can forward HTTP headers separately from body when HTTP::collect is in use | |
915969 | 4-Minor | Truncated QUIC connection close reason | |
914681 | 4-Minor | Value of tmm.quic.log.level can differ between TMSH and GUI | |
911853 | 4-Minor | Stream filter chunk-size limits filter to a single match per ingress buffer | |
907045 | 4-Minor | QUIC HANDSHAKE_DONE is sent at the end of first flight | |
901985 | 4-Minor | Extend logging for incomplete HTTP requests | |
883105 | 4-Minor | HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect | |
869565-5 | 4-Minor | Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN | |
808409 | 4-Minor | Unable to specify if giaddr will be modified in DHCP relay chain | |
804157 | 4-Minor | ICMP replies are forwarded with incorrect checksums causing them to be dropped | |
759769 | 4-Minor | No TTL options (set, proxy, preserve, decrement) on IPOTHER profile | |
748333 | 4-Minor | DHCP Relay does not retain client source IP address for chained relay mode | |
743253 | 4-Minor | TSO in software re-segments L3 fragments. | |
873249 | 5-Cosmetic | Switching from fast_merge to slow_merge can result in incorrect tmm stats | |
859717 | 5-Cosmetic | ICMP-limit-related warning messages in /var/log/ltm |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
948417 | 3-Major | Network Management Agent (Azure NMAgent) updates causes Kernel Panic |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
960749 | 1-Blocking | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | |
953393 | 1-Blocking | TMM crashes when performing iterative DNS resolutions. | |
933405 | 1-Blocking | K34257075 | Zonerunner GUI hangs when attempting to list Resource Records |
993921 | 2-Critical | TMM SIGSEGV | |
981461 | 2-Critical | Unspecified DNS responses cause TMM crash | |
975465 | 2-Critical | TMM may consume excessive resources while processing DNS iRules | |
960437 | 2-Critical | The BIG-IP system may initially fail to resolve some DNS queries | |
919553 | 2-Critical | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | |
918597 | 2-Critical | Under certain conditions, deleting a topology record can result in a crash. | |
918169 | 2-Critical | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | |
916753 | 2-Critical | RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core | |
837637 | 2-Critical | K02038650 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ |
788465 | 2-Critical | DNS cache idx synced across HA group could cause tmm crash | |
783125 | 2-Critical | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | |
1007049 | 2-Critical | TMM may crash while processing DNS traffic | |
982361 | 3-Major | SNAT on wildcard virtual server does not work | |
973261 | 3-Major | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | |
971297 | 3-Major | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | |
958325 | 3-Major | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB | |
940469 | 3-Major | Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration | |
939941 | 3-Major | Monitor parameter not found error | |
937333 | 3-Major | Incomplete validation of input in unspecified forms | |
933577 | 3-Major | Changes to support DNS Flag Day | |
930829 | 3-Major | A virtual server status changes to yellow because of specific sources, which causes DNS to stop responding. | |
926593 | 3-Major | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | |
921625 | 3-Major | The certs extend function does not work for GTM/DNS sync group | |
912761 | 3-Major | Link throughput statistics are different | |
896861 | 3-Major | PTR query enhancement for RESOLVER::name_lookup | |
891093 | 3-Major | iqsyncer does not handle stale pidfile | |
887349 | 3-Major | DNS Profile names starting with the letter a, b, or c are selected as the default DNS profile when creating listeners. | |
885201 | 3-Major | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log | |
874221 | 3-Major | DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd | |
872037 | 3-Major | DNS::header rd does not set the Recursion desired | |
865801 | 3-Major | AFM FQDN Resolver does not honor Refresh Interval during or after disruption | |
864797 | 3-Major | Cached results for a record are sent following region modification | |
863917 | 3-Major | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | |
858973 | 3-Major | DNS request matches less specific WideIP when adding new wildcard wideips | |
853585 | 3-Major | REST Wide IP object presents an inconsistent lastResortPool value | |
847105 | 3-Major | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | |
808829 | 3-Major | When 'Monitor Disabled Objects' is set to 'no', GSLB should cease monitoring disabled pool members. | |
789421 | 3-Major | Resource-administrator cannot create GTM server object through GUI | |
682395 | 3-Major | SNI support for GTM HTTPS monitors | |
644192 | 3-Major | K23022557 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN |
1011285 | 3-Major | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | |
857953 | 4-Minor | Non-functional disable/enable buttons present in GTM wide IP members page | |
807913 | 4-Minor | The word 'ceritifcate' is misspelled in an error message | |
985001 | 5-Cosmetic | Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
989009 | 2-Critical | BD daemon may crash while processing WebSocket traffic | |
980809 | 2-Critical | ASM REST Signature Rule Keywords Tool Hardening | |
980125 | 2-Critical | BD Daemon may crash while processing WebSocket traffic | |
979081 | 2-Critical | Hardening of ASM External References | |
972385 | 2-Critical | Adjust The SSRF disallowed hosts to new attack vector | |
968421 | 2-Critical | ASM attack signature doesn't matched | |
962341-7 | 2-Critical | BD crash while processing JSON content | |
957965 | 2-Critical | Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' | |
943913 | 2-Critical | ASM attack signature does not match | |
940249 | 2-Critical | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | |
927617 | 2-Critical | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | |
920197 | 2-Critical | Brute force mitigation can stop mitigating without a notification | |
904593 | 2-Critical | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | |
854001 | 2-Critical | TMM might crash in case of trusted bot signature and API protected url | |
1017645 | 2-Critical | False positive HTTP compliance violation | |
996753 | 3-Major | ASM BD process may crash while processing HTML traffic | |
981785 | 3-Major | Incorrect incident severity in Event Correlation statistics | |
976617 | 3-Major | Manual signature sets are converted to filter based when trying to update signature set without field "type" | |
966633 | 3-Major | Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies | |
964245 | 3-Major | ASM reports and enforces username always | |
963485 | 3-Major | Performance issue with data guard | |
963461 | 3-Major | ASM performance drop on the response side | |
962497-2 | 3-Major | BD crash after ICAP response | |
960369 | 3-Major | Negative value suggested in Traffic Learning as max value | |
955017 | 3-Major | Excessive CPU consumption by asm_config_event_handler | |
948805 | 3-Major | False positive "Null in Request" | |
946081 | 3-Major | Getcrc tool help displays directory structure instead of version | |
945789 | 3-Major | Live update cannot resolve hostname if ipv6 is configured | |
941853 | 3-Major | Logging Profiles do not disassociate from virtual server when multiple changes are made | |
941621 | 3-Major | K91414704 | Brute Force breaks server's Post-Redirect-Get flow |
940897 | 3-Major | Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached | |
937445 | 3-Major | Incorrect signature context logged in remote logger violation details field | |
930017 | 3-Major | Bot defense profile upgrade fails from 14.x to 15.x/16.x with error match-order should be unique★ | |
929005 | 3-Major | TS cookie is set in all responses | |
929001 | 3-Major | ASM form handling improvements | |
928717 | 3-Major | [ASM - AWS] - ASU fails to sync | |
928685 | 3-Major | ASM Brute Force mitigation not triggered as expected | |
922261 | 3-Major | WebSocket server messages are logged even it is not configured | |
921677 | 3-Major | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | |
918933 | 3-Major | K88162221 | The BIG-IP ASM system may not properly perform signature checks on cookies |
918081 | 3-Major | Application Security Administrator role cannot create parent policy in the GUI | |
914277 | 3-Major | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | |
913761 | 3-Major | Security - Options section in navigation menu is visible for only Administrator users | |
913757 | 3-Major | Error viewing security policy settings for virtual server with FTP Protocol Security | |
913137 | 3-Major | No learning suggestion on ASM policies enabled via LTM policy | |
912089 | 3-Major | Some roles are missing necessary permission to perform Live Update | |
910253 | 3-Major | BD error on HTTP response after upgrade★ | |
907337 | 3-Major | BD crash on specific scenario | |
904053 | 3-Major | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | |
903357 | 3-Major | Bot defense Profile list is loads too slow when there are 750 or more Virtual servers | |
901061 | 3-Major | Safari browser might be blocked when using Bot Defense profile and related domains. | |
900797 | 3-Major | Brute Force Protection (BFP) hash table entry cleanup | |
900793 | 3-Major | K32055534 | APM Brute Force Protection resources do not scale automatically |
900789 | 3-Major | Alert before Brute Force Protection (BFP) hash are fully utilized | |
898741 | 3-Major | Missing critical files causes FIPS-140 system to halt upon boot | |
897681 | 3-Major | Application Security Editor user cannot create ASM policy or Logging profile on Security :: Overview : Summary page | |
895013 | 3-Major | Learning of login pages does not work | |
893061 | 3-Major | Out of memory for restjavad | |
892653 | 3-Major | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | |
891181 | 3-Major | Wrong date/time treatment in logs in Turkey/Istambul timezone | |
890825 | 3-Major | Attack Signatures and Threat Campaigns filter incorrect behaviour | |
886865 | 3-Major | P3P header is added for all browsers, but required only for Internet Explorer | |
885769 | 3-Major | The ASM logging Operation_id field has incorrect byte at the end | |
881757 | 3-Major | Unnecessary HTML response parsing and response payload is not compressed | |
867777 | 3-Major | Remote syslog server cannot parse violation detail buffers as UTF-8. | |
753715 | 3-Major | False positive JSON max array length violation | |
722337 | 3-Major | Always show violations in request log when post request is large | |
1016465 | 3-Major | Built-in Integrated Bot Defense iApp template "f5.ibd" | |
1015385 | 3-Major | Built-in Device ID+ iApp template "f5.apg_analytics" | |
1013813 | 3-Major | Advanced WAF GraphQL support | |
960385 | 4-Minor | In rare conditions modal does not close when it should | |
956105 | 4-Minor | Websocket URLs content profiles are not created as expected during JSON Policy import | |
952509 | 4-Minor | Cross origin AJAX requests are blocked in case there is no Origin header | |
945821 | 4-Minor | Remote logging conditions adjustments | |
944441 | 4-Minor | BD_XML logs memory usage at TS_DEBUG level | |
941929 | 4-Minor | Google Analytics shows incorrect stats, when Google link is redirected. | |
941249 | 4-Minor | Improvement to getcrc tool to print cookie names when cookie attributes are involved | |
938293 | 4-Minor | importing a JSON policy with Application Language "auto-detect" changes to 'utf8' policy | |
935293 | 4-Minor | 'Detected Violation' Field for event logs not showing | |
932893 | 4-Minor | Content profile cannot be updated after redirect from violation details in Request Log | |
923233 | 4-Minor | Incorrect encoding in 'Logout Page' for non-UTF8 security policy | |
919001 | 4-Minor | Live Update: Update Available notification is shown twice in rare conditions | |
907997 | 4-Minor | Source Policy Name instead of Current Policy used in Restore Policy Version | |
906737 | 4-Minor | Error message: 'templates/' is not a directory | |
903973 | 4-Minor | URL properties screen does not display Advanced mode | |
896285 | 4-Minor | No parent entity in suggestion to add predefined-filetype as allowed filetype | |
893905 | 4-Minor | Wrong redirect from Charts to Requests Log when request status selected in filter | |
887625 | 4-Minor | Note should be bold back, not red | |
885789 | 4-Minor | Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers | |
885785 | 4-Minor | Clicking 'Fix Automatically' in PCI Compliance page does not attach a PCI-compliant-profile on HTTP/2 virtual servers | |
799293 | 4-Minor | Cookie is masked when not configured to be masked | |
758336-7 | 4-Minor | Incorrect recommendation in Online Help of Proactive Bot Defense | |
746984 | 4-Minor | False positive evasion violation | |
928605 | 5-Cosmetic | Browser performs local port scanning during browser verification | |
908173 | 5-Cosmetic | Empty fields are shown in the policy version history | |
905669 | 5-Cosmetic | CSRF token expired message for AJAX calls is displayed incorrectly | |
1011045 | 5-Cosmetic | GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode. |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
934721 | 2-Critical | TMM core due to wrong assert | |
981385 | 3-Major | AVRD does not send HTTP events to BIG-IQ DCD | |
924301 | 3-Major | Incorrect values in REST response for DNS/SIP | |
908065 | 3-Major | Logrotation for /var/log/avr blocked by files with .1 suffix | |
902485 | 3-Major | Incorrect pool member concurrent connection value | |
898333 | 3-Major | Unable to collect statistics from BIG-IP system after BIG-IQ restart | |
841305 | 3-Major | HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log | |
819301 | 3-Major | Incorrect values in REST response for dos-l3 table | |
787677 | 3-Major | AVRD stays at 100% CPU constantly on some systems | |
648242-8 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
898373 | 4-Minor | Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000 |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
893953 | 1-Blocking | Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers | |
995029-4 | 2-Critical | Configuration is not updated during auto-discovery | |
981273 | 2-Critical | APM webtop hardening | |
965777 | 2-Critical | Per-request policy authentication becomes unresponsive | |
962069 | 2-Critical | Excessive resource consumption while processing OSCP requests via APM | |
910097 | 2-Critical | Changing per-request policy while tmm is under traffic load may drop heartbeats | |
904441 | 2-Critical | APM vs_score for GTM-APM load balancing is not calculated correctly | |
896709 | 2-Critical | Add support for Restart Desktop for webtop in VMware VDI | |
1020349 | 2-Critical | APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL | |
998473 | 3-Major | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) | |
997761 | 3-Major | Subsessionlist entries leak if there is no RADIUS accounting agent in policy | |
984765 | 3-Major | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | |
976501 | 3-Major | Failed to establish VPN connection | |
973673 | 3-Major | CPU spikes when the LDAP operational timeout is set to 180 seconds | |
955389 | 3-Major | Dynamic split tunneling for Zoom, Office 365 traffic | |
952557 | 3-Major | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | |
949477 | 3-Major | NTLM RPC exception: Failed to verify checksum of the packet | |
949105 | 3-Major | Error log seen on Category Lookup SNI requests for same connection | |
946125 | 3-Major | Tmm restart adds 'Revoked' tokens to 'Active' token count | |
944365 | 3-Major | Session variable for Group SIDs (in Kerberos Auth agent) and Group Names (in AD Group SID Resolver agent) has a max limit | |
932213 | 3-Major | Local user db not synced to standby device when it is comes online after forced offline state | |
926973 | 3-Major | APM / OAuth issue with larger JWT validation | |
924929-4 | 3-Major | Logging improvements for VDI plugin | |
924857 | 3-Major | Logout URL with parameters resets TCP connection | |
924697 | 3-Major | VDI data plane performance degraded during frequent session statistic updates | |
924521 | 3-Major | OneConnect does not work when WEBSSO is enabled/configured. | |
918093 | 3-Major | Access-Control-Allow-Origin header with trailing white spaces causes Portal Access CORS failure. | |
916969 | 3-Major | Support of Microsoft Identity 2.0 platform | |
915509 | 3-Major | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | |
914649 | 3-Major | Support USB redirection through VVC (VMware virtual channel) with BlastX | |
912509 | 3-Major | Upgrade may cause an aced core file★ | |
907873 | 3-Major | Authentication tab is missing in VPE for RDG-RAP Access Policy type | |
903573-1 | 3-Major | AD group cache query performance | |
896125 | 3-Major | Reuse Windows Logon Credentials feature does not work with modern access policies | |
894885-1 | 3-Major | [SAML] SSO crash while processing client SSL request | |
892937 | 3-Major | K20105555 | F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) |
891613 | 3-Major | RDP resource with user-defined address cannot be launched from webtop with modern customization | |
888145 | 3-Major | When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property | |
883577 | 3-Major | ACCESS::session irule command does not work in HTTP_RESPONSE event | |
872505 | 3-Major | Dynamic server config on OAuth Client/RS agent in Per-Session-Policy | |
842149 | 3-Major | Verified Accept for SSL Orchestrator | |
818673 | 3-Major | F5 APM modules added capability to pull user group membership information from Kerberos authentication tickets | |
760629 | 3-Major | Remove Obsolete APM keys in BigDB | |
747020 | 3-Major | Requests that evaluate to same subsession can be processed concurrently | |
739570 | 3-Major | Unable to install EPSEC package★ | |
592353 | 3-Major | Javascript parser incompatible with ECMA6/7+ | |
1007629 | 3-Major | APM policy configured with many ACL policies can create APM memory pressure | |
1002557 | 3-Major | Tcl free object list growth | |
1001041 | 3-Major | Reset cause 'Illegal argument' | |
944093 | 4-Minor | Maximum remaining session's time on user's webtop can flip/flop | |
943033 | 4-Minor | APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression | |
942965 | 4-Minor | Local users database can sometimes take more than 5 minutes to sync to the standby device | |
918717 | 4-Minor | Exception at rewritten Element.innerHTML='<a href></a>' | |
824885 | 4-Minor | When BIG-IP is deployed as SAML SP, it cannot decrypt assertion it receives from IdP if it is signed using AES-GCM algorithm | |
766017 | 4-Minor | [APM][LocalDB] Local user database instance name length check inconsistencies★ | |
747234 | 4-Minor | Macro policy does not find corresponding access-profile directly | |
679751 | 4-Minor | Authorization header can cause a connection reset |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
974881 | 2-Critical | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | |
1007109 | 2-Critical | Flowmap entry is deleted before updating its timeout to INDEFINITE | |
989753 | 3-Major | In HA setup, standby fails to establish connection to server | |
982869 | 3-Major | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | |
977053 | 3-Major | TMM crash on standby due to invalid MR router instance | |
968349-7 | 3-Major | TMM crashes with unspecified message | |
966701 | 3-Major | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | |
957029 | 3-Major | MRF Diameter loop-detection is enabled by default | |
952545 | 3-Major | 'Current Sessions' statistics of HTTP2 pool may be incorrect | |
949793 | 3-Major | Fix routing server initiated request dynamically when "DIAMETER::dynamic_route_lookup" | |
939529 | 3-Major | Branch parameter not parsed properly when topmost via header received with comma separated values | |
913373 | 3-Major | No connection error after failover with MRF, and no connection mirroring | |
904373 | 3-Major | MRF GenericMessage: Implement limit to message queues size | |
898997 | 3-Major | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | |
891385 | 3-Major | Add support for URI protocol type "urn" in MRF SIP load balancing | |
876953 | 3-Major | Tmm crash while passing diameter traffic | |
876077 | 3-Major | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | |
817369 | 3-Major | TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server. | |
788625 | 3-Major | A pool member is not marked up by the inband monitor even after successful connection to the pool member | |
924349 | 4-Minor | DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP | |
916781 | 4-Minor | Validation error while attaching DoS profile to GTP virtual |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
942581 | 1-Blocking | Timestamp cookies do not work with hardware accelerated flows | |
938165 | 2-Critical | TMM Core after attempted update of IP geolocation database file | |
716746-5 | 2-Critical | Possible tmm restart when disabling single endpoint vector while attack is ongoing | |
995433-3 | 3-Major | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | |
988761 | 3-Major | Cannot create Protected Object in GUI | |
988005 | 3-Major | Zero active rules counters in GUI | |
987133 | 3-Major | Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector. | |
980593-3 | 3-Major | LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table | |
969509 | 3-Major | Possible memory corruption due to DOS vector reset | |
967889 | 3-Major | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | |
965617 | 3-Major | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | |
963237 | 3-Major | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | |
950253 | 3-Major | Source address translation occurs with self IP after NAT policy removal from Virtual Server | |
938149 | 3-Major | Port Block Update log message is missing the "Start time" field | |
937749 | 3-Major | The 'total port blocks' value for NAT stats is limited to 64 bits of range | |
933765 | 3-Major | Automap support in FWNAT | |
932225 | 3-Major | Source translation type of automap not synced properly | |
918905 | 3-Major | PCCD restart loop when using more than 256 FQDN entries in Firewall Rules | |
910417 | 3-Major | TMM core may be seen when reattaching a vector to a DoS profile | |
907245 | 3-Major | AFM UI Hardening | |
818705 | 3-Major | afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%) | |
759799 | 3-Major | New rules cannot be compiled | |
1012521 | 3-Major | BIG-IP UI file permissions | |
977005 | 4-Minor | Network Firewall Policy rules-list showing incorrect 'Any' for source column | |
920361 | 4-Minor | Standby device name sent in Traffic Statistics syslog/Splunk messages | |
919381-2 | 4-Minor | Extend AFM subscriber aware policy rule feature to support multiple subscriber groups | |
987345 | 5-Cosmetic | Disabling periodic-refresh-log has no effect | |
906885-3 | 5-Cosmetic | Spelling mistake on AFM GUI Flow Inspector screen |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
941593 | 3-Major | Video Traffic Management - ECN detection | |
941169 | 3-Major | Subscriber Management is not working properly with IPv6 prefix flows. | |
842989 | 3-Major | PEM: tmm could core when running iRules on overloaded systems |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
981693 | 2-Critical | TMM may consume excessive resources while processing IPSec ALG traffic | |
981689 | 2-Critical | TMM memory leak with IPsec ALG | |
928553 | 2-Critical | LSN64 with hairpinning can lead to a tmm core in rare circumstances | |
975593 | 3-Major | TMM may crash while processing IPSec traffic | |
966681 | 3-Major | NAT translation failures while using SP-DAG in a multi-blade chassis |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
1012145 | 2-Critical | TMM may crash when processing Datasafe profiles with ASM | |
998085 | 3-Major | BIG-IP DataSafe GUI does not save changes | |
942585 | 3-Major | Website slowness | |
887205 | 3-Major | Correct handling of wildcard parameters with search-in 'any' marked for data integrity | |
876581 | 3-Major | JavaScript engine file is empty if the original HTML page cached for too long | |
891729 | 4-Minor | Errors in datasyncd.log★ | |
890485 | 4-Minor | The 'noscript' injection should follow W3 HTML4.01 standards | |
759988 | 4-Minor | Geolocation information inconsistently formatted | |
940401 | 5-Cosmetic | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
944785 | 3-Major | Admd restarting constantly. Out of memory due to loading malformed state file | |
923125 | 3-Major | Huge amount of admd processes caused oom | |
922665 | 3-Major | The admd process is terminated by watchdog on some heavy load configuration process | |
922597 | 3-Major | BADOS default sensitivity of 50 creates false positive attack on some sites | |
914293 | 3-Major | TMM SIGSEGV and crash | |
915489 | 4-Minor | LTM Virtual Server Health is not affected by iRule Requests dropped |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
913453-1 | 2-Critical | URL Categorization: wr_urldbd cores while processing urlcat-query | |
901041-5 | 2-Critical | CEC update using incorrect method of determining number of blades in VIPRION chassis★ | |
893721 | 2-Critical | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | |
887609 | 2-Critical | TMM crash when updating urldb blacklist | |
874677-5 | 2-Critical | Traffic Classification auto signature update fails from GUI★ | |
977305 | 3-Major | Update the latest DPI Signatures | |
976365-3 | 3-Major | Traffic Classification hardening★ | |
958085 | 3-Major | IM installation fails with error: Spec file not found★ | |
954937-1 | 3-Major | Tmm crash when GPA POLICY is used | |
950745 | 3-Major | Encrypted Video traffic classification | |
948573-1 | 3-Major | Wr_urldbd list of valid TLDs needs to be updated | |
947057 | 3-Major | Traffic intelligence feeds to do not follow best practices | |
926957 | 3-Major | Incorrect handshake RTT(RoundTripTime) reported for encrypted video traffic | |
846601 | 3-Major | Traffic classification does not update when an inactive slot becomes active after upgrade★ | |
776285 | 4-Minor | No stats returned for 'ltm classification stats urlcat-cloud' component at system startup |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
970829 | 2-Critical | K03310534 | iSeries LCD incorrectly displays secure mode |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
768085 | 2-Critical | Error in python script /usr/libexec/iAppsLX_save_pre line 79 |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
930561 | 2-Critical | SIGABRT from sod watchdog when IPS has large number of hyperscan matches. | |
964585 | 3-Major | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | |
825501-5 | 3-Major | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | |
964577 | 4-Minor | IPS automatic IM download not working as expected |
In-tmm monitors Fixes
ID Number | Severity | Solution Article(s) | Description |
912425 | 3-Major | Modification of in-tmm monitors may result in crash | |
822245 | 4-Minor | Large number of in-TMM monitors results in some monitors being marked down |
Cumulative fix details for BIG-IP v16.1.0 that are included in this release
999933 : TMM may crash while processing DNS traffic on certain platforms
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge (HSB) may crash while processing DNS traffic.
Conditions:
-DNS profile enabled
-Hardware system (or vCMP guests) with a High-Speed Bridge (HSB)
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes DNS traffic as expected.
999021 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active
Component: TMOS
Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.
If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.
Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.
Impact:
IPsec IKEv1 tunnels fail and do not start again.
Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.
-- Avoid full syncs from Standby to Active.
How to recover when the problem occurs:
-- Disable the affected ike-peer and re-enable it.
Fix:
IKEv1 tunnels are able to negotiate after Standby to Active config sync.
998945 : Load sys config is failing with OOM in MCPD processing
Component: TMOS
Symptoms:
While loading a large config on BIG-IP, mcpd runs at high CPU for a while, then is killed by the OOM killer when MCPD starts increasing rapidly in size.
Conditions:
-- Licensed and provisioned modules: LTM+APM+AFM
-- large number of virtual servers configured and executing "load sys config".
Impact:
Config load fails with std::badalloc with OOM.
998473 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication for Active Directory users which are subscribed to more than hundred groups will fail.
Workaround:
None
Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.
998085 : BIG-IP DataSafe GUI does not save changes
Component: Fraud Protection Services
Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.
Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.
Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.
Workaround:
Use tmsh to configure the BIG-IP system.
Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.
997929 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
997761 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy
Component: Access Policy Manager
Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions, use cases such as API protection, the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.
Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.
Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None
997193 : TCP connections may fail when AFM global syncookies are in operation.
Component: Local Traffic Manager
Symptoms:
TCP connections are rejected by the BIG-IP system with reset cause "No flow found for ACK".
Conditions:
1) AFM is provisioned.
2) AFM global syncookies are in operation.
3a) The traffic arrives over an APM VPN tunnel, and is handled by one of the internal default APM listeners (not a more specific listener).
-or-
3b) The device is Active for multiple floating traffic-groups, said traffic-groups don't use MAC masquerading, and connection.syncookies.algorithm is set to software.
-or-
3c) The traffic belongs to traffic-group-local-only, and connection.syncookies.algorithm is set to software.
Impact:
Application failures as TCP connections fail.
Workaround:
You can work around this issue as follows.
- For the APM VPN case: define a listener (e.g. virtual server) over the tunnel to process the traffic (instead of relying on one of the default internal APM listeners). Note that the workaround may not work if the device is Active for multiple floating traffic-groups at the same time.
- For the device Active for multiple floating traffic-groups case: use MAC masquerading for all floating traffic-group, or set connection.syncookies.algorithm back to its default of hardware.
- For the traffic-group-local-only case: set connection.syncookies.algorithm back to its default of hardware, or disable AFM global syncookies by turning off the TCP Half-Open attack vector at the device level.
Fix:
TCP connections now establish successfully regardless of syncookies being in operation.
996753 : ASM BD process may crash while processing HTML traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM BD process may crash while processing HTML traffic
Conditions:
- ASM profile enabled
Impact:
ASM traffic disrupted while BD restarts.
Workaround:
None.
Fix:
ASM now processes HTML traffic as expected.
996593 : Password change through REST or GUI not allowed if the password is expired
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
995629 : Loading UCS files may hang if ASM is provisioned★
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fails while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' and de-provision ASM. The UCS file should then load successfully.
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
995433-3 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPV6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
995201 : IP fragments for the same flow are dropped if they are received on different VLANs and route domains.
Component: Local Traffic Manager
Symptoms:
When duplicate IP fragments for the same flow (same connection tuple and flow ID) are simultaneously received on different VLANs or route domains, IP datagram reassembly fails.
Conditions:
-- Multicast traffic where identical fragments arrive on two different VLANs.
-- IP fragments for the same flow are received on different VLANs.
-- Alternatively, IP fragments for the same flow are received on different route domains.
Impact:
IP fragments that fail reassembly are dropped.
Workaround:
None
Fix:
The tm.ipfragreassemblestrict db var is disabled by default. When enabled IPv6 or IPv4 fragments arriving on different interfaces are queued separately.
Note: In order to resolve this issue, a version with this fix is necessary and the tm.ipfragreassemblestrict must be set to enable.
995029-4 : Configuration is not updated during auto-discovery
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.
Fix:
Fixed an issue with auto-discovery and JWKs.
994969 : Possible installation failure with three software volumes on a BIG-IP system★
Component: TMOS
Symptoms:
When you attempt to create a third software volume (slot) on a BIG-IP device, a 'disk full' error occurs:
HD1.3 BIG-IP 16.1.0 0.0.1481 no failed (Disk full (volume group). See SOL#10636) yes
Conditions:
-- Using iSeries platforms.
-- Attempt to install certain BIG-IP software versions on a third installation volume on a BIG-IP device.
Impact:
Installation to the third volume fails with a disk full error.
Workaround:
You can work around this issue by reducing the dat.appdata volume size. For instructions on how to do so, see K74200262: Reducing the size of the appdata volume with the lvreduce utility ::
https://support.f5.com/csp/article/K74200262
Notes
======
-- Depending on which software versions exist, installation might succeed, or it might fail; e.g., these existing configuration succeed:
- v12.1.2 + v16.0.0 + v16.1.0
- v15.1.3 + v16.0.0 + v16.1.0
-- Even though v15.1.3 and 16.0.x have a smaller footprint, if there are two 16.1.0 installation locations, the third volume installation/upgrade does not succeed.
-- You can avoid the issue completely formatting the system while you install (i.e., using 'image2disk --format=volumes').
Important: Make sure to back up your configuration before formatting the system.
Fix:
Beginning in BIG-IP 16.1.0, the disk layout created when reformatting (i.e., using 'image2disk --format=volumes') has slightly decreased the size of the 'appdata' volume to allow for three software volumes.
Behavior Change:
Beginning in BIG-IP 16.1.0, the disk layout created when reformatting (i.e., using 'image2disk --format=volumes') has slightly decreased the size of the 'appdata' volume to allow for three software volumes.
994801 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
users with with SCP access but without shell access can run arbitrary commands
Workaround:
None
Fix:
The SCP file transfer system now follows current best practices.
994269 : Message: 'double flow removal' in LTM log file
Component: Local Traffic Manager
Symptoms:
The LTM log contains messages similar to the following:
Oops @ 0x290cfa0:1129: double flow removal.
Conditions:
FastL4 virtual server with iRule containing the FLOW_INIT command.
Impact:
Memory_usage_stat and tmm/umem_usage_stat might reflect incorrect values under increased traffic load when the underlying double flow removal messages persist continuously on the blades.
Workaround:
None
993921 : TMM SIGSEGV
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'pool XXXX member XXXX' iRule command.
Fix:
This rarely occurring issue is now fixed.
992097 : Incorrect hostname is seen in logging files
Component: TMOS
Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".
Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.
Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.
Workaround:
None
990333 : APM may return unexpected content when processing HTTP requests
Solution Article: K75540265
989753 : In HA setup, standby fails to establish connection to server
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
989637 : TMM may crash while processing SSL traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing SSL traffic
Conditions:
-SSL profile enabled
-Client authentication enabled
Impact:
TMM consumes excessive resources, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes SSL traffic as expected.
989317-11 : Windows Edge Client does not follow best practice
Solution Article: K33757590
989009 : BD daemon may crash while processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, the BD daemon may crash while processing WebSocket traffic.
Conditions:
- ASM enabled
- WebSocket profile enabled
Impact:
BD daemon crash leading to a failover event
Workaround:
N/A
Fix:
The BD daemon now processes WebSocket traffic as expected.
988761 : Cannot create Protected Object in GUI
Component: Advanced Firewall Manager
Symptoms:
GUI Page stuck in loading phase and never completes the Protected Object creation step
Conditions:
This occurs in normal operation
Impact:
Cannot create Protected Objects using the GUI
Workaround:
Use tmsh to create Protected Objects
Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.
988005 : Zero active rules counters in GUI
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
987345 : Disabling periodic-refresh-log has no effect
Component: Advanced Firewall Manager
Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:
info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".
Conditions:
PBA periodic-refresh-log set to '0'.
Impact:
System provides unnecessary, excessive logging.
Workaround:
None
Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is now honored."Port Block Periodic Log" messages are no longer logged with this configuration setting.
987133 : Non-EDNS response with RCODE FORMERR are blocked by dns-qdcount-limit vector.
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a non-EDNS-capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests if the dns-qdcount-limit vector is enabled.
Conditions:
-- The client sends a DNS request to NON-EDNS capable server.
-- The server replies with RCODE FORMERR and no DNS data.
-- The dns-qdcount-limit vector is enabled.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server
Workaround:
Disable dns-qdcount-limit vector:
security dos device-config /Common/dos-device-config {
dos-device-vector {
dns-nxdomain-query {
state disabled
}
}
}
Fix:
Non-EDNS response with RCODE FORMERR are now processed as expected when the dns-qdcount-limit vector is enabled.
985537 : Upgrade Microsoft Hyper-V driver★
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.
When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.
Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.
Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.
Workaround:
None.
Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.
985433 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.
Component: Local Traffic Manager
Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.
Conditions:
--- Standard virtual server with the TCP and HTTP profiles.
--- The HTTP profile is configured to insert the X-Forwarded-For header.
--- The client supplies an empty X-Forwarded-For header in the HTTP request.
Impact:
Affected client connections are reset, leading to application failures.
Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:
when HTTP_REQUEST {
HTTP::header replace X-Forwarded-For [IP::remote_addr]
}
Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.
985001 : Taiwan, Hong Kong, and Macau Are Defined As Countries in DNS/GTM Topology Definition
Component: Global Traffic Manager (DNS)
Symptoms:
Taiwan, Hong Kong, and Macau are defined as countries in DNS/GTM Topology definition.
Conditions:
In GUI screen, under GSLB/Topology/Records and GSLB/Topology/Regions, 'Country' field can be used to specify Taiwan, Hong Kong, and Macau.
Impact:
Taiwan, Hong Kong, and Macau can be configured as countries in GSLB/Topology screens.
Workaround:
Change 'Country' label to 'Country/Location' and the 'Country/State' label to 'Country/Location/State'.
Fix:
This version has changed the 'Country' label to 'Country/Location' and the 'Country/State' label to 'Country/Location/State'.
984765 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
984613-4 : CVE-2020-5896 - Edge Client Installer Vulnerability
Solution Article: K08503505
982993 : Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail
Component: Local Traffic Manager
Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.
Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.
Impact:
Monitor status remains DOWN.
Workaround:
Consider monitoring the actual target.
982869 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
982361 : SNAT on wildcard virtual server does not work
Component: Global Traffic Manager (DNS)
Symptoms:
SNAT on wildcard virtual server does not work.
Conditions:
Wildcard DNS virtual server with SNAT enabled.
Impact:
SNAT does not work on DNS cache resolver.
Workaround:
None.
981785 : Incorrect incident severity in Event Correlation statistics
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.
981693 : TMM may consume excessive resources while processing IPSec ALG traffic
Component: Carrier-Grade NAT
Symptoms:
When processing IPSec ALG traffic, TMM may consume excessive resources.
Conditions:
-- IPsec ALG virtual server with ALG logging profile.
-- IPsec traffic is passed.
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
981689 : TMM memory leak with IPsec ALG
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
981461 : Unspecified DNS responses cause TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
Unspecified DNS responses cause TMM crash
Conditions:
GTM is provisioned and handles DNS requests
Impact:
TMM crash, traffic disrupted until TMM restarts
Workaround:
None
Fix:
GTM handles DNS requests properly
981385 : AVRD does not send HTTP events to BIG-IQ DCD
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
981273 : APM webtop hardening
Component: Access Policy Manager
Symptoms:
Under certain conditions, the APM webtop does not follow current best practices.
Conditions:
-APM provisioned
-Webtop enabled
Impact:
APM webtop does not follow current best practices.
Workaround:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {[HTTP::uri] starts_with "/vdesk/resource_all_info.eui" && [HTTP::query] contains "%"} {
HTTP::uri [HTTP::path]
}
}
Fix:
The APM Webtop now follows current best practices.
981169 : F5 TMUI XSS vulnerability CVE-2021-22994
Solution Article: K66851119
980821 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
destination 10.1.1.1:80
ip-protocol any
...
}
ltm virtual vs-portAny-protoTCP {
destination 10.1.1.1:0
ip-protocol TCP
...
}
Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
destination 10.1.1.1:80
ip-protocol TCP
...
}
ltm virtual vs-port80-protoUDP {
destination 10.1.1.1:80
ip-protcol UDP
...
}
Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.
980809 : ASM REST Signature Rule Keywords Tool Hardening
Component: Application Security Manager
Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Workaround:
N/A.
Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.
980593-3 : LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table
Component: Advanced Firewall Manager
Symptoms:
LSN logging stats are always 0 (zero) for log_attempts and log_failures in tmctl table fw_lsn_log_stat if lsn_legacy_mode is set as disabled.
Conditions:
The lsn_legacy_mode value is disabled.
Impact:
The log_attempts and log_failures are always 0 in tmctl table fw_lsn_log_stat.
Workaround:
None
Fix:
Fixed an issue with log_attempts and log_failures.
980325 : Chmand core due to memory leak from dossier requests.
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
980125 : BD Daemon may crash while processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, the WAF daemon may crash while processing WebSocket traffic.
Conditions:
- ASM enabled
- WebSocket profile enabled
Impact:
WAF crash resulting in a failover event.
Workaround:
N/A
Fix:
WAF now processes WebSocket traffic as expected.
980117 : Dynamic template HA: Missing ike-sa's are seen on standby BIG-IP when Initiator is placed behind NAT
Component: TMOS
Symptoms:
Missing ike-sa's are seen on standby BIG-IP when Initiator is placed behind NAT
Conditions:
-- Initiator is behind a NAT.
-- High availability (HA) pair between BIG-IP.
-- Dynamic template configuration on BIG-IP and NAT traversal is 'ON'.
-- IPsec tunnel client traffic
Impact:
IKE-SA's are not propagated to the standby device.
Workaround:
None
979081 : Hardening of ASM External References
Component: Application Security Manager
Symptoms:
Some ASM actions allow specifying external references for resources. Under certain conditions processing of the external resource does not follow current best practices.
Conditions:
-ASM provisioned
-External resources configured
Impact:
Resolution of external resources is incorrect.
Workaround:
N/A
Fix:
External resources are now processed as expected..
978833 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.
977305 : Update the latest DPI Signatures
Component: Traffic Classification Engine
Symptoms:
With factory defaults configured, blocking/classifying some applications will not work.
Conditions:
This is encountered when the factory default DPI signatures IM package is installed.
Impact:
Some classifications do not work properly.
Fix:
The factory default DPI signatures have been updated.
977053 : TMM crash on standby due to invalid MR router instance
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
977005 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
GUI shows 'Any' extra text under the source column
Workaround:
None
Fix:
The GUI no longer shows extra text
976925 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
976669 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
976617 : Manual signature sets are converted to filter based when trying to update signature set without field "type"
Component: Application Security Manager
Symptoms:
Manual signature sets are converted to filter based when trying to update signature set without field "type" in rest request.
Conditions:
Patch request to manual signature set without type.
Impact:
Manual signature set is being converted to filter based signature set
Workaround:
Update the signature set again to convert to manual, then add the appropriate signatures to it.
Fix:
Updated the logic to check the existing type of signature set before updating it.
976505 : Rotated restnoded logs will fail logintegrity verification.
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
976501 : Failed to establish VPN connection
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
976365-3 : Traffic Classification hardening★
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
976101 : TMM crash after deleting an interface from a virtual wire vlan
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
-- Virtual wire enabled
-- Delete an interface from the virtual wire vlan.
Impact:
Traffic disrupted while tmm restarts.
Fix:
After the fix no core is observed
975809 : Rotated restjavad logs fail logintegrity verification.
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
975593 : TMM may crash while processing IPSec traffic
Component: Carrier-Grade NAT
Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.
Conditions:
-IPSecAGL enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
975589 : CVE-2020-8277 Node.js vulnerability
Solution Article: K07944249
975465 : TMM may consume excessive resources while processing DNS iRules
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may consume excessive resources while processing DNS iRules
Conditions:
- RESOLVER::summarize iRule command in use
Impact:
TMM consumes excessive resources
Workaround:
Use 'DNSMSG::section <response> answer' in place of 'RESOLVER::summarize <response>'
Fix:
TMM now processes DNS iRules as expected.
975233 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
Solution Article: K52510511
975093 : Dynamic template HA: Missing ike/ipsec-sa's are seen on standby BIG-IP when dynamic tunnels are initiated
Component: TMOS
Symptoms:
IPsec SA's are missing when traffic was stopped and started again.
Conditions:
-- IPSEC dynamic templates configured
-- IPSEC traffic is started, stopped, and started again
Impact:
IPSEC SA's are not propagated to the standby device.
Workaround:
None
Fix:
HA-Template : Missing IKE SA's on standby when tunnels are deleted and recreated, issue related to buffer length.
974881 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
974705 : Dynamic template HA: Dynamic tunnel migration with dynamic template configuration does not work after failover when more than 24G of traffic is sent.
Component: TMOS
Symptoms:
When the standby device becomes active, IPSEC tunnel load balancing may be uneven and traffic may be dropped.
Conditions:
-- Dynamic templates are configured
-- A failover occurs
Impact:
- IPSEC Traffic can be dropped after a failover
- Load balancing is uneven on the standby device
Workaround:
None
Fix:
IPSEC tunnel load balancing works correctly following a failover.
974501 : Excessive memory usage by mirroring subsystem when remirroring
Component: Local Traffic Manager
Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)
In severe cases, tmm might restart and generate a core file due to an out of memory condition.
Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.
Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.
Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.
973673 : CPU spikes when the LDAP operational timeout is set to 180 seconds
Component: Access Policy Manager
Symptoms:
By default, the LDAP operation timeout is 180 seconds, and this can cause CPU spikes.
Conditions:
-- BIG-IP configured with a per-request access policy.
-- A high traffic load containing a lot of LDAP Auth and LDAP Query operations occurs.
Impact:
High LDAP traffic load can cause cpu spikes and traffic disruption.
Fix:
Reduced LDAP operational timeout to 50 sec for per-request based LDAP Auth and LDAP Query requests as accessV2 mpi request timeout is 60 sec only.
973577 : [HA template] Stop and start traffic, template objects & sa's are not mirrored on standby
Component: TMOS
Symptoms:
IPSEC template objects are not mirrored to the standby device.
Conditions:
-- IPSEC configured using templates
-- IPSEC traffic is passed, then stopped, and the ipsec-sa's and ike-sa's are deleted
-- IPSEC traffic resumes
Impact:
Ike-sa and ipsec-sa template objects are not propagated to the standby device
Workaround:
None
Fix:
Template objects are now mirrored to the standby device.
973333 : TMM buffer-overflow vulnerability CVE-2021-22991
Solution Article: K56715231
973261 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPs monitor.
973201-1 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★
Component: TMOS
Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.
Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begins a live upgrade.
Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.
Workaround:
None
Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.
972385 : Adjust The SSRF disallowed hosts to new attack vector
Component: Application Security Manager
Symptoms:
There is only a default 'disallow' action available for the SSRF host configuration API endpoint 'policies/ssrf-disallowed-hosts', whereas it is supposed to have 'allow' and 'resolve' options as well.
Conditions:
- AWAF enabled
- SSRF feature enabled
Impact:
This results in the improper configuration of the SSRF hosts and the feature and functionality will be limited from a usability perspective.
Workaround:
None
Fix:
The rest endpoint 'policies/ssrf-hosts' have the 'allow', 'disallow' and 'resolve' options.
971297 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.
Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded
Impact:
The keys are stored locally following the upgrade.
Workaround:
None.
971217 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
Component: Local Traffic Manager
Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.
Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.
-- Client sends HTTP POST request with Content-Length:0
Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".
Workaround:
None.
Fix:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations and will not incorrectly be reported.
Behavior Change:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations within the AFM HTTP protocol security profile.
970829 : iSeries LCD incorrectly displays secure mode
Solution Article: K03310534
Component: Device Management
Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.
Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.
Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:
-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.
The restjavad-audit.*.log may contain similar messages
[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}
Workaround:
None
Fix:
The LCD now functions normally, and no authentication errors appear in the logs.
969821 : HTTP::collect does not hold request/response until HTTP::release
Component: Local Traffic Manager
Symptoms:
HTTP::collect does not hold data until HTTP::release is called.
Conditions:
-- Virtual server with HTTP profile
-- iRule with HTTP::Collect and HTTP::release
-- HTTP::Collect does not specify the length
Impact:
HTTP::collect iRule with no length does not work. The request is collected and released without being held by HTTP until HTTP::release.
Workaround:
None
Fix:
HTTP::collect iRule holds the data until HTTP::release.
969737 : Snmp requests not answered if V2 traps are configured
Component: TMOS
Symptoms:
SNMP requests are not answered except the ones sent to the localhost ip address.
Conditions:
V2 traps are configured, for example:
tmsh modify sys snmp v2-traps add { ...
Impact:
SNMP external requests fail
Workaround:
Move all traps configured under 'v2-traps' to 'traps' in the configuration
969713 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey
Component: TMOS
Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.
Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured
Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel
Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.
Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.
969637 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"
Conditions:
-- A small subset of the following BIG-IP platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
Impact:
Configuration load fails and the device does not come online.
969509 : Possible memory corruption due to DOS vector reset
Component: Advanced Firewall Manager
Symptoms:
Unpredictable result due to possible memory corruption
Conditions:
DOS vector configuration change
Impact:
Memory corruption
Fix:
Added correct logic to reset DOS vector.
969213 : VMware: management IP cannot be customized via net.mgmt.addr property
Component: TMOS
Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.
Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.
Impact:
Management IP cannot be customized in VMware during the VM setup.
969105 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION
-- HA failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based HA failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
968737 : CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions
Solution Article: K83102920
968733 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
Solution Article: K42202505
968729 : Kernel CVE-2017-18344 out-of-bounds access in the show_timer function
Solution Article: K07020416
968725 : Linux Kernel Vulnerability CVE-2017-10661
Solution Article: K04337834
968421 : ASM attack signature doesn't matched
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
968349-7 : TMM crashes with unspecified message
Component: Service Provider
Symptoms:
TMM crashes with unspecified message
Conditions:
Requires specific iRule for gtp processing.
Impact:
TMM crashes with core and restarts. Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
TMM handles unspecified message properly.
967889 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
Component: Advanced Firewall Manager
Symptoms:
Custom signature of virtual server shows incorrect attack information.
Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)
Impact:
GUI shows incorrect information for custom signature
Fix:
GUI shows correct information for custom signature
967745-3 : Last resort pool error for the modify command for Wide IP
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
967437 : HA support for dynamic templates
Component: TMOS
Symptoms:
There is no high availability (HA) support for dynamic templates. When dynamic template feature is used, tunnels do not get created on standby devices, only on the active devices.
Conditions:
Using dynamic templates.
Impact:
Tunnels do not get created on standby devices, only on the active devices.
Workaround:
None
Fix:
This release provides HA support for dynamic templates, so tunnels are created as expected to support HA configurations.
967249 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.
Conditions:
- A BIG-IP system running more than 1 TMM instance.
- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).
- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.
- TMM hasn't fully completed its startup process yet.
Impact:
TMM leaks memory.
If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.
In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.
Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.
In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.
966701 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP
Component: Service Provider
Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.
Conditions:
-- SCTP transport profile
-- MRF generic msg router profile
Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing
Fix:
Enable the return type in generic msg filter when data received over SCTP transport
966681 : NAT translation failures while using SP-DAG in a multi-blade chassis
Component: Carrier-Grade NAT
Symptoms:
NAT translation fails
Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlan's
Impact:
Traffic failure, performance degraded
Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096
Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.
966633 : Policy entity search with non-ASCII value filter returns no results in REST/GUI in non-UTF-8 policies
Component: Application Security Manager
Symptoms:
WAF policy entities (such as parameters) are not found when filtering by non-ASCII values in REST/GUI in non-UTF-8 policies.
Conditions:
WAF policy is defined as non-UTF-8, and a non-ASCII value is used in an entity search filter.
Impact:
No results are returned.
Workaround:
None
Fix:
Non-ASCII WAF policy entities are returned in a filtered search in REST/GUI in non-UTF-8 policies.
966277 : BFD down on multi-blade system
Component: TMOS
Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.
Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots
Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.
966073 : GENEVE protocol support
Component: TMOS
Symptoms:
BIG-IP software does not support the GENEVE protocol.
Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol
Impact:
GENEVE protocol is unsupported.
Workaround:
None.
Fix:
BIG-IP software now supports the GENEVE protocol.
965777 : Per-request policy authentication becomes unresponsive
Component: Access Policy Manager
Symptoms:
Per-request policy execution can appear to be slow during subroutine evaluation, and apmd appears to take a large amount of CPU.
Conditions:
The per-request policy is using subroutine to execute an authentication related agent that is dispatched to apmd for completion. These typically involve authentication agents that interact with an external authentication server, such as LDAP, RADIUS, or AD.
Impact:
Connectivity may be impaired or lost.
Workaround:
Failover the high availability (HA) pair, or restart apmd.
965617 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
Component: Advanced Firewall Manager
Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB
Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support
Impact:
More resources loading during DDoS attack
Fix:
Correct free spot search with offloading to HSB
965485-7 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Solution Article: K41523201
965457 : OSPF duplicate router detection might report false positives
Component: TMOS
Symptoms:
OSPF duplicate router detection might report false positives
Conditions:
Router sends LSA that is looped in network and sent back to its origin.
Impact:
Cosmetic
965205 : BIG-IP dashboard downloads unused widgets
Component: TMOS
Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.
Conditions:
This occurs when viewing the BIG-IP dashboard.
Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.
Workaround:
None.
965037 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services
Component: Local Traffic Manager
Symptoms:
In some cases, when Services in SSL Orchestrator (service-connect agent in per-request policy) is inserted after Category lookup for CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to services.
Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname
Impact:
HTTP CONNECT tunnel payload is not sent to services
Workaround:
None
Fix:
HTTP CONNECT tunnel payload is now sent to services.
964941 : IPsec interface-mode tunnel does not initiate or respond after config change
Component: TMOS
Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.
Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration
Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.
Workaround:
Reboot or restart tmm
Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.
964585 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
Component: Protocol Inspection
Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.
Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.
Impact:
- The error message does not accurately explain the cause of the problem.
Workaround:
None.
Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.
964577 : IPS automatic IM download not working as expected
Component: Protocol Inspection
Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.
IPS automatic IM download considers the BIG-IP software major and minor version numbers.
However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.
Conditions:
Auto download of IM package for IPS.
Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.
Workaround:
Manually download the IM package and upload it onto the BIG-IP system.
Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.
964421 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'
Component: TMOS
Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.
It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.
Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).
Impact:
A confusing error message is logged, which makes it difficult to know what to do next.
Fix:
The error message has been improved to mention the name of the offending rewrite profile.
964245 : ASM reports and enforces username always
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.
963869 : Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server.
Component: Local Traffic Manager
Symptoms:
Users are unable to launch the Remote Desktop app from the webtop.
Conditions:
-- APM is licensed and provisioned.
-- Remote Desktop is configured and attached to the per-session policy.
-- A per-request policy is attached to the virtual server.
Impact:
Users cannot access the remote desktop application.
Workaround:
Don't attach the per-request policy to the virtual server if it's not required.
Fix:
Remote Desktop app no longer fails to launch from the webtop when per-request policy is added to virtual server.
963713 : HTTP/2 virtual server with translate-disable can core tmm
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing HTTP/2 traffic
Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not configure an HTTP/2 virtual server with translate-disable
Fix:
Tmm does not crash anymore.
963705 : Proxy ssl server response not forwarded
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be not forwarded
Fix:
Proxy ssl will now forward server response after renegotiation
963485 : Performance issue with data guard
Component: Application Security Manager
Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.
Conditions:
-- The server response is compressed.
-- Data guard is enabled.
Impact:
Slow response time.
Workaround:
-- Disable data guard or block the data instead of masking it.
-- Force server sending uncompressed response using an iRule:
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
963461 : ASM performance drop on the response side
Component: Application Security Manager
Symptoms:
Clients encounter a longer time to respond from the BIG-IP
Conditions:
-- One of the following features is enabled:
- convictions
- csrf
- ajax.
-- The response is HTML
-- The response has many tags
Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.
963237 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
Component: Advanced Firewall Manager
Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.
Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.
Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server
Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.
963049 : Unexpected config loss when modifying protected object
Component: TMOS
Symptoms:
A virtual server configuration is changed unexpectedly.
Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.
Impact:
Virtual servers client SSL profiles are removed if you have more than one profile.
Workaround:
None
Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.
963017 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
Component: TMOS
Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):
err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid
In addition, a message similar to the following may appear on the serial console while the system is booting:
[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:
# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since <...>
Main PID: #### (code=exited, status=1/FAILURE)
<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.
However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.
Conditions:
This may occur under the following conditions:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
- BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
- VIPRION B4450 blades
Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.
This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.
Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check
Fix:
This incorrect status reporting has been corrected.
962913 : The number of native open connections in the SSL profile is higher than expected
Component: Local Traffic Manager
Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.
Conditions:
SSL renegotiation is enabled. Other conditions are unknown.
Impact:
The SSL stats are incorrectly reading higher than expected.
Workaround:
Disable SSL renegotiation.
962497-2 : BD crash after ICAP response
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
962341-7 : BD crash while processing JSON content
Component: Application Security Manager
Symptoms:
Under certain conditions, BD may crash while processing JSON content
Conditions:
- ASM enabled
- JSON content profile enabled
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
962333 : FIN from client does not get propagated to server side, if the FIN arrives before server side reaching ESTABLISHED
Component: Local Traffic Manager
Symptoms:
FIN from client will not be propagated to server side, if the FIN arrives in BIG-IP before the corresponding server side connection reaches ESTABLISHED.
Conditions:
- standard virtual server with the default tcp profile
- client sends FIN immediately after 3WHS
Impact:
These connections remain until the idle timeout is reached.
Workaround:
None
962069 : Excessive resource consumption while processing OSCP requests via APM
Component: Access Policy Manager
Symptoms:
Under certain conditions, OSCP requests may consume excessive resources.
Conditions:
- SSL profile enabled
- OSCP verification enabled
Impact:
Excessive resource consumption, potentially leading to an out-of-memory condition.
Workaround:
N/A
Fix:
OSCP requests now consume resources as expected.
960749 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
960437 : The BIG-IP system may initially fail to resolve some DNS queries
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
960385 : In rare conditions modal does not close when it should
Component: Application Security Manager
Symptoms:
When one modal is already opened in the GUI and the system tries to open another one, first one is not closed
Conditions:
In new policy settings pages following steps are needed:
- open settings page and change something so that Save button becomes active
- open modal (e.g. Add Webhook in General Settings)
- press back in browser
Impact:
Unsaved changes modal is not visible.
Workaround:
Close modals before navigating back in the browser
Fix:
On open of new modal - all previous are forced to close
960369 : Negative value suggested in Traffic Learning as max value
Component: Application Security Manager
Symptoms:
Negative value suggested in Traffic Learning as max value
Conditions:
A huge parameter value is seen in traffic
Impact:
Wrong learning suggestion issued
Workaround:
Manually change maximum allowed value on the parameter to ANY
Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY
959889 : Cannot update firewall rule with ip-protocol property as 'any'
Component: TMOS
Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.
Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update
Impact:
Cannot update the firewall rule from GUI.
Fix:
The GUI now allows updating firewall rules with 'any' as an ip-protocal.
959629 : Logintegrity script for restjavad/restnoded fails
Component: TMOS
Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:
find: '14232restnoded_log_pattern': No such file or directory.
Conditions:
When the logintegrity script runs.
Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.
Workaround:
Modify the script file /usr/bin/rest_logintegrity:
1. mount -o remount,rw /usr
2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original
3. vi /usr/bin/rest_logintegrity
4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
6. mount -o remount,ro /usr
Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.
959121 : Not following best practices in Guided Configuration Bundle Install worker
Solution Article: K74151369
958833 : After mgmt ip change via GUI, brower is not redirected to new address
Component: TMOS
Symptoms:
After changing the management IP address via the GUI, the browser is not redirected, and reports Unable to connect BIG-IP device.
Conditions:
Change the Management IP address from the GUI and submit the change.
Impact:
Browser does not get redirected to the new address
Workaround:
Access the GUI by manually going to the new Management IP.
Fix:
GUI page is redirected to new Management IP address.
958465 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
Component: TMOS
Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.
The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.
958353 : Restarting the mcpd messaging service renders the PAYG VE license invalid.
Component: TMOS
Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.
Conditions:
Restarting the mcpd messaging service.
Impact:
The license becomes expired. A message is displayed in the console:
mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).
Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).
Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.
958325 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
Component: Global Traffic Manager (DNS)
Symptoms:
Dangling monitor rule after pool deletion.
# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use
Conditions:
Using transaction to delete pool and create pool of same name with different monitor.
Impact:
Unable to delete the remaining monitor.
Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.
958093 : IPv6 routes missing after BGP graceful restart
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
958085 : IM installation fails with error: Spec file not found★
Component: Traffic Classification Engine
Symptoms:
IM installation fails with an error message:
ERROR Error during switching: Spec file not found
Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.
Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.
Workaround:
None.
Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.
957965 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'
Component: Application Security Manager
Symptoms:
Request is blocked by 'CSRF attack detected' violation.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy
Impact:
False positive request blocking occurs.
Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.
Fix:
'CSRF attack detected' now works as expected.
957897 : Unable to modify gateway-ICMP monitor fields in the GUI
Component: TMOS
Symptoms:
While modifying a gateway-ICMP monitor you see the following error:
01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.
Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.
Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.
Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]
For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description
Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.
957337 : Tab complete in 'mgmt' tree is broken
Component: TMOS
Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:
(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"
Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete
Impact:
You are unable to configure objects in mgmt.
This issue also prevents users with the admin role from accessing the following REST endpoints:
shared/authz/users
shared/echo-js
The error returned was HTTP/1.1 401 F5 Authorization Required
Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.
957029 : MRF Diameter loop-detection is enabled by default
Component: Service Provider
Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.
Conditions:
Default diameter session profile loop detection configuration.
Impact:
System performance is impacted even if MRF Diameter loop detection is not used.
Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.
Fix:
MRF Diameter loop detection is now disabled by default.
Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.
956589 : The tmrouted daemon restarts and produces a core file
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
Tmrouted daemon should not restart during blade reset
956293 : High CPU from analytics-related REST calls - Dashboard TMUI
Component: TMOS
Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.
Conditions:
Leaving UI dashboard page left open.
Impact:
System performance is impacted if the dashboard page is kept open.
956105 : Websocket URLs content profiles are not created as expected during JSON Policy import
Component: Application Security Manager
Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import
Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.
Impact:
Content profiles are not being added to the webscket URLs causing wrong configuration.
Workaround:
The content profiles can be manually associated after the import process using REST or GUI.
Fix:
Setting the correct profile reference during import.
956025 : HTTP profile response-chunking "unchunk" option does not remove Content-Length from response header
Component: Local Traffic Manager
Symptoms:
When the HTTP profile response-chunking option is set to "unchunk", chunked responses will be unchunked and the Transfer-Encoding header is removed.
If the server sends a chunked response with both Transfer-Encoding and Content-Length headers, Transfer-Encoding is removed but Content-Length is not. This causes the client to receive a response with an erroneous Content-Length header.
Conditions:
- HTTP virtual server with response-chunking set to "unchunk"
- Server response with both Transfer-Encoding and Content-Length headers present
Impact:
Malformed HTTP response received by client as length of response should be determined by closure of connection, not erroneous Content-Length header.
Workaround:
Implement iRule: at HTTP_RESPONSE time, remove the Content-Length header if the Transfer-Encoding header is also present.
Fix:
HTTP now removes Content-Length header when unchunking responses.
955389 : Dynamic split tunneling for Zoom, Office 365 traffic
Component: Access Policy Manager
Symptoms:
BIG-IP APM did not support dynamic split tunneling for Zoom and Office 365 traffic. There is no capability to automatically exclude Zoom and Microsoft Office 365 traffic in APM Network Access tunnels.
Conditions:
Use network access to exclude traffic for applications.
Impact:
The traffic was routed over the tunnel instead of being excluded and passed directly to the public internet.
Workaround:
None
Fix:
BIG-IP APM now provides the ability to create a dynamic address space that contains IPv4, IPv6, and DNS names for Zoom and Microsoft Office 365 applications by using their auto-discovery URL.
You can also create custom address space objects by manually adding a static list of addresses for SaaS applications such as Cisco Webex.
You can automatically exclude Zoom and Microsoft Office 365 traffic in APM Network Access tunnels with this capability.
955145 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
955057 : UCS archives containing a large number of DNS zone files may fail to restore.★
Component: TMOS
Symptoms:
This issue can manifest in the following ways:
- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).
- Failure to restore a UCS archive to a different boot location by means of using the cpcfg utility (or the the "Install Configuration" option when changing boot locations in the Web UI).
- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).
In all cases, error messages similar to the following example are returned to the user:
/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.
Impact:
The UCS archive fails to restore. Additionally:
- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.
- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).
Workaround:
Depending on the failure mode, perform one of the following workarounds:
- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:
find /var/named/config/namedb -mindepth 1 -delete
- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).
Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.
The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).
In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:
Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.
- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:
find /var/named/config/namedb -mindepth 1 -delete
Fix:
The UCS restore operation succeeds, even when a large number of DNS Bind zone files are present.
955017 : Excessive CPU consumption by asm_config_event_handler
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
954937-1 : Tmm crash when GPA POLICY is used
Component: Traffic Classification Engine
Symptoms:
Tmm crashes while passing traffic.
Conditions:
-- Traffic classification policy exists and is configured to block the application traffic
-- Application traffic is passed
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a PEM policy to block the traffic instead of a traffic classification policy
Fix:
Fixed a tmm crash when a traffic classification policy is configured to block application traffic.
954429 : User authorization changes for live update
Solution Article: K23203045
954381 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
954089 : Incorrect Protocol Inspection "Drop" action for UDP connection flows
Component: Protocol Inspection
Symptoms:
When a drop action is performed for a UDP connection flow, BIG-IP does not drop the connection correctly.
Conditions:
- Protocol Inspection's profile is attached at either the Virtual Server or the Firewall rule level.
- UDP traffic is processed and matches an action set to "Drop" occurs.
Impact:
Multiple connections are created on the server side, which could lead to port exhaustion.
Fix:
Protocol Inspection "Drop" action drops only packet, and keeps the connection and continues to drop the subsequent traffic for a UDP connection flow.
Behavior Change:
Protocol Inspection "Drop" action on UDP connection should only drop the packet, but keep the connection in such a state that subsequent traffic gets dropped. The old behavior was to drop the packet and remove the connection.
953845 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
953729 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
953393 : TMM crashes when performing iterative DNS resolutions.
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes and produces a core file.
Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.
To do so, you configure a Forward Zone in the Network DNS Resolver for '.' (the DNS root). This causes DNS to send all DNS requests to a different, external resolver of your choice, which will perform recursive resolution.
The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).
Fix:
TMM no longer crashes.
952557 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com
Component: Access Policy Manager
Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.
Conditions:
Azure AD B2C Provider may be non functional if URLs are using logic.microsoftonline.com.
Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.
Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.
For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.
Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.
952545 : 'Current Sessions' statistics of HTTP2 pool may be incorrect
Component: Service Provider
Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552
Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams
Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.
Workaround:
None.
Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.
952509 : Cross origin AJAX requests are blocked in case there is no Origin header
Component: Application Security Manager
Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.
Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.
Impact:
Request is blocked.
Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.
Fix:
Check referrer header also when modifying CORS headers.
951705 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
950849 : B4450N blades report page allocation failure.★
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This occurs on B4450N blades regardless of configuration.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You must perform the workaround on each blade installed in the system.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands:
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
950745 : Encrypted Video traffic classification
Component: Traffic Classification Engine
Symptoms:
- Classification engine needs to classify the video playback resolution for a video session.
Conditions:
- Both ABR and Behavioral classifier need to be enabled by configuring sys db variables
* tmm.cec.classifier.behavioral.enable to true.
* tmm.cec.classifier.abr.enable to true.
Impact:
- Classification Engine (CEC) starts to classify the encrypted video traffic resolution prediction into one of the four resolutions 360p, 480p, 720p and 1080p.
- EVC support is added for multiple video applications such as YouTube, Netflix, Prime Video, Disney+.
950673 : Hardware Syncookie mode not cleared when deleting/changing virtual server config.
Component: TMOS
Symptoms:
Modifying a virtual server can cause BIG-IP to get stuck in hardware syncookie mode.
Conditions:
-- A virtual server is in hardware syncookie mode.
-- Modifying or deleting the virtual server
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
950253 : Source address translation occurs with self IP after NAT policy removal from Virtual Server
Component: Advanced Firewall Manager
Symptoms:
Address translation occurs after removal of the NAT Policy from Virtual Server
Conditions:
Attach the policy with virtual server and remove it and check the traffic flow
Impact:
Source translation happens with self IP
Workaround:
Restart tmm:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts network traffic.
Fix:
The No Translation flag is reset after policy removal if source address translation is set to None
950077 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950017 : TMM may crash while processing SCTP traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic. After this crash logs will show the message: "flow not in use".
Conditions:
- SCTP profile enabled
Impact:
TMM crashing leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes SCTP traffic as expected.
950005 : TCP connection is not closed when necessary after HTTP::respond iRule
Component: Local Traffic Manager
Symptoms:
HTTP does not close the TCP connection on the client if response is sent via HTTP::respond.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
None
Fix:
The TCP connection is now closed after sending "Connection: close".
949933-7 : BIG-IP APM CTU vulnerability CVE-2021-22980
Solution Article: K29282483
949889 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
Solution Article: K04107324
949793 : Fix routing server initiated request dynamically when "DIAMETER::dynamic_route_lookup"
Component: Service Provider
Symptoms:
When using "DIAMETER::dynamic_route_lookup", the functionality does not work and tmm can crash.
Conditions:
-- Diameter dynamic routing enabled in diameter session profile.
-- Dynamic-route-lookup is disabled
-- An iRule DIAMETER::dynamic_route_lookup message is enabled
Impact:
Traffic disrupted while tmm restarts.
949721 : QUIC does not send control frames in PTO packets
Component: Local Traffic Manager
Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.
Conditions:
A control frame is in-flight when the PTO timer fires.
Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.
Workaround:
None.
Fix:
Retransmittable control frames are now sent when the PTO timer fires.
949477 : NTLM RPC exception: Failed to verify checksum of the packet
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
949145 : Improve TCP's response to partial ACKs during loss recovery
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
949105 : Error log seen on Category Lookup SNI requests for same connection
Component: Access Policy Manager
Symptoms:
Client connections are reset and you see an error in /var/log/apm : "(ERR_NOT_FOUND) Category Lookup failed or a Category Lookup agent is not present in the policy before Response Analytics"
Conditions:
-- Category Lookup agent (lookup type SNI) in the per-request policy before Request or Response Analytics agent
-- Multiple requests sent in the same SSL connection.
Impact:
Connections are reset or they follow the fallback branch for subsequent requests in the same SSL connection
Fix:
Fixed an issue with Category Lookup SNI requests for same connection
948805 : False positive "Null in Request"
Component: Application Security Manager
Symptoms:
A false positive violation "Null in Request" is thrown erroneously.
Conditions:
-- BIG-IP receives a query string in the "Referrer" header
Impact:
False positive violation "Null in Request" is thrown
Workaround:
None
Fix:
Fixed a false positive violation.
948769 : TMM panic with SCTP traffic
Solution Article: K05300051
948757 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
Component: Local Traffic Manager
Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.
Conditions:
A snat-translation address is configured with ARP enabled.
Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.
Workaround:
None.
Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.
948717 : F5-pf_daemon_cond_restart uses excessive CPU★
Component: TMOS
Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.
This is contributing to higher CPU usage after upgrading from an earlier version
Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.
Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.
Workaround:
None.
948605 : buffersize(2048) too small. Buffer truncated.
Component: TMOS
Symptoms:
While proc pid statistics are collected by the merged daemon it may encounter an error and log a message about buffer size being too small.:
notice merged[5491]: 011b0228:5: While reading file /proc/28574/cmdline, buffersize(2048) too small. Buffer truncated.
Conditions:
If a process cmdline is too long, it can be truncated while collecting statistics.
Impact:
A log message is logged to /var/log/ltm. It can be ignored.
Fix:
The buffer size has been expanded to better handle this case.
948573-1 : Wr_urldbd list of valid TLDs needs to be updated
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
948417 : Network Management Agent (Azure NMAgent) updates causes Kernel Panic
Component: Performance
Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)
Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking
Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)
Workaround:
- Disable Accelerated Networking on BIG-IP network interfaces (Reversed settings from Azure documentation)
Individual VMs & VMs in an availability set
First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:
Azure CLI
az vm deallocate \
--resource-group myResourceGroup \
--name myVM
Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate
the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in
the availability set will need to be stopped/deallocated before disabling Accelerated Networking on any of the NICs.
Once stopped, disable Accelerated Networking on the NIC of your VM:
Azure CLI
az network nic update \
--name myNic \
--resource-group myResourceGroup \
--accelerated-networking false
Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is disabled:
Azure CLI
az vm start --resource-group myResourceGroup \
--name myVM
948101 : Pair of phase 2 SAs missing after reboot of standby BIG-IP device
Component: TMOS
Symptoms:
In the case of IPsec traffic-selector narrowing during tunnel negotiation, Security Associations (SAs) may not be mirrored to the Standby after the Standby is rebooted.
Conditions:
- BIG-IP systems configured in High Availability (HA).
- Mirroring is configured.
- The Standby system reboots.
Impact:
IPsec SAs may not be mirrored to the Standby device. If a failover occurs, the newly Active device cannot handle previously established tunnels.
Workaround:
Configure traffic-selectors to match exactly on both IPsec peers.
Fix:
During reboot, the IPsec object dependency chain is maintained.
947937 : HTTP iRule commands may fail to execute within the "fallback-host" HTTP profile field.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system can redirect a request to a fallback host when the target pool is unavailable. If the configured fallback host within the HTTP profile contains HTTP iRule commands such as HTTP::host or HTTP::uri, the corresponding HTTP request can fail. A connection reset may be encountered instead.
Conditions:
- HTTP profile with "fallback-host" profile option configured containing an HTTP iRule command.
Impact:
When utilizing the HTTP profile with "fallback-host" profile option with HTTP iRule commands, incorrect connection resets can be seen by the client instead of the correct HTTP response.
Workaround:
Attaching an iRule containing HTTP::redirect or similar command to the virtual server can be used instead of the fallback host-profile option to redirect traffic to another virtual server.
Fix:
The HTTP "fallback-host" profile option with HTTP iRule commands will now properly execute and result in the correct HTTP response being delivered to the client.
947865 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
947529 : Security tab in virtual server menu renders slowly
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
Security tab of a virtual server loads fast
947057 : Traffic intelligence feeds to do not follow best practices
Component: Traffic Classification Engine
Symptoms:
Traffic intelligence feeds to do not follow best practices
Conditions:
AFM or PEM are provisioned
Impact:
Traffic intelligence feeds to do not follow best practices
Workaround:
None
Fix:
Traffic intelligence feeds now follow best practices
946953 : HTTP::close used in iRule might not close connection.
Component: Local Traffic Manager
Symptoms:
HTTP::close used in an iRule might not close the connection. For example:
when HTTP_REQUEST {
HTTP::close
HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
}
Conditions:
Using HTTP::close along with HTTP::respond
Impact:
HTTP connection can be re-used.
Workaround:
Explicitly add close header in the HTTP::respond. For example:
HTTP::respond 200 content "OK" Connection close
Fix:
Fixed an issue where HTTP::close might not close a connection.
946745 : 'System Integrity: Invalid' after Engineering Hotfix installation
Component: TMOS
Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.
Conditions:
This occurs if all of the following conditions are true:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.
946481 : Virtual Edition FIPS not compatible with TLS 1.3
Component: Local Traffic Manager
Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.
Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM
Impact:
Handshake failure for TLS 1.3
Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.
Fix:
TLS 1.3 AES-GCM in FIPS mode now works correctly.
946377 : HSM WebUI Hardening
Component: Local Traffic Manager
Symptoms:
The HSM Management WebUI does not follow current best practices.
Conditions:
HSM Management WebUI accessed by an authorized administrative user.
Impact:
The HSM Management WebUI does not follow current best practices.
Workaround:
N/A
Fix:
The HSM Management WebUI now follows current best practices.
946125 : Tmm restart adds 'Revoked' tokens to 'Active' token count
Component: Access Policy Manager
Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)
Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm
Impact:
User is denied access even though token limit per user is not reached
Fix:
Fixed an issue where users were unable to log in after a tmm restart.
946089 : BIG-IP might send excessive multicast/broadcast traffic.
Component: TMOS
Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.
Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.
Impact:
Excessive multicast/broadcast traffic.
946081 : Getcrc tool help displays directory structure instead of version
Component: Application Security Manager
Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
945997 : LTM policy applied to HTTP/2 traffic may crash TMM
Component: Local Traffic Manager
Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.
Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.
945821 : Remote logging conditions adjustments
Component: Application Security Manager
Symptoms:
When "Null in multi-part" violation is detected, BIG-IP logs it to remote log even when the violation is not set to blocked in Learning and Blocking settings
Conditions:
This happens when "Null in multi-part" violation is detected
Impact:
Incorrect logging to remote logs
Workaround:
None
Fix:
Fixed an issue where BIG-IP was incorrectly sending "Null in multi-part" logs to remote logs.
945789 : Live update cannot resolve hostname if ipv6 is configured
Component: Application Security Manager
Symptoms:
Live update is not working when BIG-IP DNS is configured to use IPv6
Conditions:
BIG-IP DNS uses IPv6
Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.
Workaround:
If possible, use IPv4 for DNS.
Fix:
Replaced deprecated gethostbyname which does not work well with IPv6 with getaddrinfo
945601 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
Component: Local Traffic Manager
Symptoms:
An incorrect LTM policy rule is picked up e.g. a rule which should match first is omited.
Conditions:
Policy contains multiple rules which employ TCP address matching condition.
Impact:
Inocorrect LTM policy is applied.
945265 : BGP may advertise default route with incorrect parameters
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
945109 : Freetype Parser Skip Token Vulnerability CVE-2015-9382
Solution Article: K46641512
945033 : Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization
Solution Article: K57542514
944785 : Admd restarting constantly. Out of memory due to loading malformed state file
Component: Anomaly Detection Services
Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.
Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.
Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption
Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD
If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD
Fix:
No more memory corruption, no OOM nor ADMD restarts.
944641 : HTTP2 send RST_STREAM when exceeding max streams
Component: Local Traffic Manager
Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.
Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.
Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.
Workaround:
None.
Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.
944513 : Apache configuration file hardening
Component: TMOS
Symptoms:
Apache configuration file did not follow security best practice.
Conditions:
Normal system operation with httpd enabled.
Impact:
Apache configuration file did not follow security best practice.
Workaround:
None
Fix:
Apache configuration file has been hardened to follow security best practice.
944441 : BD_XML logs memory usage at TS_DEBUG level
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
944365 : Session variable for Group SIDs (in Kerberos Auth agent) and Group Names (in AD Group SID Resolver agent) has a max limit
Component: Access Policy Manager
Symptoms:
According to Microsoft (see https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/logging-on-user-account-fails), logging on a user account that is a member of more than 1,010 groups (or close to that range) may fail on a Windows Server-based computer. So session variable for group SIDs in Kerberos Auth agent has max limit around 256KB.
Also session variable for group names in AD Group SID Resolver agent has max limit of 384KB.
Conditions:
1. User account is a member of more than 1,010 groups (or close to this range)
2. Concatenated group names for the user's group membership is more than 384KB
Impact:
1. User is unable to log in to windows account
2. User is denied access to the resource protected by the APM policy
Workaround:
1. Reduce user's group membership
2. Shorten the DNs for the groups
Fix:
The user group SIDs max limit is enforced by Microsoft. The user group names max limit is enforced by BIG-IP APM to protect system resources.
944093 : Maximum remaining session's time on user's webtop can flip/flop
Component: Access Policy Manager
Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of maximum remaining session's time can flip/flop in seconds on a user's webtop
Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs
Impact:
End users will see the remaining time being continually reset.
Fix:
Rendering of value for maximum remaining session's time is fixed
943913 : ASM attack signature does not match
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
943793-1 : Neurond continuously restarting
Component: TMOS
Symptoms:
Neurond continuously restarts.
Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"
Impact:
Neuron communications will be impacted
Fix:
Fix for handling neurond.init script treating unknown arg as "start": Added code for default case to handle all unknown args
943125 : ASM bd may crash while processing WebSocket traffic
Solution Article: K18570111
943081 : Unspecified HTTP/2 traffic may cause TMM to crash
Solution Article: K90603426
943033 : APM PRP LDAP Group Lookup agent has a syntax error in built in VPE expression
Component: Access Policy Manager
Symptoms:
PRP LDAP Group Lookup agent, the expression incorrectly places the 'string tolower' outside the square brackets. This causes an issue in the GUI of the LDAP Group Lookup object where the 'Simple' branch rules do not show up. You see this 'Warning':
Warning, this expression was made manually and couldn't be parsed, please use advanced tab.
Conditions:
Configure PRP with the LDAP Group Lookup agent in the Visual Policy Editor (VPE).
Impact:
Tcl expression containing a syntax error prevents the LDAP Group Lookup agent from functioning properly.
Workaround:
Go to the LDAP Group Lookup agent advanced tab and change this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains string tolower["CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}
To this:
expr {[string tolower [mcget {session.ldap.last.attr.memberOf}]] contains [string tolower "CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN"]}
Click finish.
Now you can click 'change', and use the 'Simple' tab and the 'Add an expression using presets' option.
Fix:
The syntax error in built in VPE expression of LDAP Group Lookup agent is fixed
942965 : Local users database can sometimes take more than 5 minutes to sync to the standby device
Component: Access Policy Manager
Symptoms:
Local db sync to standby devices take more than 5 minutes to sync
Conditions:
High availability (HA) setup
- add a local db user in the active device
- Wait for it to get synced to the standby device
- Sometimes the sync may not happen in 5 minutes.
Impact:
Sync of the changes to the local user db may take several minutes to sync to the standby devices.
Workaround:
None.
942921 : BIG-IP APM vulnerability CVE-2021-22985
Solution Article: K32049501
942793 : BIG-IP system cannot accept STARTTLS command with trailing white space
Component: Local Traffic Manager
Symptoms:
When an SMTPS profile is applied on a virtual server and the SMTP client sends a STARTTLS command containing trailing white space, the BIG-IP system replies with '501 Syntax error'. The command is then forwarded to the pool member, which can result in multiple error messages being sent to the SMTP client.
Conditions:
-- A virtual server is configured with an SMTPS profile.
-- The SMTP client sends a STARTTLS command with trailing spaces.
Impact:
The SMTP client is unable to connect to the SMTP server.
Workaround:
Use an SMTP client that does not send a command containing trailing white space.
Fix:
The system now handles trailing white spaces in SMTP STARTTLS command.
942701 : TMM may consume excessive resources while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
When processing HTTP traffic, TMM may consume excessive resources.
When BIGIP handles HTTP traffic, it provides a possibility to compress payload. Under certain conditions TMM may consume its memory inefficiently, resulting in OOM situations.
Conditions:
- Virtual server with http and httpcompression profiles.
- Undisclosed conditions at backend server.
Impact:
TMM exhausts its memory and may deny legitimate traffic or delay processing traffic.
Workaround:
Remove httpcompression profile from a virtual's configuration.
Fix:
TMM now processes HTTP traffic as expected.
942585 : Website slowness
Component: Fraud Protection Services
Symptoms:
A website that is protected by FPS loads slow.
Conditions:
-- FPS is enabled
-- Many elements are created dynamically via document.createElement
Impact:
Website responses are very slow
Workaround:
N/A
Fix:
Code fix along with BLFN
function (C) {
C.XX.checkInDomOnly = true;
}
to prevent from checking elements that are not in DOM
942581 : Timestamp cookies do not work with hardware accelerated flows
Component: Advanced Firewall Manager
Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.
Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.
Impact:
Reduced traffic throughput and increased CPU usage
Fix:
FPGA and software enhancement to allow hardware accelerate of TCP flows that have time stamp cookie enabled.
942549 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Component: TMOS
Symptoms:
During boot of a i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.
Fix:
Updating the HSB load script to support resetting the hardware device during boot completely resolves this issue. The updated HSB loader can be implemented on all versions of BIG-IP.
942497 : Declarative onboarding unable to download and install RPM
Component: TMOS
Symptoms:
Installation of declarative onboarding RPM fails.
Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.
Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.
Workaround:
RPMs must be installed manually.
Fix:
The installation directory was updated to fix the RPM installation issue.
942185 : Non-mirrored persistence records may accumulate over time
Component: Local Traffic Manager
Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.
Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
942105 : Support for HTTP Trailers and gRPC
Component: Local Traffic Manager
Symptoms:
BIG-IP fails to properly process trailers when HTTP or HTTP/2 is configured on the virtual. This prevents the use of protocols such as gRPC that rely on such headers.
Conditions:
BIG-IP is configured for use with HTTP or HTTP/2 and receives a response that includes trailing headers.
Impact:
The trailing headers are dropped or ignored, preventing operation of protocols such as gRPC.
Fix:
BIG-IP traffic profiles commonly used for gRPC deployments now support trailing headers.
Behavior Change:
BIG-IP traffic profiles commonly used for gRPC deployments now support trailing headers.
941929 : Google Analytics shows incorrect stats, when Google link is redirected.
Component: Application Security Manager
Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
-- Google link is responded to (by the server) with a redirect.
-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
None
941893 : VE performance tests in Azure causes loss of connectivity to objects in configuration
Component: TMOS
Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.
Conditions:
Running performance tests of VE in Azure.
Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.
Workaround:
Reboot from the Azure console to restore functionality.
941853 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
941621 : Brute Force breaks server's Post-Redirect-Get flow
Solution Article: K91414704
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
941593 : Video Traffic Management - ECN detection
Component: Policy Enforcement Manager
Symptoms:
When congestion is experienced in the network, all end user client traffic is affected, including video traffic. Enabling Explicit Congestion Notification (ECN) and setting the flow value ECN bits to 3 in the IP header helps to manage the congestion.
Conditions:
-- Congestion is experienced in the network
-- Video traffic is affected.
Impact:
Congestion in the network is unresolved.
Workaround:
None
Fix:
With this feature enabled and if the flow value has ECN bits set to 3, the BIG-IP system applies the actions associated with the PEM Policy. In the PEM policy you can apply rate limiting to the applicable (existing video) traffic.
941481 : iRules LX - nodejs processes consuming excessive memory
Component: Local Traffic Manager
Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.
You can check the iRule LX plugins memory usage using the command:
tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):
Memory (bytes)
Total Virtual Size 946.8M
Resident Set Size 14.5K
Conditions:
-- iRulesLX in use.
Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.
Workaround:
Restart the iRule LX plugin that is leaking memory:
tmsh restart ilx plugin <PLUGIN_NAME>
941449 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
Solution Article: K55237223
941381 : MCP restarts when deleting an application service with a traffic-matching-criteria
Component: TMOS
Symptoms:
After deleting an application service that contains a virtual server and a traffic-matching-criteria, the mcpd daemon crashes.
Conditions:
-- BIG-IP application service configuration containing a virtual server with traffic-matching-criteria
-- Application service is deleted
Impact:
Traffic and control plane disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed an mcpd crash related to traffic-matching-criteria.
941257-5 : Occasional Nitrox3 ZIP engine hang
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
941249 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Component: Application Security Manager
Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server
Conditions:
This is applicable when domain and path cookie attributes are present in response from server
Impact:
ASM cookie name which is displayed is incorrect
Workaround:
None
Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s
941169 : Subscriber Management is not working properly with IPv6 prefix flows.
Component: Policy Enforcement Manager
Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.
Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).
Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.
Workaround:
None.
940897 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
940885 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter
Component: TMOS
Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.
Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.
Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.
Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.
940665 : DTLS 1.0 support for PFS ciphers
Component: Local Traffic Manager
Symptoms:
When using DTLS 1.0 the following two PFS ciphers are no longer negotiated and they cannot be used in a DTLS handshake/connection.
* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA
Conditions:
DTLS 1.0 is configured in an SSL profile.
Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.
940469 : Unsupported option in /etc/resolv.conf causes failure to sync DNS Zone configuration
Component: Global Traffic Manager (DNS)
Symptoms:
The 'gtm_add' script fail to sync configuration information from the peer when 'options inet6' is present in /etc/resolv.conf.
Conditions:
The option 'options inet6' is used in /etc/resolv.conf.
Impact:
The 'gtm_add' script removes the current config and attempts to copy over the config from the remote GTM. When the remote copy fails, the local device is left without any config.
Workaround:
Remove the 'options inet6' from /etc/resolv.conf.
940401 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
940249 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
940177 : Certificate instances tab shows incorrect number of instances in certain conditions
Component: TMOS
Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.
Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI
Impact:
All the custom profiles will be listed when only select instances for ca-bundle cert are expected
Fix:
The correct number of instances of certificates is now displayed.
940021 : Syslog-ng hang may lead to unexpected reboot
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
939961 : TCP connection is closed when necessary after HTTP::respond iRule.
Component: Local Traffic Manager
Symptoms:
After HTTP::respond iRule, when "Connection: close" header is sent to the client, TCP connection is not closed.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
N/A
Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.
939941 : Monitor parameter not found error
Component: Global Traffic Manager (DNS)
Symptoms:
While trying to update a monitor in the GUI, there is an error:
01020036:3: The requested monitor parameter (/Common/my_https_mon 2 RECV_STATUS_CODE=) was not found.
Conditions:
-- The GTM Monitor is created in TMSH.
-- Attempt to modify it via the GUI.
Impact:
You are unable to update monitor values using the GUI.
Workaround:
Use tmsh to modifythese monitor values.
Fix:
Monitor created via TMSH can now be modified via GUI without error.
939845 : BIG-IP MPTCP vulnerability CVE-2021-23004
Solution Article: K31025212
939841 : BIG-IP MPTCP vulnerability CVE-2021-23003
Solution Article: K43470422
939701 : Allow configuration of self-ip address for L2 virtual wire vlan-group
Component: Local Traffic Manager
Symptoms:
You are unable to configure a self-ip address on a L2 virtual wire vlan-group
Conditions:
Configure network in virtual wire mode
Impact:
Unable to configure self-ip address on L2 virtual wire vlan-group
Fix:
You can now configure a SelfIP address for virtual wire untagged and vlan-specific tag interfaces. Support is added for both IPv4 and IPv6. Using this IP address, you can communicate with BIG-IP over the L2 virtual wire interface. Link-local IPv6 address as selfip for virtual wire interfaces is not supported.
939541 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
Component: TMOS
Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.
Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).
Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.
Workaround:
None.
Fix:
TMM no longer shuts down prematurely during initialization.
939529 : Branch parameter not parsed properly when topmost via header received with comma separated values
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.
939421 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
Solution Article: K38481791
939209 : FIPS 140-2 SP800-56Arev3 compliance
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Fix:
Updated cryptographic algorithms and self-tests according to the SP800-56Arev3 standard.
939085 : /config/ssl/ssl.csr directory disappears after creating certificate archive
Component: Local Traffic Manager
Symptoms:
Creating a certificate archive removes the /config/ssl/ssl.csr directory.
Conditions:
This occurs while creating a certificate archive.
Impact:
Missing /config/ssl/ssl.csr directory is causing Integrity Check to fail on an intermittent basis.
Workaround:
Recreate /config/ssl/ssl.csr directory and set correct file permissions:
mkdir /config/ssl/ssl.csr
chmod 755 /config/ssl/ssl.csr/
chcon -R --reference=/config/ssl/ssl.crt/ /config/ssl/ssl.csr
Fix:
The ssl.csr directory is no longer deleted on archive creation.
938537 : Support draft-thomson-quic-bit-grease-00
Component: Local Traffic Manager
Symptoms:
This an improvement; there is no defect or known issue
Conditions:
This an improvement.
Impact:
This should have no impact on endpoints, but it will help to preserve future extensibility of the protocol.
Workaround:
If you wish to disable this function, you can set the db variable quic.bit.grease to 'disable'. When disabled, BIG-IP will neither advertise the ability to accept values other than '1', nor will it send values other than '1'. It will reject packets that set it to '0'.
The reasons to disable would be that (1) something in the path is dropping packets with the greased bit, or (2) future evaluation of the draft shows that this in some way introduces a security or performance impact.
Fix:
BIG-IP now fully implements draft-thomson-quic-bit-grease-00, an optional extension that allows the second bit in each QUIC packet to be a random value instead of always '1', if the client requests it.
Behavior Change:
BIG-IP now fully implements draft-thomson-quic-bit-grease-00, an optional extension that allows the second bit in each QUIC packet to be a random value instead of always '1', if the client requests it.
This should have no impact on endpoints, but it will help to preserve future extensibility of the protocol.
If users wish to disable this function, they can set the db variable quic.bit.grease to 'disable'. When disabled, BIG-IP will neither advertise the ability to accept values other than '1', nor will it send values other than '1'. It will reject packets that set it to '0'.
The reasons to disable would be that (1) something in the path is dropping packets with the greased bit, or (2) future evaluation of the draft shows that this in some way introduces a security or preformance regression.
938293 : importing a JSON policy with Application Language "auto-detect" changes to 'utf8' policy
Component: Application Security Manager
Symptoms:
When importing a JSON policy with Application Language "auto-detect", the policy wrongly gets set as "utf-8".
Conditions:
1. Create a policy with Application Language "auto-detect".
2. Export it as a JSON policy (Verify the policy contains: "applicationLanguage" : "auto-detect".)
3. Import it back
Application language changed to utf-8
Impact:
Application language is set to utf-8 instead of auto-detect
Fix:
Fixed an issue with importing JSON policies.
938233 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Component: Local Traffic Manager
Symptoms:
BIG-IP exhibits gradual and linear increase in memory accumulation (high xfrag accumulation) leading to high CPU utilization.
Impact:
This may start affecting BIG-IPs capacity to serve other incoming requests as CPU utilization tends towards maximum limit.
Fix:
BIG-IP no longer shows the known issues of high memory (xfrag) accumulation that leads to the high CPU utilization.
938165 : TMM Core after attempted update of IP geolocation database file
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.
938149 : Port Block Update log message is missing the "Start time" field
Component: Advanced Firewall Manager
Symptoms:
Port Block Update log message is missing the "Start time" field.
Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with change in susbsriber name for the same client IP address.
Impact:
NAT Log information is not usable for accounting purpose.
Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.
937881 : REST framework (restjavad) upgrade to 64-bit OpenJDK 8 JVM
Component: Device Management
Symptoms:
iControl REST framework needs to be upgraded to 64-bit OpenJDK 8 JVM.
Conditions:
Using iControl REST.
Impact:
There is no functional impact to using the current version.
Workaround:
None
Fix:
REST framework (restjavad) upgrade to 64-bit OpenJDK 8 JVM.
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
Behavior Change:
REST framework (restjavad) upgrade to 64-bit OpenJDK 8 JVM.
Note: This results in an increase in the size of /usr. Although not an issue on its own, cumulative increases in /var, /usr, and /root might result in installation failures on iSeries devices when multiple slots contain software versions 16.1.x or later. Depending on the combination of versions, you might not be able to install/upgrade three TMOS software volumes on your iSeries device (see K41812306: The appdata volume on BIG-IP iSeries platforms is now larger :: https://support.f5.com/csp/article/K41812306 ).
937777 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.
Component: Local Traffic Manager
Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.
Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload
Impact:
Traffic disrupted while the TMM restarts.
Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.
Fix:
Having a Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload will no longer cause the TMM to crash.
937769 : SSL connection mirroring failure on standy with sslv2 records
Component: Local Traffic Manager
Symptoms:
Standby device in ssl connection mirroring config does not handle sslv2 recrods correctly.
Conditions:
SSLv2 records processed by standby high availability (HA) device.
Impact:
Standby device fails handshake, active will finish handshake resulting in non mirrored connection.
Fix:
Standby ssl connection mirroring now handles sslv2 records correctly
937749 : The 'total port blocks' value for NAT stats is limited to 64 bits of range
Component: Advanced Firewall Manager
Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.
Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.
Impact:
Incorrect statistics.
Workaround:
None.
Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.
937637-1 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
937445 : Incorrect signature context logged in remote logger violation details field
Component: Application Security Manager
Symptoms:
An incorrect context (request) is logged for URL signatures in the violation details field.
Conditions:
-- ASM is running with a remote logger that has the violation_details field assigned.
-- A URL signature is matched.
Impact:
The logs do not provide the correct information, which might result in confusion or the inability to use the logged information as intended.
Workaround:
None.
Fix:
The remote logger violation details context field is now correct.
937365 : LTM UI does not follow best practices
Component: TMOS
Symptoms:
The SCTP component of LTM WebUI does not follow current best practices.
Conditions:
- Authenticated LTM WebUI user
Impact:
LTM WebUI does not follow current best practices.
Workaround:
None
Fix:
TMUI now follows best practices.
937333 : Incomplete validation of input in unspecified forms
Component: Global Traffic Manager (DNS)
Symptoms:
Incomplete validation of input in unspecified forms
Conditions:
DNS Provisioned
Impact:
Incomplete validation
Fix:
Proper input validation now performed
936557 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
936125 : SNMP request times out after configuring IPv6 trap destination
Component: TMOS
Symptoms:
SNMP request is times out.
Conditions:
This issue happens with TMOS version v15.1.0.4 or beyond after a IPv6 trap destination is configured.
Impact:
No response is returned for SNMP request.
Workaround:
Restart SNMP daemon by running the following TMSH command:
restart sys service snmpd
Fix:
N/A
935801 : HSB diagnostics are not provided under certain types of failures
Component: TMOS
Symptoms:
In rare cases where the HSB detects an error and triggers an high availability (HA) failover, HSB-specific diagnostic data is not provided.
An example are XLMAC errors, which can be seen in the LTM logs:
<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.
Conditions:
The HSB detects an internal error.
Impact:
There is less HSB data for analysis when an internal HSB occurs.
Workaround:
None.
Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.
935721 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Solution Article: K82252291
935593 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
935433 : iControl SOAP Hardening
Component: TMOS
Symptoms:
Under certain condition, iControl SOAP does not follow current best practices.
Conditions:
- Undisclosed conditions.
Impact:
iControl SOAP doe not follow current best practices.
Workaround:
N/A
Fix:
iControl SOAP now follows current best practices.
935401 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Solution Article: K06440657
935293 : 'Detected Violation' Field for event logs not showing
Component: Application Security Manager
Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The eventlog is reserving space for violations.
935029 : TMM may crash while processing IPv6 NAT traffic
Solution Article: K04048104
934993 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.
Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.
Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.
Workaround:
None.
Fix:
When a peer exceeds a number of concurrent streams allowed by BIG-IP systems, it sends GOAWAY with a REFUSED_STREAM error code and allows graceful completion of all open streams, and then terminates the connection.
934941 : Platform FIPS power-up self test failures not logged to console
Component: TMOS
Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.
Conditions:
A FIPS failure occurs during the power-up self test.
Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.
Workaround:
None.
934801 : Prevention of Audit data loss
Component: TMOS
Symptoms:
Audit logs can consume all available partition space.
Conditions:
Audit logging enabled for a sufficient period of time
Impact:
Audit data loss when /var/log is full.
Workaround:
You can recover disk space by manually removing unneeded logs in /var/log/audit.
Fix:
The BIG-IP system periodically checks for free disk space at '/var/log'. If disk usage exceeds configured threshold and when software detects a possible problem with storing audit logs, all important processes are shut down to prevent generation of audit logs. If this occurs, the admin must manually recover the system.
934721 : TMM core due to wrong assert
Component: Application Visibility and Reporting
Symptoms:
TMM crashes with a core
Conditions:
AFM and AVR provisioned and collecting ACL statistics.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.
Fix:
Fixed a tmm crash related to ACL statistics
934241 : TMM may core when using FastL4's hardware offloading feature
Component: TMOS
Symptoms:
TMM cores.
Conditions:
FastL4's hardware offloading is used.
Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.
Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.
Workaround:
Disable PVA/EPVA on all FastL4 profiles
Fix:
Fix the internal logic error.
934065 : The turboflex-low-latency and turboflex-dns are missing.
Component: TMOS
Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.
Conditions:
The turboflex-low-latency or turboflex-dns in use.
Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.
Workaround:
None.
Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.
933765 : Automap support in FWNAT
Component: Advanced Firewall Manager
Symptoms:
Automap selects the available self IP address as the translated source IP address. FWNAT does not support automap functionality as is available in LTM.
Conditions:
Attempting to use automap functionality as is available in LTM
Impact:
In FWNAT, you cannot select automap as one of the options for source translation.
Workaround:
None
Fix:
FWNAT now supports automap functionality.
933741 : BIG-IP FPS XSS vulnerability CVE-2021-22979
Solution Article: K63497634
933577 : Changes to support DNS Flag Day
Component: Global Traffic Manager (DNS)
Symptoms:
It is important for DNS software vendors to comply with DNS standards, and to use a default EDNS buffer size (1232 bytes) that will not cause fragmentation on typical network links.
Conditions:
IP fragmentation can cause transmission failures when large DNS messages are sent via UDP.
Impact:
Even when fragmentation does work, it may not be secure; it is theoretically possible to spoof parts of a fragmented DNS message, without easy detection at the receiving end.
Fix:
Create a db variable "dns.maxudp" to set a maximum UDP buffer size
933461 : BGP multi-path candidate selection does not work properly in all cases.
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
933409 : Tomcat upgrade via Engineering Hotfix causes live-update files removal★
Component: TMOS
Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.
Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.
Impact:
Live-update functionality does not work properly.
Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.
Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.
933405 : Zonerunner GUI hangs when attempting to list Resource Records
Solution Article: K34257075
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
933329 : The process plane statistics do not accurately label some processes
Component: TMOS
Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.
Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.
Impact:
The percentage of usage of each plane can be confusing or incorrect.
Workaround:
None.
932937 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
Component: Local Traffic Manager
Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.
Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.
Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.
Workaround:
Use an iRule to prevent connections from hanging:
when HTTP_REJECT {
after 1
}
Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.
932893 : Content profile cannot be updated after redirect from violation details in Request Log
Component: Application Security Manager
Symptoms:
BIG-IP issues a redirect to the content profile form that contains relevant violation details in the Request Log. If you follow this redirect and try to update profile, the action fails.
Conditions:
This occurs if you follow the redirect to the content profile page from the violation details page in the Request Log, and then try to update the profile
Impact:
You are unable to update the content profile.
Workaround:
Go to the list content profile page, and update the content profile from there.
Fix:
Update of content profiles works in all cases, including redirect from violation details in Request Log
932825 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device
Component: Local Traffic Manager
Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.
Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages
Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.
Workaround:
None
Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.
932497 : Autoscale groups require multiple syncs of datasync-global-dg
Component: TMOS
Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.
Conditions:
Browser Challenges update image is automatically downloaded.
Impact:
Peers are not synced.
Workaround:
Manually sync datasync-global-db group.
Fix:
Perform full sync for each change when having multiple live update changes in a row.
932437 : Loading SCF file does not restore files from tar file★
Component: TMOS
Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.
Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:
01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles
Impact:
Restoring SCF does not restore contents of file objects.
Workaround:
None.
932285 : Tmm core is seen after multiple failover/ failback with lots of tunnels.
Component: TMOS
Symptoms:
When IPsec tunnel count is high (~300), a tmm core
is generated after multiple failover.
Conditions:
Multiple failovers occur on BIG-IP systems with lots of IPsec tunnels.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm crash related to IPsec tunnels and repeated failover.
932233 : '@' no longer valid in SNMP community strings
Component: TMOS
Symptoms:
The '@' character is no longer valid in SNMP community strings.
Conditions:
Attempting to use the '@' character in SNMP community strings.
Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.
Workaround:
Use a community string that does not contain the '@' character.
932225 : Source translation type of automap not synced properly
Component: Advanced Firewall Manager
Symptoms:
After changing the FWNAT source translation type, the setting is not synced to the other devices.
Conditions:
-- High availability (HA) configuration
-- FWNAT source translation type changed to automap
Impact:
Automap is not synced to the other devices and source translation is not applied at all.
Workaround:
None
Fix:
The source translation type now syncs correctly on the active/standby device.
932213 : Local user db not synced to standby device when it is comes online after forced offline state
Component: Access Policy Manager
Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.
Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.
Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.
Workaround:
None
Fix:
Fixed the issue by handling the forced offline scenario.
932065 : iControl REST vulnerability CVE-2021-22978
Solution Article: K87502622
932045 : Memory leak when creating/deleting LTM node object
Component: Local Traffic Manager
Symptoms:
A memory leak occurs when creating/deleting an LTM node object.
Conditions:
-- Create a node object.
-- Delete the node object.
Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive mode sweeper and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Refrain continuous creation/deletion of LTM nodes.
Fix:
Memory gets freed accordingly while deleting LTM node objects.
931837 : NTP has predictable timestamps
Solution Article: K55376430
931749 : Geolocation database does not show region_name for IP addresses of some Spain provinces
Component: TMOS
Symptoms:
Geolocation database does not show region_name for the IP addresses that belong to Biscay and Gipuzkoa provinces of the Pais Vasco region of Spain.
Conditions:
Using the geolocation database for reference of the region_name for IP addresses that belong to Biscay and Gipuzkoa provinces of the Pais Vasco region of Spain.
Impact:
Geolocation database does not show region_name.
Workaround:
None.
Fix:
Geolocation database now shows the region_name for the IP addresses that belong to the Biscay and Gipuzkoa provinces of the Pais Vasco region of Spain.
931677 : IPv6 hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, handling of IPv6 traffic to BIG-IP owned addressed (e.g. self-IPs) do not follow current best practices.
Conditions:
-- IPv6 strict compliance is enabled (tmsh modify sys db ipv6.strictcompliance value true)
-- IPv6 traffic to BIG-IP owned addresses
Impact:
Handling of IPv6 traffic does not follow current best practices.
Workaround:
Disable IPv6 strict compliance with the command:
tmsh modify sys db ipv6.strictcompliance value false
Fix:
BIG-IP now handles IPv6 traffic in compliance with current best practices.
931513 : TMM vulnerability CVE-2021-22977
Solution Article: K14693346
930905-3 : Management route lost after reboot.
Component: TMOS
Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.
Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).
-- The instance is rebooted.
Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.
Workaround:
Use either of the following workarounds:
-- Delete the route completely and reinstall the route.
-- Restart mcpd:
bigstart restart mcpd
930829 : A virtual server status changes to yellow because of specific sources, which causes DNS to stop responding.
Component: Global Traffic Manager (DNS)
Symptoms:
A virtual server stops DNS response and its status on GUI is yellow.
Conditions:
-- LTM virtual server (or Pool Member or Node) is over the limit.
-- The Connection Rate Limit Mode is rate limited by source or destination.
Impact:
Virtual server stops all DNS response, and the virtual server state in the GUI turns yellow.
Yellow is intended to signify that the virtual server is serving connections but should not receive any further traffic until it goes green. In this case, however, yellow indicates that traffic is OK, as long as it is not from a given client (or to a given destination).
Workaround:
None
Fix:
A new variable, Ignore LTM Rate Limit Modes, has been added to allow optionally ignoring LTM virtual server yellow state caused by connection/rate limit reached in GUI. It can be found in DNS :: Settings : GSLB : General.
930825 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
Component: TMOS
Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the current behavior is to failover to the peer unit and go-offline and down links.
This can be seen the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice high availability (HA) failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice high availability (HA) failover action is cleared.
Followed by a failover event.
Conditions:
It is unknown under what conditions the XLMAC errors occur.
Impact:
The BIG-IP system fails over.
Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.
Fix:
Reboot (rather than restart services) when XLMAC errors exceed threshold.
930741 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
930633 : Delay in using new route updates by existing connections on BIG-IP.
Component: TMOS
Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.
Conditions:
Routes for existing connections on the BIG-IP are updated.
Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.
Fix:
Added DB varible "tmm.inline_route_update". When enabled, packets are checked for new routes before sending out. Its disabled by default.
Behavior Change:
A new db variable has been added, called tmm.inline_route_update. It is disabled by default. When enabled, packets are checked for new routes before sending out.
930561 : SIGABRT from sod watchdog when IPS has large number of hyperscan matches.
Component: Protocol Inspection
Symptoms:
TMM restart as SOD watchdog thinks that TMM is stuck in an infinite loop while its just busy processing of the large amount of hyperscan matches.
Conditions:
Certain IPS snort rules are weak (like NULL bytes) and on certain type of network traffic, it can lead to large number of hyperscan matches and hence it may lead to SIGABRT by SOD watchdog daemon.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the following system compliance checks in IPS profile with action DROP/REJECT.
max_inspection_count -> Change action "DROP"
max_signature_engine_memory_chunk_size -> Change action "DROP"
max_signature_engine_memory_size -> Change action "DROP"
max_signature_hs_match_count -> Change action "DROP"
This will ensure that IPS does not consume more than the allowed system resources and will prevent a crash.
Fix:
Fixed a tmm crash related to IPS
930017 : Bot defense profile upgrade fails from 14.x to 15.x/16.x with error match-order should be unique★
Component: Application Security Manager
Symptoms:
Upgrading Bot defense profile fails with match-order field 1 or 2 fails, while the error is "match-order should be unique"
Conditions:
- ASM provisioned
- Bot defense profile has allow list object (the GUI says whitelist object)
- The object has a field match-order = 1 or 2
- Upgrade happening from 14.x to 15.x/16.x
Impact:
Upgrade fails
Workaround:
Before upgrading
-- Change match-order field 1 to 3
-- Change match-order field 2 to 4
Fix:
Fix changes match-order field 1 to 3 and match-order field 2 to 4 programmatically
930005 : Recover previous QUIC cwnd value on spurious loss
Component: Local Traffic Manager
Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.
Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.
Impact:
Inefficient use of bandwidth in the presence of packet reordering.
Workaround:
None.
Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.
929005 : TS cookie is set in all responses
Component: Application Security Manager
Symptoms:
ASM sends a new cookie in every response, even though there is no change to the cookie name-plus-value.
Conditions:
-- ASM enabled.
-- Hostname is configured in the ASM policy.
-- The pool member sends different cookie values each time.
Impact:
ASM sends a Set-Cookie in every response, and it always sets the same cookie value.
Workaround:
None.
929001 : ASM form handling improvements
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
928893 : QUIC now supports Spin Bit
Component: Local Traffic Manager
Symptoms:
Previous implementations of the QUIC profile did not provide an option to measure the path round-trip interval. In this release, QUIC includes an explicit signal to the network that allows observers to measure the path round-trip time. This can help network management.
Conditions:
-- Using the QUIC profile.
-- Attempting to measure the path round-trip interval.
Impact:
No functionality for doing so.
Workaround:
None.
Fix:
In this release, you can use the 'Spin Bit' option to measure the path round-trip interval. When 'Spin Bit' is enabled in the QUIC profile, the BIG-IP system behaves in accordance with https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#name-latency-spin-bit.
The 'Spin Bit' option is on by default. Previously, BIG-IP systems did not provide this functionality.
Behavior Change:
When 'Spin Bit' is enabled in the QUIC profile, the BIG-IP system behaves in accordance with https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#name-latency-spin-bit.
QUIC includes an explicit signal to the network that allows observers to measure the path round-trip time. This can help network management.
This is on by default. Previously, BIG-IP systems did not provide this functionality.
928857 : Use of OCSP responder may leak X509 store instances
Component: Local Traffic Manager
Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
928805 : Use of OCSP responder may cause memory leakage
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.
Workaround:
No workaround.
928789 : Use of OCSP responder may leak SSL handshake instances
Component: Local Traffic Manager
Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.
Conditions:
OCSP responder configured.
Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.
Workaround:
No workaround.
928717 : [ASM - AWS] - ASU fails to sync
Component: Application Security Manager
Symptoms:
Live Update configuration is not updated.
Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.
Impact:
Automatic signature updates (ASU) fail to sync.
Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:
1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.
928697 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
928685 : ASM Brute Force mitigation not triggered as expected
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when ASM_REQUEST_DONE
{
if { [catch { HTTP::username } ] } {
log local0. "ERROR: bad username";
ASM::raise bad_auth_header_custom_violation
}
}
Fix:
Brute Force mitigation is now triggered as expected.
928605 : Browser performs local port scanning during browser verification
Component: Application Security Manager
Symptoms:
When using Bot Defense Browser Verification, the browser scans localhost ports.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Browser Verification is set to 'verify before access' or 'verify after access'.
Impact:
Localhost ports are scanned.
Workaround:
None.
Fix:
Disabled localhost port scanning.
928553 : LSN64 with hairpinning can lead to a tmm core in rare circumstances
Component: Carrier-Grade NAT
Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.
Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.
Impact:
Tmm cores. Traffic disrupted while tmm restarts.
Workaround:
Disable full proxy config of hairpinning.
Fix:
Tmm does not crash anymore.
928321 : K19166530: XSS vulnerability CVE-2020-27719
Solution Article: K19166530
928037 : APM Hardening
Solution Article: K15310332
927941 : IPv6 static route BFD does not come up after OAMD restart
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
927713 : Secondary blade IPsec SAs lost after standby reboot using clsh reboot
Component: Local Traffic Manager
Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.
Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.
Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.
Workaround:
Perform a reboot from the GUI.
Fix:
Running 'clsh reboot' on the primary blade or 'ssh reboot' on a secondary blade no longer hangs, so operations complete as expected.
927617 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contain the valid cookie value is encoded to base64.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.
927569 : HTTP/3 rejects subsequent partial SETTINGS frames
Component: Local Traffic Manager
Symptoms:
HTTP/3 aborts the connection upon receipt of a 'second' SETTINGS frame.
Conditions:
HTTP/3 first receives an incomplete SETTINGS frame, followed by more SETTINGS frame bytes.
Impact:
Connection fails to complete.
Workaround:
None.
Fix:
HTTP/3 now gracefully handles receiving an incomplete SETTINGS frame.
927033 : Installer fails to calculate disk size of destination volume★
Component: TMOS
Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:
error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.
Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:
[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map
Impact:
Unable to successfully upgrade.
Workaround:
Create the expected symlink manually:
cd /dev/md
ln -s ../md127 _none_\:0
926997 : QUIC HANDSHAKE_DONE profile statistics are not reset
Component: Local Traffic Manager
Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.
Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.
Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.
Workaround:
Restart tmm to reset all statistics:
Impact of Workaround: Traffic disrupted while tmm restarts.
bigstart restart tmm
Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.
926985 : HTTP/3 aborts stream on incomplete frame headers
Component: Local Traffic Manager
Symptoms:
HTTP/3 streams abort at seemingly arbitrary times when BIG-IP is receiving large amounts of data.
Conditions:
HTTP/3 receives an incomplete frame header on a given stream.
Impact:
Data transfer is incomplete.
Workaround:
None
Fix:
HTTP/3 now gracefully handles incomplete frame headers.
926973 : APM / OAuth issue with larger JWT validation
Component: Access Policy Manager
Symptoms:
When the access profile type is OAuth-RS or ALL, and sends a request with a Bearer token longer than 4080 bytes in the Authorization header to the virtual server, OAuth fails with ERR_NOT_SUPPORTED.
Conditions:
Bearer token longer than 4080 bytes
Impact:
APM oauth fails with ERR_NOT_SUPPORTED.
Workaround:
None.
Fix:
OAuth can now handle bearer tokens longer than 4080 bytes.
926957 : Incorrect handshake RTT(RoundTripTime) reported for encrypted video traffic
Component: Traffic Classification Engine
Symptoms:
- Sometimes, an incorrect(very high value) of handshake round trip time is reported for the encrypted video traffic sessions.
Conditions:
- Behavioral classifier is enabled for Classification Engine and encrypted traffic is processed, the resulting HSL log has a high RTT value intermittently.
Impact:
- Incorrect value (high value) is reported in the Encrypted Video classification log.
926929 : RFC Compliance Enforcement lacks configuration availability
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None.
Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:
HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).
926757 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
Component: Local Traffic Manager
Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
Conditions:
Virtual-server with an address space overlapping with a self-IP, capable of handling ICMP traffic, for example:
ip-forward wildcard 0.0.0.0/0 virtual-server
Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.
Workaround:
There is no workaround.
926593 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets
926513 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
Component: Local Traffic Manager
Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.
Conditions:
A virtual server provisioned with the following configuration:
--HTTP/2 default pool.
--HTTP/2 clone pool (server).
--HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.
Impact:
Clone pools (server) do not mirror HTTP/2 traffic.
Workaround:
None.
Fix:
Clone pools (server) are able to successfully mirror HTTP/2 traffic.
926197 : BIG-IP can forward HTTP headers separately from body when HTTP::collect is in use
Component: Local Traffic Manager
Symptoms:
BIG-IP forwards HTTP headers separately from the body to the client/server if the headers arrive without any body (behavior change due to ID455560 in v13.0.0)
Conditions:
HTTP virtual server using an iRule containing HTTP::collect
Impact:
BIG-IP forwards the headers separately from the body to the client/server
Fix:
HTTP::collect will avoid egress of just the header when HTTP::collect is in use
925797 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
Component: TMOS
Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.
The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.
One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.
Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.
Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.
Workaround:
None.
Fix:
The mcpd process no longer runs out of memory with the stated configuration.
924961 : CVE-2019-20892: SNMP Vulnerability
Solution Article: K45212738
924929-4 : Logging improvements for VDI plugin
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names along with the exceptions are also seen in the APM log file.
924857 : Logout URL with parameters resets TCP connection
Component: Access Policy Manager
Symptoms:
TCP connection reset when 'Logout URI Include' configured.
Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
/logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
/logoff.html?a=b
Impact:
TCP connection resets, reporting BIG-IP APM error messages.
'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.
Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.
Workaround:
None
Fix:
The system now ignores unsupported query parameters.
924697 : VDI data plane performance degraded during frequent session statistic updates
Component: Access Policy Manager
Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.
Conditions:
APM is used as VDI proxy for Citrix or VMware.
Impact:
APM's VDI proxy does not perform to its full capacity.
Workaround:
None.
Fix:
Improved data plane performance for VDI use cases (Citrix/VMware proxy).
924521 : OneConnect does not work when WEBSSO is enabled/configured.
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.
Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.
924493 : VMware EULA has been updated
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
924429 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
924349 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP
Component: Service Provider
Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.
Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses
Impact:
Unable to see multiple HostIPAddress in CER/CEA
Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.
924301 : Incorrect values in REST response for DNS/SIP
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached
Impact:
An incorrect value is calculated in the REST response.
Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation
923301 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
Component: Application Security Manager
Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.
Conditions:
Automatic installation of ASU on manual sync setup.
Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.
Workaround:
Manually sync the device group.
Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.
923233 : Incorrect encoding in 'Logout Page' for non-UTF8 security policy
Component: Application Security Manager
Symptoms:
Fields in 'Logout Page' for a non-UTF8 security policy has incorrect encoding for values, including non-English characters in the GUI and iControl REST.
Conditions:
This can be encountered while creating a non-UTF8 security policy via iControl REST, where the 'expected' and 'unexpected' fields contain non-UTF8 content.
Impact:
Logout Page field values are displayed with the wrong encoding.
Workaround:
None.
Fix:
Fixed embedded entities encoding in REST entities data.
923125 : Huge amount of admd processes caused oom
Component: Anomaly Detection Services
Symptoms:
The top command shows that a large number of admd processes are running.
Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.
Impact:
Memory is exhausted.
Workaround:
Restart admd:
bigstart restart admd
Fix:
This issue no longer occurs.
922665 : The admd process is terminated by watchdog on some heavy load configuration process
Component: Anomaly Detection Services
Symptoms:
The watchdog process in the BIG-IP ASM monitors terminates the admd process.
Conditions:
On some heavy load configuration process, such as version upgrade.
Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.
Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:
bigstart stop admd
bigstart start admd
922597 : BADOS default sensitivity of 50 creates false positive attack on some sites
Component: Anomaly Detection Services
Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.
Conditions:
This can occur for some requests that have high latency and low TPS.
Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.
Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500
For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.
The results is that the attack is declared later than for the default value, but it is declared and the site is protected.
Fix:
Default sensitivity value 500 now illuminates false positive DoS attacks declaration.
922297 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).
922261 : WebSocket server messages are logged even it is not configured
Component: Application Security Manager
Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.
Impact:
Remote logging server overloaded with unexpected WebSocket messages.
Workaround:
Set response-logging=illegal in all remote logging profiles.
Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.
921881 : Use of IPFIX log destination can result in increased CPU utilization
Component: Local Traffic Manager
Symptoms:
-- Increased baseline CPU.
- The memory_usage_stats table shows a continuous increase in mds_* rows.
Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.
Impact:
Increased baseline CPU may result in exhaustion of CPU resources.
Workaround:
Limiting changes to associated configuration can slow the effects of this issue.
921721 : FIPS 140-2 SP800-56Arev3 compliance
Component: Local Traffic Manager
Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.
Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.
Impact:
BIG-IP will comply with the older standard.
Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.
921677 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
Component: Application Security Manager
Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:
Bot defense profile <profile full name> error: match-order should be unique.
Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.
2. Delete item with the value: match-order 2 (in tmsh), and save.
3. Switch to the GUI, add new allow list item, and save.
Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.
Workaround:
Drag between two items, and then drag back.
Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.
921625 : The certs extend function does not work for GTM/DNS sync group
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
921421 : iRule support to get/set UDP's Maximum Buffer Packets
Component: Local Traffic Manager
Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.
Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.
Impact:
Unable to dynamically change the max buffer packets setting in an iRule.
Workaround:
None
Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts
Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.
921369-1 : Signature verification for logs fails if the log files are modified during log rotation
Component: TMOS
Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.
Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs
Impact:
Signature verification may fail on rotated log files.
Fix:
Fixed an issue with signature verification failing on valid log files.
921361 : SSL client and SSL server profile names truncated in GUI
Component: TMOS
Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.
Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.
Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.
Note: The fields remain at the limited width even when the browser window is maximized.
Workaround:
Use tmsh to see the full SSL client and SSL server name.
921337 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976
Solution Article: K88230177
921065-1 : BIG-IP systems not responding to DPD requests from initiator after failover
Component: TMOS
Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.
Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.
Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.
Workaround:
None.
Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.
921001 : After provisioning change, pfmand might keep interfaces down on particular platforms
Component: TMOS
Symptoms:
After a provisioning change, pfmand might keep interfaces down.
Conditions:
-- Provisioning change on the following platforms:
+ i850
+ i2600 / i2800
+ i4600 / i4800
+ 2000- and 4000-series
-- Link Down Time on Failover configured to a non-zero value (the default is '10').
Impact:
Interfaces remain DOWN.
Workaround:
Follow this procedure:
1. Set db failover.standby.linkdowntime to '0'.
2. To bring interfaces UP again, restart pfmand:
bigstart restart pfmand
920961 : Devices incorrectly report 'In Sync' after an incremental sync
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.
To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------
NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.
920789 : UDP commands in iRules executed during FLOW_INIT event fail
Component: Local Traffic Manager
Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.
Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.
Impact:
UDP commands in iRules executed during FLOW_INIT event fail.
Workaround:
None.
Fix:
UDP PCB is initialized before FLOW_INIT.
920361 : Standby device name sent in Traffic Statistics syslog/Splunk messages
Component: Advanced Firewall Manager
Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.
Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.
Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.
Workaround:
None.
Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.
920205 : Rate shaping might suppress TCP RST
Component: Local Traffic Manager
Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.
Conditions:
Rate shaping is configured.
Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.
Workaround:
Do not use rate-shaping.
Fix:
TCP RSTs are no longer dropped by the rate-shaping instance.
920197 : Brute force mitigation can stop mitigating without a notification
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
919989 : TMM does not follow TCP best practices
Solution Article: K64571774
919885 : A TCP connection is not closed after invoking the HTTP::respond iRule command.
Component: Local Traffic Manager
Symptoms:
After sending a HTTP response that would normally cause the underlying TCP connection to get closed, the BIG-IP system fails to close the TCP connection.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule command is used.
- The HTTP filter sets the "Connection: close" header (for example, in response to a HTTP/1.0 request that does not request Keep-Alive behavior).
Impact:
The TCP connection lives longer than needed, and even allows the client to send subsequent requests over the same connection.
Workaround:
N/A
Fix:
TCP connection is now closed as necessary after invoking the HTTP::respond iRule command.
919841 : AVRD may crash while processing Bot Defense traffic
Solution Article: K45143221
919745 : CSV files downloaded from the Dashboard have the first row with all 'NaN
Component: TMOS
Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'
Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.
Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.
Workaround:
None.
Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.
919553 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
919381-2 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups
Component: Advanced Firewall Manager
Symptoms:
Currently AFM does not have support to match rules against multiple subscriber policies
Conditions:
-- AFM provisioned
-- You wish to match rules against multiple subscriber policies
Impact:
AFM rules cannot be matched against multiple subscriber policies
Workaround:
None
Fix:
Enhancing the AFM rules matching against multiple subscriber policies
919317 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using EMCP routes reachable via recursive nexthops.
919249 : NETHSM installation script hardening
Component: Local Traffic Manager
Symptoms:
The nethsm-safenet-install.sh script does not follow current best practices when installing the Safenet NETHSM.
Conditions:
-Installation of the Safenet NETHSM
Impact:
The nethsm-safenet-install.sh script does not follow current best practices.
Workaround:
N/A
Fix:
The nethsm-safenet-install.sh script now follows current best practices when installing the Safenet NETHSM.
919001 : Live Update: Update Available notification is shown twice in rare conditions
Component: Application Security Manager
Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.
Conditions:
This can be encountered on the first load of the Live Update page.
Impact:
Notification is shown twice.
Workaround:
None.
Fix:
Notification is shown only once in all cases.
918933 : The BIG-IP ASM system may not properly perform signature checks on cookies
Solution Article: K88162221
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
918929 : NetHSM install scripts - remove references to fipskey.nethsm
Component: Local Traffic Manager
Symptoms:
Fipskey.nethsm is deprecated
However, when running the nethsm-[safenet/thales]-install script, the script logs a reference to fipskey.nethsm
Conditions:
Shows the following statements during the installation:
Successfully set SafeNet HSM for use with 'fipskey.nethsm'. <====
> Registering SafeNet HSM in the BIG-IP config ...
> Setting Thales HSM for use with 'fipskey.nethsm' ... <====
> Registering Thales HSM in BIG-IP config ...
Impact:
Could create a confusion since fipskey.nethsm is no longer supported.
Fix:
Removed the reference to fipskey.nethsm from the install scripts.
918905 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
Component: Advanced Firewall Manager
Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use. Errors are reported to the terminal screen:
pccd[23494]: 015d0000:0: pccd encountered a fatal error and will be restarted shortly...
Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.
Impact:
PCCD goes into a restart loop. PCCD is not functional until there are 256 or fewer entries.
Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.
To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd
Fix:
PCCD restart loop no longer occurs when using more than 256 FQDN entries in Firewall Rules.
918717 : Exception at rewritten Element.innerHTML='<a href></a>'
Component: Access Policy Manager
Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.
Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:
<script>
d = document.createElement('div')
try {
d.innerHTML = "<a href b=1>click</a>"
}catch(e){
alert(e.message);
}
</script>
Impact:
Web page does not load properly.
Workaround:
Find the "href" attributes of anchor tag and give some empty value to it:
Before:
<a href></a>
After:
<a href=""></a>
Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.
918597 : Under certain conditions, deleting a topology record can result in a crash.
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
918409 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
Component: TMOS
Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.
Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.
Impact:
Traffic disrupted on the tmm process that is looping indefinitely.
Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.
Note: The change does not persist across software installs.
a. mount -o remount,rw /usr
b. Edit /defaults/daemon.conf and put these contents at the top of the file:
sys daemon-ha tmm24 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm25 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm26 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm27 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
c. mount -o remount,ro /usr
2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:
tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm
918277 : Slow Ramp does not take into account pool members' ratio weights
Component: Local Traffic Manager
Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.
Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.
Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.
Workaround:
None.
Fix:
Ratio weights are now taken into account for pool members.
918209 : GUI Network Map icons color scheme is not section 508 compliant
Component: TMOS
Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.
Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.
Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.
Workaround:
None.
Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.
918169 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
918097 : Cookies set in the URI on Safari
Component: Application Security Manager
Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.
Impact:
A cookie is set on the URL.
Workaround:
None.
Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.
This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable
Default value is the original behavior (enable), which sets the cookie in the URl.
NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.
918093 : Access-Control-Allow-Origin header with trailing white spaces causes Portal Access CORS failure.
Component: Access Policy Manager
Symptoms:
'Access-Control-Allow-Origin' header value may contain trailing white spaces in very rare cases, for example:
Access-Control-Allow-Origin: http://example.com \r\n
In this case, Cross-Origin Resource Sharing (CORS) validation may fail if the 'Origin' header value contains the same value as that of 'Access_Control_Allow_Origin', but without trailing white spaces, for example:
Origin: http://example.com\r\n
If CORS validation fails, content on the browser gets blocked.
Conditions:
-- 'Origin' header and 'Access-Control-Allow-Origin' header values match except for the trailing white space.
-- Using Portal Access to access the resource.
Impact:
Web application content gets blocked on the browser when accessed through Portal Access.
Workaround:
Use an iRule to truncate trailing white space from 'Access-Control-Allow-Origin' headers.
Fix:
Now, content does not get blocked if 'Origin' header and 'Access-Control-Allow-Origin' header values match except for trailing white space.
918081 : Application Security Administrator role cannot create parent policy in the GUI
Component: Application Security Manager
Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created
Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.
Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.
Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.
Fix:
The Application Security Administrator role can now create the parent policy when required.
917509 : BIG-IP ASM vulnerability CVE-2020-27718
Solution Article: K58102101
917469 : TMM may crash while processing FPS traffic
Solution Article: K53821711
917005 : ISC BIND Vulnerability: CVE-2020-8619
Solution Article: K19807532
916969 : Support of Microsoft Identity 2.0 platform
Component: Access Policy Manager
Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.
Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.
Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.
Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.
916821 : iControl REST vulnerability CVE-2021-22974
Solution Article: K68652018
916781 : Validation error while attaching DoS profile to GTP virtual
Component: Service Provider
Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.
Conditions:
Attach DoS security profile to GTP virtual server.
Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.
Workaround:
None.
Fix:
Create GTP virtual profile and attach DoS security profile to it. No validation error should be reported.
916753 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.
Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:
RESOLV::lookup @/Common/my_dns_virtual www.example.com
Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.
For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:
instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53
916589 : QUIC drops 0RTT packets if CID length changes
Component: Local Traffic Manager
Symptoms:
QUIC sometimes rejects valid 0RTT packets.
Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.
Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.
Workaround:
None.
Fix:
Fixed an issue with 0RTT packets when using QUIC.
915969 : Truncated QUIC connection close reason
Component: Local Traffic Manager
Symptoms:
The connection close reason in QUIC is limited to 5 bytes prior to the path being validated. This makes it difficult to debug early connection failures.
Conditions:
A connection close is sent in QUIC before the path is validated.
Impact:
Connection close reason is limited to 5 bytes before the path is validated.
Workaround:
None
Fix:
Reason string limits are now derived from the amount of credit we have remaining to send. This should allow a longer reason string in almost all cases.
915825 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Component: TMOS
Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
915713 : Support QUIC and HTTP3 draft-29
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.
Conditions:
Browser requests draft-29.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.
915689 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
915605 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Solution Article: K56251674
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
915509 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
915497 : New Traffic Class Page shows multiple question marks.
Component: TMOS
Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.
Conditions:
This is encountered when creating a new Traffic Class.
Impact:
Multi-byte characters are displayed incorrectly.
Workaround:
None.
Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.
915489 : LTM Virtual Server Health is not affected by iRule Requests dropped
Component: Anomaly Detection Services
Symptoms:
Virtual Server Health should not take into account deliberate drop requests.
Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.
Impact:
Server Health reflects it is overloading status more precisely.
Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.
Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.
915305 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.
Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
915281 : Do not rearm TCP Keep Alive timer under certain conditions
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
914761 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
Component: TMOS
Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:
Unexpected Error: UCS saving process failed.
Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.
Impact:
UCS file is not successfully saved and backup fails.
Workaround:
None.
914681 : Value of tmm.quic.log.level can differ between TMSH and GUI
Component: Local Traffic Manager
Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.
Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.
Impact:
Misleading log level displayed in the GUI.
Workaround:
Use TMSH to set and view values for tmm.quic.log.level.
Fix:
GUI values for tmm.quic.log.level are now displayed properly.
914649 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
914293 : TMM SIGSEGV and crash
Component: Anomaly Detection Services
Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.
Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.
Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.
Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.
914277 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.
Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.
Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.
914245 : Reboot after tmsh load sys config changes sys FPGA firmware-config value
Component: TMOS
Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.
Chmand reports errors:
chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]
Conditions:
Running either of the following commands:
tmsh load sys config
/etc/init.d/fw_update_post reload
Impact:
Firmware update fails.
Workaround:
Use this procedure:
1. Mount /usr:
mount -o rw,remount /usr
2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload
3. Reload systemctl:
systemctl daemon-reload
4. Reload the file:
/etc/init.d/fw_update_post reload
Fix:
Added the reload option in fw_update_post service file.
914061 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size
Component: Local Traffic Manager
Symptoms:
HTTP/2 protocol allows a negative flow-control window on initial stage of communication while first 65,535 bytes of payload are delivered from a peer. BIG-IP may break this requirement.
Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.
Impact:
BIG-IP denies the POST request and sends RST_STREAM.
Fix:
BIG-IP allows a negative flow-control window on initial request allowing a peer to fill all 65,535 bytes of flow-control window even if it exceeds an advertised receive window size.
Behavior Change:
For an HTTP/2 client or a server BIG-IP may impose a delay up to 20 seconds if a peer sends 65,535 bytes of payload over a single stream and does not respond timely with SETTINGS/ACK frame to a SETTINGS frame sent by BIG-IP.
913849-3 : Syslog-ng periodically logs nothing for 20 seconds
Component: TMOS
Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.
Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)
Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.
Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.
Workaround:
None.
Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.
913829 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.
913761 : Security - Options section in navigation menu is visible for only Administrator users
Component: Application Security Manager
Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.
Conditions:
You logged in as a user configured with a role other than Administrator.
Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.
Workaround:
Direct links to the pages work for those with the appropriate roles.
Fix:
Security - Options section is available for all user roles when at least one of the following is enabled:
-- ASM
-- DoS
-- FPS
-- AFM
913757 : Error viewing security policy settings for virtual server with FTP Protocol Security
Component: Application Security Manager
Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:
An error has occurred while trying to process your request.
Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.
Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:
An error has occurred while trying to process your request.
Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:
-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:
tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }
Fix:
You can now attach FTP or SMTP profile with protocol security enabled and navigate to 'Security :: Policies' without error.
913729 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
Fix:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV). If you roll forward a configuration that contains this feature, the system removes it from the configuration and prints a log message.
Behavior Change:
The BIG-IP DNS validating resolver no longer supports DNSSEC lookaside validation (DLV).
913453-1 : URL Categorization: wr_urldbd cores while processing urlcat-query
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
Fix:
Fixed a core with wr_urldb.
913433 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)
Workaround:
None.
913373 : No connection error after failover with MRF, and no connection mirroring
Component: Service Provider
Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.
Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.
Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.
Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.
913361 : The high availability (HA) incremental sync reverts to full load after SSL Orchestrator configuration changes
Component: TMOS
Symptoms:
When a BIG-IP administrator initiates a high availability (HA) sync from one high availability (HA) peer to another, pending SSL Orchestrator configuration changes yield a full configuration load instead of an incremental update.
Conditions:
BIG-IP high availability (HA) configuration with SSL Orchestrator or similar iAppLX configurations
Impact:
This may impact the overall performance of the sync across the high availability (HA) peers during frequent changes of SSL Orchestrator or similar iAppLX configurations.
Workaround:
There is no workaround at this time.
Fix:
Issuing the high availability (HA) sync following an SSL Orchestrator configuration change yields an incremental configuration update across the high availability (HA) configuration.
913249 : Restore missing UDP statistics
Component: Local Traffic Manager
Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
Conditions:
Viewing UDP statistics.
Impact:
Unable to view these UDP statistics.
Workaround:
None.
Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes
913137 : No learning suggestion on ASM policies enabled via LTM policy
Component: Application Security Manager
Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.
Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.
This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.
Impact:
No learning suggestions.
Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.
Fix:
Policy builder now classifies non-bot traffic and applies learning suggestions.
912969 : iAppsLX REST vulnerability CVE-2020-27727
Solution Article: K50343630
912761 : Link throughput statistics are different
Component: Global Traffic Manager (DNS)
Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.
Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.
Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.
Workaround:
Do not use the same uplink for different BIG-IP devices.
Fix:
GTM/DNS server now calculates the link throughput based on the aggregation of the link stats for the same link on different BIG-IP systems.
912509 : Upgrade may cause an aced core file★
Component: Access Policy Manager
Symptoms:
After loading a UCS file, aced cores.
Conditions:
This can occur after upgrading, while loading the UCS file. The exact conditions that trigger it are unknown.
Impact:
An aced core file is left on the BIG-IP system. The BIG-IP system stills functions normally.
Workaround:
None.
Fix:
Corrected conditions that might have caused aced to crash during stop/restart. When loading UCS files, typically daemons need to stop and restart.
912425 : Modification of in-tmm monitors may result in crash
Component: In-tmm monitors
Symptoms:
TMM crash.
Conditions:
-- Modify in-tmm monitors.
-- Perform configuration sync.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Disable in-tmm monitors.
-- Avoid config syncing to the active device.
912089 : Some roles are missing necessary permission to perform Live Update
Component: Application Security Manager
Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.
Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.
Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.
Workaround:
None.
Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator
912001 : TMM cores on secondary blades of the Chassis system.
Component: Local Traffic Manager
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
911853 : Stream filter chunk-size limits filter to a single match per ingress buffer
Component: Local Traffic Manager
Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:
https://support.f5.com/csp/article/K39394712
Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.
Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.
Workaround:
None.
Fix:
The stream filter can now successfully find and replace matches beyond chunk-size within a single ingress buffer.
911777 : BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.
Component: Local Traffic Manager
Symptoms:
If the server certificate status is revoked, SSL forward proxy configured with a new server SSL profile might drop the connection.
Conditions:
-- New SSL forward proxy server SSL profile is attached to the virtual server.
-- Revoked-cert-status-response-control is set to the default value (drop).
-- Certificate status service (e.g., CRL/OCSP) is configured on the server SSL profile.
Impact:
BIG-IP client connections are reset.
Workaround:
Change revoked-cert-status-response-control to ignore on the server SSL profile.
Fix:
If ssl-forward-proxy is enabled for new server SSL profiles, and revoked-cert-status-response-control is not specified, it will automatically be set to ignore. Client connection go through and the client will see a forged revoked certificate status.
911761 : F5 TMUI XSS vulnerability CVE-2020-5948
Solution Article: K42696541
911041 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
Component: Local Traffic Manager
Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.
Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.
Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.
910905 : Unexpected tmm core
Component: Local Traffic Manager
Symptoms:
A tmm core occurs unexpectedly and causes a failover event.
Conditions:
This can occur while tmm is in normal operation. An internal error occurs when deleting an old SSL session during SSL handshake.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed incorrect internal deletion of expired SSL sessions.
910653 : iRule parking in clientside/serverside command may cause tmm restart
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.
910521 : Support QUIC and HTTP draft-28
Component: Local Traffic Manager
Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.
Conditions:
Browser requests draft-28.
Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.
Workaround:
None.
Fix:
The BIG-IP system now supports draft-28 and draft-27, and has removed draft-25 support.
910417 : TMM core may be seen when reattaching a vector to a DoS profile
Component: Advanced Firewall Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.
910253 : BD error on HTTP response after upgrade★
Component: Application Security Manager
Symptoms:
After upgrade, some requests can cause BD errors on response:
BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040
IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.
Impact:
For some requests, the response can arrive truncated or not arrive at all.
Workaround:
Add an iRule that deletes ASM cookies:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.
910201 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended;
This occurs for various reasons; BIG-IP end users have no influence on it occurring.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
910097 : Changing per-request policy while tmm is under traffic load may drop heartbeats
Component: Access Policy Manager
Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash
Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.
910017 : Security hardening for the TMUI Interface page
Solution Article: K21540525
909997 : Virtual server status displays as unavailable when it is accepting connections
Component: Local Traffic Manager
Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.
Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.
Impact:
Actual virtual server status is not reflected in GUI.
Workaround:
If the deployment design allows, you can use either of the following workarounds:
-- Remove the source address list from the virtual server.
-- Have a single address in the source address list.
909677 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
Component: Local Traffic Manager
Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.
Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection that is unencrypted.
Impact:
The impact of this issue varies based on how the application reacts at the server-side.
Workaround:
None.
909197 : The mcpd process may become unresponsive
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.
908673 : TMM may crash while processing DNS traffic
Solution Article: K43850230
908601 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
Component: TMOS
Symptoms:
When the BIG-IP system boots, mcpd continually restarts.
Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.
Impact:
The BIG-IP system is unable to complete the boot process and become active.
Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.
Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.
You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.
If the system is already in the defective state, use this shell command, and then reboot:
touch /.tmos.platform.init
The problem should be resolved.
Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.
908517 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
Component: TMOS
Symptoms:
LDAP authentication fails with an error message:
err nslcd[2867]: accept() failed: Too many open files
Conditions:
This problem occurs when user-template is used instead of Bind DN.
Impact:
You cannot logon to the system using LDAP authentication.
Workaround:
None.
Fix:
LDAP authentication now succeeds when user-template is used.
908465 : Unable to set LACP system priority manually
Component: Local Traffic Manager
Symptoms:
LACP system priority is calculated internally using the system MAC. This occasionally results in priority being calculated as 0, which is not accepted by third party devices, such as Cisco.
Conditions:
-- LACP is enabled on BIG-IP system.
-- The last two octets of system MAC are zero.
Impact:
LACP system priority is calculated as 0 which is rejected by Cisco.
Note: BIG-IP administrators have no manual control over setting the LACP system priority value.
Workaround:
None.
Behavior Change:
New schema changes added for setting LACP system priority manually.
908173 : Empty fields are shown in the policy version history
Component: Application Security Manager
Symptoms:
Empty fields are displayed instead of N/A in the policy version history.
Conditions:
1. Create and apply a new policy.
2. Open General Settings screen.
3. Open Policy Version History.
Impact:
Empty fields are shown (Source Policy Name and Source Host Name are empty), potentially implying an error condition, when in fact the field values are not applicable in this case.
Workaround:
None.
Fix:
N/A text is shown in Source Policy Name and Source Host Name fields when required.
908065 : Logrotation for /var/log/avr blocked by files with .1 suffix
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
908021 : Management and VLAN MAC addresses are identical
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
907997 : Source Policy Name instead of Current Policy used in Restore Policy Version
Component: Application Security Manager
Symptoms:
When trying to restore the policy from a previous version, the incorrect policy name is shown in the dialog window.
Conditions:
This is encountered while restoring policies from a previous version via the GUI.
Impact:
Misleading policy name is shown on restore policy dialog.
Workaround:
None.
Fix:
Correct policy name is shown on restore policy dialog window.
907873 : Authentication tab is missing in VPE for RDG-RAP Access Policy type
Component: Access Policy Manager
Symptoms:
Authentication tab is missing in Visual Policy Editor (VPE) for RDG-RAP Access Policy type
Conditions:
Configuration of RDG-RAP Access Policy type in VPE.
Impact:
Authentication tab with AD/LDAP Query agents is missing in VPE.
Workaround:
Use the tmsh cli configuration of AD/LDAP Query for RDG-RAP Access Policy type.
Fix:
Appearance of Authentication tab in VPE for RDG-RAP Access Policy type is fixed.
907765 : BIG-IP system does not respond to ARP requests if it has a route to the source IP address
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system receives an ARP request from a source IP address for which it has a route configured, the BIG-IP system does not give an ARP reply.
Conditions:
-- BIG-IP system receives an ARP who-is request for one of its self ip addresses.
-- The source IP address is in a different network, and the BIG-IP system has an L3 route configured for it.
Impact:
BIG-IP does not send an ARP reply.
Workaround:
None.
Fix:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
Behavior Change:
A db variable has been added called 'arp.verifyreturnroute' that can disable the TMM process's checking for a valid return route for ARP requests. It defaults to 'enable', which is the normal BIG-IP behavior. It can be set to 'disable' to disable the dropping of the request if a return route exists.
907645 : IPsec SAs may not be mirrored to HA standby
Component: TMOS
Symptoms:
Some IPsec Security Associations (SAs) may not be mirrored to the HA standby device.
Conditions:
-- HA mirrored configured
-- Many IPsec tunnels are established
Impact:
The HA standby system is unable to take over established tunnels when HA failover happens.
Workaround:
None
Fix:
All IPsec SAs are mirrored to the high availability (HA) standby device.
907473 : MRF DIAMETER: New iRule command to skip capabilities exchange
Component: Service Provider
Symptoms:
A new iRule command is available, DIAMETER::skip_capabilities_exchange, to skip the capabilities exchange messages.
Conditions:
To skip the capabilities exchange messages
-- Within an internal virtual server for protocol translation.
-- Analyzing a tab connection for logging/analysis.
-- Internally generated DIAMETER messages (e.g., for logging, authentication, etc.).
Impact:
When DIAMETER::skip_capabilities_exchange is executed during the CLIENT_ACCEPTED event, the BIG-IP system bypasses capabilities exchange messaging and causes the connection to be able to immediately accept DIAMETER messages.
Workaround:
None needed. This is new capability.
Fix:
New iRule DIAMETER::skip_capabilities_exchange, to skip the capabilities exchange messages.
Behavior Change:
The following iRule command is now available:
DIAMETER::skip_capabilities_exchange
Once called, the current connection skips DIAMETER capabilities exchange message communication with the peer device and is immediately able to receive DIAMETER messages.
907337 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
907245 : AFM UI Hardening
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the AFM WebUI does not follow current best practices.
Conditions:
- AFM provisioned
- Authenticated AFM WebUI user
Impact:
AFM WebUI does not follow current best practices.
Workaround:
N/A
Fix:
AFM WebUI now follows current best practices
907205 : CentOS Security Update for libssh2
Component: TMOS
Symptoms:
The vulnerability found in the libssh2 library. The libssh2 provides the library to implement the SSH2 protocol. This could have been exploited to gain the partial access to sensitive information. This can also trigger the limited Denial of service in the form of the interruptions to resource availability.
Conditions:
There are 2 conditions that cause this vulnerability to occur
1. Out-of-bounds reads with specially crafted SSH packets.
when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.
2. When SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.
Impact:
Access to the sensitive information partially followed by limited Denial of Service.
Workaround:
N/A
Fix:
Updating the version of the libssh2 from 1.4.3 to 1.8.0.
907201 : TMM may crash when processing IPSec traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while negotiation IPSec traffic with a remote peer.
Conditions:
-IPSec peers configured and active
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
TMM now processes IPSec traffic as expected.
907045 : QUIC HANDSHAKE_DONE is sent at the end of first flight
Component: Local Traffic Manager
Symptoms:
QUIC does not send the HANDSHAKE_DONE immediately on conclusion of the handshake. Instead, it sends an entire flight of data first.
Conditions:
This happens in normal operation.
Impact:
The end user system has to store handshake state longer than it might have to otherwise.
Workaround:
None.
Fix:
Fixed an issue with the HANDSHAKE_DONE message.
906889 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Component: TMOS
Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:
Packets In 2 shows as 016 in the GUI
Packets Out 0 shows as 8 in the GUI
Workaround:
View statistics in tmsh.
906885-3 : Spelling mistake on AFM GUI Flow Inspector screen
Component: Advanced Firewall Manager
Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.
Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).
Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.
Workaround:
None.
906737 : Error message: 'templates/' is not a directory
Component: Application Security Manager
Symptoms:
Some of the Templates class values are incorrectly initialized with the wrong base directory, so every time specific pages are opened in browser a message is written to var/log/ts/ui/debug.log:
'templates/' is not a directory.
Conditions:
Open Live Update, Policies Lists, Policies Summary, and several other pages under the Security heading.
Impact:
No functional impact, but log entries are added.
Workaround:
None
Fix:
Templates class initializes correctly, so there are no more irrelevant error messages in var/log/ts/ui/debug.log.
906377 : iRulesLX hardening
Component: TMOS
Symptoms:
Under certain conditions, iRulesLX does not follow current best practices.
Conditions:
- Authenticated administrative user
Impact:
iRulesLX does not follow current best practices.
Workaround:
N/A
Fix:
iRulesLX now follows current best practices.
906237 : Reject flood packets to prevent L2 learning problems when TCN is generated
Component: Local Traffic Manager
Symptoms:
Mac move messages can be observed on the connected switches
Conditions:
Virtual wire configured in high availability (HA) mode.
Impact:
1) Mac move messages can be observed on the connected switches.
2) Traffic will be impacted on failover
Workaround:
N/A
Fix:
BIG-IP will stop accepting new TCP connections if it detects a topology change during a configurable timeout (l2.virtualwire.tcn.recovery.connection.drop.timeout, default 30).
This feature is not enabled by default. To enable l2.virtualwire.tcn.connection.drop this variable needs to be set.
905669 : CSRF token expired message for AJAX calls is displayed incorrectly
Component: Application Security Manager
Symptoms:
CSRF token expired message for AJAX calls is displayed incorrectly in alert message
Conditions:
This can occur if a BIG-IP administrator or user navigates to pages containing AJAX calls that modify a policy when the CSRF token is already expired. This occurs very rarely.
Impact:
Each letter in message is shown in new line in alert message
Fix:
CSRF token expired message for AJAX calls is shown correctly
905125 : Security hardening for APM Webtop
Solution Article: K30343902
904845 : VMware guest OS customization works only partially in a dual stack environment.
Component: TMOS
Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).
By default, DHCP is enabled on the management interface.
During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.
Conditions:
Applying a customization profile to VMware VM in a dual stack environment.
Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.
Workaround:
Configure the mgmt interface addresses using the config script.
Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.
904785 : Remotely authenticated users may experience difficulty logging in over the serial console
Component: TMOS
Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user
Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.
Impact:
Remotely authenticated users cannot log in over the serial console.
Workaround:
Using either of the following workaround:
-- Log in over SSH instead
-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.
904705 : Cannot clone Azure marketplace instances.
Component: TMOS
Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.
Conditions:
Applies to any Azure marketplace instance.
Impact:
Cannot clone Azure marketplace instances.
Workaround:
None.
Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.
904593 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
Component: Application Security Manager
Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.
Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
Impact:
Configuration of all devices in the Auto Scale group is overwritten.
Workaround:
Disable ASM Live Update Automatic Download.
This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.
For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping
-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable
904441 : APM vs_score for GTM-APM load balancing is not calculated correctly
Component: Access Policy Manager
Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.
Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.
Impact:
GTM/DNS load balancing does not work as expected.
Workaround:
None.
Fix:
APM virtual server score value is now calculated correctly, so GTM load balancing functions as expected.
904373 : MRF GenericMessage: Implement limit to message queues size
Component: Service Provider
Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.
Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.
Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.
Workaround:
None.
Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.
904053 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disable Learning mode for the Policy disables Cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
904041 : Ephemeral pool members may be incorrect when modified via various actions
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.
903973 : URL properties screen does not display Advanced mode
Component: Application Security Manager
Symptoms:
URL properties page is shown in Basic mode, though Advanced is selected when loading the page
Conditions:
-- Chrome browser used
-- You navigate to another page from the URL properties with Advanced mode selected
-- Press the Back button in Chrome
Impact:
URL properties page is shown in Basic mode, though Advanced is selected on load of page
Workaround:
Select Basic and then Advanced mode to see all options
Fix:
URL properties page is initialized correctly in Chrome browser after Back is pressed
903649 : LTM monitor hardening
Component: TMOS
Symptoms:
Under certain conditions, LTM monitors do not follow current best practices.
Conditions:
-Authenticated administrative user
-LTM monitor usage
Impact:
LTM monitors do not follow current best practices.
Workaround:
N/A
Fix:
LTM monitors now follow current best practices.
903581 : The pkcs11d process cannot recover under certain error condition
Component: Local Traffic Manager
Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.
Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.
Impact:
SSL handshake failure.
Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d
Fix:
Allow pkcs11d to re-initialize on error.
903573-1 : AD group cache query performance
Component: Access Policy Manager
Symptoms:
Active Directory queries are slow.
Conditions:
-- Active Directory (AD) authentication used
-- There are lots of AD caches in the environment, and users are in deeply nested groups.
Impact:
Active Directory query time can be excessive.
Fix:
Improved AD cache optimization.
903357 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
Component: Application Security Manager
Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.
Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.
Impact:
Bot Defense list page loading time can take more than 30 seconds.
Workaround:
None.
902485 : Incorrect pool member concurrent connection value
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
902417 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.
902401-2 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device
Component: TMOS
Symptoms:
The ospfd process generates a core.
Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.
Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.
Workaround:
None.
Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.
901985 : Extend logging for incomplete HTTP requests
Component: Local Traffic Manager
Symptoms:
Logging is not triggered for incomplete HTTP requests.
Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.
Impact:
Logging is missing for incomplete HTTP requests.
Workaround:
None.
Fix:
Logging is now triggered at shutdown for incomplete HTTP requests.
901929 : GARPs not sent on virtual server creation
Component: Local Traffic Manager
Symptoms:
When a virtual server is created, GARPs are not sent out.
Conditions:
-- Creating a new virtual server.
Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.
Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.
Fix:
GARPs are now sent when a virtual server is created.
901061 : Safari browser might be blocked when using Bot Defense profile and related domains.
Component: Application Security Manager
Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.
Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.
Impact:
Some requests might be blocked.
Workaround:
None.
Fix:
Set the cookie so all requests in the target domain will contain it.
901041-5 : CEC update using incorrect method of determining number of blades in VIPRION chassis★
Component: Traffic Classification Engine
Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.
Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.
Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.
Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.
Workaround:
Install the package manually on each slot.
Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.
900933 : IPsec interoperability problem with ECP PFS
Component: TMOS
Symptoms:
IPsec tunnels fails to remain established after initially working.
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.
This may also immediately present as a problem when trying to establish a second tunnel to the same peer.
Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).
Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.
Workaround:
Do not use ECP for PFS.
Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.
900797 : Brute Force Protection (BFP) hash table entry cleanup
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
900793 : APM Brute Force Protection resources do not scale automatically
Solution Article: K32055534
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
900789 : Alert before Brute Force Protection (BFP) hash are fully utilized
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
898997 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Component: Service Provider
Symptoms:
GTP message parsing fails and log maybe observed as below:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes
Impact:
- message parsing fails, traffic maybe interupted
Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes
898949 : APM may consume excessive resources while processing VPN traffic
Solution Article: K04518313
898741 : Missing critical files causes FIPS-140 system to halt upon boot
Component: Application Security Manager
Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.
Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing
Impact:
System halts during boot because of sys-eicheck.py failure.
Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.
If the missing files are due to missing signature update files:
- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.
898705 : IPv6 static BFD configuration is truncated or missing
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
898653 : MR::available_for_routing iRule command prevents client side connections from being counted as available for routing towards
Component: Service Provider
Symptoms:
In systems with a large number of incoming connections from a low number of client IP addresses, the connections are not spread across all TMMs. All entries for a client IP address are stored on the same TMM. Lookup of one of the records returns all records for an IP address. This can lead to exceeding the available bits available for reference counting.
Conditions:
A large number of incoming connections from a low number of client IP addresses.
Impact:
An internal overflow can cause a fault. This might result in a crash or core.
Workaround:
None.
Fix:
You can now identify which client side connections do not need to have messages routed towards them using a new MR::available_for_routing iRule command.
Note: If reverse routing is not required, there is no need to include the client side connections.
Behavior Change:
There is a new MR::available_for_routing iRule command to flag that a connection should not have messages routed towards them.
898461 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
Fix:
These iRule commands are now available within these iRule events.
898441 : Enable logging of IKE keys
Component: TMOS
Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.
Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.
Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.
Workaround:
None, although the remote peer may log this information.
Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.
898373 : Unclear message: TakesTooLong was 0.00 exceeded the lower threshold of 10000
Component: Application Visibility and Reporting
Symptoms:
The system presents an unclear error message: TakesTooLong was 0.00 exceeded the lower threshold of 10000.
Conditions:
This occurs when the AVR page load times drop below the lower acceptable threshold.
Impact:
The message is unclear, making resolution difficult. A more accurate message might be: The AVR page load took 0.00, which is lower than the threshold of 10000.
Workaround:
None.
898333 : Unable to collect statistics from BIG-IP system after BIG-IQ restart
Component: Application Visibility and Reporting
Symptoms:
AVR fails to send statistics to BIG-IQ. Lack of stats data in the BIG-IQ console.
Conditions:
-- The BIG-IP system is connected to the Data Collection Device (DCD), BIG-IQ.
-- DCD is restarted.
-- DCD does not send to BIG-IQ configuration instructions via REST interface due to ID 898341.
Impact:
Unable to collect statistics from BIG-IP system. Lack of stats data in the BIG-IQ console.
Workaround:
Restart avrd:
bigstart restart avrd
Fix:
Fixed an issue with AVR failing to send statistics to BIG-IQ.
897681 : Application Security Editor user cannot create ASM policy or Logging profile on Security :: Overview : Summary page
Component: Application Security Manager
Symptoms:
BIG-IP users logged in with the Application Security Editor role are unable to perform any actions for ASM policies.
Conditions:
1) Create Application Security Editor user.
2) Login as Application Security Editor.
3) Go to Security :: Overview : Summary page.
Impact:
Application Security Editor user is unable to create an ASM policy or logging profile from the summary page.
Workaround:
Application Security Editor users can create ASM policies or Logging profiles via the Logging Profiles and Security Policies List pages.
Fix:
Application Security Editor user now can create ASM policy or Logging profile on the Security :: Overview : Summary page.
897509 : IPsec SAs are missing on HA standby, leading to packet drops after failover
Component: TMOS
Symptoms:
IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.
Conditions:
-- HA mirroring is configured
-- IKEv2 tunnels are started
Impact:
During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.
Workaround:
None
Fix:
IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is only supported when IKEv2 tunnels are in use.
896861 : PTR query enhancement for RESOLVER::name_lookup
Component: Global Traffic Manager (DNS)
Symptoms:
Currently RESOLVER::name_lookup does not have PTR reverse domain mapping.
Conditions:
RESOLVER::name_lookup needs an additional iRule to make PTR query work
Impact:
Need an additional iRule to convert to reverse IP PTR query to work
Workaround:
Use an iRule to convert ip address reverse mapping
Fix:
Address IP address reverse mapping for PTR query
896817 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
Component: TMOS
Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:
01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.
Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.
Impact:
Unable to replace configuration using TMSH's 'replace' verb.
Workaround:
None.
Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.
896709 : Add support for Restart Desktop for webtop in VMware VDI
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
896285 : No parent entity in suggestion to add predefined-filetype as allowed filetype
Component: Application Security Manager
Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.
Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.
Impact:
No parent entity appears in the sugestion.
Workaround:
None.
Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.
896261 : Linkstate propagation support on virtual wire trunk interfaces
Component: Local Traffic Manager
Symptoms:
LACP passthrough may not work properly when some of the trunk ports are down / disabled.
Conditions:
Virtual wire configured with trunk interfaces.
Impact:
Lacp and other l2 protocols passthrough will work properly. Network traffic is disrupted.
Workaround:
N/A
Fix:
LACP passthrough will work properly.
896217 : BIG-IP GUI unresponsive
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
896125 : Reuse Windows Logon Credentials feature does not work with modern access policies
Component: Access Policy Manager
Symptoms:
Client users are not automatically logged on to the Edge client using previously entered Microsoft Windows credentials, while client users on Windows computers are prompted with a logon page to enter the credentials.
Conditions:
-- Access policy "customization type" should be set to "modern"
-- In connectivity profile, click Customize Package :: Windows.
-- Under Available Components, select the check box to enable User Logon Credentials Access Service.
Impact:
Unable to automatically logon to Edge client and user is prompted for credentials
Workaround:
Use standard access policy in the virtual server.
895837 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified
Component: TMOS
Symptoms:
Virtual server configured with:
-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0
-- The configuration uses a destination port list.
Conditions:
Modify the virtual server's port-list to a different one.
Impact:
Mcpd generates a core, and causes services to restart and failover.
Workaround:
None.
Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.
895013 : Learning of login pages does not work
Component: Application Security Manager
Symptoms:
Learning of login pages does not work.
Conditions:
The internal parameter pb_force_sampling is turned on.
Impact:
Automatic learning of login pages by the policy builder fails.
Workaround:
Configure login pages manually or turn off the force sampling internal parameter.
Fix:
Fixed an issue with login page learning.
894885-1 : [SAML] SSO crash while processing client SSL request
Component: Access Policy Manager
Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.
Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.
Conditions:
SAML SSO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.
893953 : Portal Access: Chrome/Edge browser: cookie transport: sync XMLHttpRequests should not be used in onbeforeunload handlers
Component: Access Policy Manager
Symptoms:
Error message in browser console:
Uncaught DOMException: Failed to execute 'send' on VM41 cache-fm.js:618
'XMLHttpRequest': Failed to load ''https://appportal.omo.nl/private/fm/volatile.html': Synchronous XHR in page dismissal. See https://www.chromestatus.com/feature/4664843055398912 for more details.
Conditions:
Setting and/or getting cookies in onbeforeunload/onunload handlers defined by the web-application.
Impact:
Web-application does not function as expected. Behavior varies, depending on web-application control flow.
Workaround:
Important: This workaround will work until later versions of Chrome and Edge Browser are released. You can refer to the release notes for these browsers to determine when functionality is removed.
Use an iRule to allow sync requests from onbeforeunload, onunload, and other page dismissal events.
This is intended to inject into responses from the BIG-IP virtual server header, Origin-Trial, using a token obtained from the Google Chrome developer console. This token allows for use of synchronous requests in page dismissal events. It should work for Chrome and Microsoft Edge browsers where such sync requests are disabled now.
To obtain the token you need to use the following iRule with your virtual server:
1. Go to the Chrome Origin Trials page:
https://developers.chrome.com/origintrials/#/trials/active.
2. Click the 'REGISTER' button to the right of 'Allow Sync XHR In Page Dismissal'.
3. Enter the origin of your virtual server and other information:
https://domain_of_your_virtual_server.
4. Click REGISTER.
By doing this, you obtain a token to use in place of the token provided in the following iRule.
Note: For additional info about Origin Trials and how they work:
https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md
when HTTP_RESPONSE_RELEASE {
HTTP::header insert Origin-Trial Aq5OZcJJR3m8XG+qiSXO4UngI1evq6n8M33U8EBc+G7XOIVzB3hlNq33EuEoXZQEt30Yv2W6YgFelr2aGUkmowQAAABieyJvcmlnaW4iOiJodHRwczovLzEwLjE5Mi4xNTIuMzk6NDQzIiwiZmVhdHVyZSI6IkFsbG93U3luY1hIUkluUGFnZURpc21pc3NhbCIsImV4cGlyeSI6MTU5ODk5NzIyMX0=
}
893905 : Wrong redirect from Charts to Requests Log when request status selected in filter
Component: Application Security Manager
Symptoms:
Incorrect filter applied when you are redirected from Charts page to Requests Log.
Conditions:
Select request status in filter in Charts page and apply filter and then click View Requests on the bottom of Charts page.
Impact:
Filter not applied in Requests Log page after redirect.
Workaround:
Filter can be applied manually after redirect.
There is mismatch between AVR request types and ASM request statuses, e.g., Blocked in AVR includes Unblocked as well.
Fix:
On redirect correct filter is applied that takes into consideration mismatch between AVR request types and ASM request statuses.
893885-1 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
Component: TMOS
Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.
Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.
Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.
Workaround:
None.
Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.
893865 : NDP learned on vlangroup instead on vlan
Component: Local Traffic Manager
Symptoms:
Traffic might flood on vlangroup
Conditions:
Mac learned on vlan group when target mac in ipv6 neighbor advertisement s different form sender mac
Impact:
Traffic might flood on vlangroup
Workaround:
N/A
Fix:
Mac entry is learned on vlan rather than vlangroup.
No traffic flood issues observed.
893721 : PEM-provisioned systems may suffer random tmm crashes after upgrading★
Component: Traffic Classification Engine
Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/
Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
893281 : Possible ssl stall on closed client handshake
Component: Local Traffic Manager
Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.
Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.
Impact:
Some ssl client connection remain until idle timeout.
Fix:
Allow transmit of any pending crypto during ssl shutdown.
893061 : Out of memory for restjavad
Component: Application Security Manager
Symptoms:
REST framework not available due to Out of memory error
Conditions:
Long list of Live Update installations
Impact:
Live Update GUI is not responding.
Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)
# tmsh modify sys db provision.extramb value 1000
2) Allow restjavad to access the extra memory:
# tmsh modify sys db restjavad.useextramb value true
3) Save the config:
# tmsh save sys config
4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.
5) Increase the restjavad maxMessageBodySize property:
# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
"maxMessageBodySize": 134217728,
"localhostRestnodedConnectionLimit": 8,
"defaultEventHandlerTimeoutInSeconds": 60,
"minEventHandlerTimeoutInSeconds": 15,
"maxEventHandlerTimeoutInSeconds": 60,
"maxActiveLoginTokensPerUser": 100,
"generation": 6,
"lastUpdateMicros": 1558012004824502,
"kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
"selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}
Ensure the command returns output showing the limit has been increased (as shown above).
6) Reboot the unit.
892941 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Solution Article: K20105555
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
892937 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
Solution Article: K20105555
Component: Access Policy Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555
Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555
892781 : Azure walinuxagent has been updated to v2.2.48.1
Component: TMOS
Symptoms:
Some onboarding features are not available in the current version of walinuxagent.
Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.
Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.
Workaround:
None.
Fix:
The Azure walinuxagent has been updated to v2.2.48.1
892677 : Loading config file with imish adds the newline character
Component: TMOS
Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
892653 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
Component: Application Security Manager
Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI
Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.
Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html
Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.
892485 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.
Component: Local Traffic Manager
Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.
Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.
Impact:
A wrong OCSP status may be reported in the SSL handshake.
Fix:
After the fix, the correct OCSP status entry is returned and SSL handshake continues with the correct OCSP status.
892385-6 : HTTP does not process WebSocket payload when received with server HTTP response
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
891849 : Running iRule commands while suspending iRule commands that are running can lead to a crash
Component: Local Traffic Manager
Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.
Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.
For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.
891729 : Errors in datasyncd.log★
Component: Fraud Protection Services
Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM
Conditions:
Upgrades from version 13.x to 14.0.0 or higher.
Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.
Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.
If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.
Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.
891613 : RDP resource with user-defined address cannot be launched from webtop with modern customization
Component: Access Policy Manager
Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.
After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:
Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.
Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.
Impact:
Cannot use remote desktop resource with user-defined addresses.
Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:
1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):
-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').
Recreate similar access policy as modern access policy that is showing this problem.
If manually re-creating similar standard access policy is not possible, there is no workaround.
Fix:
Now, RDP resources with user-defined addresses can be used as expected on webtops with modern customization.
891457 : NIC driver may fail while transmitting data
Solution Article: K75111593
891385 : Add support for URI protocol type "urn" in MRF SIP load balancing
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
Fix:
Added support for the urn URI protocol type.
891373 : BIG-IP does not shut a connection for a HEAD request
Component: Local Traffic Manager
Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.
Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.
Impact:
Connection remains idle until it expires normally, consuming network resources.
Workaround:
None.
Fix:
When an HTTP HEAD request contains 'Connection: close' header and a OneConnect profile is configured on a virtual server, the BIG-IP system shuts a connection down after a response is served.
891181 : Wrong date/time treatment in logs in Turkey/Istambul timezone
Component: Application Security Manager
Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.
Conditions:
User sets Turkey/Istambul timezone on BIG-IP
Impact:
When filtering logs by time period, results differ from set period by an hour
Workaround:
Define time period one hour earlier for filtering ASM logs
Fix:
Fixed timezone treatment for in GUI to match server settings
891093 : iqsyncer does not handle stale pidfile
Component: Global Traffic Manager (DNS)
Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.
Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file
Impact:
Gtm config changes and gtm_add operations are blocked
Workaround:
Remove iqsyncer pid file manually or reboot
Fix:
Stale iqsyncer pid file condition handled in iqsyncer application
890881-1 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
Component: Local Traffic Manager
Symptoms:
Traffic drop occurs.
Conditions:
Source MAC in the ARP header and the Ethernet header do not match.
Impact:
The BIG-IP system drops these packets.
Workaround:
None.
890825 : Attack Signatures and Threat Campaigns filter incorrect behaviour
Component: Application Security Manager
Symptoms:
When removing not last selected values in Systems or Tags filter, last one is removed.
Conditions:
Select several values in Systems or Tags filter and then remove not the last value.
Impact:
Filter incorrectly displayed.
Workaround:
None.
Fix:
Filters are working correctly with multiple values selection and removal.
890485 : The 'noscript' injection should follow W3 HTML4.01 standards
Component: Fraud Protection Services
Symptoms:
The 'noscript' injection breaks W3 HTML4.01 standards.
Conditions:
-- FPS enabled.
-- Configure a protected URL.
Impact:
The format of the injected 'noscript' tag violates the W3 HTML4.01 standards.
Workaround:
None.
Fix:
The 'noscript' injection now follows W3 HTML4.01 standards.
890277 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Component: TMOS
Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on device with large number of partitions.
Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
889601 : OCSP revocation not properly checked
Component: Local Traffic Manager
Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.
Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles
Impact:
The SSL handshake continues eve if a certificate is revoked.
Fix:
OCSP revocation checking now working properly.
889557-8 : jQuery Vulnerability CVE-2019-11358
Solution Article: K20455158
889165 : "http_process_state_cx_wait" errors in log and connection reset
Component: Local Traffic Manager
Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:
err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside
Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server
Impact:
Possible connection failure.
Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.
889041 : Failover scripts fail to access resolv.conf due to permission issues
Component: TMOS
Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:
/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0
Impact of workaround: these commands disable SELinux policy enforcement.
889029 : Unable to login if LDAP user does not have search permissions
Component: TMOS
Symptoms:
A user is unable to log in using remote LDAP.
Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory
Impact:
Authentication does not work.
Workaround:
Grant search permissions to the user in LDAP.
888869 : GUI reports General Database Error when accessing Instances Tab of SSL Certificates
Component: TMOS
Symptoms:
A General Database Error message is shown when you click the Instances tab of a certificate bundle / certificate / Key listed under the System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.
Conditions:
-- The selected SSL Certificate does not have a certificate or key listed under it.
-- You click the instances tab of the properties page of the SSL Certificate.
Impact:
GUI shows an error screen.
Workaround:
Avoid clicking the instance tab if there is no key or certificate associated with the SSL Certificate / Bundle.
888517 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★
Component: Local Traffic Manager
Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.
Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.
Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.
888497 : Cacheable HTTP Response
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
888493 : ASM GUI Hardening
Solution Article: K40843345
888489 : ASM UI hardening
Solution Article: K55873574
888417 : Apache Vulnerability: CVE-2020-8840
Solution Article: K15320518
888341 : HA Group failover may fail to complete Active/Standby state transition
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
888145 : When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property
Component: Access Policy Manager
Symptoms:
The entityID property of SAML Service Provider (SP) object ('apm aaa saml') accepts only a valid URI as the value if host is empty. All other values are deemed invalid.
This creates a less than optimal configuration experience in certain use-cases. For instance, when the deployment contains two SAML SP configuration objects that are essentially identical, with the only difference being the entityID value, validation prevents reusing the same object, and mandates creation of two independent configuration objects.
Conditions:
-- The BIG-IP system is used as a SAML SP with two or more SP configuration objects.
-- The only difference between two (or more) configured SP configuration objects is the value of entityID.
Impact:
None. This is a usability enhancement.
Workaround:
Creating multiple SP objects.
Fix:
This enhancement supports configuring an APM session variable in the entityID property of SAML SP ('apm aaa saml') objects, thus reducing the number of nearly duplicate SP configuration objects.
NOTE: When a session variable is used in the entityID property of a SAML SP object, the SAML metadata exported by such object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.
887625 : Note should be bold back, not red
Component: Application Security Manager
Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color
Note : Device-ID mode must be configured in bot profile for this option to work.
Conditions:
This always occurs.
Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.
Workaround:
None.
887609 : TMM crash when updating urldb blacklist
Component: Traffic Classification Engine
Symptoms:
TMM crashes after updating the urldb blacklist.
Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
887505 : Coreexpiration script improvement
Component: TMOS
Symptoms:
Script fails with:
stat: cannot stat '/shared/core/*.core.*': No such file or directory.
In addition, the system reports a message in /var/log/user and /var/log/messages when there are no core files:
Deleting file /shared/core/*.core.*
Conditions:
Coreexpiration script is run.
Impact:
No core is produced. In addition, there is no core deleted.
Workaround:
To resolve the issue, add the following line to the script:
for filename in /shared/core/*.core.*; do
+ [ -e "$filename" ] || continue
# Time of last modification as seconds since Epoch
887349 : DNS Profile names starting with the letter a, b, or c are selected as the default DNS profile when creating listeners.
Component: Global Traffic Manager (DNS)
Symptoms:
The default dns profile name not selected by default when creating dns listener.
Conditions:
-- Creating a dns listener
-- A DNS profile exist whose name begins with the letter a, b, or c
Impact:
The default dns profile is not selected by default for a new dns listener
Workaround:
Select dns profile value every time you create a gtm listener
Fix:
Now by default "default dns" profile is selected when you create a dns listener.
887205 : Correct handling of wildcard parameters with search-in 'any' marked for data integrity
Component: Fraud Protection Services
Symptoms:
The Data Integrity feature does not work for wildcard parameters with search-in set to 'any'.
Conditions:
-- Configure a wildcard parameter with search-in 'any' and mark it for data integrity.
-- Send traffic containing multiple parameters that match the configured pattern.
Impact:
-- Only the first traffic parameter matched by wildcard pattern will be checked for Data Integrity.
-- No alerts will be triggered for other parameters matched by same pattern even if they were manipulated.
Workaround:
Use explicit parameters.
Use wildcard parameters only if each pattern should match only one traffic parameter.
Fix:
Wildcard parameters with search-in 'any' marked for Data Integrity are now handled correctly.
887089 : Upgrade can fail when filenames contain spaces
Component: TMOS
Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
886865 : P3P header is added for all browsers, but required only for Internet Explorer
Component: Application Security Manager
Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.
Conditions:
Bot Defense Profile is attached to a virtual server.
Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.
Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.
It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.
Fix:
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable
886693 : System may become unresponsive after upgrading★
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.
Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)
886689 : Generic Message profile cannot be used in SCTP virtual
Component: TMOS
Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
Fix:
Generic Message profile can be used in SCTP virtual
885789 : Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers
Component: Application Security Manager
Symptoms:
Clicking the 'Fix Automatically' button in the PCI Compliance page does not replace the insecure client SSL profile attached on an HTTP/2 virtual server, with a secure one. The compliance state shows as a red cross mark, indicating the virtual server to be noncompliant.
Conditions:
-- Clicking the 'Fix Automatically' button on the PCI compliance page.
-- A noncompliant PCI profile is attached to the HTTP/2 virtual server.
-- A PCI-compliant, client SSL profile with renegotiation disabled is available in the SSL profiles.
Impact:
The provision for enhanced configuring does not function as expected for HTTP/2-based virtual servers.
Workaround:
Manually configure a PCI-compliant profile in SSL profiles, with renegotiation disabled, and attach it to the virtual server.
Fix:
HTTP/2 virtual servers are now handled correctly on the PCI Compliance page.
885785 : Clicking 'Fix Automatically' in PCI Compliance page does not attach a PCI-compliant-profile on HTTP/2 virtual servers
Component: Application Security Manager
Symptoms:
For an HTTP/2 virtual server with an insecure client SSL profile attached, clicking the 'Fix Automatically' button on the PCI Compliance page creates a PCI-compliant client SSL profile, but fails to attach to the virtual server. The compliance state shows as a red cross mark, indicating the virtual server to be noncompliant.
Conditions:
-- No compliant PCI profile is attached to the HTTP/2 virtual server.
-- Click the 'Fix Automatically' button on the PCI Compliance page.
Impact:
The provision for enhanced configuring does not function as expected for HTTP/2-based virtual servers.
Workaround:
Manually configure a PCI-compliant profile in SSL profiles, with renegotiation disabled, and attach it to the virtual server.
Fix:
HTTP/2 virtual servers are now handled correctly in the PCI Compliance page.
885769 : The ASM logging Operation_id field has incorrect byte at the end
Component: Application Security Manager
Symptoms:
The operation ID field has one incorrect byte at the end of the string.
Conditions:
This can occur if the operation ID is 255 bytes long.
Impact:
In the remote log, the operation ID reports the incorrect byte, which might lead to confusion.
Workaround:
None.
Fix:
Eliminated the extra byte at the end of the operation ID.
885201 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log
Component: Global Traffic Manager (DNS)
Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:
err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.
These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.
Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
- No route to host.
- Received a TCP RST.
- TCP handshake timeout.
Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.
These messages can be safely ignored.
Workaround:
If you want to suppress these messages, you can configure a syslog filter.
For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
Fix:
Added debug messages for SSL probing with attached DB variable
884953 : IKEv1 IPsec daemon racoon goes into an endless restart loop
Component: TMOS
Symptoms:
The IKEv1 IPsec daemon racoon goes into an endless restart loop.
2020-01-02 08:36:36: ERROR: /etc/racoon/racoon.conf.BIG-IP:376: "}" duplicated sainfo: loc='ANONYMOUS', rmt='10.42.80.0/24', peer='ANY', id=0
2020-01-02 08:36:36: ERROR: fatal parse failure (1 errors)
2020-01-02 08:36:36: ERROR: failed to parse configuration file.
Conditions:
Duplicate wildcard traffic-selectors, one with ::/0 and one with 0.0.0.0/0, attached to different IPsec policies.
Impact:
IPsec IKEv1 tunnels cannot be established.
Workaround:
Configure duplicate traffic-selectors only when they are attached to interface mode IPsec policies.
Fix:
Config validation now prevents duplicate wildcard selectors attached to tunnel mode IPsec policies.
883577 : ACCESS::session irule command does not work in HTTP_RESPONSE event
Component: Access Policy Manager
Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm
No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)
Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.
Impact:
Cannot create APM session using the ACCESS::session irule command.
Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.
883133 : TLS_FALLBACK_SCSV with TLS1.3
Component: Local Traffic Manager
Symptoms:
Possible handshake failure with some combinations of TLS Fallback Signaling Cipher Suite Value (SCSV) and SSL profile protocol versions.
Conditions:
-- Using fallback SCSV suites.
-- Using certain client SSL profile protocol versions (e.g., the virtual server is configured for TLS1.3, and the client is configured for TLS1.0 - TLS1.2).
Impact:
Possible handshake failure.
Workaround:
None.
Fix:
The BIG-IP system now correctly handles all combinations of fallback SCSV and supported protocol versions.
883105 : HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect
Component: Local Traffic Manager
Symptoms:
If a virtual server is configured with both client-side and server-side using HTTP/2, and with translate-address disabled, the connection to the server-side does not succeed.
Conditions:
-- HTTP/2 profiles on both client-side and server-side, using an http-router profile.
-- Translate-address is disabled.
Impact:
Connections fail.
Workaround:
None.
883097 : Radius authentication may consume excessive resources
Solution Article: K11400411
882633 : Active Directory authentication does not follow current best practices
Solution Article: K51213246
882549 : Sock driver does not use multiple queues in unsupported environments
Component: Local Traffic Manager
Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and
You can verify this on the tx side as well.
Conditions:
This occurs in certain unsupported environments.
Note: When you run 'ethtool -l', you can see: 'command not supported'.
Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.
Workaround:
Use other available drivers.
You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed
Fix:
Fixed an issue with the sock driver.
882189-9 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
Solution Article: K20346072
881757 : Unnecessary HTML response parsing and response payload is not compressed
Component: Application Security Manager
Symptoms:
When either DoS Application Profile or Bot Defense profile are used, or ASM Policy with complex LTM Policy, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.
Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- ASM Policy is associated with the Virtual Server and has complex LTM Policy: multiple ASM Policies, or additional rules.
Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.
Workaround:
The workaround is to disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false
Note: Using this brings back the impact of bug 792341.
Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.
881445-10 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
Solution Article: K69154630
881317-10 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
881293-9 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
880625 : Check-host-attr enabled in LDAP system-auth creates unusable config
Component: TMOS
Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.
Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.
Impact:
LDAP-based auth does not function.
Workaround:
None.
880361 : iRules LX vulnerability CVE-2021-22973
Solution Article: K13323323
880289-1 : FPGA firmware changes during configuration loads★
Component: TMOS
Symptoms:
FPGA firmware on DDoS Hybrid Defender products might be changed unexpectedly during a configuration load or license update.
Conditions:
Configuration load or license update.
Impact:
FPGA firmware changes unexpectedly, reboot might be required to stabilize.
Workaround:
None.
880165 : Auto classification signature update fails
Component: TMOS
Symptoms:
During classification update, you get an error:
"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"
An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".
Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.
It can occur when something goes wrong during license activation, but license activation ultimately succeeds.
Impact:
When this issue occurs, auto classification signature update will fail.
Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.
879829 : HA daemon sod cannot bind to ports numbered lower than 1024
Component: TMOS
Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.
Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.
/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability
Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.
-- Version 13.1.0 or later.
Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.
Workaround:
Change the port number to 1024 or higher.
Note: UDP port 1026 is the default.
879745-9 : TMM may crash while processing Diameter traffic
Solution Article: K82530456
879413 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):
found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
879405 : Incorrect value in Transparent Nexthop property
Component: TMOS
Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.
Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None
Works fine with:
Impact:
Incorrect value shown in Transparent Nexthop property field.
Workaround:
Use tmsh to complete the action successfully.
879189 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
Component: TMOS
Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.
Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.
Impact:
The Network Map shows an error message.
Workaround:
Provision the module that supports the profile.
Fix:
The button text has been modified to be more informative.
877109 : Unspecified input can break intended functionality in iHealth proxy
Solution Article: K04234247
876953 : Tmm crash while passing diameter traffic
Component: Service Provider
Symptoms:
Tmm crashes with the following log message.
-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.
Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash while passing diameter traffic.
876805 : Modifying address-list resets the route advertisement on virtual servers.
Component: TMOS
Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.
This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.
Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.
Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).
Workaround:
None
Fix:
Virtual address properties are now preserved when an address list is modified.
876581 : JavaScript engine file is empty if the original HTML page cached for too long
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
876353 : iRule command RESOLV::lookup may cause TMM to crash
Solution Article: K03125360
876177 : Port and Trunk information is added to F5 trailer in tcpdump
Component: Local Traffic Manager
Symptoms:
It is difficult to analyze the issues with virtual wire with tcpdump's F5 ethernet trailer.
Conditions:
You wish to use tcpdump to diagnose issues with virtual wire.
Impact:
The information that is provided in the ethernet trailers is insufficient to be able to diagnose problems.
Workaround:
N/A
Fix:
Port and trunk information is seen in F5 ethernet trailer (low details)
876077 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up
Component: Service Provider
Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.
Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered
Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.
Workaround:
None.
Fix:
Stale pending retransmission entries are cleaned up properly.
874677-5 : Traffic Classification auto signature update fails from GUI★
Component: Traffic Classification Engine
Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.
The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.
Conditions:
Performing Traffic Classification auto signature update using the GUI.
Impact:
Fails to update the classification signature automatically.
Workaround:
You can use either of the following:
-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.
Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.
874221 : DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response recursion desired (rd) flag does not match the DNS query when using the iRule command DNS::header rd.
Conditions:
-- iRule command DNS::header rd is used to set DNS query rd bit to a different value.
-- At least one wide IP is configured.
Impact:
DNS response rd flag does not match the DNS query. This is not RFC compliant.
Workaround:
Do not configure any wide IPs.
873249 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
872505 : Dynamic server config on OAuth Client/RS agent in Per-Session-Policy
Component: Access Policy Manager
Symptoms:
Session config on OAuth Client/RS agent is applied once and used for all APM sessions.
Conditions:
OAuth is configured
Impact:
You are unable to provision OAuth Authorization Servers per group of APM session(s)
Workaround:
Create OAuth Client/RS agent with each server object applicable
Fix:
You can now configure a "DynamicServer" session variable for OAuth so that one agent can be applied to multiple sessions.
872037 : DNS::header rd does not set the Recursion desired
Component: Global Traffic Manager (DNS)
Symptoms:
iRule command DNS::header rd not working as expected.
Conditions:
Virtual server configured with an iRule command to set DNS::header rd.
Impact:
The DNS::header rd iRule command does not set the Recursion Desired flag in DNS headers.
Workaround:
None.
871561 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★
Component: TMOS
Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:
failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)
The failed installation is also indicated by log messages in /var/log/ltm similar to:
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)
Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.
This can be accomplished by running the following command from the vCMP guest console:
tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.
869565-5 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
Component: Local Traffic Manager
Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.
Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.
Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.
Workaround:
None.
Fix:
When a command 'HTTP2::disable serverside' is executed, the BIG-IP system correctly disables the HTTP/2 profile on a server side, and no longer offers h2 when negotiating a protocol over ALPN.
868209 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.
This defect will also cause active FTP data connections over vlan-group to fail.
Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.
OR
- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.
Impact:
Server-side connections will fail.
Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)
867777 : Remote syslog server cannot parse violation detail buffers as UTF-8.
Component: Application Security Manager
Symptoms:
Remote syslog server is unable to properly parse the violation detail buffers as UTF-8.
Conditions:
This occurs when the violation detail buffers contain double-byte/non-UTF characters, due to requests that contain non-ASCII UTF-8 characters.
Impact:
The syslog server cannot parse violation detail buffers as UTF-8.
Workaround:
None.
866957 : Load balancing IPsec tunnels
Component: TMOS
Symptoms:
IPsec can experience packet loss on oversubscribed TMM instances (reaching 100% CPU transiently or consistently) and other TMM instances do not share the load.
Conditions:
-- A large number of IPsec tunnels.
-- The Security Associations (SAs) associated with IPsec tunnels are not balanced across TMMs.
-- Other TMMs are less busy.
Impact:
If random assignment of IPsec tunnels to TMM instances results in one TMM needing more than 100% CPU to handle all the traffic, packets are lost. When packets are lost, they are retransmitted, and BIG-IP network performance drops in proportion to the packet loss.
Workaround:
None
Fix:
The following sys db variables offer better tmm load balancing for IPsec tunnels. By default these variables are zero.
tmsh modify sys db ipsec.sp.owner value 1
tmsh modify sys db ipsec.sp.migrate value 1
tmsh modify sys db ipsec.pfkey.load value 2
F5 strongly recommends that these values only be set under the direction of F5 Support, Consultants or Pre-Sales engineers. This issue occurs only in extreme cases. TMM instances can be CPU pinned by other traffic outside of IPsec, so it is critical to first ascertain that IPsec traffic is resulting in poor TMM performance before implementing the variables.
Notation "sp" refers to an IPsec object where tunnel SAs live.
Variable ipsec.sp.owner controls whether these have a tmm owner that can be assigned.
Variable ipsec.sp.migrate controls whether tunnels can migrate automatically based on CPU load.
Variable ipsec.pfkey.load controls frequency of inter-TMM messages about CPU load to enable load-balancing decisions.
The value of ipsec.pfkey.load is seconds between CPU load update messages. The highest possible frequency is once a second, for value "1". Any value larger than 4 or 5 seconds runs a risk of using CPU load information too out-of-date to accurately balance load.
866073 : Add option to exclude stats collection in qkview to avoid very large data files
Component: TMOS
Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:
qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938
Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.
Impact:
Qkview files may not be able to be parsed by the iHealth service.
Also, memory allocation error messages may be displayed when generating qkview.
Workaround:
None.
Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.
Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.
865801 : AFM FQDN Resolver does not honor Refresh Interval during or after disruption
Component: Global Traffic Manager (DNS)
Symptoms:
Unbound uses default host-ttl (900) and it cannot be customized.
Conditions:
Always.
Impact:
DNS queries can take up to 15 minutes to fail (default host-ttl time) if the server is down.
Workaround:
None.
Fix:
"host-ttl" is now configurable via TMSH.
865225 : 100G modules may not work properly in i15000 and i15800 platforms
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
865177-6 : Cert-LDAP returning only first entry in the sequence that matches san-other oid
Component: TMOS
Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists
Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids
Impact:
Only the first matching oid is returned.
864797 : Cached results for a record are sent following region modification
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.
Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.
-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.
Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.
Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.
Fix:
The system now handles regions item changes as expected, so this issue no longer occurs.
864757 : Traps that were disabled are enabled after configuration save
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
863917 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
862937 : Running cpcfg after first boot can result in daemons stuck in restart loop★
Component: TMOS
Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.
Conditions:
Running cpcfg on a volume that has already been booted into.
Impact:
Services do not come up.
Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:
# touch /.autorelabel
# reboot
862885 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
Component: Local Traffic Manager
Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.
Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.
Impact:
TMM generates a core and reports an OOPs message:
no trailing data.
Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.
Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.
859717 : ICMP-limit-related warning messages in /var/log/ltm
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
858973 : DNS request matches less specific WideIP when adding new wildcard wideips
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
858701 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
858197 : Merged crash when memory exhausted
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
Fix:
Remove function call to drop row from table on error path where row was not successfully added.
857953 : Non-functional disable/enable buttons present in GTM wide IP members page
Component: Global Traffic Manager (DNS)
Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.
Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./
Impact:
No action against the selected members occurs when the buttons are pressed.
Workaround:
None.
856713 : IPsec crash during rekey
Component: TMOS
Symptoms:
IPsec-related tmm crash and generated core file during rekey.
Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.
Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
IPsec-related tmm crash has been fixed.
854001 : TMM might crash in case of trusted bot signature and API protected url
Component: Application Security Manager
Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.
Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.
Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.
853585 : REST Wide IP object presents an inconsistent lastResortPool value
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
852785-2 : Exposing counters from FIPS device registers allows debugging when cards fail
Component: TMOS
Symptoms:
FIPS devices may fail due to overuse. There has been no visibility into the numbers of key generation operations performed or the times when temperature ranges have been exceeded.
Conditions:
When a FIPS device fails it can be difficult to determine if there were temperature or over use issues.
Impact:
Lack of environmental information to diagnose problems.
Fix:
A fips_stats table is now maintained and can be queried with the tmctl tool. The statistics are also present in qkviews.
847105 : The bigip_gtm.conf is reverted to default after rebooting with license expired★
Component: Global Traffic Manager (DNS)
Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).
Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.
Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.
Workaround:
Renew license before reboot. Always reboot with valid license.
If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.
1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
tmsh load sys config gtm-only
If this is a the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.
846601 : Traffic classification does not update when an inactive slot becomes active after upgrade★
Component: Traffic Classification Engine
Symptoms:
VIPRION platforms have an automated process of joining a newly inserted blade to a cluster. TMOS install, licensing, and configuration including iAppLX are synchronized from primary to the newly inserted blade automatically without manual intervention. Traffic classification update is not occurring as expected under these conditions.
Conditions:
-- Traffic classification configured.
-- Update installation.
-- VIPRION blade is inactive, and later comes online.
Impact:
Traffic policies/rules related to updated installation do not work on inactive slot when it returns to the online state.
Workaround:
To prevent this issue from occurring, ensure that all blades are online when installation begins.
If you insert a blade, run config sync manually from the active blade.
Fix:
Upgrade script now initiates install when the slot becomes active.
846317 : Show net ipsec ipsec-sa traffic-selector not working on secondary blade
Component: TMOS
Symptoms:
The tmsh command 'show net ipsec ipsec-sa traffic-selector' does not work on the secondary blade.
Conditions:
-- Configuration with secondary blades (cluster scenario).
-- Running the command ont he secondary blade: show net ipsec ipsec-sa traffic-selector
Impact:
IPsec SA's from the secondary blade are not displayed.
Workaround:
You can use either of the following workarounds:
-- Remove the traffic-selector classifier from the command, and all IPsec SA's are then displayed.
-- The results of all blades can be viewed at once by issuing from the primary blade:
clsh tmsh show net ipsec ipsec-sa
Fix:
When issuing the command 'tmsh show net ipsec ipsec-sa traffic-selector' on a secondary blade, the correct results are now shown.
845333 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
Fix:
Validation can recognize the datagroup on Transport Config objects.
844085 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
Component: TMOS
Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:
01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.
Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.
Impact:
Unable to change the source address of a virtual server to an address list.
Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:
tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}
tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any
842989 : PEM: tmm could core when running iRules on overloaded systems
Component: Policy Enforcement Manager
Symptoms:
When sessions usage iRules are called on an already overloaded system it might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on tmm or modify the optimize the irule.
842717-9 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
Solution Article: K55102004
842517-3 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
Component: Local Traffic Manager
Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID
Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.
Impact:
SSL handshake fails.
Workaround:
Restart the PKCS11D.
842149 : Verified Accept for SSL Orchestrator
Component: Access Policy Manager
Symptoms:
You are unable to configure Verified Accept on SSL Orchestrator.
Conditions:
-- SSL Orchestrator in use .
-- A TCP profile is in use and it contains the Verified Accept flag.
Impact:
No connectivity over SSL Orchestrator.
Workaround:
None.
Fix:
Fixed a problem with Verified Accept and SSL Orchestrator.
841305 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
Component: Application Visibility and Reporting
Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error
Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.
Impact:
Charts are empty in the GUI, and the system logs errors in monpd.
Workaround:
None.
Fix:
Fixed an issue with HTTP stats database tables.
839145 : CVE-2019-10744: lodash vulnerability
Solution Article: K47105354
839121 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★
Solution Article: K74221031
Component: TMOS
Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Conditions:
The upgrade failure is seen when all the following conditions are met:
-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
Workaround:
There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
3. tmsh load /sys config
837889-1 : Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade★
Component: TMOS
Symptoms:
Configuring duplicate net ipsec traffic-selectors with one having interface mode ipsec-policy and another having non-interface mode ipsec-policy is allowed, but results in an error on reloading the config, and may fail during upgrades.
Conditions:
-- Adding a second traffic-selector that has the same values for all these five attributes:
- destination-address
- destination-port
- source-address
- source-port
- ip-protocol.
-- The second traffic-selector ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface'.
-- The first traffic-selector has a non-interface ipsec-policy.
Example of two duplicate traffic-sectors (trafsel1 and trafsel2):
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
Impact:
The configuration is allowed, but fails config reload and upgrade, giving the following error:
01070734:3: Configuration error: Duplicate traffic selector is not allowed.
Workaround:
Before upgrading:
Ensure all pairs of duplicate traffic-selectors have an ipsec-policy configured and that, this ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface', or ensure any one of the five attributes listed above is unique.
This can be done in multiple ways:
1. Change the ipsec-policy of the traffic-selector to take an interace mode ipsec-policy:
Example:
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-address 1.1.1.1/32
source-port texar
}
2. Change the mode of ipsec-policy (used by any duplicate traffic-selector) to 'interface'.
Example:
net ipsec ipsec-policy temp-ipsec-policy {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec ipsec-policy temp-ipsec-policy-interface {
ike-phase2-auth-algorithm aes-gcm128
ike-phase2-encrypt-algorithm aes-gcm128
mode interface
}
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy
source-address 1.1.1.1/32
source-port texar
}
3. Change any one of the five attributes to be unique, (e.g., source-address):
net ipsec traffic-selector trafsel1 {
ipsec-policy temp-ipsec-policy
source-address 1.1.2.2/32
source-port texar
}
net ipsec traffic-selector trafsel2 {
ipsec-policy temp-ipsec-policy-interface
source-texar 1.1.1.1/32
source-port texar
}
Fix:
Modify the config of duplicate traffic-selectors to have their ipsec-policy set to "interace" mode or make any one of the five attributes noted above unique.
837637 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Solution Article: K02038650
Component: Global Traffic Manager (DNS)
Symptoms:
Configuration fails to load after upgrade with a message:
01420006:3: Can't find specified cli schema data for x.x.x.x
Where x.x.x.x indicates an older version of BIG-IP software than is currently running.
Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
Before upgrading:
If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh load sys config gtm-only
After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh restart sys service all
834533 : Linux kernel vulnerability CVE-2019-15916
Solution Article: K57418558
830413-1 : Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★
Component: TMOS
Symptoms:
Deployment of BIG-IP Virtual Edition may result in an error "Failed to generate ssh host key".
Conditions:
Azure only. Observed for instances with password-based authentication.
Impact:
A timing issues exists with host key generation. The Virtual Machine is likely to be deployed, but users and automation tools might be unable to communicate with the instance.
Workaround:
BIG-IP may still be accessible despite the error.
829821 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
Component: TMOS
Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
829677 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Process traffic while DoS Dashboard is open.
This issue is happening because a VIPRION process is not available because of a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker
The fix also includes automatic removal of unused tmp files.
828789 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
Component: TMOS
Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.
Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.
Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.
This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.
Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.
825501-5 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★
Component: Protocol Inspection
Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.
It also shows different versions of the Active IM package on different slots.
Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.
Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.
As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality
Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.
824885 : When BIG-IP is deployed as SAML SP, it cannot decrypt assertion it receives from IdP if it is signed using AES-GCM algorithm
Component: Access Policy Manager
Symptoms:
BIG-IP as SAML Service Provider (SP) fails to decrypt an assertion and report an error when the assertion is encrypted using AES-GCM:
err apmd[13452]: 01490202:3: session: SAML Agent: ag failed to process encrypted assertion, error: Unsupported encryption algorithm.
Conditions:
This occurs when BIG-IP SP receives an encrypted assertion from an IdP which is encrypted using AES-GCM.
Impact:
BIG-IP as SAML SP fails to verify assertion, so the access policy execution may fail if BIG-IP as SAML SP is configured for client end user authentication.
Workaround:
None.
Fix:
BIG-IP as SAML Service Provider can now successfully decrypt assertion that is encrypted using AES GCM protocol family: AES 128 GCM, AES 192 GCM, and AES 256 GCM
823877 : CVE-2019-10098 apache mod_rewrite vulnerability
Solution Article: K25126370
822377 : CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability
Component: TMOS
Symptoms:
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Conditions:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. The following command can be used to search for possible vulnerable configurations:
grep -R '^\s*Proxy' /etc/httpd/
Impact:
An attacker could cause the link on the error page to be malformed and instead point to a page of their choice.
Workaround:
This flaw is only exploitable if Proxy* directives are used in Apache httpd configuration. As a Mitigation/Workaround, exclude Proxy* directives in Apache Httpd configuration.
Fix:
Removed request data from many other in-built error messages.
822245 : Large number of in-TMM monitors results in some monitors being marked down
Component: In-tmm monitors
Symptoms:
Pool members are marked down from the in-TMM monitor.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
Monitor target may appear down when it is actually up.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
820845 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
Component: TMOS
Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
819329-1 : Specific FIPS device errors will not trigger failover
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs, but the device is idle
Impact:
The device may not fail over on FIPS hardware failure.
Fix:
Interpret rare FIPS card failure as failover event.
819301 : Incorrect values in REST response for dos-l3 table
Component: Application Visibility and Reporting
Symptoms:
Some of the calculations in the AVR publisher are not performed, and incorrect values are shown in the REST response.
Conditions:
-- Device vector detection and mitigation thresholds are set to 10
-- The attack vector is triggered
Impact:
Wrong values appear in REST reponse
Fix:
Fixed an issue with incorrect values for mitigated attacks.
819053-10 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Component: TMOS
Symptoms:
CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service
Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container
Impact:
UnZip overlapping will leading to denial of service.
Workaround:
N/A
Fix:
UnZip updated to resolve CVE-2019-13232
818705 : afm_cmi.py daemon can cause very high BIG-IP CPU utilization(>90%)
Component: Advanced Firewall Manager
Symptoms:
The AFM Auto threshold and behavioral dos historical data synchronization process consumes greater than 90% CPU. This affects TMM performance and some outages may occur.
Conditions:
This occurs in both high availability (HA) and standalone configurations. In both cases "MCPD" issues were reported. (Delay in response or the daemon crashed)
Impact:
TMM performance is affected and outages may occur.
Workaround:
Kill the AFM data synchronization process:
kill -9 afm_cmi.py
Fix:
If the connection to MCP is non responsive, the script will attempt to reinitialize MCP connection every second until successful. The script will be blocked until mcp connection is established.
818673 : F5 APM modules added capability to pull user group membership information from Kerberos authentication tickets
Component: Access Policy Manager
Symptoms:
F5 APM Kerberos Auth agent is unable to extract the user group membership info from the Kerberos authentication ticket.
Conditions:
This is encountered while using the Kerberos Auth agent
Impact:
APM is unable to extract user group membership info directly from Kerberos tickets.
Workaround:
Use Active Directory query module to query on user group membership info from backend AD server during every request.
Impact of workaround: this has a negative performance impact
Fix:
F5 APM modules added capability in Kerberos Authentication module to pull user group membership IDs from Kerberos authentication tickets, and added new AD Group SID Resolver module to resolve group IDs to memorable group names using group cache.
818253 : Generate signature files for logs
Component: TMOS
Symptoms:
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.
Conditions:
Viewing the audit information stored in /var/log and other locations.
Impact:
Audit log files are stored without integrity files on the local system.
Workaround:
Disable local logging for audit logs and send them to remote syslog, for example:
tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "
Fix:
There is now a LogIntegrity utility provided to generate signature files for logs.
-- To enable the feature:
tmsh modify sys db logintegrity.support value enable
-- To set the LogIntegrity loglevel:
tmsh modify sys db logintegrity.loglevel value debug
You must create private key and store it in SecureVault before enabling this feature. To do so:
1. Generate a private key with the name logfile_integrity.key, for example:
tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365
2. Generate RSA encrypted private SSL keys:
2a. Go to the filestore location on the BIG-IP system:
cd /config/filestore/files_d/Common_d/certificate_key_d/
ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2
openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key
2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key):
2c. run command to list the generated files
ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key
3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system:
tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key
Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated.
If you want to verify Signatures, follow these steps:
1. Go to the filestore location on the BIG-IP system :
cd /config/filestore/files_d/Common_d/certificate_d
2. Execute the following command to generate the public key.
openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer
3.Verify the signature file using public key:
openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1
818213 : CVE-2019-10639: KASLR bypass using connectionless protocols
Solution Article: K32804955
817989 : Cannot change managemnet IP from GUI
Component: TMOS
Symptoms:
You are unable to change the management IP from the GUI
Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.
Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.
Workaround:
Use tmsh to create the management IP. This will overwrite the old one.
Example:
create /sys management-ip [ip address/prefixlen]
To view the management IP configurations
tmsh list /sys management-ip
Fix:
Should be able to set the Management IP from GUI as below
1. Go to System->Platform page.
2. Choose Configuration -> Manual and set some other IPv4 address
3. Press the Update button.
817709 : IPsec: TMM cored with SIGFPE in racoon2
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue no longer occurs.
817369 : TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
Component: Service Provider
Symptoms:
When a georedundancy profile is attached to a TCP, UDP, and SCTP virtual server, proxy does not convert to GEO proxy.
Conditions:
Attach georedundancy profile to a standard TCP, UDP, or SCTP virtual server.
Impact:
Unable to convert proxy to GEO proxy when georedundancy profile is attached with TCP, UDP and SCTP virtual
Workaround:
None.
816953 : RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
Component: Local Traffic Manager
Symptoms:
RST_STREAM is sent on a serverside stream in closing state in HTTP/2 full proxy.
Conditions:
-- HTTP/2 clientside and serverside profiles are attached to the virtual server.
-- HTTP and httprouter profiles are attached to the virtual server.
-- Race between clientside and serverside closing, where clientside closes faster.
Impact:
RST_STREAM is sent on a stream in closed state.
Fix:
Fixed an issue with RST_STREAM being sent incorrectly.
814953-9 : TMUI dashboard hardening
Solution Article: K43310520
814585 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
811041 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
Fix:
The HA table no longer leaks memory if an entry is reinitialized.
808829 : When 'Monitor Disabled Objects' is set to 'no', GSLB should cease monitoring disabled pool members.
Component: Global Traffic Manager (DNS)
Symptoms:
When the 'Monitor Disabled Objects' option is set to 'no', the monitors assigned to a disabled pool member continue monitoring the associated object.
Conditions:
When the 'Monitor Disabled Objects' option is set to 'no' and the configuration for a disabled pool member includes a monitor or the pool member inherits a monitor from the pool.
Impact:
Disabled pool members are always monitored regardless of the 'Monitor Disabled Objects' setting. This prevents using 'Monitor Disabled Objects' set to 'no' as a way to reduce monitoring load by only monitoring active objects.
Workaround:
Remove the monitor from the disabled pool member.
Fix:
GSLB no longer monitors disabled pool members when the pool member configuration includes a monitor and the 'Monitor Disabled Objects' option is set to 'no'.
808409 : Unable to specify if giaddr will be modified in DHCP relay chain
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.
However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced
The default is :
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP
On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain
807957 : Link Up status should clear Link Down in Nokia Alarm database
Component: TMOS
Symptoms:
When using Nokia NetAct (the alertd.nokia.alarm DB variable has the value "enable"), the LINK STATUS traps are the same for down/disable and up/enable. That has the side effect of leaving entries in the Nokia Alarm database.
Conditions:
Enable Nokia NetAct and see that the alarm database has uncleared entries for link status changes.
Impact:
This is confusing because entries in the database that do not clear.
Fix:
A new DB variable has been implemented (alertd.nokia.linktraps). The default value is disabled and the variable only takes effect when alertd.nokia.alarm is enabled. Note that the first time these variables are enabled you must restart the alert daemon and the nokiasnmp daemon. With these variables enabled (and the daemons restarted) the link status traps are broken out into two separate traps. The LINK UP/ENABLED trap clears the LINK DOWN/DISABLED trap.
807913 : The word 'ceritifcate' is misspelled in an error message
Component: Global Traffic Manager (DNS)
Symptoms:
The word 'ceritifcate' should be spelled 'certificate' in the error message:
err big3d[5725]: 12b10000:3: Could not list the ceritifcate directory '/shared/em/ssl.crt' in function EmCertsModified: Permission denied.
Conditions:
This message is produced by big3d when attempting to re-read the certificate file after it realises the timestamp of the file has changed.
Impact:
There is no functional impact to the system. This is an error message that needs updating. In addition, the inclusion of the term 'EM' is erroneous, and you can ignore it.
Workaround:
None.
807337 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
Component: TMOS
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).
Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
806073 : MySQL monitor fails to connect to MySQL Server v8.0
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
804157 : ICMP replies are forwarded with incorrect checksums causing them to be dropped
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server receives an ICMP response without first receiving an ICMP request, the checksum on the ICMP response that is egressed by tmm will not be calculated correctly.
Conditions:
An ICMP response without a corresponding ICMP request, such as in non-symmetric routing scenarios.
Impact:
ICMP replies are forwarded with the incorrect checksum and likely will be dropped by the recipient or other devices on the network.
Workaround:
Ensure symmetric routing. Configure L7 virtual servers for use with ipother profiles.
803933 : Expat XML parser vulnerability CVE-2018-20843
Solution Article: K51011533
803629 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
803233 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.
799293 : Cookie is masked when not configured to be masked
Component: Application Security Manager
Symptoms:
Cookie is assumed to be sensitive data in attack-signature violation details, if another cookie in the same request is configured to be masked.
Conditions:
-- Two cookies are present in the same request.
-- One of the cookies does not raise attack-signature violation and is configured to be masked.
-- The other cookie raises an attack-signature violation and is not defined to be masked.
Impact:
The attack-signature cookie is masked in attack-signature violation details.
Workaround:
None.
Fix:
The cookie that was not defined to be masked is no longer masked.
799001 : Sflow agent does not handle disconnect from SNMPD manager correctly
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
Snmpd service restarts repeatedly
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.
Fix:
No Fix. Execute 'tmsh restart sys service sflow_agent'
797829 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.
797769-11 : Linux vulnerability : CVE-2019-11599
Solution Article: K51674118
794417 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration does not load if saved, and reports an error:
01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.
Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.
Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile
793669 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
None.
Fix:
FQDN ephemeral pool members are now in sync and disabled on the high availability (HA) peer.
789421 : Resource-administrator cannot create GTM server object through GUI
Component: Global Traffic Manager (DNS)
Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.
Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.
Impact:
Unable to create GTM server object via the GUI.
Workaround:
Use tmsh or iControl/REST.
788625 : A pool member is not marked up by the inband monitor even after successful connection to the pool member
Component: Service Provider
Symptoms:
1. Pool member is still shown as down even after BIG-IP has connected to it.
2. If a pool has only one pool member, continuous logs are seen in /var/log/ltm, at the frequency of auto-init interval and in-band timer interval mentioning about pool member being in-active and active respectively.
Conditions:
-- Auto-init is enabled to continuously try connecting the pool member
-- An inband monitor is configured
-- The inband monitor's retry interval is slightly less than auto-init interval
Impact:
Pool member marked down, even though the pool member is up
Workaround:
Configure the inband monitor's retry interval to be the lowest interval possible, which is 1 second.
Fix:
Pool member should be marked as up by the inband monitor, when the pool member comes up and connection to it is successful.
788577-9 : BFD sessions may be reset after CMP state change
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
788465 : DNS cache idx synced across HA group could cause tmm crash
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache idx conflicts and tmm crash.
Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.
Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.
Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm
787885 : The device status is falsely showing as forced offline on the network map while actual device status is not.
Component: TMOS
Symptoms:
Network Map in GUI shows incorrect [Forced Offline] status.
Conditions:
-- Multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Forced Offline]. In other words, it is always shown as [Forced Offline].
-- Non multi-blade system
The device status in the network map is falsely shown [Forced Offline] when actual device status is something else other than [Active] or [Forced Offline]. In other words, it displays fine only for [Active] and [Forced Offline].
Impact:
The device status in the network map is not reliable
Workaround:
None.
787677 : AVRD stays at 100% CPU constantly on some systems
Component: Application Visibility and Reporting
Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.
Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.
Impact:
System performance degrades.
Workaround:
Restart TMM:
bigstart restart tmm
Fix:
Added processing that prevents AVRD from entering endless loops.
785877 : VLAN groups do not bridge non-link-local multicast traffic.
Component: Local Traffic Manager
Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.
Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.
Impact:
Non-link-local multicast traffic does not get forwarded.
Workaround:
None.
Fix:
VLAN groups now bridge non-link-local multicast traffic.
785361 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.
Conditions:
L2Wire mode.
Impact:
All srcIP 0.0.0.0 packets are dropped silently.
Workaround:
Configure the virtual server to be in L2-forward mode.
Fix:
The system no longer drops srcIP 0.0.0.0 packets when in L2Wire mode.
785017 : Secondary blades go offline after new primary is elected
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
783125 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
779857 : Misleading GUI error when installing a new version in another partition★
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
778049 : Linux Kernel Vulnerability: CVE-2018-13405
Solution Article: K00854051
776393 : Restjavad restarts frequently due to insufficient memory with relatively large configurations
Component: TMOS
Symptoms:
Restjavad restarts frequently -- approximately every 5 minutes -- due to the JVM heap running out of memory
Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.
Impact:
REST API intermittently unavailable.
Workaround:
Give restjavad extra memory, using the following commands. The example below allocates 2 GB of extra memory to restjavad:
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.extramb value 2000
bigstart restart restjavad
To persist the change above with system reboots, save the configuration with:
tmsh save sys config
Fix:
Default restjavad heap memory has been increased to 384MB
776285 : No stats returned for 'ltm classification stats urlcat-cloud' component at system startup
Component: Traffic Classification Engine
Symptoms:
The 'ltm classification stats urlcat-cloud' returns no stats even if the stats have zero values.
Conditions:
-- PEM URL Filtering license
-- The BIG-IP system has recently rebooted and has not passed traffic yet
Impact:
You are unable to see the zeroed stats for 'urlcat-cloud' until traffic has passed through and some stats accumulate.
Workaround:
None
Fix:
Zero value stats for 'urlcat-cloud' component are initialized at BIG-IP startup if PEM URL Filtering is licensed.
774265 : Incorrect mac seen in the network when RST packet generated by BIG-IP in transparent vlangroup
Component: Local Traffic Manager
Symptoms:
BIG-IP generates wrong source mac in the RST packet.
Conditions:
-- Transparent vlangroup is configured on the BIG-IP
-- A back-end server is shutdown
Impact:
Packets with incorrect source mac are seen in the network
773693-10 : CVE-2020-5892: APM Client Vulnerability
Solution Article: K15838353
768085 : Error in python script /usr/libexec/iAppsLX_save_pre line 79
Component: iApp Technology
Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"
Conditions:
This can be encountered while trying to create a UCS file.
Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.
Workaround:
None.
767341 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Component: Local Traffic Manager
Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.
Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.
This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.
Filesystem error might be due to power loss, full disk or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.
Another workaround is clean install, if possible/acceptable
766017 : [APM][LocalDB] Local user database instance name length check inconsistencies★
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
760739 : The Nokia alert configuration is not correct for all clearing events
Component: TMOS
Symptoms:
Alarms may not get correctly entered or cleared from the Nokia Alarm database.
Conditions:
A Nokia alarm is generated and then the alert condition clears.
Impact:
The alarm is not cleared when it should be. This can lead to confusion about error conditions.
Workaround:
None.
Fix:
The values have been corrected.
760629 : Remove Obsolete APM keys in BigDB
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete
Conditions:
This is encountered on BIG-IP software installations.
Impact:
The db keys are obsolete and can be safely ignored.
Workaround:
None
Fix:
The following db keys have been removed from the system:
Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db
759988 : Geolocation information inconsistently formatted
Component: Fraud Protection Services
Symptoms:
The ${geo} pattern in the Logging Profile has only GeoIP data; however, in alerts that are sent to either the alert server or to BIG-IQ, the GEO data includes both GeoIP and GeoLocation information.
Conditions:
Configure ${geo} pattern in Logging Profile template and trigger a logging event.
Impact:
GeoLocation data is missing in logs written by Logging Profile when using ${geo} pattern.
Fix:
The ${geo} pattern in Logging Profile template now provides full GEO informaion, both GeoIP and GeoLocation, in the same format as in alerts.
759799 : New rules cannot be compiled
Component: Advanced Firewall Manager
Symptoms:
When the number of firewall policy rules compiles to a blob sized over 2 GB, the blob size limit is exceeded and no new rules can be compiled. All traffic stops.
Conditions:
When compiled rules configured size exceeds 2 GB after a new rule is added.
Impact:
New rules cannot be compiled. Traffic stops.
Workaround:
Remove rules until the rules compile successfully.
759769 : No TTL options (set, proxy, preserve, decrement) on IPOTHER profile
Component: Local Traffic Manager
Symptoms:
Unable to control TLL/IPV6 HL value when ipother profile is used.
Conditions:
-- ipother profile is used in the virtual server.
Impact:
No option to control TTL value when ipother is used.
Workaround:
N/A
Fix:
You can now configure TTL Options (set, preserve, proxy, decrement) on the ipother profile. This is available on both IPV4 and IPV6.
Specifies the outgoing packet's IP Header TTL mode. The default is Decrement. The available settings are:
-- Proxy: Sets the outgoing IP Header TTL value to 255/64 for IPv4/IPv6 respectively.
-- Preserve: Sets the outgoing IP Header TTL value to be same as the incoming IP Header TTL value.
-- Decrement: Sets the outgoing IP Header TTL value to be one less than the incoming TTL value.
-- Set: Sets the outgoing IP Header TTL value to a specific value(as specified by ip-ttl-v[4|6]).
759564 : GUI not available after upgrade
Component: TMOS
Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions
Shell prompt may show logger[1234]: Re-starting named
bigstart restart httpd fails
bigstart start httpd fails
Conditions:
Installation over a previously used Boot Volume
Impact:
Corrupt install
Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.
758336-7 : Incorrect recommendation in Online Help of Proactive Bot Defense
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
756812-5 : Nitrox 3 instruction/request logger may fail due to SELinux permission error
Component: Local Traffic Manager
Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.
The system posts messages in /var/log/ltm similar to the following:
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.
Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.
Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.
Workaround:
None.
Fix:
Nitrox 3 queue stuck occurrences are now logged as expected.
756313 : SSL monitor continues to mark pool member down after restoring services
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
-- To restore the state of the member, remove it and add it back to the pool.
-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.
754335 : Install ISO does not boot on BIG-IP VE★
Component: TMOS
Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).
Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.
Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.
Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.
753715 : False positive JSON max array length violation
Component: Application Security Manager
Symptoms:
False-positive JSON max array length violation is reported.
Conditions:
-- JSON profile is used.
-- The violation is coming for non-array under certain conditions.
Impact:
The system reports a false-positive violation.
Workaround:
None.
751103 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
Component: TMOS
Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.
Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config
Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)
Scripts are stopped until the prompt is answered.
Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).
In the case of this script, you can also delete the management route definitions to prevent the question from being asked.
749007 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list
Component: TMOS
Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.
Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.
Impact:
Cannot select South Sudan county from GTM country list.
Workaround:
None
Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.
748333 : DHCP Relay does not retain client source IP address for chained relay mode
Component: Local Traffic Manager
Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.
Conditions:
Using DHCP chained relay mode.
Impact:
The src-address is changed when it should not be.
Workaround:
None.
Fix:
For chained relay mode there is now an option to preserve the src-ip, controllable by 'sys db tmm.dhcp.relay.change.src'.
747234 : Macro policy does not find corresponding access-profile directly
Component: Access Policy Manager
Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.
Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.
Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.
Workaround:
Apply the Access Policy manually after auto-discovery.
Fix:
Fixed an issue with not automatically applying the access policy after discovery.
747020 : Requests that evaluate to same subsession can be processed concurrently
Component: Access Policy Manager
Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases
Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.
Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.
Workaround:
None.
746984 : False positive evasion violation
Component: Application Security Manager
Symptoms:
When Referer header contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.
Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- Referer header contains a backslash character ('\') in query string part.
Impact:
False positive evasion technique violation is raised for Referer header.
Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.
Fix:
Fixed Referer value normalization to be done on the URL part only.
743253 : TSO in software re-segments L3 fragments.
Component: Local Traffic Manager
Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.
Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.
Impact:
Already-fragmented traffic is fragmented again.
Workaround:
None
743105 : BIG-IP SNAT vulnerability CVE-2021-22998
Solution Article: K31934524
741702 : TMM crash
Component: TMOS
Symptoms:
TMM crashes during normal operation.
Conditions:
-- This can occur while passing normal traffic.
-- In this instance, APM and LTM are configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
740589 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
Component: TMOS
Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.
Conditions:
Configuring nonexistent local IP addresses and remote log server.
Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.
Workaround:
To mitigate the issue, you can use either of the following:
-- Follow these two steps:
1. Remove the remote log server from the configuration.
2. Replace the nonexistent local IP addresses with self IP addresses.
-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));
739570 : Unable to install EPSEC package★
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.
739507-5 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
Component: TMOS
Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.
Console shows messages similar to:
Starting System Logger Daemon...
[ OK ] Started System Logger Daemon.
[ 14.943495] System halted.
Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.
Impact:
The device halts and cannot be used.
Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.
If the system still halts, repeat from Step [1] above, until this no longer happens.
Fix:
If your device is running a version where ID 739507 is fixed:
[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.
The machine boots into the partition containing FIPS 140-2-enabled license.
[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:
Integrity Check Result: [ FAIL ]
If fatal errors persist, do not reboot (otherwise the system foes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.
Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.
[11] Truncate the file /config/f5_public/fipserr:
cat /dev/null > /config/f5_public/fipserr
739505-1 : Automatic ISO digital signature checking not required when FIPS license active★
Component: TMOS
Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.
The system logs an error message upon an attempt to install or update the BIG-IP system:
failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)
Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.
Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.
Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.
Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.
738964-6 : Instruction logger debugging enhancement
Component: Local Traffic Manager
Symptoms:
Specific platforms may experience a zip-engine lock-up for various reasons. When it happens, the symptoms follow a report pattern that declares the zip-engine requires reset. When resets persist, the instruction logger is unable to diagnose the value of the instructions sent to the zip-engine.
Conditions:
Invalid or unusual compression source data.
Impact:
Compression device goes off-line and CPU usage spikes as it takes over all compression responsibility. Lack of instruction logging makes it difficult to diagnose what occurred.
Workaround:
Disable hardware compression until issue is fixed.
Fix:
A new tcl variable, nitrox::comp_instr_logger has been added. It has four possible values: off, on, force-restart-tmm and force-reboot-host. This variable is used for diagnosing issues with the Nitrox compression engine.
738032 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.
Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.
Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.
Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.
730852 : The tmrouted repeatedly crashes and produces core when new peer device is added
Component: TMOS
Symptoms:
There is a tmrouted crash when new peer device is added.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.
Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
723112-9 : LTM policies does not work if a condition has more than 127 matches
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
Fix:
LTM policy now works for a condition with more than 127 matches.
722337 : Always show violations in request log when post request is large
Component: Application Security Manager
Symptoms:
The system does not always show violations in request log when post request is large.
Conditions:
A large post request with many parameters is sent.
Impact:
Although the violations is handled correctly, it is not reported.
Workaround:
Disable learning mode.
The internal parameter pb_sampling_high_cpu_load can define what is seen as high CPU load above which sampling does not take place. The default is 60.
-- Using a lower value reduces the chances of sampling data.
-- Using 0 makes sampling never happen and thus this issue does not occur (this slows down automatic policy building).
719338 : Concurrent management SSH connections are unlimited
Component: TMOS
Symptoms:
There is no limit to the number of users that can login concurrently onto a BIG-IP system.
Conditions:
Multiple users are logged into the BIG-IP device through SSH at the same time.
Impact:
System can potentially run out of memory.
Workaround:
Provide a way to limit the number of concurrent user SSH sessions.
Fix:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
+ Enables the feature; feature is functional with default values.
+ Defaults: feature is not enabled for admin/root privileged user.
+ Total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
+ Enables feature for admin/root privileged user.
+ Total session limit for all users is still 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
+ Changes the default global setting limit of 10 to the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
+ Sets the maximum session limit per user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
+ Sets the maximum number of sessions for a particular user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
Behavior Change:
There are new db variables available for specifying SSH session limits, overall, per-user, and for a specific user.
-- Command: modify sys global-settings ssh-session-limit [enable/disable]
Specifies enable/disable of ssh session limit feature.
+ Enables the feature; feature is functional with default values.
+ Defaults: feature is not enabled for admin/root privileged user.
+ Total session limit for all users is 10 sessions.
-- Command: modify sys global-settings ssh-root-session-limit [enable/disable]
Specifies enable/disable of SSH session limit feature for root user.
+ Enables feature for admin/root privileged user.
+ Total session limit for all users is still 10 sessions.
-- Command: modify sys global-settings ssh-max-session-limit <value>
Specifies a global maximum number of SSH sessions.
+ Changes the default global setting limit of 10 to the specified value.
-- Command: modify sys global-settings ssh-max-session-limit-per-user <value>
Specifies a global maximum number of SSH sessions for each user.
+ Sets the maximum session limit per user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
-- Command: create auth user <> session-limit <value>
Specifies a user-specific SSH sessions limit.
+ Sets the maximum number of sessions for a particular user.
+ Total sessions on the system are still enforced by the setting for ssh-max-session-limit.
718573 : Internal SessionDB invalid state
Component: TMOS
Symptoms:
TMM crashes.
Conditions:
SessionDB is accessed in a specific way that results in an invalid state.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
718189 : Unspecified IP traffic can cause low-memory conditions
Solution Article: K10751325
717346-9 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
Rarely occurring, unstable network could be one of the reasons.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
716746-5 : Possible tmm restart when disabling single endpoint vector while attack is ongoing
Component: Advanced Firewall Manager
Symptoms:
tmm restarts.
Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.
Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.
Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.
Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.
Fix:
tmm no longer restarts when disabling single endpoint vector while an attack is ongoing.
714642 : Ephemeral pool-member state on the standby is down
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).
Workaround:
None.
714176 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Component: TMOS
Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.
Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.
Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.
Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.
1. Locate the dynad config in /config/bigip_base.conf file:
For example, the dynad config will look like:
sys dynad key {
key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}
2. Modify the dynad configuration lines to:
sys dynad key {
key "test"
}
3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config
Fix:
The log message is improved to provide the BIG-IP administrator with more specific detail that the dynad key failed to be decrypted.
706521 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
Solution Article: K21404407
Component: TMOS
Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.
Conditions:
Configure TACACS+ auditing forwarder.
Impact:
Exposes sensitive information.
Workaround:
None.
Fix:
The sensitive data is not exposed, and this issue is fixed.
703610 : Support of virtual wire on VE
Component: Local Traffic Manager
Symptoms:
Virtual wire can now be configured on BIG-IP Virtual Edition (VE).
Conditions:
-- Using VE.
-- Creating virtual wire configurations.
Impact:
You can use virtual machines (VMware ESXi) to create virtual wire configurations.
Workaround:
None needed. This is new capability.
Fix:
Virtual wire can be created on VMware ESXi machines with VyOS switches.
Both tagged and untagged traffic is working as expected.
Behavior Change:
Virtual wire can now be configured on BIG-IP Virtual Edition (VE).
703510 : Add Minimum Up members required for GTM pool to be up
Component: Global Traffic Manager (DNS)
Symptoms:
A pool is marked UP even with one active pool member. If the application servers cannot support all client connections in a single site with fewer pool members, this may result in delayed response or server down.
Conditions:
-- GTM pool
-- The pool requires a minimum number of members to be available
Impact:
If the pool has insufficient pool member resources, the servers could become overloaded and disrupt traffic.
Workaround:
None
Fix:
You can now configure the minimum up members.
Behavior Change:
You can now set the minimum up members:
Create gtm pool a test members add { Server1:/Common/vs1 Server1:/Common/vs2 Server1:/Common/vs3 } min-members-up-mode number min-members-up-value 2
Pool minimum up members works with mode and value options where mode has 3 possibilities: OFF, NUMBER and PERCENT.
Mode is OFF and the value is 0 by default.
696755-7 : HTTP/2 may truncate a response body when served from cache
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the body to be displayed:
when HTTP_RESPONSE_RELEASE {
set con_len [string trim [HTTP::header value Content-Length]]
HTTP::header remove Content-Length
HTTP::header insert Content-Length "$con_len"
}
Fix:
With provided fix, HTTP/2 end users no longer experience the problem of incorrect page rendering due to this issue.
693360 : A virtual server status changes to yellow while still available
Solution Article: K52035247
692218 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
682395 : SNI support for GTM HTTPS monitors
Component: Global Traffic Manager (DNS)
Symptoms:
Some applications require that a TLS connection request include the Server Name Indication (SNI) extension to determine which server certificate should be used when negotiating a connection.
Conditions:
Monitoring HTTPS resources.
Impact:
GTM can now properly monitor resources that require SNI.
Workaround:
None.
Fix:
GTM HTTPS monitoring allows the specification of the SNI value to use when monitoring a resource.
679751 : Authorization header can cause a connection reset
Component: Access Policy Manager
Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.
Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.
Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.
Workaround:
iRule workaround:
when HTTP_REQUEST {
if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
}
}
Fix:
APM no longer resets connections and reports an ERR_ARG from a simple web request.
675911 : Different sections of the GUI can report incorrect CPU utilization
Solution Article: K13272442
Component: TMOS
Symptoms:
The following sections of the GUI can report incorrect or higher than expected CPU utilization:
-- The 'download history' option found in the Flash dashboard.
-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).
Values such as 33%, 66%, and 99% may appear in these sections despite the system being completely idle.
Conditions:
HT-Split is enabled (default for platforms that support it).
Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.
Workaround:
-- You can obtain CPU history through various other means. One way is to use the sar utility.
- In 12.x and higher versions:
sar -f /var/log/sa6/sa
- or for older data:
sar -f /var/log/sa6/sa.1
- The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
- In 11.x:
sar -f /var/log/sa/sa
- or for older data
sar -f /var/log/sa/sa.1
- The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
-- Live CPU utilization can also be obtained through the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.
675772 : IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
Component: TMOS
Symptoms:
When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.
Conditions:
Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy.
Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.
Impact:
IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.
Workaround:
(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector.
(2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.
Fix:
By design the implementation does not allow ipsec-policy instances to be shared, under interface mode tunnels, because the tunnel IP addresses used by the interface mode tunnel get pushed into the ipsec-policy instance. In effect, they must match. You can select a dummy IP address for the tunnel into the ipsec-policy, but these are ignored and replaced by the IP addresses of the interface mode tunnel at runtime. When an ipsec-policy is shared, it will have the wrong tunnel IP addresses for one or more of the interface mode tunnels.
648242-8 : Administrator users unable to access all partition via TMSH for AVR reports
Solution Article: K73521040
Component: Application Visibility and Reporting
Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).
Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.
Impact:
AVR reports via TMSH will fail when using partition based entities.
Workaround:
None.
Fix:
Allowing for administrator users to get all partitions available on query.
646440 : TMSH allows mirror for persistence even when no mirroring configuration exists
Component: Local Traffic Manager
Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.
Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.
Impact:
A memory leak and degraded performance can occur when:
-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.
Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.
If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:
1. Access the BIG-IP Bash prompt.
2. List the Persistence profiles with the following command:
tmsh list ltm persistence
3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.
4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled
5. Save the changes to the Persistence profiles:
tmsh save sys config
Fix:
TMSH no longer allows the configuration of mirroring of persistence profiles, which prevents any potential memory leak.
644192 : Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN
Solution Article: K23022557
Component: Global Traffic Manager (DNS)
Symptoms:
Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.
Conditions:
A CNAME wide IP and a dnx with parent zone.
For example, CNAME wide IP for www.siterequest.com and a dnx zone for siterequest.com.
Impact:
Cache resolvers will remember NXDOMAIN for the entire name. So clients talking to those caches asking for A/AAAA records may actually get NXDOMAIN responses until the negative cache expires.
Workaround:
Option 1: Create a related "www.siterequest.com" txt record in ZoneRunner
Option 2: Create a ltm virtual server iRule, similar to this:
when DNS_RESPONSE {
if { [DNS::question name] eq "www.siterequest.com" } {
if { [DNS::header rcode] eq "NXDOMAIN" } {
DNS::header rcode NOERROR
DNS::authority clear
return
}
}
}
Fix:
A new DB key, 'gtm.allownxdomainoverride', has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response.
615934-5 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
592353 : Javascript parser incompatible with ECMA6/7+
Component: Access Policy Manager
Symptoms:
A web application mis-functions on the client side
Conditions:
-- APM proxying a web application
-- Web-application uses ES6/7 or higher javascript
Impact:
Web application mis-function
Fix:
Fixed an issue with Javascript rewrite not occurring on ECMA6/7 Javascript.
582331 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
Fix:
Maximum connections is now accurate when TMM load is uneven.
550928 : TMM may crash when processing HTTP traffic with a FastL4 virtual server
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server with HTTP profile is used, certain traffic flows may cause excessive resource consumption.
Conditions:
-- FastL4 virtual server with HTTP profile.
Impact:
Excessive resource consumption, potentially leading to a TMM crash and failover event.
Workaround:
-- If the HTTP profile is required, use a standard virtual server rather than performance (FastL4) type.
-- If the HTTP profile is not required, you can remove the HTTP profile from the virtual server.
Fix:
TMM now process FastL4 HTTP traffic as expected
489572 : Sync fails if file object is created and deleted before sync to peer BIG-IP
Solution Article: K60934489
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.
398683 : Use of a # in a TACACS secret causes remote auth to fail
Solution Article: K12304
Component: TMOS
Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.
Conditions:
TACACS secret contains the '#' character.
Impact:
TACACS remote auth fails.
Workaround:
Do not use the '#' character in the TACACS secret.
1020941 : HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags
Component: Local Traffic Manager
Symptoms:
HTTP/2 request fails with COMPRESSION_ERROR.
Conditions:
HTTP/2 header frames are received in multiple xfrags in such a way that the first 2 bytes of 'encoded' header-field 'value-length' are the last 2 bytes of the xfrag, and the remaining bytes are in the next xfrag.
Impact:
The header value length is incorrectly updated, and the HTTP/2 request fails.
Workaround:
None
Fix:
HTTP/2 now parses the request, regardless of its xfrags distribution.
1020349 : APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL
Component: Access Policy Manager
Symptoms:
APM daemon (apmd) crashes and a coredump is created at '/var/core/'
Conditions:
-- Configure On-Demand Cert Auth with any Auth Mode
-- 'Request/Require'
-- Configure AAA CRLDP
Impact:
All CRLDP based authentications fail.
Workaround:
None
Fix:
The system now handles this condition.
1019085 : Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★
Component: TMOS
Symptoms:
Network virtual-addresses default to "arp disabled" and "icmp-echo disabled". However, a BIG-IP Administrator can change these settings to "enabled", if required.
Either following a software upgrade or a reload of the configuration from file, network virtual-addresses that had previously been set to "icmp-echo enabled" revert to the default of "icmp-echo disabled".
Conditions:
- One or more network virtual-addresses configured with "icmp-echo enabled".
- A software upgrade or reload of the configuration from file occurs (for example, taking and restoring a UCS archive, removing the mcpd binary database and reloading the config, etc.).
Impact:
Traffic failures can occur as a result of the affected network virtual-addresses not being presented to the surrounding network as originally intended by the BIG-IP Administrator.
Workaround:
Manually configure the affected virtual-addresses to "icmp-echo enabled" again. This workaround is not permanent, and the issue will occur again in the future given the right conditions.
Fix:
Network virtual-addresses no longer lose the "icmp-echo enabled" property.
1019081 : HTTP/2 hardening
Component: Local Traffic Manager
Symptoms:
Under certain condition, the HTTP/2 profile does not follow current best practices
Conditions:
- HTTP/2 profile enabled
Impact:
The HTTP/2 profile does not follow current best practices.
Workaround:
N/A
Fix:
TMM now processes HTTP/2 traffic as expected
1017973 : BIND Vulnerability CVE-2021-25215
Solution Article: K96223611
1017965 : BIND Vulnerability CVE-2021-25214
Solution Article: K11426315
1017645 : False positive HTTP compliance violation
Component: Application Security Manager
Symptoms:
False positive HTTP compliance violation.
Conditions:
Authorization header with bearer token and/or some other authorization headers types.
Impact:
False positive traffic blocking.
Workaround:
Turn on an internal parameter by entering the following command from the BIG-IP CLI:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
The RFC compliance violation is no longer issued for unknown types of authorization headers.
1016657 : TMM may crash while processing LSN traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing LSN traffic
Conditions:
- LSN listener enabled
- Packet filtering enabled
Impact:
TMM crash leading to a failover event
Workaround:
N/A
Fix:
TMM now processes LSN traffic as expected
1016465 : Built-in Integrated Bot Defense iApp template "f5.ibd"
Component: Application Security Manager
Symptoms:
There is no built-in Integrated Bot Defense iApp template on BIG-IP for configuring SED application.
Conditions:
Any BIG-IP version installed.
Impact:
You are required to download and install the Integrated Bot Defense iApp template from F5 Cloud Services and import it into the BIG-IP system.
Workaround:
None
Fix:
The Integrated Bot Defense iApp template is now a part of the F5 verified and certified iApp templates built-in into the BIG-IP.
1015385 : Built-in Device ID+ iApp template "f5.apg_analytics"
Component: Application Security Manager
Symptoms:
There is no Device ID+ iApp template on BIG-IP for providing a Device ID+ solution for BIG-IP systems.
Conditions:
Any BIG-IP version installed.
Impact:
You are required to download and install the Device ID+ iApp template from F5 Cloud Services and import it into the BIG-IP system.
Workaround:
None
Fix:
The Device ID+ iApp template is now a part of the F5 verified and certified iApp templates built-in into the BIG-IP.
1015381-3 : Windows Edge Client does not follow best practices while installing
Solution Article: K08503505
1015161 : Ephemeral pool member may not be created when FQDN resolves to address that matches static node
Component: Local Traffic Manager
Symptoms:
An ephemeral pool member may not created if the FQDN name resolves to a new IP address that matches an existing statically-configured node.
When this occurs, a message like the following appears in the LTM log:
err mcpd[4498]: 01070734:3: Configuration error: node (/Common/_auto_10.10.120.12) not found.
Note that the node name in the message is the expected name of an ephemeral node created for this address, not the actual name of the statically-configured node with that IP address.
Conditions:
This may occur if:
-- The FQDN node and pool member are created with the "autopopulate enabled" option.
-- The FQDN name resolves to more than one IP address.
-- One of these IP addresses was not included in the previous DNS query result.
-- There is a statically-configured node with the same IP address.
Impact:
An ephemeral pool member is not created for the IP address newly included in the DNS query result. This results in traffic not being load-balanced to all of the expected pool members.
Workaround:
Use one of the following methods to prevent this issue from occurring:
-- Avoid creating statically-configured nodes using the same IP addresses returned by resolution of configured node/pool member FQDN names.
-- Configure the FQDN pool member with "autopopulate disabled" (default), which creates only a single ephemeral pool member.
Perform this sequence of actions to recover from an occurrence of this issue:
1. Remove any pool members referencing the conflicting IP address(es) from their respective pool(s).
2. Delete the statically-configured node(s) using the conflicting IP address(es).
3. Add any pool members referencing the conflicting IP address(es) back to their respective pool(s).
Fix:
Ephemeral pool members are successfully created when the corresponding FQDN name resolves to one or more new IP addresses that conflict with statically-configured nodes.
1013813 : Advanced WAF GraphQL support
Component: Application Security Manager
Symptoms:
GraphQL queries payload causes lots of false positive signautres.
Conditions:
GraphQL payload arriving to ASM.
Impact:
Lots of false positives.
Workaround:
N/A
Fix:
BIG-IP Advanced WAF now supports GraphQL. GraphQL queries are parsed and signatures are applied on the relevant parts of the query, and Advanced WAF can perform introspection mitigation, syntax enforcement, max query depth and additional settings mitigations.
1013649 : Leftover files in /var/run/key_mgmt after key export
Component: TMOS
Symptoms:
Files accumulate in /var/run/key_mgmt
qkview grows too large to be processed by iHealth
Conditions:
iControl SOAP used for key export
Impact:
Thousands of files can eventually accumulate in /var/run/key_mgmt, impacting ability to process qkviews
it takes long time to process.
Workaround:
Delete files in /var/run/key_mgmt manually
Fix:
Earlier f5km_shutdown is called with DONT_DELETE argument, now it is called with DELETE_ENTIRE_KEYMGMT_DIR so it will clean up temp files in /var/run/key_mgmt properly.
1013181 : TMM may produce core when dynamic CRL check is enabled on the client SSL profile
Component: Local Traffic Manager
Symptoms:
Possible tmm crash during ssl handshake with client SSL virtual server when dynamic CRL check is used.
Conditions:
All these 3 conditions need to be met.
- Client Certificate is set to "request" on the client SSL profile or using APM "On-Demand Cert Auth" agent set to "request".
- Dynamic CRL check is configured on the client SSL profile.
- Client does not submit its client certificate to the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
- Configure Client Certificate "require" on the client SSL profile or, if using APM "On-Demand Cert Auth" agent, configure it to "require".
or
- Disable Dynamic CRL check. You can use static CRL file on the client SSL profile instead.
1012521 : BIG-IP UI file permissions
Component: Advanced Firewall Manager
Symptoms:
Some GUI files have incorrect permission settings.
Conditions:
Files installed by the security-ui rpm.
Impact:
File permissions are incorrect.
Fix:
Installation script updated to set permissions to remove write privileges for the Group and User level
1012145 : TMM may crash when processing Datasafe profiles with ASM
Component: Fraud Protection Services
Symptoms:
Under certain conditions TMM may crash while processing Datasafe profiles with ASM.
Conditions:
- ASM provisioned
- Datasafe profile active
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes Datasafe profiles as expected.
1011285 : The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects.
Component: Global Traffic Manager (DNS)
Symptoms:
If you attempt a POST or PATCH iControl REST request against a wide IP, and you include an empty 'lastResortPool' property in the JSON body, the system rejects the request as invalid and returns the following validation error:
{
"code": 400,
"message": "\"last-resort-pool\" requires a value",
"errorStack": [],
"apiError": 26214401
}
Conditions:
A POST or PATCH command against a wide IP object includes an empty lastResortPool property.
Impact:
Inability to create or modify the wide IP object.
Workaround:
You can use either of the following, depending on what you want to do:
-- To create a new wide IP object, remove the empty 'lastResortPool' property from the JSON body.
-- To remove the last-resort-pool from an already existing wide IP, define the property as follows instead:
"lastResortPool":"none"
1011045 : GUI does not reflect 'Fully Automatic' state , which is substate of Automatic learning mode.
Component: Application Security Manager
Symptoms:
When disabling 'Fully Automatic' mode in policy configuration (either through the GUI or REST) the GUI still indicates that the policy is in Automatic learning mode.
Conditions:
1. Configure a policy using the Fundamental template.
2. Change Learning Mode to 'automatic only' by REST, or uncheck the 'Fully Automatic' box in the GUI (Policy Configuration page).
Impact:
The GUI still shows the Learning Mode state, but not the 'Fully Automatic' state.
As a result, the administrator cannot be sure of the actual state of learning mode via the GUI.
Workaround:
The actual state is reflected properly when viewed via the REST command.
GET https://big-ip-mgmt/mgmt/tm/asm/policies/policy_id/policy-builder
1010393 : Unable to relax AS-path attribute in multi-path selection
Component: TMOS
Symptoms:
In BIG-IP versions where ID933461 (https://cdn.f5.com/product/bugtracker/ID933461.html) is fixed, you are unable to relax AS-path attribute in multi-path selections.
Conditions:
BGP multi-path routes with different AS_PATH attributes.
Impact:
Some routes might not be considered as multipath. ECMP routes are not installed properly.
Workaround:
Consider using 'bgp bestpath as-path ignore' or alter the AS_PATH attribute upstream.
1010245 : Duplicate ipsec-sa SPI values shown by tmsh command
Component: TMOS
Symptoms:
A tmsh command which shows ipsec-sa instances can display the 32-bit SPI more than once for the same security association (SA) but in different tmm instances.
Conditions:
Especially in the context of failover where Standby becomes Active, sometimes the same SA appears more than once when shown by a tmsh command, but in different tmms.
Impact:
The duplicate SPI displayed is a cosmetic effect only.
Workaround:
None
Fix:
Fixed an issue with duplicate SA reporting when using the tmsh show net ipsec ipsec-sa command.
1008077 : TMM may crash while processing TCP traffic with a FastL4 VS
Component: Local Traffic Manager
Symptoms:
Under certain conditions, FastL4 virtual servers may consume excessive resources while processing TCP traffic
Conditions:
- FastL4 virtual server
- TCP traffic
Impact:
Excessive resource consumption, potentially leading to a TMM crash and failover event.
Workaround:
N/A
Fix:
In versions where the vulnerability is fixed loose-close option enabled on a fastl4 profile is _strictly_ required for nPath deployments.
1007629 : APM policy configured with many ACL policies can create APM memory pressure
Component: Access Policy Manager
Symptoms:
High APM memory usage even in idle state when no traffic is flowing.
Conditions:
APM policies configured with resource assignment agents with ACL policies configured. The idle state memory usage will be proportional to the number of resource assignment agents and ACL policies configured
Impact:
If idle state memory of APM is high then less memory is available for use during traffic flow and thereby can lead to OOM crashes and failover.
Workaround:
None
Fix:
APM policy configured with many ACL policies no longer creates APM memory pressure
1007109 : Flowmap entry is deleted before updating its timeout to INDEFINITE
Component: Service Provider
Symptoms:
A sessiondb entry cannot be looked up.
Conditions:
A connection takes more than 5 seconds to establish. For example, in SCTP, the connection establishment might take more than 5 seconds with a maximum timeout of 60 seconds
Impact:
The session db lookup failure leads to the establishment of a new connection, even though there is an existing connection to the pool member.
Workaround:
Increase the temporary timeout of the session db entry to 60 seconds.
Fix:
Fixed the temporary timeout of the session db entry
1007049 : TMM may crash while processing DNS traffic
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain condition, TMM may crash while processing DNS traffic.
Conditions:
- DNS profile enabled
- DNS profile configured to use DNS cache
Impact:
TMM crash, leading to a failover event.
Workaround:
N/A
Fix:
TMM does not crash when performing DNS resolution using DNS cache.
1005489 : iRules with persist command might result in tmm crash.
Component: Local Traffic Manager
Symptoms:
BIG-IP systems may experience a tmm crash if iRules containing 'persist' command are being used.
Conditions:
-- BIG-IP systems with multiple TMMs
-- Virtual server with HTTP/HTTP/2 profile attached.
-- Virtual server has iRules containing the 'persist add' command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
1004417 : Provisioning error message during boot up★
Component: TMOS
Symptoms:
Error message in /var/log/ltm:
Could not retrieve DB variable for (provision.datastor)
Conditions:
Upgrade BIG-IP software from version 12.x to version 13.x or higher.
Impact:
The error message is logged after the first boot after the upgrade. There is no impact on functionality and the error message can be ignored.
Workaround:
None
1003557 : Not following best practices in Guided Configuration Bundle Install worker
Solution Article: K74151369
1003105 : iControl Hardening
Solution Article: K74151369
1002561 : TMM vulnerability CVE-2021-23007
Solution Article: K37451543
1002557 : Tcl free object list growth
Component: Access Policy Manager
Symptoms:
Apmd memory usage grows over time when a single agent with a Tcl object is shared across multiple threads.
Conditions:
This is encountered in APM environments when passing traffic.
Impact:
Tcl free object list grows and apmd memory usage increases over time.
Workaround:
None
1001041 : Reset cause 'Illegal argument'
Component: Access Policy Manager
Symptoms:
Client connections get aborted usually after the full transfer of the HTTP Post request.
If logging of reset reason is enabled using:
tmsh modify sys db tm.rstcause.log value enable
LTM logs report the reset reason as 'Illegal Argument'.
Conditions:
Any transaction that takes a long time to complete can result in this issue. This issue can be triggered if there is a large POST request or if the backend server is slow in responding to the requests.
Impact:
Clients cannot post large files to backend servers with APM PingAccess support.
Workaround:
None
Fix:
The timeout is now properly handled for large post requests, so that no reset occurs.
1000973 : Unanticipated restart of TMM due to heartbeat failure
Component: TMOS
Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process. A core file might be generated without any message logged in /var/log/*.
High resolution timers (hrtimer) may be lost.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed an unanticipated restart of TMM due to heartbeat failure triggered by the kernel.
Known Issues in BIG-IP v16.1.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
913713-3 | 1-Blocking | Rebooting a blade causes MCPd to core as it rejoins the cluster | |
997793-3 | 2-Critical | Error log: Failed to reset strict operations; disconnecting from mcpd★ | |
997313-2 | 2-Critical | Unable to create APM policies in a sync-only folder★ | |
990853-1 | 2-Critical | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. | |
989517-3 | 2-Critical | Acceleration section of virtual server page not available in DHD | |
979045-1 | 2-Critical | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms | |
974241-3 | 2-Critical | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | |
967905-5 | 2-Critical | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | |
967573-3 | 2-Critical | Qkview generation from Configuration Utility fails | |
950201-3 | 2-Critical | Tmm core on GCP | |
940225-4 | 2-Critical | Not able to add more than 6 NICs on VE running in Azure | |
937481-5 | 2-Critical | Tomcat restarts with error java.lang.OutOfMemoryError | |
935177-3 | 2-Critical | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | |
929133-6 | 2-Critical | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' | |
865653-1 | 2-Critical | Wrong FDB table entries with same MAC and wrong VLAN combination | |
858877-5 | 2-Critical | SSL Orchestrator config sync issues between HA-pair devices | |
842669-6 | 2-Critical | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log | |
780437-8 | 2-Critical | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. | |
777389-7 | 2-Critical | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts | |
749332-1 | 2-Critical | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | |
737692-5 | 2-Critical | Handle x520 PF DOWN/UP sequence automatically by VE | |
382363-8 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
1029949-2 | 2-Critical | IPsec traffic selector state may show incorrect state on high availability (HA) standby device | |
1024269-1 | 2-Critical | Forcing a file system check on the next system reboot does not check all filesystems. | |
1023829-2 | 2-Critical | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | |
1012493-5 | 2-Critical | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check | |
1004929-1 | 2-Critical | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | |
1004517-1 | 2-Critical | BIG-IP tenants on VELOS cannot install EHFs | |
1000325-1 | 2-Critical | UCS loads successfully status even when base configuration load fails★ | |
999125-1 | 3-Major | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | |
998957-1 | 3-Major | Mcpd consumes excessive CPU while collecting stats. | |
998649-1 | 3-Major | Log hostname should be consistent when it contains ' . ' | |
998221-1 | 3-Major | Accessing pool members from configuration utility is slow with large config | |
997561-5 | 3-Major | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | |
997541-5 | 3-Major | Round-robin Disaggregator for hardware and software | |
996145-1 | 3-Major | After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator | |
996001-5 | 3-Major | AVR Inspection Dashboard 'Last Month' does not show all data points | |
995605-2 | 3-Major | PVA accelerated traffic does not update route domain stats | |
995097-1 | 3-Major | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | |
994365-1 | 3-Major | Inconsistency in tmsh 'object mode' for some configurations | |
994361-2 | 3-Major | Updatecheck script hangs/Multiple updatecheck processes | |
994305-3 | 3-Major | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | |
992813-7 | 3-Major | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | |
992449-1 | 3-Major | The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI | |
992253-4 | 3-Major | Cannot specify IPv6 management IP addresses using GUI | |
992053-4 | 3-Major | Pva_stats for server side connections do not update for redirected flows | |
987301-3 | 3-Major | EHF install on guest via block-device may fail with error 'reason unknown' | |
987081-1 | 3-Major | Alarm LED remains active on Secondary blades even after LCD alerts are cleared | |
984585-3 | 3-Major | IP Reputation option not shown in GUI. | |
981485-6 | 3-Major | Neurond enters a restart loop after FPGA update. | |
977953-3 | 3-Major | Show running config interface CLI could not fetch the interface info and crashes the imi | |
966949-6 | 3-Major | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | |
959057-5 | 3-Major | Unable to create additional login tokens for the default admin user account | |
958601-4 | 3-Major | In the GUI, searching for virtual server addresses does not match address lists | |
957993-4 | 3-Major | Unable to set a port list in the GUI for an IPv6 address for a virtual server | |
953477-1 | 3-Major | Syncookie HW mode not cleared when modifying VLAN config. | |
948601-1 | 3-Major | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU | |
946185-3 | 3-Major | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | |
939249-1 | 3-Major | iSeries LCD changes to secure mode after multiple reboots | |
938145-3 | 3-Major | DAG redirects packets to non-existent tmm | |
935485-4 | 3-Major | BWC: flows might stall when using dynamic BWC policy | |
928353-4 | 3-Major | Error logged installing Engineering Hotfix: Argument isn't numeric★ | |
928161-3 | 3-Major | Local password policy not enforced when auth source is set to a remote type. | |
927025-1 | 3-Major | Sod restarts continuously | |
924297-4 | 3-Major | Ltm policy MCP objects are not being synced over to the peer device | |
922613-6 | 3-Major | Tunnels using autolasthop might drop traffic with ICMP route unreachable | |
922185-3 | 3-Major | LDAP referrals not supported for 'cert-ldap system-auth'★ | |
922153-5 | 3-Major | Tcpdump is failing on tmm 0.x interfaces | |
922053-1 | 3-Major | inaccurate number of trunk members reported by bcm56xxd/bcmLINK | |
915493-6 | 3-Major | imish command hangs when ospfd is enabled | |
914493 | 3-Major | Protocol Profile (Client) for virtual server is reset to 'tcp' after 'Update' | |
913013-1 | 3-Major | Racoon daemon may crash once at startup | |
912253-2 | 3-Major | Non-admin users cannot run show running-config or list sys | |
908753-5 | 3-Major | Password memory not effective even when password policy is configured | |
907549-6 | 3-Major | Memory leak in BWC::Measure | |
904713-2 | 3-Major | FailoverState device status and CM device status do not match shortly after triggering failover | |
904401-5 | 3-Major | Guestagentd core | |
901669-6 | 3-Major | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | |
887117-4 | 3-Major | Invalid SessionDB messages are sent to Standby | |
884729-1 | 3-Major | The vCMP CPU usage stats are incorrect | |
880689-1 | 3-Major | Update oprofile tools for compatibility with current architecture | |
872165-4 | 3-Major | LDAP remote authentication for REST API calls may fail during authorization | |
867549-1 | 3-Major | LCD touch panel reports "Firmware update in progress" indefinitely★ | |
867253-4 | 3-Major | Systemd not deleting user journals | |
844925-5 | 3-Major | Command 'tmsh save /sys config' fails to save the configuration and hangs | |
842013-1 | 3-Major | ASM Configuration is Lost on License Reactivation★ | |
814273-6 | 3-Major | Multicast route entries are not populating to tmm after failover | |
809089-4 | 3-Major | TMM crash after sessiondb ref_cnt overflow | |
807945-6 | 3-Major | Loading UCS file for the first time not updating MCP DB | |
803157-4 | 3-Major | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots | |
798885-6 | 3-Major | SNMP response times may be long when processing requests | |
796985-4 | 3-Major | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★ | |
780745-5 | 3-Major | TMSH allows creation of duplicate community strings for SNMP v1/v2 access | |
775797-5 | 3-Major | Previously deleted user account might get authenticated | |
760354-7 | 3-Major | Continual mcpd process restarts after removing big logs when /var/log is full | |
759737 | 3-Major | Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests | |
757787-5 | 3-Major | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. | |
755976-9 | 3-Major | ZebOS might miss kernel routes after mcpd deamon restart | |
749757-4 | 3-Major | -s option in qkview help does not indicate maximum size | |
737739-4 | 3-Major | Bash shell still accessible for admin even if disabled | |
724653-5 | 3-Major | In a device group, a non-empty partition can be deleted by a peer device during a config sync | |
720610-4 | 3-Major | Updatecheck logs bogus 'Update Server unavailable' on every run | |
718291-4 | 3-Major | iHealth upload error does not clear | |
716140 | 3-Major | Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors | |
703226-3 | 3-Major | Failure when using transactions to create and publish policies | |
690928-6 | 3-Major | System posts error message: 01010054:3: tmrouted connection closed | |
674026-6 | 3-Major | iSeries AOM web UI update fails to complete.★ | |
662301-8 | 3-Major | 'Unlicensed objects' error message appears despite there being no unlicensed config | |
658850-6 | 3-Major | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP | |
571333 | 3-Major | K36155089 | FastL4 TCP handshake timeout not honored for offloaded flows |
431503-10 | 3-Major | K14838 | TMSH crashes in rare initial tunnel configurations |
1028969-1 | 3-Major | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working | |
1027481-3 | 3-Major | 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms | |
1027477-3 | 3-Major | Virtual server created with address-list in custom partition non-RD0 does not create listener | |
1027237-1 | 3-Major | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria | |
1026989-1 | 3-Major | More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. | |
1026973-1 | 3-Major | Static routes created for application traffic processing can erroneously replace the route to the management subnet. | |
1026861-3 | 3-Major | Live Update of Browser Challenges and Anti-Fraud are not cleaned up | |
1026549-1 | 3-Major | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | |
1026273-4 | 3-Major | HA failover connectivity using the cluster management address does not work on VIPRION platforms★ | |
1025513-1 | 3-Major | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog | |
1024661-3 | 3-Major | SCTP forwarding flows based on VTAG for bigproto | |
1024421-2 | 3-Major | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log | |
1022997-1 | 3-Major | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) | |
1022877-3 | 3-Major | Ping missing from list of Types for OAuth Client | |
1022757-2 | 3-Major | Tmm core due to corrupt list of ike-sa instances for a connection | |
1022637-1 | 3-Major | A partition other than /Common may fail to save the configuration to disk | |
1021873-1 | 3-Major | TMM crash in IPIP tunnel creation with a pool route | |
1021109-4 | 3-Major | The cmp-hash VLAN setting does not apply to trunked interfaces. | |
1020377-1 | 3-Major | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon | |
1020277-1 | 3-Major | Mcpd may run out of memory when build image is missing★ | |
1020129-2 | 3-Major | Turboflex page in GUI reports 'profile.Features is undefined' error★ | |
1020089-1 | 3-Major | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks | |
1019749-2 | 3-Major | Enabling DHCP for management should not be allowed on vCMP guest | |
1019709-1 | 3-Major | Modifying mgmt-dhcp options should not be allowed on VCMP guest | |
1019429-1 | 3-Major | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | |
1019357-2 | 3-Major | Active fails to resend ipsec ikev2_message_id_sync if no response received | |
1019285-1 | 3-Major | Systemd hangs and is unresponsive | |
1019129-4 | 3-Major | Changing syslog remote port requires syslog-ng restart to take effect | |
1018673-1 | 3-Major | Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop | |
1018309-5 | 3-Major | Loading config file with imish removes the last character | |
1018165-1 | 3-Major | GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain | |
1017897-1 | 3-Major | Self IP address creation fails with 'ioctl failed: No such device' | |
1017857-1 | 3-Major | Restore of UCS leads to incorrect UID on authorized_keys★ | |
1016433-2 | 3-Major | URI rewriting is incorrect for "data:" and "javascript:" | |
1015453-1 | 3-Major | Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI | |
1015093-1 | 3-Major | The "iq" column is missing from the ndal_tx_stats table | |
1014285-5 | 3-Major | Set auto-failback-enabled moved to false after upgrade★ | |
1012601-4 | 3-Major | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input | |
1012449-1 | 3-Major | Unable to edit custom inband monitor in the GUI | |
1012049-1 | 3-Major | Incorrect virtual server list returned in response to status request | |
1011265-3 | 3-Major | Failover script cannot read /config/partitions/ after upgrade★ | |
1010341-4 | 3-Major | Slower REST calls after update for CVE-2021-22986 | |
1009949-4 | 3-Major | High CPU usage when upgrading from previous version★ | |
1009793-2 | 3-Major | Tmm crash when using ipsec | |
1008837-1 | 3-Major | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | |
1008269-1 | 3-Major | Error: out of stack space | |
1007909-1 | 3-Major | Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs | |
1006345-4 | 3-Major | Static mac entry on trunk is not programmed on CPU-only blades | |
1004469-1 | 3-Major | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string | |
1003629 | 3-Major | PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS. | |
1003257-6 | 3-Major | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | |
1002417-2 | 3-Major | Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk | |
1001129-1 | 3-Major | Maximum Login Failures lockout for root and admin | |
1001069-5 | 3-Major | VE CPU higher after upgrade, given same throughput | |
992241-3 | 4-Minor | Unable to change initial admin password from GUI after root password change | |
986821-1 | 4-Minor | Command 'run util bash' event is not captured in log when initially executed | |
985953-6 | 4-Minor | GRE Transparent Ethernet Bridging inner MAC overwrite | |
976517-2 | 4-Minor | Tmsh run sys failover standby with a device specified but no traffic group fails | |
933597-5 | 4-Minor | Mandatory arguments missing in tmsh security protocol-inspection profile help | |
928665-4 | 4-Minor | Kernel nf_conntrack table might get full with large configurations. | |
927441-5 | 4-Minor | Guest user not able to see virtual server details when ASM policy attached | |
921365-2 | 4-Minor | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | |
915473-4 | 4-Minor | Accessing Dashboard page with AVR provisioned causes continuous audit logs | |
860573-6 | 4-Minor | LTM iRule validation performance improvement by tracking procedure/event that have been validated | |
807309-5 | 4-Minor | Incorrect Active/Standby status in CLI Prompt after failover test | |
753712-4 | 4-Minor | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. | |
742753-8 | 4-Minor | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | |
713183-7 | 4-Minor | Malformed JSON files may be present on vCMP host | |
712241-8 | 4-Minor | A vCMP guest may not provide guest health stats to the vCMP host | |
696363-7 | 4-Minor | Unable to create SNMP trap in the GUI | |
689147-6 | 4-Minor | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups | |
673573-8 | 4-Minor | tmsh logs boost assertion when running child process and reaches idle-timeout | |
659579-6 | 4-Minor | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time | |
658943-5 | 4-Minor | Errors when platform-migrate loading UCS using trunks on vCMP guest | |
646768-6 | 4-Minor | K71255118 | VCMP Guest CM device name not set to hostname when deployed |
550526-3 | 4-Minor | K84370515 | Some time zones prevent configuring trust with a peer device using the GUI. |
528894-5 | 4-Minor | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | |
1031425-3 | 4-Minor | Provide a configuration flag to disable BGP peer-id check. | |
1030645-4 | 4-Minor | BGP session resets during traffic-group failover | |
1025965-1 | 4-Minor | Audit role users cannot see folder properties under sys-folder | |
1024621-4 | 4-Minor | Re-establishing BFD session might take longer than expected. | |
1024301-1 | 4-Minor | Missing required logs for "tmsh modify disk directory" command | |
1023817-2 | 4-Minor | Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning | |
1022417-1 | 4-Minor | Ike stops with error ikev2_send_request: [WINDOW] full window | |
1022297-4 | 4-Minor | In BIG-IP GUI using "Select All" with filters is not working appropriately for policies | |
1020109-1 | 4-Minor | Subnet mask property of virtual addresses not displayed in management GUI | |
1014361-2 | 4-Minor | Config sync fails after provisioning APM | |
1011217-5 | 4-Minor | TurboFlex Profile setting reverts to turboflex-base after upgrade★ | |
1010785-3 | 4-Minor | Online help is missing for CRL in client SSL profile and server SSL profile | |
1010761-3 | 4-Minor | Missing TMSH help description for client-ssl profile 'CRL' | |
1006449-1 | 4-Minor | The default size of the subagent object cache possibly leading to slow snmp response time★ | |
1003469-1 | 4-Minor | The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. | |
1002809-4 | 4-Minor | OSPF vertex-threshold should be at least 100 | |
989937-2 | 5-Cosmetic | Device Trust Certificates Expiring after 2038-01-19 show date of 1969 | |
1022421-4 | 5-Cosmetic | Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
968929-2 | 2-Critical | TMM may crash when resetting a connection on an APM virtual server | |
949137-1 | 2-Critical | Clusterd crash and vCMP guest failover | |
938545-1 | 2-Critical | Oversize plugin Tcl object results can result in 0-length messages and plugin crash | |
937649-4 | 2-Critical | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | |
935193-4 | 2-Critical | With APM and AFM provisioned, single logout ( SLO ) fails | |
927633-4 | 2-Critical | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic | |
910213-7 | 2-Critical | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | |
851385-8 | 2-Critical | Failover takes too long when traffic blade failure occurs | |
797573-1 | 2-Critical | TMM assert crash with resulting in core generation in multi-blade chassis | |
780857-4 | 2-Critical | HA failover network disruption when cluster management IP is not in the list of unicast addresses | |
758491-5 | 2-Critical | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys | |
743950-6 | 2-Critical | TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled | |
1024241-1 | 2-Critical | NULL TLS records from client to BIG-IP results in SSL session termination | |
1020645-5 | 2-Critical | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | |
1004317-4 | 2-Critical | Csyncd removes files and directories under /config/zebos, /var/named/config/namedb, etc. | |
999881-6 | 3-Major | Tcl command 'string first' not working if payload contains Unicode characters. | |
999097-1 | 3-Major | SSL::profile may select profile with outdated configuration | |
998253-4 | 3-Major | SNI configuration is not sent via HTTPS when in-tmm monitors are disabled | |
996649-6 | 3-Major | Improper handling of DHCP flows leading to orphaned server-side connections | |
994081-1 | 3-Major | Traffic may be dropped with an Immediate idle timeout setting. | |
993517-1 | 3-Major | Loading an upgraded config can result in a file object error in some cases | |
991265-3 | 3-Major | Persistence entries point to the wrong servers for longer periods of time | |
987077-3 | 3-Major | TLS1.3 with client authentication handshake failure | |
985925-3 | 3-Major | Ipv6 Routing Header processing not compatible as per Segments Left value. | |
985749-1 | 3-Major | TCP exponential backoff algorithm does not comply with RFC 6298 | |
985401-1 | 3-Major | ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached | |
984897-1 | 3-Major | Some connections performing SSL mirroring are not handled correctly by the Standby unit. | |
980617-1 | 3-Major | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | |
978953-3 | 3-Major | The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up | |
976525-5 | 3-Major | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | |
975725-5 | 3-Major | Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast | |
967353-1 | 3-Major | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. | |
961001-5 | 3-Major | Arp requests not resolved for snatpool members when primary blade goes offline | |
958785-8 | 3-Major | FTP data transfer does not complete after QUIT signal | |
956133-2 | 3-Major | MAC address might be displayed as 'none' after upgrading★ | |
955617-8 | 3-Major | Cannot modify properties of a monitor that is already in use by a pool | |
948065-1 | 3-Major | DNS Responses egress with an incorrect source IP address. | |
944173-4 | 3-Major | SSL monitor stuck does not change TLS version | |
942217-6 | 3-Major | Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available' | |
937573-1 | 3-Major | Connections drop in virtual server with Immediate Action On Service Down set to Drop | |
934697-5 | 3-Major | Route domain not reachable (strict mode) | |
927589-1 | 3-Major | ILX::call command response get truncated | |
922641-6 | 3-Major | Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow | |
922413-8 | 3-Major | Excessive memory consumption with ntlmconnpool configured | |
921541-6 | 3-Major | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | |
915773-7 | 3-Major | Restart of TMM after stale interface reference | |
912517-7 | 3-Major | MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | |
907177-5 | 3-Major | Priority of embedded APM iRules is ignored | |
906653-1 | 3-Major | Server side UDP immediate idle-timeout drops datagrams | |
905477-6 | 3-Major | The sdmd daemon cores during config sync when multiple devices configured for iRules LX | |
901569-4 | 3-Major | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. | |
891145-7 | 3-Major | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal | |
888885-3 | 3-Major | BIG-IP Virtual Edition TMM restarts frequently without core | |
887045-7 | 3-Major | The session key does not get mirrored to standby. | |
883049-9 | 3-Major | Statsd can deadlock with rrdshim if an rrd file is invalid | |
867985-6 | 3-Major | LTM policy with a 'shutdown' action incorrectly allows iRule execution | |
862001-6 | 3-Major | Improperly configured NTP server can result in an undisciplined clock stanza | |
846977-7 | 3-Major | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ | |
805561-1 | 3-Major | Change of pool configuration in OneConnect environment can impact active traffic | |
794385-6 | 3-Major | BGP sessions may be reset after CMP state change | |
778501-5 | 3-Major | LB_FAILED does not fire on failure of HTTP/2 server connection establishment | |
751451-4 | 3-Major | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles | |
672963-1 | 3-Major | MSSQL monitor fails against databases using non-native charset | |
574762-4 | 3-Major | Forwarding flows leak when a routing update changes the egress vlan | |
1025089-1 | 3-Major | Pool members marked down by database monitor due to stale cached connection | |
1024841-2 | 3-Major | SSL connection mirroring with ocsp connection failure on standby | |
1024225-3 | 3-Major | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | |
1023365-2 | 3-Major | SSL server response could be dropped on immediate shutdown | |
1022453-4 | 3-Major | IPv6 fragments are dropped when packet filtering is enabled. | |
1021837-3 | 3-Major | When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected" | |
1020957-1 | 3-Major | HTTP response may be truncated by the BIG-IP system | |
1020549-1 | 3-Major | Server-side connections stall with zero window with OneConnect profile | |
1020069-1 | 3-Major | Equinix SmartKey HSM is not working with nethsm-partition 'fortanix' | |
1019641-3 | 3-Major | SCTP INIT_ACK not forwarded | |
1019261-1 | 3-Major | in-tmm https monitor without a ssl-profile generates random session-ids | |
1018765-1 | 3-Major | Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system | |
1018577-4 | 3-Major | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | |
1017885-5 | 3-Major | Wildcard server-name does not match multiple labels in FQDN | |
1017801-1 | 3-Major | Internal listeners (cgc, ftp data, etc) all share the same listener_key stats | |
1017721-5 | 3-Major | WebSocket does not close cleanly when SSL enabled. | |
1017513-5 | 3-Major | Config sync fails with error Invalid monitor rule instance identifier | |
1017421-4 | 3-Major | SASP Monitor does not log significant error conditions at default logging level | |
1017029-5 | 3-Major | SASP monitor does not identify specific cause of failed SASP Registration attempt | |
1016921-3 | 3-Major | SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled | |
1016589-1 | 3-Major | Incorrect expression in STREAM::expression might cause a tmm crash | |
1016449-3 | 3-Major | Gratuitous ARP sent to the old self IP address when a self IP is deleted/created. | |
1016113-1 | 3-Major | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | |
1015817-1 | 3-Major | Flows rejected due to no return route do not increment rejection stats | |
1014633-4 | 3-Major | Transparent / gateway monitors may fail if there is no route to a node | |
1013597-2 | 3-Major | `HTTP2::disable serverside` can reset flows | |
1013209-5 | 3-Major | BIG-IP components relying on ca-bundle.crt may stop working after upgrade★ | |
1012813-1 | 3-Major | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | |
1012009-3 | 3-Major | MQTT Message Routing virtual may result in TMM crash | |
1010209-1 | 3-Major | BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings | |
1009921-3 | 3-Major | 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check | |
1008501-1 | 3-Major | TMM core | |
1008017-2 | 3-Major | Validation failure on Enforce TLS Requirements and TLS Renegotiation | |
1008009-3 | 3-Major | SSL mirroring null hs during session sync state | |
1007749-2 | 3-Major | URI TCL parse functions fail when there are interior segments with periods and semi-colons | |
1006857-1 | 3-Major | Adding a source address list to a virtual server in a partition with a non-default route domain fails | |
1006157-3 | 3-Major | FQDN nodes not repopulated immediately after 'load sys config' | |
1004897-5 | 3-Major | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | |
1004609-6 | 3-Major | SSL forward proxy virtual server may set empty SSL session_id in server hello. | |
1000561-5 | 3-Major | Chunk size incorrectly passed to client-side | |
1000069-3 | 3-Major | Virtual server does not create the listener | |
999709-6 | 4-Minor | iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2. | |
999669-1 | 4-Minor | Some HTTPS monitors are failing after upgrade when config has different SSL option★ | |
990173-1 | 4-Minor | Dynconfd repeatedly sends the same mcp message to mcpd | |
987885-6 | 4-Minor | Half-open unclean SSL termination might not close the connection properly | |
987401-1 | 4-Minor | Increased TMM memory usage on standby unit after pool flap | |
947745-3 | 4-Minor | Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error | |
940837-4 | 4-Minor | The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2. | |
929429-8 | 4-Minor | Oracle database monitor uses excessive CPU when Platform FIPS is licensed | |
921993-1 | 4-Minor | LTM policy with a 'contains' operator does not work as expected when using an external data group. | |
912945-3 | 4-Minor | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | |
904537-1 | 4-Minor | The csyncd process may keep trying to sync the GeoIP database to a secondary blade | |
904493 | 4-Minor | TRUNK name in F5 ethernet trailer limited to 15 characters in tcpdump capture | |
869553-5 | 4-Minor | HTTP2::disable fails for server side allowing HTTP/2 traffic | |
838305-9 | 4-Minor | BIG-IP may create multiple connections for packets that should belong to a single flow. | |
829021-1 | 4-Minor | BIG-IP does not account a presence of http2 profile when response payload is modified | |
717806-8 | 4-Minor | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | |
683534-2 | 4-Minor | 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading | |
1030533-1 | 4-Minor | The BIG-IP system may reject valid HTTP responses from OCSP servers. | |
1027805-4 | 4-Minor | DHCP flows crossing route-domain boundaries might fail. | |
1026605-6 | 4-Minor | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | |
1024761-1 | 4-Minor | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | |
1018493-1 | 4-Minor | Response code 304 from TMM Cache always closes TCP connection. | |
1016049-6 | 4-Minor | EDNS query with CSUBNET dropped by protocol inspection | |
1015793-1 | 4-Minor | Length value returned by TCP::payload is signed and can appear negative | |
1015117-5 | 4-Minor | Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used | |
1013937-1 | 4-Minor | In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work. | |
1011889-6 | 4-Minor | The BIG-IP system does not handle DHCPv6 fragmented traffic properly | |
1005109-4 | 4-Minor | TMM crashes when changing traffic-group on IPv6 link-local address | |
1004953-5 | 4-Minor | HTTP does not fall back to HTTP/1.1★ | |
1002945-4 | 4-Minor | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | |
979213-1 | 5-Cosmetic | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | |
897437-7 | 5-Cosmetic | First retransmission might happen after syn-rto-base instead of minimum-rto. | |
860277-6 | 5-Cosmetic | Default value of TCP Profile Proxy Buffer High Low changed in 14.1 | |
755061-1 | 5-Cosmetic | iRule audit logs may be written to separate files |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
908001-2 | 2-Critical | Possible 13%-16% TPS drop in performance on VIPRION and iSeries vCMP with v16.1.0 'host' |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
940733-5 | 2-Critical | K29290121 | Downgrading a FIPS-enabled BIG-IP system results in a system halt★ |
931149-3 | 2-Critical | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings | |
705869-1 | 2-Critical | TMM crashes as a result of repeated loads of the GEOIP database | |
1027657-4 | 2-Critical | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | |
1011433-1 | 2-Critical | Heap allocation failure would cause tmm core in resolver_deprecated_wire2result | |
1010617-1 | 2-Critical | String operation against DNS resource records cause tmm memory corruption | |
1009037-1 | 2-Critical | Tcl resume on invalid connection flow can cause tmm crash | |
994221-1 | 3-Major | ZoneRunner returns error 'Resolver returned no such record' | |
993489-1 | 3-Major | GTM daemon leaks memory when reading GTM link objects | |
990929-1 | 3-Major | Status of GTM monitor instance is constantly flapping | |
987709-6 | 3-Major | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition | |
977625-1 | 3-Major | GTM persistence records linger in tmm | |
967737-3 | 3-Major | DNS Express: SOA stops showing up in statistics from second zone transfer | |
935249-3 | 3-Major | GTM virtual servers have the wrong status | |
911241-8 | 3-Major | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug | |
1030881-1 | 3-Major | [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★ | |
1030237-1 | 3-Major | Zxfrd core and continual restart when out of configured space | |
1026621-1 | 3-Major | DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist | |
1024905-1 | 3-Major | GTM monitor times out if monitoring a virtual server with translation address | |
1024553-1 | 3-Major | GTM Pool member set to monitor type "none" results in big3d: timed out | |
1021417-1 | 3-Major | Modifying GTM pool members with replace-all-with results in pool members with order 0 | |
1021061-4 | 3-Major | Config fails to load for large config on platform with Platform FIPS license enabled | |
1020337-2 | 3-Major | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | |
1018613-1 | 3-Major | Modify wideip pools with replace-all-with results pools with same order 0 | |
1012061-1 | 3-Major | Link Controller auto-discovery does not remove deleted virtual servers | |
1010697-1 | 3-Major | Disallow listener name with duplicate IP/port/rd combination for RESOLV::lookup | |
1001101-1 | 3-Major | Cannot update/display GTM/DNS listener route advertisement correctly | |
996261-1 | 4-Minor | Zrd in restart loop with empty named.conf | |
995369-1 | 4-Minor | DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm | |
464708-3 | 4-Minor | DNS logging does not support Splunk format log | |
1026813-7 | 4-Minor | LCD IP address is missing from /etc/hosts on iSeries | |
1014761-2 | 4-Minor | [GTM][GUI] Not able to enable/disable pool member from pool member property page | |
1008233-1 | 4-Minor | The gtm_add command fails but reports no error |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
993613-7 | 2-Critical | Device fails to request full sync | |
965229-5 | 2-Critical | ASM Load hangs after upgrade★ | |
912149-7 | 2-Critical | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | |
887621-4 | 2-Critical | ASM virtual server names configuration CRC collision is possible | |
1015881-4 | 2-Critical | TMM might crash after configuration failure | |
986937-3 | 3-Major | Cannot create child policy when the signature staging setting is not equal in template and parent policy | |
985205-2 | 3-Major | Event Log and Traffic Learning screens fail to load request details★ | |
984593-1 | 3-Major | BD crash | |
981069-3 | 3-Major | Reset cause: "Internal error ( requested abort (payload release error))" | |
974513-7 | 3-Major | Dropped requests are reported as blocked in Reporting/charts | |
966613-6 | 3-Major | Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’ | |
965785-4 | 3-Major | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | |
962589-4 | 3-Major | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | |
961509-5 | 3-Major | ASM blocks WebSocket frames with signature matched but Transparent policy | |
959965-1 | 3-Major | Asmlogd stops deleting old protobufs | |
959957-1 | 3-Major | Asmlogd stops deleting old protobufs | |
951133-4 | 3-Major | Live Update does not work properly after upgrade★ | |
943441-4 | 3-Major | Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK | |
932133-1 | 3-Major | Payloads with large number of elements in XML take a lot of time to process | |
926845-7 | 3-Major | Inactive ASM policies are deleted upon upgrade | |
923221-8 | 3-Major | BD does not use all the CPU cores | |
920149-3 | 3-Major | Live Update default factory file for Server Technologies cannot be reinstalled | |
907025-5 | 3-Major | Live update error" 'Try to reload page' | |
898825 | 3-Major | Attack signatures are enforced on excluded headers under some conditions | |
890169-4 | 3-Major | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | |
888289-8 | 3-Major | Add option to skip percent characters during normalization | |
887265-4 | 3-Major | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★ | |
871881-5 | 3-Major | Apply Policy action is not synchronized after making bulk signature changes | |
1031461-2 | 3-Major | Session awareness entries aren't expired from one of active-active units | |
1029989-6 | 3-Major | CORS : default port of origin header is set 80, even when the protocol in the header is https | |
1023889-3 | 3-Major | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | |
1022269-1 | 3-Major | False positive RFC compliant violation | |
1020149-4 | 3-Major | Bot Defense does not support iOS's WKWebView framework | |
1017557-1 | 3-Major | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | |
1017261-7 | 3-Major | Configuraton update triggers from MCP to ASM are ignored | |
1014973-5 | 3-Major | ASM changed cookie value | |
1012221-1 | 3-Major | childInheritanceStatus is not compatible with parentInheritanceStatus★ | |
1011093-5 | 3-Major | Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char. | |
1010585-3 | 3-Major | XML profile is created incorrectly from WSDL | |
1005105-3 | 3-Major | Requests are missing on traffic event logging | |
994013-1 | 4-Minor | Modifying bot defense allow list via replace-all-with fails with match-order error | |
991765-3 | 4-Minor | Inheritance of staging_period_in_days from policy template | |
984521-4 | 4-Minor | Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name | |
950953-3 | 4-Minor | Browser Challenges update file cannot be installed after upgrade★ | |
941625-3 | 4-Minor | BD sometimes encounters errors related to TS cookie building | |
937541-4 | 4-Minor | Wrong display of signature references in violation details | |
882729-5 | 4-Minor | Applied Blocking Masks discrepancy between local/remote event log | |
807569-3 | 4-Minor | Requests fail to load when backend server overrides request cookies and Bot Defense is used | |
1026277-6 | 4-Minor | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled | |
1021637-4 | 4-Minor | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | |
1017149-1 | 4-Minor | User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs | |
1005309-4 | 4-Minor | Additional Tcl variables showing information from the AntiBot Mobile SDK | |
1005181-4 | 4-Minor | Bot Defense Logs indicate the mobile debugger is used even when it is not | |
1004537-2 | 4-Minor | Traffic Learning: Accept actions for multiple suggestions not localized |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
933777-5 | 3-Major | Context use and syntax changes clarification | |
932485-5 | 3-Major | Incorrect sum(hits_count) value in aggregate tables | |
932189-1 | 3-Major | Incorrect BD Swap Size units on ASM Resources chart | |
932137-7 | 3-Major | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | |
924945-5 | 3-Major | Fail to detach HTTP profile from virtual server | |
922105-1 | 3-Major | Avrd core when connection to BIG-IQ data collection device is not available | |
913085-6 | 3-Major | Avrd core when avrd process is stopped or restarted | |
909161-1 | 3-Major | A core file is generated upon avrd process restart or stop | |
830073-7 | 3-Major | AVRD may core when restarting due to data collection device connection timeout | |
808801-6 | 3-Major | AVRD crash when configured to send data externally | |
950305-5 | 4-Minor | Analytics data not displayed for Pool Names | |
948113-1 | 4-Minor | User-defined report scheduling fails | |
915005-3 | 4-Minor | AVR core files have unclear names | |
910777-1 | 4-Minor | Sending ASM report via AWS SES failed duo to wrong content type | |
1020705-2 | 4-Minor | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | |
930217-1 | 5-Cosmetic | Zone colors in ASM swap usage graph are incorrect |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
1024029-2 | 2-Critical | TMM may crash when processing traffic with per-session APM Access Policy | |
1007869-1 | 2-Critical | Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration★ | |
1006893-4 | 2-Critical | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | |
993457-1 | 3-Major | TMM core with ACCESS::policy evaluate iRule | |
969317-4 | 3-Major | "Restrict to Single Client IP" option is ignored for vmware VDI | |
956645-4 | 3-Major | Per-request policy execution may timeout. | |
947613-2 | 3-Major | APM reset after upgrade and modify of LDAP Group Lookup★ | |
934825-2 | 3-Major | Restarting MCPD via command line may not restart the aced process | |
1022493-4 | 3-Major | Slow file descriptor leak in urldbmgrd (sockets open over time) | |
1017233-2 | 3-Major | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | |
1010597-1 | 3-Major | Traffic disruption when virtual server is assigned to a non-default route domain | |
1007677-2 | 3-Major | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | |
939877-3 | 4-Minor | OAuth refresh token not found | |
1022973-2 | 4-Minor | Sessiondb entries related to Oauth module not cleaned up in certain conditions | |
1004845-1 | 4-Minor | Accessing attribute using attributeNode value does not work with Portal Access |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
993913-4 | 2-Critical | TMM SIGSEGV core in Message Routing Framework | |
1012721-4 | 2-Critical | Tmm may crash with SIP-ALG deployment in a particular race condition | |
1012533-3 | 2-Critical | `HTTP2::disable serverside` can cause cores | |
1007821-3 | 2-Critical | SIP message routing may cause tmm crash | |
1007113-3 | 2-Critical | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | |
996113-2 | 3-Major | SIP messages with unbalanced escaped quotes in headers are dropped | |
921441-4 | 3-Major | MR_INGRESS iRules that change diameter messages corrupt diam_msg | |
917637-5 | 3-Major | Tmm crash with ICAP filter | |
911141-1 | 3-Major | GTP v1 APN is not decoded/encoded properly | |
805821-1 | 3-Major | GTP log message contains no useful information | |
1025529-2 | 3-Major | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | |
1008169-1 | 3-Major | BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP | |
919301-1 | 4-Minor | GTP::ie count does not work with -message option | |
913413-1 | 4-Minor | 'GTP::header extension count' iRule command returns 0 | |
1018285-2 | 4-Minor | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | |
1003633-1 | 4-Minor | There might be wrong memory handling when message routing feature is used |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
993269-3 | 3-Major | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | |
992213-3 | 3-Major | Protocol Any displayed as HOPTOPT in AFM policy view | |
990461-5 | 3-Major | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | |
987637-3 | 3-Major | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | |
987605-3 | 3-Major | DDoS: ICMP attacks are not hardware-mitigated | |
977449-1 | 3-Major | Total address and Total endpoints is shown as '0' in nat stats | |
977153-3 | 3-Major | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | |
976621-1 | 3-Major | SIP ALG not processing IPv6 in NAT64 UDP | |
968953-1 | 3-Major | Unnecessary authorization header added in the response for an IP intelligence feed list request | |
935769-5 | 3-Major | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time | |
926549-3 | 3-Major | AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect' | |
1022613-1 | 3-Major | Cannot modify Security "global-network" Logging Profile | |
1020061-3 | 3-Major | Nested address lists can increase configuration load time | |
1019557-1 | 3-Major | Bdosd does not create /var/bdosd/*.json | |
1019453-1 | 3-Major | Core generated for autodosd daemon when synchronization process is terminated | |
1012581-1 | 3-Major | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | |
1012413-1 | 3-Major | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled | |
1003397-3 | 3-Major | DoS TCP SYN-ACK vector with 'suspicious' set to true impacts MD5 AUTH (BGP) functionality | |
1000405-1 | 3-Major | VLAN/Tunnels not listed when creating a new rule via GUI | |
981145-1 | 4-Minor | DoS events do not include the attack name for "tcp syn ack flood" | |
967245-1 | 4-Minor | Incorrect SPVA counter incremented during Sweep attack on profile | |
935865 | 4-Minor | Rules that share the same name return invalid JSON via REST API | |
926425-4 | 4-Minor | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | |
885373-4 | 4-Minor | Another app is currently holding the xtables lock. Perhaps you want to use the -w option? | |
760355-4 | 4-Minor | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | |
1022213-4 | 4-Minor | DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up | |
1003377-3 | 4-Minor | Disabling DoS TCP SYN-ACK does not clear suspicious event count option |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
829657-5 | 2-Critical | Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses | |
956013-4 | 3-Major | System reports{{validation_errors}} | |
924589-3 | 3-Major | PEM ephemeral listeners with source-address-translation may not count subscriber data | |
829653-1 | 3-Major | Memory leak due to session context not freed | |
1020041-3 | 3-Major | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | |
1015501-3 | 3-Major | Changes to DHCP Profile are not used by tmm |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
1019613-5 | 2-Critical | Unknown subscriber in PBA deployment may cause CPU spike | |
994985-3 | 3-Major | CGNAT GUI shows blank page when applying SIP profile | |
1023461-2 | 3-Major | Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
905621 | 2-Critical | Incorrect interaction between DataSafe credential protection and modern customization Logon Page | |
1016481-1 | 3-Major | Special JSON characters in Dom Signatures breaks configuration |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
1010717-1 | 3-Major | Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
984657 | 3-Major | Sysdb variable not working from tmsh | |
1013629-4 | 3-Major | URLCAT: Vulnerability Scan found many Group/User Read/Write (666/664/662) files | |
974205-5 | 4-Minor | Unconstrained wr_urldbd size causing box to OOM | |
941773-1 | 4-Minor | Video resolution mis-prediction | |
941765-1 | 4-Minor | Video resolution mis-predictions | |
941761 | 4-Minor | Multiple resolutions are predicted for a single video playback. |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
929213-2 | 3-Major | iAppLX packages not rolled forward after BIG-IP upgrade★ | |
717174-5 | 3-Major | WebUI shows error: Error getting auth token from login provider★ | |
999085-1 | 4-Minor | REST endpoint registration errors in restjavad logs |
Protocol Inspection Issues
ID Number | Severity | Solution Article(s) | Description |
989529-1 | 3-Major | AFM IPS engine takes action on unspecified services | |
760740 | 3-Major | Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running | |
1011133 | 3-Major | Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account |
Guided Configuration Issues
ID Number | Severity | Solution Article(s) | Description |
991829-1 | 3-Major | Continuous connection refused errors in restjavad |
In-tmm monitors Issues
ID Number | Severity | Solution Article(s) | Description |
944121-4 | 3-Major | Missing SNI information when using non-default domain https monitor running in tmm mode | |
932857-5 | 3-Major | Delays marking Nodes or Pool Members DOWN with in-TMM monitoring | |
1002345-4 | 3-Major | Transparent DNS monitor does not work after upgrade★ | |
788257-5 | 4-Minor | Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart |
Known Issue details for BIG-IP v16.1.x
999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
999709-6 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
Component: Local Traffic Manager
Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.
Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
-- HTTP/2 Message Routing is disabled.
Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
999669-1 : Some HTTPS monitors are failing after upgrade when config has different SSL option★
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
999097-1 : SSL::profile may select profile with outdated configuration
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the VIP, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
999085-1 : REST endpoint registration errors in restjavad logs
Component: Device Management
Symptoms:
Errors are logged to /var/log/restjavad.0.log at the SEVERE log level:
[SEVERE]... [IcrWorker] Unable to register iControl endpoint "/xxxx/xxxx". Error: uriPath '/tm/xxxx/xxxx' already registered
Conditions:
The system reports these errors during startup of the restjavad service because of multiple registrations of the same endpoint.
Impact:
There is no functional impact and these errors can be ignored.
Workaround:
None
998957-1 : Mcpd consumes excessive CPU while collecting stats.
Component: TMOS
Symptoms:
Mcpd CPU utilization is 100%.
Conditions:
This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected.
Impact:
CPU utilization by mcpd is excessive.
Workaround:
None
998649-1 : Log hostname should be consistent when it contains ' . '
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period
-- Viewing log files emitted from journald and from syslog-ng
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None.
998253-4 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
Component: Local Traffic Manager
Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.
Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic
Impact:
The HTTPS client-server handshake occurs without a TLS SNI.
Workaround:
None
998221-1 : Accessing pool members from configuration utility is slow with large config
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the ltm logs in the SSH / console, it repeatedly prompts an error:
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
Previous EPSEC packages that are still residing on the system from old BIG-IP versions is installing upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart'
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
Workaround:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog
2. Restart all services by issuing the command:
bigstart restart
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
997541-5 : Round-robin Disaggregator for hardware and software
Component: TMOS
Symptoms:
GRE tunnel traffic is pinned to one CPU.
Conditions:
GRE traffic is passed through BIG-IP system.
Impact:
Traffic is pinned to one CPU and overall performance is degraded.
Workaround:
None
997313-2 : Unable to create APM policies in a sync-only folder★
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
996649-6 : Improper handling of DHCP flows leading to orphaned server-side connections
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
996261-1 : Zrd in restart loop with empty named.conf
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd
Conditions:
This occurs when /var/named/config/named.conf is empty.
Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.
Workaround:
Restore content to the named.conf file.
996145-1 : After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator
Component: TMOS
Symptoms:
After restoring via UCS file, the SSL Orchestrator page reads:
Not Found
The requested URL was not found on this server
Conditions:
-- Devices are in a high availability (HA) pair
-- SSL Orchestrator deployed
-- A UCS file is loaded
Impact:
SSL Orchestrator is not available.
/var/config/rest/iapps/f5-iappslx-ssl-orchestrator is not restored correctly during UCS load.
Workaround:
Restore the UCS file again
996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
995605-2 : PVA accelerated traffic does not update route domain stats
Component: TMOS
Symptoms:
PVA accelerated traffic does not update route domain stats
Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.
Impact:
The route domain stats may be inaccurate
Workaround:
Use the virtual server stats or ifc_stats instead.
995369-1 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
Component: Global Traffic Manager (DNS)
Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.
Conditions:
DNSSEC keys are generated with manual key management method.
Impact:
You are unable to create DNSSEC keys with other algorithms.
Workaround:
Choose automatic key management method.
995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
994985-3 : CGNAT GUI shows blank page when applying SIP profile
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
994365-1 : Inconsistency in tmsh 'object mode' for some configurations
Component: TMOS
Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available.
Conditions:
Modify node config results in error, even though the config is present.
# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4
# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
Data Input Error: node "example" not found
The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"
Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.
Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.
994361-2 : Updatecheck script hangs/Multiple updatecheck processes
Component: TMOS
Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.
Updatecheck is not functional
Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.
Impact:
Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage.
The most likely explanation is that rpmdb has gotten corrupted.
Workaround:
To rebuild rpmdb:
1. Halt all running updatecheck and 'rpm -qf' processes.
2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb
994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
994221-1 : ZoneRunner returns error 'Resolver returned no such record'
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.
Conditions:
When trying to retrieve TXT records with single backslash.
Impact:
Not able to manage TXT record.
Workaround:
Use double backslashes to retrieve TXT records.
994081-1 : Traffic may be dropped with an Immediate idle timeout setting.
Component: Local Traffic Manager
Symptoms:
When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-L4 virtual servers.
Conditions:
-- Idle timeout set to Immediate.
-- iRules are configured or non-L4 virtual servers are used.
Impact:
Traffic is dropped.
Workaround:
You can use either workaround:
-- Configure an L4 virtual server.
-- Consider removing iRules.
994013-1 : Modifying bot defense allow list via replace-all-with fails with match-order error
Component: Application Security Manager
Symptoms:
An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration):
01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.
Conditions:
-- Either modification via replace-all-with:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }
-- Or delete all, add, save and load-verify:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
tmsh save sys config
load sys config verify
Impact:
You are unable to add-replace the bot defense allow list configuration
Workaround:
You can use either of the following workarounds:
-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).
-- Change match-order of custom modify command (to continue with match-order 3 and up).
993913-4 : TMM SIGSEGV core in Message Routing Framework
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
993613-7 : Device fails to request full sync
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
993517-1 : Loading an upgraded config can result in a file object error in some cases
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
993489-1 : GTM daemon leaks memory when reading GTM link objects
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
993457-1 : TMM core with ACCESS::policy evaluate iRule
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
992449-1 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI
Component: TMOS
Symptoms:
The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest.
Conditions:
-- vCMP Host on VIPRION platforms with multiple blades.
-- vCMP guest spanning two or more blades.
Impact:
Incorrect number of cores listed.
-- The vCMP :: Guest List page shows all cores for all slots.
-- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot.
Workaround:
View the Guest List page to see a graphical representation of the number of cores per guest.
992253-4 : Cannot specify IPv6 management IP addresses using GUI
Component: TMOS
Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty.
Conditions:
Attempt to set up IPv6 management address using the GUI
Impact:
You are unable to configure IPv6 management addresses using the GUI.
Workaround:
Use tmsh:
tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>
992241-3 : Unable to change initial admin password from GUI after root password change
Component: TMOS
Symptoms:
While trying to change the admin password from GUI, an error occurs:
-- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time.
-- Navigate to the GUI and attempt to update the admin password.
Impact:
GUI password change fails.
Workaround:
You can use either of the following workarounds:
-- Change the password admin via the GUI before changing the root admin via ssh.
-- After changing the root password, use tmsh to set the admin password using the command:
modify auth user admin password.
992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
992053-4 : Pva_stats for server side connections do not update for redirected flows
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
991829-1 : Continuous connection refused errors in restjavad
Component: Guided Configuration
Symptoms:
Continuous connection refused errors observed in restjavad.
[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexptected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
Conditions:
The errors are observed regardless of asm provisioning
Impact:
This causes noisy log file of restjavad.
Workaround:
None
991765-3 : Inheritance of staging_period_in_days from policy template
Component: Application Security Manager
Symptoms:
Enforcement readiness period of newly created Policy does not get its value from Policy Template.
Conditions:
Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7).
Impact:
Newly created policy has an incorrect configuration.
Workaround:
Create the Policy using tmsh or REST API.
991265-3 : Persistence entries point to the wrong servers for longer periods of time
Component: Local Traffic Manager
Symptoms:
Persistence entries point to the wrong servers for a longer than expected.
Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.
Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.
This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.
Workaround:
None.
990929-1 : Status of GTM monitor instance is constantly flapping
Component: Global Traffic Manager (DNS)
Symptoms:
Status of GTM monitor instance is constantly flapping.
Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.
Impact:
Resources are marked offline constantly.
Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.
990853-1 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
Component: TMOS
Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:
-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.
Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.
Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.
Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.
990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
990173-1 : Dynconfd repeatedly sends the same mcp message to mcpd
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.
Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
989937-2 : Device Trust Certificates Expiring after 2038-01-19 show date of 1969
Component: TMOS
Symptoms:
If you import a Certificate into the Device Trust Certificates that expires after 2038-01-19, the system GUI shows an expiration date of 1969.
Conditions:
Certificate expiring on/after 2038-01-19T03:14:08Z.
Impact:
The expiration date in the GUI shows 1969. This does not impact iquery or device function.
Workaround:
You can use the command line interface to view the certificate:
$ cd /config/big3d
$ openssl crl2pkcs7 -nocrl -certfile client.crt | openssl pkcs7 -print_certs -noout -text | grep "Issuer:\|Subject:\|Not Before:\|Not After :"
989529-1 : AFM IPS engine takes action on unspecified services
Component: Protocol Inspection
Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.
Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).
Impact:
Increased resource usage and excessive logging.
Workaround:
None.
989517-3 : Acceleration section of virtual server page not available in DHD
Component: TMOS
Symptoms:
The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed.
Conditions:
The acceleration section is not visible in case "Dos" is provisioned
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH
987885-6 : Half-open unclean SSL termination might not close the connection properly
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
987709-6 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load with errors similar to this:
01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed
Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.
Impact:
Gtm config fails to load.
Workaround:
Create the wide IP first and then add the static target CNAME pool member.
987637-3 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
987605-3 : DDoS: ICMP attacks are not hardware-mitigated
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
987401-1 : Increased TMM memory usage on standby unit after pool flap
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.
Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
None.
987301-3 : EHF install on guest via block-device may fail with error 'reason unknown'
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
Conditions:
This might occur after multiple times to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
None
987081-1 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared
Component: TMOS
Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.
When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).
However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.
Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.
Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.
Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.
For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"
Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.
987077-3 : TLS1.3 with client authentication handshake failure
Component: Local Traffic Manager
Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OSCP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
A handshake failure occurs.
Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.
986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
986821-1 : Command 'run util bash' event is not captured in log when initially executed
Component: TMOS
Symptoms:
The initiation of 'run util bash' is not captured in the audit log (/var/log/audit)
Conditions:
Run 'run util bash' command in tmsh mode.
Impact:
The timestamp for a 'run util bash' command will occur when the subshell exits, not when the subshell is first executed. It is difficult to determine when the bash subshell started.
Workaround:
None
985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None.
985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
985749-1 : TCP exponential backoff algorithm does not comply with RFC 6298
Component: Local Traffic Manager
Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.
Conditions:
Using TCP.
Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.
Workaround:
None
985401-1 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
Component: Local Traffic Manager
Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error:
A validation error similar to:
01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).
Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.
Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.
Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.
985205-2 : Event Log and Traffic Learning screens fail to load request details★
Component: Application Security Manager
Symptoms:
Event Log and Traffic Learning screens get stuck with loading animation. and request details are not displayed.
Conditions:
This problem might be introduced during upgrading, so you see the symptom with the post-upgrade version (boot location).
Impact:
Event Log and Traffic Learning screens do not function as expected.
Workaround:
You can manually trigger populating missing items in the database to recover from the problem.
1. When this problem occurs, you see all or some of rows have no value in the following output:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+-----------+
| rest_uuid |
+-----------+
| |
| |
| |
...snip...
2. Trigger populating those missing values:
# perl -MF5::ASMConfig::Entity::Base -MF5::DbUtils -MF5::Utils::Rest -e 'F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh())'
3. Verify those values are indeed populated"
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "select rest_uuid from PLC.VIOLATIONS"
+------------------------+
| rest_uuid |
+------------------------+
| -GXGw7y7XeOe4EYDgpXA9g |
| -wRSIageblaImzwhL3Pobw |
| 0GtnXx4yBFSqaB7STLh1tA |
...snip...
4. You might need to restart this daemon to make the changes take effect.
# pkill -f asm_config_server
5. Wait 30 seconds.
NOTE: None of these steps have any impact on traffic. The last step halts ASM control plane functionality for 30 seconds or so. During that time you lose access to the ASM part of GUI, cannot change the ASM configuration, and cannot perform config-sync operations.
984897-1 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.
Component: Local Traffic Manager
Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.
Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.
Conditions:
A virtual server configured to perform SSL connection mirroring.
Impact:
Should the units fail over, some connections may not survive as expected.
Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.
Workaround:
None.
984657 : Sysdb variable not working from tmsh
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
984593-1 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
984585-3 : IP Reputation option not shown in GUI.
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
984521-4 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
Component: Application Security Manager
Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).
In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).
Conditions:
-- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.).
Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.
Workaround:
Add this specific URL to sys db:
dosl7.parse_html_excluded_urls
981485-6 : Neurond enters a restart loop after FPGA update.
Component: TMOS
Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.
When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond
Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.
Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.
Workaround:
Perform a full system restart.
981145-1 : DoS events do not include the attack name for "tcp syn ack flood"
Component: Advanced Firewall Manager
Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.
Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.
Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.
Workaround:
None.
981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
979045-1 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed on certain platforms
Component: TMOS
Symptoms:
After installing an Engineering Hotfix version of BIG-IP v14.1.0 or later, certain BIG-IP hardware systems. The Trusted Platform Module (TPM), status is showing as INVALID.
Conditions:
This may occur:
-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
- ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
- ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
- ID963017 (https://cdn.f5.com/product/bugtracker/ID963017.html)
-- The issue is observed only on the following platforms:
- i11600 / i11800
- i11400-DS / i11600-DS / i11800-DS
Impact:
The TPM status INVALID indicates that the system integrity is compromised when it is actually valid.
Workaround:
None.
978953-3 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
Component: Local Traffic Manager
Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
tmsh list net vlan tmm_bp all-properties -hidden.
Additionally, running the following command:
modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.
Conditions:
This issue occurs on the first boot intermittently.
Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.
Workaround:
Rebooting the device resolves the issue
977953-3 : Show running config interface CLI could not fetch the interface info and crashes the imi
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
977625-1 : GTM persistence records linger in tmm
Component: Global Traffic Manager (DNS)
Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command.
Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards
Impact:
GTM answers from stale persist records.
Workaround:
Do not enable persistence right after disabling.
977449-1 : Total address and Total endpoints is shown as '0' in nat stats
Component: Advanced Firewall Manager
Symptoms:
Total address and Total endpoints is shown as '0' (zero) in the output of 'show ltm nat-stats roll-up-level fw-nat-source-translation-object name <name> all',
Conditions:
The prefix length for IPv6 source translation is configured as less than or equal to 64.
Impact:
There is no functional impact, as only the 'show' output is affected for the two stats.
Workaround:
None
977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
976621-1 : SIP ALG not processing IPv6 in NAT64 UDP
Component: Advanced Firewall Manager
Symptoms:
NAT64 UDP does not work with application layer gateway (ALG) profiles configured for SIP traffic.
Conditions:
-- ALG profiles configured for SIP traffic.
-- NAT and IPv6 UDP traffic.
Impact:
NAT translation does not happen for IPv6 UDP traffic with SIP ALG.
Workaround:
Enable NAT64 explicitly for UDP SIP traffic to be translated.
976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
976517-2 : Tmsh run sys failover standby with a device specified but no traffic group fails
Component: TMOS
Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.
For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
975725-5 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
Component: Local Traffic Manager
Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.
Conditions:
Wildcard virtual server is configured to handle such traffic.
Impact:
Traffic will not be forwarded properly.
Workaround:
Use specific non-wildcard virtual-server.
974513-7 : Dropped requests are reported as blocked in Reporting/charts
Component: Application Security Manager
Symptoms:
Dropped requests are reported as blocked in Reporting/charts.
Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.
Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.
Workaround:
None.
974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
974205-5 : Unconstrained wr_urldbd size causing box to OOM
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
968953-1 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact.
Workaround:
None.
968929-2 : TMM may crash when resetting a connection on an APM virtual server
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- HTTP profile without fallback host.
- iRules.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.
967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
967737-3 : DNS Express: SOA stops showing up in statistics from second zone transfer
Component: Global Traffic Manager (DNS)
Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.
Conditions:
The issue appears after the 2nd zone transfer.
Impact:
This is a cosmetic issue without any actual impact.
Workaround:
None
967573-3 : Qkview generation from Configuration Utility fails
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
967353-1 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
967245-1 : Incorrect SPVA counter incremented during Sweep attack on profile
Component: Advanced Firewall Manager
Symptoms:
Incorrect SPVA counters updated.
Conditions:
Configure DoS Sweep vector on an SPVA supported device.
Impact:
Usage of dos_spva_stat will result in displaying incorrect counters.
966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966613-6 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
Component: Application Security Manager
Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".
Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.
When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.
Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"
Workaround:
Delete the node "<soap:address/>" from the wsdl file
965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
965229-5 : ASM Load hangs after upgrade★
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
961001-5 : Arp requests not resolved for snatpool members when primary blade goes offline
Component: Local Traffic Manager
Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.
Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.
Impact:
Traffic failure when primary became offline.
Workaround:
Disable primary blade which is offline.
959965-1 : Asmlogd stops deleting old protobufs
Component: Application Security Manager
Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.
Conditions:
This occurs during normal operation.
Impact:
/var/asmdata1 can run out of disk space.
Workaround:
None
959957-1 : Asmlogd stops deleting old protobufs
Component: Application Security Manager
Symptoms:
Asmlogd restarts and there are asmlogd errors:
asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.
Conditions:
Disk is full -- the following warnings are being displayed:
err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free
Impact:
Old protobuf files are not cleaned up.
Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
1) To identify the empty partitions, look into:
SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G
2) For every partition that is empty, manually (or via shell script) execute this sql:
ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'
4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5) pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
959057-5 : Unable to create additional login tokens for the default admin user account
Component: TMOS
Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.
Conditions:
Remote Authentication is configured
Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured
958785-8 : FTP data transfer does not complete after QUIT signal
Component: Local Traffic Manager
Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.
Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.
Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.
Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.
958601-4 : In the GUI, searching for virtual server addresses does not match address lists
Component: TMOS
Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.
Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.
Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.
Impact:
Virtual servers that should match a search are not found.
Workaround:
None.
957993-4 : Unable to set a port list in the GUI for an IPv6 address for a virtual server
Component: TMOS
Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).
Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.
Impact:
Unable to create/modify virtual server.
Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.
956645-4 : Per-request policy execution may timeout.
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
956133-2 : MAC address might be displayed as 'none' after upgrading★
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0
Impact:
Traffic disrupted when the MAC address is set to 'none'
Workaround:
None.
956013-4 : System reports{{validation_errors}}
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
955617-8 : Cannot modify properties of a monitor that is already in use by a pool
Component: Local Traffic Manager
Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
953477-1 : Syncookie HW mode not cleared when modifying VLAN config.
Component: TMOS
Symptoms:
Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode.
Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
Run the following command:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
951133-4 : Live Update does not work properly after upgrade★
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
950953-3 : Browser Challenges update file cannot be installed after upgrade★
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:
Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2
Conditions:
The new file that comes with the installation is ready to install
Impact:
New updated cannot be installed
Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
2.1 download a copy of that file from the machine to your locale machine
2.2 rename it :
> cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
2.3 upload the file and install it manually from the LiveUpdate screen.
950305-5 : Analytics data not displayed for Pool Names
Component: Application Visibility and Reporting
Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.
Conditions:
This is encountered in the statistics screen.
Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.
950201-3 : Tmm core on GCP
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Each of these workarounds have performance impact.
949137-1 : Clusterd crash and vCMP guest failover
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
948601-1 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
Component: TMOS
Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.
Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI
Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"
Workaround:
None
948113-1 : User-defined report scheduling fails
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
948065-1 : DNS Responses egress with an incorrect source IP address.
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
947745-3 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
Component: Local Traffic Manager
Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE
Conditions:
FTP profile is in use
Impact:
Logs entries in the log file
Workaround:
None
947613-2 : APM reset after upgrade and modify of LDAP Group Lookup★
Component: Access Policy Manager
Symptoms:
-- Per-Request Policy fails.
-- APM reset the connection.
Conditions:
Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup.
Impact:
APM resets the connection.
Workaround:
1. Create a new empty object with the same expression as the LDAP Group Lookup.
2. Restart the system:
bigstart restart tmm
946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
944173-4 : SSL monitor stuck does not change TLS version
Component: Local Traffic Manager
Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.
Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.
Impact:
Pool members marked down.
Workaround:
Use the In-TMM monitor.
944121-4 : Missing SNI information when using non-default domain https monitor running in tmm mode
Component: In-tmm monitors
Symptoms:
In-tmm https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
Conditions:
-- SNI is configured in serverssl profile a
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
Impact:
The TLS connection might fail.
Workaround:
None
943441-4 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
Component: Application Security Manager
Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.
Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.
Impact:
Mobile application verification may be incomplete.
Workaround:
None
942217-6 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
Component: Local Traffic Manager
Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
941773-1 : Video resolution mis-prediction
Component: Traffic Classification Engine
Symptoms:
Certain video traffic is not getting classified with high accuracy.
Conditions:
- Behavioral classifier for Classification Engine is enabled
Impact:
- Mis-predictions can lead to higher definition videos being categorized as low-definition videos and vice versa.
941765-1 : Video resolution mis-predictions
Component: Traffic Classification Engine
Symptoms:
BIG-IP's traffic playback resolution prediction is calculated on all individual connections of a client's video stream.
Conditions:
- Video streaming client downloads through BIG-IP
- Video is downloaded using multiple connections.
Impact:
- Mis-prediction in the video resolution.
941761 : Multiple resolutions are predicted for a single video playback.
Component: Traffic Classification Engine
Symptoms:
BIG-IP's traffic control prediction is calculated on all individual connections of a client's video stream.
Conditions:
- Video streaming client downloads, audio and video data is downloaded using multiple parallel connections.
Impact:
- Multiple resolutions will be detected on the BIG-IP for a single video playback.
941625-3 : BD sometimes encounters errors related to TS cookie building
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
940837-4 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
Component: Local Traffic Manager
Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.
Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
940733-5 : Downgrading a FIPS-enabled BIG-IP system results in a system halt★
Solution Article: K29290121
Component: Global Traffic Manager (DNS)
Symptoms:
After upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version results in a libcrypto validation error and system halt.
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an volume running an earlier version of the software.
Impact:
System boots to a halted state.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.
If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.
For additional information, see K29290121: Rollback after upgrade, FIPS halts the system on boot :: https://support.f5.com/csp/article/K29290121.
940225-4 : Not able to add more than 6 NICs on VE running in Azure
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
939877-3 : OAuth refresh token not found
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
939249-1 : iSeries LCD changes to secure mode after multiple reboots
Component: TMOS
Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.
Conditions:
-- Repeated reboots of the device.
-- The db lcd.showmenu value initially set to enable are required.
-- Other required conditions are not fully known.
Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.
Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable
This clears the secure mode of the LCD.
938545-1 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash
Component: Local Traffic Manager
Symptoms:
Bd crashes.
Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None.
938145-3 : DAG redirects packets to non-existent tmm
Component: TMOS
Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.
Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.
Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.
Workaround:
None
937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
937573-1 : Connections drop in virtual server with Immediate Action On Service Down set to Drop
Component: Local Traffic Manager
Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.
Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.
Impact:
Connections are silently dropped.
Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.
937541-4 : Wrong display of signature references in violation details
Component: Application Security Manager
Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.
Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature
Impact:
The number 1 is shown before the link
937481-5 : Tomcat restarts with error java.lang.OutOfMemoryError
Component: TMOS
Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.
Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).
Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.
Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.
Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.
-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.
For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996
-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'
The command output appears similar to the following example:
Xmx260m
Xmx260m
-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb
-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>
-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>
For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:
tmsh run /cm config-sync to-group Syncfailover
-- Restart the tomcat process by typing the following command:
restart /sys service tomcat
935865 : Rules that share the same name return invalid JSON via REST API
Component: Advanced Firewall Manager
Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)
Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.
Impact:
Invalid JSON structure returned for stat REST API call
Workaround:
Ensure that no rule shares its name with another rule.
935769-5 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
Component: Advanced Firewall Manager
Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.
Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.
Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.
Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.
2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.
935485-4 : BWC: flows might stall when using dynamic BWC policy
Component: TMOS
Symptoms:
When multiple flows are passing through the single instance of BWC policy, one or more flows might stall for a few seconds or more. The fairness among the flows is also affected.
Conditions:
-- BWC dynamic policy is enabled.
-- Multiple flows are passing through a single instance of the BWC dynamic policy.
Impact:
Some of the flows may stall.
Workaround:
None.
935249-3 : GTM virtual servers have the wrong status
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
935193-4 : With APM and AFM provisioned, single logout ( SLO ) fails
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
934825-2 : Restarting MCPD via command line may not restart the aced process
Component: Access Policy Manager
Symptoms:
Configurations with secure ID authentication may face issues after restarting MCPD using the command line (bigstart restart mcpd).
Conditions:
Executing the "bigstart restart mcpd" from command line does not always restart the aced process.
Impact:
Configurations with secure ID authentication may face issues after restarting MCPD and may not restart the aced process.
Workaround:
"bigstart restart mcpd" is not the recommended way to restart MCPD. Please restart the BIG-IP system to reflect any changes you have made.
934697-5 : Route domain not reachable (strict mode)
Component: Local Traffic Manager
Symptoms:
Network flows are reset and errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might happen in either of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
0 {
forward
select
node 10.2.35.20
}
}
To this (assuming route domain 1):
actions {
0 {
forward
select
node 10.2.35.20%1
}
}
933777-5 : Context use and syntax changes clarification
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
933597-5 : Mandatory arguments missing in tmsh security protocol-inspection profile help
Component: TMOS
Symptoms:
Missing mandatory arguments for tmsh security protocol-inspection profile command list.
Conditions:
Profile - Configures the protocol inspection profiles
Module - security protocol-inspection profile
Impact:
Tmsh does not specify the mandatory arguments, which makes it difficult to write any script or automate the tmsh command around this security profile.
Workaround:
Specify the following arguments for this profile:
-- Ports
932857-5 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
Component: In-tmm monitors
Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.
Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.
Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.
Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
932485-5 : Incorrect sum(hits_count) value in aggregate tables
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
932189-1 : Incorrect BD Swap Size units on ASM Resources chart
Component: Application Visibility and Reporting
Symptoms:
The 'BD Swap Size' reported on the 'Security :: Reporting : ASM Resources : Memory Utilization' page is much too high and incorrect.
Conditions:
ASM provisioned.
Impact:
Graphically reported BD swap memory usage is incorrect.
Workaround:
None.
932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
932133-1 : Payloads with large number of elements in XML take a lot of time to process
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
931149-3 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
The name being looked up falls into one of these categories:
-- Forward DNS lookups in these zones:
- localhost
- onion
- test
- invalid
-- Reverse DNS lookups for:
- 127.0.0.0/8
- ::1
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0.0/8
- 169.254.0.0/16
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 255.255.255.255/32
- 100.64.0.0/10
- fd00::/8
- fe80::/10
- 2001:db8::/32
- ::/64
Impact:
RESOLV::lookup fails.
Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:
1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:
tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }
2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:
proc resolv_ptr_v4 { addr_v4 } {
# Convert $addr_v4 into its constituent bytes
set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
if { $ret != 4 } {
return
}
# Perform a PTR lookup on the IP address $addr_v4, and return the first answer
set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
set ret [lindex [DNSMSG::section $ret answer] 0]
if { $ret eq "" } {
# log local0.warn "DNS PTR lookup for $addr_v4 failed."
return
}
# Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
return [lindex $ret end]
}
-- In an iRule, instead of:
RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
call resolv_ptr_v4 $ipv4_addr
930217-1 : Zone colors in ASM swap usage graph are incorrect
Component: Application Visibility and Reporting
Symptoms:
In GUI ASM memory utilization chart, 'BD swap size, Total swap size' graph show inconsistent background colors. It looks like these colors are assigned with an assumption that swap usage is shown as percentage but it is shown as absolute value.
Conditions:
-- ASM is provisioned.
-- Viewing ASM memory utilization chart/
Impact:
Potential confusion viewing colors in ASM memory utilization chart.
Workaround:
None. This is a cosmetic issue only.
929429-8 : Oracle database monitor uses excessive CPU when Platform FIPS is licensed
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle LTM monitor.
-- Add a pool member to the Oracle monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade★
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
929133-6 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Component: TMOS
Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.
Conditions:
Vlan name that starts with "eth"
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all vlans that start with "eth"
928665-4 : Kernel nf_conntrack table might get full with large configurations.
Component: TMOS
Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:
warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.
Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15,000 or more active entries.
Impact:
Monitors are unstable/not working at all.
Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:
options nf_conntrack hashsize=262144
2. Save the file.
3. Reboot the system.
928353-4 : Error logged installing Engineering Hotfix: Argument isn't numeric★
Component: TMOS
Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:
Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.
Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.
Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.
Workaround:
None.
928161-3 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
The local password policy is not enforced when the auth source type is set to the value of 'Remote'. Any non-default password policy changes are not enforced for local users.
Conditions:
1) Some parts of the local password policy has been changed from the default values, for example, changing the password required-uppercase to 2.
2) The auth source is set to a remote source, such as LDAP, AD, or TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the required-uppercase is set to 2, a local user's password can be set to something less than 2.
Even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None
927633-4 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
927589-1 : ILX::call command response get truncated
Component: Local Traffic Manager
Symptoms:
If a response to an ILX::call command is larger than 64 KB, data is truncated.
Conditions:
-- iRule script including an ILX::call command in use.
-- Return response is greater than 64 KB.
Impact:
iRule fails and the connection aborts.
Workaround:
None.
927441-5 : Guest user not able to see virtual server details when ASM policy attached
Component: TMOS
Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).
Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail
Impact:
Cannot view virtual server details.
Workaround:
None.
927025-1 : Sod restarts continuously
Component: TMOS
Symptoms:
After upgrading to v14.1.2.6, sod keeps restarting and dumping core.
Conditions:
This occurs when /dev/shm/chmand is missing and the system restarts chmand and sod upon reload.
Note: It is unknown how this condition might occur.
Impact:
Unstable sod process can affect failover functionality in BIG-IP systems.
Note: This happens only the first time after upgrade. To recover, you must power down the system for a full reboot.
Workaround:
Run the following command:
restorecon /dev/shm/chmand
926845-7 : Inactive ASM policies are deleted upon upgrade
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
926549-3 : AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect'
Component: Advanced Firewall Manager
Symptoms:
With some configurations, executing a command such as 'tmsh show security firewall global-rules active' loops continuously, causing stat counters to rise, and possibly log messages to be written to /var/log/ltm.
Conditions:
-- AFM is routing traffic to a Virtual Server through the 'Send to Virtual' option.
-- The target Virtual Server uses the 'LB_FAILED' iRule to select a new Virtual Server through virtual command and 'LB::reselect'.
Impact:
The iRule loops continuously, causing stat counters to rise, and possibly logging messages in /var/log/ltm.
Workaround:
This configuration should be avoided, but if it is used, and if this does happen, you can restart tmm:
bigstart restart tmm
This stops the current looping, until it is triggered again.
Impact of workaround: Traffic disrupted while tmm restarts.
926425-4 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Component: Advanced Firewall Manager
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.
924945-5 : Fail to detach HTTP profile from virtual server
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
924589-3 : PEM ephemeral listeners with source-address-translation may not count subscriber data
Component: Policy Enforcement Manager
Symptoms:
When a PEM profile is associated with a protocol that can create dynamic server-side listeners (such as FTP), and source-address-translation is also enabled on the virtual server, traffic on that flow (for example ftp-data) is not associated with the subscriber, and is therefore not counted or categorized.
Conditions:
-- Listener configured with PEM and FTP profiles
-- Some form of source address translation is enabled on the listener (for example, SNAT, Automap, SNAT Pool)
Impact:
Inaccurate subscriber traffic reporting and classification.
Workaround:
None.
924297-4 : Ltm policy MCP objects are not being synced over to the peer device
Component: TMOS
Symptoms:
An LTM policy does not sync to the peer device, but the devices report "In Sync".
Conditions:
-- Sync/failover device group with full load on sync disabled
-- A draft policy is attached to a parent policy's rule actions and published.
-- A config sync occurs (manually or automatically)
Impact:
The LTM policy does not sync to the peer device.
Workaround:
Perform a full config sync:
tmsh run cm config-sync force-full-load-push to-group <device group name>
923221-8 : BD does not use all the CPU cores
Component: Application Security Manager
Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
1. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF'
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
2. Restart the asm process:
bigstart restart asm.
922641-6 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
Component: Local Traffic Manager
Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.
Conditions:
An iRule contains a script that parks in a clientside or serverside command.
Examples of parking commands include 'table' and 'persist'.
Impact:
The iRule commands operate on the wrong peer flow.
Workaround:
Avoid using commands that park inside the clientside or serverside command.
922613-6 : Tunnels using autolasthop might drop traffic with ICMP route unreachable
Component: TMOS
Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.
Conditions:
No route exists to the other end of the tunnel.
Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.
Workaround:
Create a route towards the other remote end of the tunnel.
922413-8 : Excessive memory consumption with ntlmconnpool configured
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'★
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
922153-5 : Tcpdump is failing on tmm 0.x interfaces
Component: TMOS
Symptoms:
The tcpdump command exits immediately with an error:
errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted
Conditions:
Capturing the packets on tmm interfaces.
Impact:
Unable to capture the packets on specific tmm interfaces.
Workaround:
There are two possible workarounds:
-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:
TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):
TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16
922105-1 : Avrd core when connection to BIG-IQ data collection device is not available
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
922053-1 : inaccurate number of trunk members reported by bcm56xxd/bcmLINK
Component: TMOS
Symptoms:
The "bcmLINK" process (sometimes referred to as "bcm56xxd") may fail with a segmentation fault and be restarted, leaving behind a core-dump file for "bcmLINK".
An error message may be logged about the condition "max_mbrs > 0".
Conditions:
-- occurs in multi-blade VIPRION system with trunked interfaces
-- precise trigger is not known
Impact:
Momentary disruption of traffic handling by TMM.
Workaround:
None known.
921993-1 : LTM policy with a 'contains' operator does not work as expected when using an external data group.
Component: Local Traffic Manager
Symptoms:
If a combination of other operators and the 'contains' operator are used in LTM Policy, searches might fail if the hashing-based operators have not populated the target entries.
Conditions:
-- LTM policy with 'contains' operator.
-- Use of external datagroups.
Impact:
LTM policy might not work as expected with external data groups.
Workaround:
Use either of the following workarounds:
-- If applicable, change the 'contains' operator to 'starts_with' in the policy.
-- Change the policy into an iRule (executing '[class get <datagroup]' )
921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg
Component: Service Provider
Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.
There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found
Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:
ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
}
-- Traffic arrives containing CER and ULR messages.
Impact:
Using the iRule to change the host origin corrupts the diameter message.
Workaround:
None.
921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
919301-1 : GTP::ie count does not work with -message option
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
917637-5 : Tmm crash with ICAP filter
Component: Service Provider
Symptoms:
Tmm crashes while passing traffic.
Conditions:
-- Per-request policies configured.
-- ICAP is configured.
This is rare condition that occurs intermittently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
915773-7 : Restart of TMM after stale interface reference
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
915493-6 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
Running the imish command hangs when ospfd is enabled.
Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.
Impact:
The imish operation hangs.
Workaround:
Restart the ospfd daemon.
915473-4 : Accessing Dashboard page with AVR provisioned causes continuous audit logs
Component: TMOS
Symptoms:
Navigating to Statistics :: Dashboard in the GUI with AVR or APM provisioned causes continuous audit logging and restjavad logs.
Conditions:
-- AVR provisioned
-- An administrator navigates to Statistics :: Dashboard.
Impact:
The continuous extra logs might lead to confusion and may not be helpful.
Workaround:
None.
915005-3 : AVR core files have unclear names
Component: Application Visibility and Reporting
Symptoms:
If avrd fails a core file created in this case is named accordung to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz
Conditions:
Avrd fails with a core
Impact:
It is inconvenient for identifying the process that caused the core.
914493 : Protocol Profile (Client) for virtual server is reset to 'tcp' after 'Update'
Component: TMOS
Symptoms:
After changing the Protocol Profile (Client) for a virtual server from 'tcp' to any other value, e.g., 'tcp-lan-optimized' in the GUI, the value remains set to 'tcp'.
Conditions:
-- Access GUI from Google Chrome Versions 83.0.4103.61 to 83.0.4103.97.
-- Update Protocol Profile (Client) for Virtual Server through GUI.
Impact:
Cannot view the actual Protocol Profile (Client) value for a virtual server using the GUI.
Workaround:
You can use any of the following workarounds to view/modify the Protocol Profile (Client) for virtual servers:
-- Use the tmsh command.
-- Use Chrome version 83.0.4103.106 or later.
-- Use another browser, such as Microsoft Internet Explorer or Mozilla Firefox.
913713-3 : Rebooting a blade causes MCPd to core as it rejoins the cluster
Component: TMOS
Symptoms:
Tmm and mcpd cores for slot2
Conditions:
On the standby chassis, reboot the primary blade and wait for it to rejoin the cluster. Once it does, mcpd will core.
Impact:
Traffic disrupted while tmm and mcpd mcpd restarts.
Workaround:
N/A
913413-1 : 'GTP::header extension count' iRule command returns 0
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
913085-6 : Avrd core when avrd process is stopped or restarted
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
913013-1 : Racoon daemon may crash once at startup
Component: TMOS
Symptoms:
When the IKEv1 racoon daemon starts, it may immediately exit with a core file.
Conditions:
One of the following events may lead to the restart:
-- BIG-IP systems start or restart as a standalone device.
-- BIG-IP becomes the Active member of High Availability (HA) setup.
Impact:
Racoon restarts. Because this restart happens when racoon is trying to start, no IPsec IKEv1 tunnels are affected because they are down anyway.
Workaround:
None
912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
912517-7 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
912253-2 : Non-admin users cannot run show running-config or list sys
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/asm and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
911241-8 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
911141-1 : GTP v1 APN is not decoded/encoded properly
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
910777-1 : Sending ASM report via AWS SES failed duo to wrong content type
Component: Application Visibility and Reporting
Symptoms:
When you attempt to send an ASM report via AWS SES, the message bounces with the following message:
Could not send e-mails: SMTP Error: data not accepted.; Transaction failed: Expected MIME type, got ;; Error code: 554.
This occurs because the BIG-IP system is sending out the report message with an empty Content-Type in the multipart MIME, which the AWS mail host cannot process.
Conditions:
This is encountered in the following scenario:
1. Set up SMTP and ASM schedule report.
2. Click Send Now, and get the error message in GUI.
3. SSH into the BIG-IP system.
4. Add this line under the following snippet:
[admin@bigip:Active:Standalone] ~ # chmod 644 /var/ts/dms/script/avrexport/avrmail.php
[admin@bigip:Active:Standalone] ~ # vi /var/ts/dms/script/avrexport/avrmail.php
if (!$mail_subject) $mail_subject = "BIG-IP Analytics Report";
if (!$mail_body) $mail_body = "Attached to this e-mail is a BIG-IP Analytics Report issued at $mail_time\n\n";
if (!$mail_from) $mail_from = 'BIG-IP Reporter';
if (!$mail_content_type) $mail_content_type = 'text/html'; <<<< Add this line for add text/html into content type.
[admin@bigip:Active:Standalone] ~ # chmod 444 /var/ts/dms/script/avrexport/avrmail.php
5. Click Send Now again and it works.
Note: To use AWS SES, you must verify your email address first (as a Sender). You can search SES in AWS and verify your email in Email Addresses. AWS sends an email. Click the embedded link after receipt, and then you can use it as the Sender address on the BIG-IP system.
Impact:
Cannot receive ASM reports.
910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
909161-1 : A core file is generated upon avrd process restart or stop
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
908753-5 : Password memory not effective even when password policy is configured
Component: TMOS
Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.
Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password
Impact:
Password history to prevent user from using same password is not enforced.
Workaround:
None.
908001-2 : Possible 13%-16% TPS drop in performance on VIPRION and iSeries vCMP with v16.1.0 'host'
Component: Performance
Symptoms:
All Configurations might see a 13%-16% drop in TPS performance while running in vCMP on VIPRION and iSeries with the 'host' upgraded to v16.1.0.
Conditions:
-- All configurations
-- Running in vCMP on VIPRION and iSeries
-- 'Host' upgraded to v16.1.0
Impact:
Performance degradation in vCMP. If you are running vCMP on VIPRION and iSeries, you should evaluate your scenarios and capacity plan if you plan to upgrade the 'host' to 16.1.0.
Note: There is no performance degradation when v16.1.0 'guest' instances are run on an earlier 'host' version.
Guidance: In determining whether to proceed in upgrading the vCMP host to v16.1.0, customers running vCMP should carefully evaluate the performance and sizing requirements of their specific configuration.
Workaround:
None
907549-6 : Memory leak in BWC::Measure
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
907177-5 : Priority of embedded APM iRules is ignored
Component: Local Traffic Manager
Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.
Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value.
Impact:
Custom iRule event is executed before APM iRule event.
Workaround:
None.
907025-5 : Live update error" 'Try to reload page'
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
906653-1 : Server side UDP immediate idle-timeout drops datagrams
Component: Local Traffic Manager
Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.
Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.
Impact:
Datagrams are dropped periodically depending on traffic load.
Workaround:
None.
905621 : Incorrect interaction between DataSafe credential protection and modern customization Logon Page
Component: Fraud Protection Services
Symptoms:
-- DataSafe credential protection does not work correctly with the logon page if Access Profile customization type is set to 'modern'.
-- Submitted credentials fail to get populated in the authentication form.
-- You do not complete the access policy.
Conditions:
-- Options 'Substitute Value' and 'Obfuscate' are enabled under DataSafe Profile (Note: Default value is enabled for both attributes if APM logon page template is loaded).
-- 'Modern' customization is used.
Impact:
Authentication is unsuccessful and the end user is unable to log in.
Workaround:
None.
905477-6 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX
Component: Local Traffic Manager
Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.
Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.
Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.
Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.
904713-2 : FailoverState device status and CM device status do not match shortly after triggering failover
Component: TMOS
Symptoms:
After triggering failover, the result returned by the API endpoint /mgmt/tm/shared/bigip-failover-state (the BIG-IP failover state worker) may not match the actual device failover state.
Conditions:
This may happen on an high availability (HA) setup with a sync-failover device group.
Impact:
Actions that require the correct output of the BIG-IP failover state worker may fail. For instance, deleting an SSL Orchestrator topology followed by immediately triggering failover may encounter this issue, causing the deletion to fail.
Workaround:
After waiting for a short amount of time, the BIG-IP failover state worker gets in sync with the device failover state. So in the example of deleting an SSL Orchestrator topology, the deletion should be successful if you try again after a short wait.
904537-1 : The csyncd process may keep trying to sync the GeoIP database to a secondary blade
Component: Local Traffic Manager
Symptoms:
The most common symptom is when csyncd repeatedly syncs the GeoIP files and loads the GeoIP database, causing a large number of Clock advanced messages on all tmms.
Repeated log messages similar to the following are reported when a secondary slot logs into the primary slot to load the sys geoip database:
-- info sshd(pam_audit)[17373]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=x.x.x.x attempts=1 start="Wed Apr 29 13:50:49 2020".
-- notice tmsh[17401]: 01420002:5: AUDIT - pid=17401 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys geoip.
Conditions:
-- VIPRION or vCMP guests.
-- Either of the following:
- First installing the GeoIP database if the /shared/GeoIP/v2 directory does not exist.
- When a new blade is installed into a chassis.
Impact:
Repeated logs of Clock advanced messages.
Workaround:
Run the command:
clsh bigstart restart csyncd
904493 : TRUNK name in F5 ethernet trailer limited to 15 characters in tcpdump capture
Component: Local Traffic Manager
Symptoms:
The TRUNK name in an F5 ethernet trailer is limited to 15 characters in tcpdump captures.
Conditions:
-- Trunk name is longer than 15 characters.
-- Send traffic from client to server.
-- Capture traffic on the BIG-IP system using tcpdump.
Impact:
TRUNK name in the F5 ethernet trailer is truncated to 15 characters in the tcpdump capture. The tcpdump utility adds internal tmm information to tcpdump captures. This is used for diagnostic purposes and is not used for communication between client and server.
That said, if you have multiple trunks where the first 15 characters are the same, there is no way to distinguish between the traffic information for the various trunks in the tcpdump output.
Note: The tmm process correctly handles the longer names in other circumstances (e.g., adding/removing trunks, or looking up a trunk by name).
Workaround:
Although there is no workaround for the issue of the trunk name being truncated, if you have multiple trunks in which the first 15 characters are the same, you should rename them so they are distinguishable in the case where you might need to collect tcpdump data.
You can read more about the information tcpdump gathers here: K13637: Capturing internal TMM information with tcpdump :: https://support.f5.com/csp/article/K13637.
904401-5 : Guestagentd core
Component: TMOS
Symptoms:
Guestagentd crashes on a vCMP guest.
Conditions:
This can occur during normal operation in a vCMP environment.
Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.
Workaround:
None.
901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
901569-4 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
Component: Local Traffic Manager
Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.
Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).
Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.
Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.
898825 : Attack signatures are enforced on excluded headers under some conditions
Component: Application Security Manager
Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).
Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.
Impact:
False positive enforcement for header signature.
Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.
897437-7 : First retransmission might happen after syn-rto-base instead of minimum-rto.
Component: Local Traffic Manager
Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.
This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:
-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.
Conditions:
Configured value of syn-rto-base is lower than minimum-rto.
Impact:
Retransmission might happen sooner than expected.
Workaround:
There are two possible workarounds:
-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).
-- Consider enabling timestamps to allow faster RTT measurement.
891145-7 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
Component: Local Traffic Manager
Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.
Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.
Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.
Workaround:
There are two workarounds:
-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.
-- Disable TCP Timestamps.
890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
888885-3 : BIG-IP Virtual Edition TMM restarts frequently without core
Component: Local Traffic Manager
Symptoms:
The following messages are found in the QKViews:
"bigipA notice MCP bulk connection aborted, retrying"
"bigipA notice Initiating TMM shutdown"
Prior to this, the TMM process logs that it is waiting for its instances to reach different states. For example,
"localhost notice ixlv(1.3)[0:7.0]: Waiting for tmm1 to reach state 1..."
In the /var/log/ltm file, the following message are found sometimes.
"bigip1 crit tmm9[19358]: 01230017:2: Unable to attach to PCI device 00:09.00 for Interface 1.5"
Conditions:
BIG-IP VE with SR-IOV enabled on a Red Hat Enterprise Linux 7.7 which is a part of Red Hat OpenStack Platform 13
Impact:
The TMM process restarts without a core file repeatedly.
Traffic disrupted while tmm restarts.
888289-8 : Add option to skip percent characters during normalization
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
887621-4 : ASM virtual server names configuration CRC collision is possible
Component: Application Security Manager
Symptoms:
A policy add/modify/delete fails with the following error:
-- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY').
Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.
Impact:
Every config update fails.
Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.
You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command.
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'
887265-4 : BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration★
Component: Application Security Manager
Symptoms:
When booting to a boot location for the first time, the system does not come on-line.
Conditions:
-- There is a large configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.
Impact:
BIG-IP processes continually restart (VLAN failsafe-action failover-restart-tm), or the BIG-IP system continually reboots (VLAN failsafe-action reboot)
Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.
887117-4 : Invalid SessionDB messages are sent to Standby
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
887045-7 : The session key does not get mirrored to standby.
Component: Local Traffic Manager
Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.
Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives
Impact:
The session key does not get mirrored to standby.
Workaround:
None
885373-4 : Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Component: Advanced Firewall Manager
Symptoms:
When running iptables-restore, you get this error:
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
This occurs because firewall rules are not created in iptables and therefore not enforced until after rebooting the device.
Conditions:
Creating firewall rules for the management interface.
Impact:
Firewall rules for the management interface are not reliably created or enforced.
Workaround:
There are four possible workarounds:
=======
-- [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
iptables 14009 root 3rW REG 0,20 0 26415 /run/xtables.lock
root 13945 0.5 0.3 163992 29216 ? S 19:58 0:00 | \_ /usr/bin/mgmt_acld -do -m
root 14009 0.0 0.0 24900 1360 ? S 19:58 0:00 | \_ /sbin/iptables -xvL f5acl
^^^ xtables.lock held by iptables which is being run by mgmt_acld
[root:Active:Disconnected] config # bigstart stop mgmt_acld
[root:Active:Disconnected] config # killall iptables
^^^ stop mgmt_acld, and kill iptables
[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
[root@blpv0678:Active:Disconnected] config #
^^^ verify the lock is gone
perform the merge and the rules are loaded. Make sure to restart mgmt_acld afterwards.
=======
-- Reboot after every management firewall rule that is created.
=======
-- Manually clear the iptables lock then make your changes
1) Run: rm -rf /run/xtables.lock
2) Then make your changes
=======
-- If the changes have already been made, Manually clear the iptables lock, then run load sys config.
1) Run: rm -rf /run/xtables.lock
2) Then Run: tmsh load sys config
884729-1 : The vCMP CPU usage stats are incorrect
Component: TMOS
Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.
Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.
Impact:
The vCMP CPU usage stats are intermittently incorrect.
Workaround:
None.
883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
882729-5 : Applied Blocking Masks discrepancy between local/remote event log
Component: Application Security Manager
Symptoms:
Applied Blocking Masks discrepancy between local/remote event log, ASM logging event logs both locally and remotely to BIG-IQ has discrepancy.
Conditions:
This occurs when "Applied Blocking Masks" logs are emitted on a device where local and remove event logging is configured.
Impact:
This is cosmetic but can lead to confusion.
880689-1 : Update oprofile tools for compatibility with current architecture
Component: TMOS
Symptoms:
Current operf as shipped with BIG-IP is out of date and will not work.
Per the oprofile page (https://oprofile.sourceforge.io/news/) the version included in our systems (0.9.9) was released in 2013.
Conditions:
Opcontrol still works but operf will not load.
# operf --version
use the opcontrol command instead of operf.
Impact:
Outdated operf means that it cannot be used for troubleshooting purposes.
872165-4 : LDAP remote authentication for REST API calls may fail during authorization
Component: TMOS
Symptoms:
LDAP (or Active Directory) remote authentication fails during authorization for REST API calls.
Clients receive 401 Unauthorized messages and /var/log/restjavad.x.log may report messages similar to the following:
-- [I][1978][26 Mar 2021 13:23:36 UTC][8100/shared/authn/login AuthnWorker] User remoteuser failed to login from 192.0.2.1 using the tmos authentication provider
-- [WARNING][807][26 Mar 2021 14:43:24 UTC][RestOperationIdentifier] Failed to validate Authentication failed.
Conditions:
LDAP (or Active Directory) remote authentication configured with a User Template instead of a Bind Account.
Impact:
Unable to authenticate as remote-user for access that uses authorization, like REST API calls.
Workaround:
You can use either of the following workarounds:
-- Configure LDAP/AD remote authentication to utilize a Bind account instead of the User Template.
-- Create a local user account for each remote user, allowing local authorization (authentication remains remote).
871881-5 : Apply Policy action is not synchronized after making bulk signature changes
Component: Application Security Manager
Symptoms:
After an action that affects thousands of objects, a subsequent Apply Policy may be missed by a peer.
Conditions:
-- Devices are in an auto-sync device group with ASM sync enabled.
-- A bulk action that affects thousands of objects is performed (e.g., enforcing or disabling all signatures).
-- An Apply Policy action is taken immediately afterwards.
Impact:
Peer devices that are still busy processing the large request miss the Apply Policy action, and it is never sent again.
Workaround:
Make a spurious change and reapply the policy.
869553-5 : HTTP2::disable fails for server side allowing HTTP/2 traffic
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an iRule command 'HTTP2::disable serverside' to put http2 in passthrough mode. When the command is called during the CLIENT_ACCEPTED event, it should completely disable http2 until the end of TCP connection, or until the HTTP2::enable command is executed.
Conditions:
-- A virtual server has an HTTP/2 profile configured on the server side.
-- An iRule with an the command 'HTTP2::disable serverside' command is attached to the virtual server in the CLIENT_ACCEPTED event.
Impact:
The BIG-IP system continues to send HTTP/2 traffic to a server.
Workaround:
None.
867985-6 : LTM policy with a 'shutdown' action incorrectly allows iRule execution
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.
Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.
Impact:
The iRule is executed before the connection is being reset.
Workaround:
None.
867549-1 : LCD touch panel reports "Firmware update in progress" indefinitely★
Component: TMOS
Symptoms:
After a software upgrade that includes an LCD firmware update, the LCD touch panel may remain stuck reporting an error indefinitely / for longer than 30 minutes:
Firmware update in Progress may take up to 30 minutes.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have one of the following BIG-IP platforms:
* i850
* i2x00
* i4x00
* i5x00
* i7x00
* i10x00
* i11x00
* i15x00
* HRC-i2x00
* HRC-i5x00
* HRC-i10x00
-- You perform a software upgrade that updates the firmware on the LCD touch panel, e.g. upgrading from BIG-IP v13.1.x to BIG-IP v14.1.x or newer.
Impact:
The system is functional, but the LCD displays the firmware update screen indefinitely. The LCD cannot be used while it is frozen on the firmware update warning screen.
Workaround:
Important: Before attempting this workaround, check that there are no indications the system is still performing a firmware update (such as a terminal prompt), and that the following messages can be found in /var/log/ltm after the most recent boot:
notice chmand[6302]: 012a0005:5: firmware update succeeded.
notice chmand[6302]: 012a0005:5: Firmware check finished.
These messages indicates that the firmware update has finished, and the LCD is displaying the warning screen in error, so it is safe to perform the workaround.
Reboot the BIG-IP system to return the LCD to normal operation.
After a reboot of the BIG-IP operating system, the LCD touch panel should be responsive.
867253-4 : Systemd not deleting user journals
Component: TMOS
Symptoms:
When setting "SystemMaxUse" to any value, systemd does not get honored and the specified size is exceeded
Conditions:
-- Using a Non-TMOS user account with external authentication permission.
-- Systemd-journald is configured to create a user journal for every user that logs into the BIG-IP system.
Impact:
Journald filling up file system size. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.
Workaround:
Remove journal logs manually.
865653-1 : Wrong FDB table entries with same MAC and wrong VLAN combination
Component: TMOS
Symptoms:
Forwarding DataBase (FDB) table has duplicate MAC entries with the incorrect VLANs.
MAC entries are correct in the switch but not in the control plane.
Conditions:
Enable L2Wire.
Impact:
Duplicate MAC entries with incorrect VLANs in FDB table.
Workaround:
Restart bcm56xxd:
bigstart restart bcm56xxd
Note: You can use tmsh to see the table:
tmsh -m show net fdb
862001-6 : Improperly configured NTP server can result in an undisciplined clock stanza
Component: Local Traffic Manager
Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.
NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.
Impact:
When the LOCAL undisciplined clock is left as a valid time-source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the the remote time-source becomes unreachable.
Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.
While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
However, if the 'dummy' source starts responding, it could become a rogue time source.
860573-6 : LTM iRule validation performance improvement by tracking procedure/event that have been validated
Component: TMOS
Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.
Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.
Impact:
Task fails (via REST) or ends up taking a really long time when run manually.
Workaround:
None.
860277-6 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1
Component: Local Traffic Manager
Symptoms:
Version: 13.1.3.1
# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 49152
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 49152.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 32768.
Version: 14.1.2.2
# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
proxy-buffer-high 65535
proxy-buffer-low 32768
}
proxy-buffer-high
Specifies the highest level at which the receive window is closed.
The default value is 131072.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed.
The default value is 98304.
Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh
Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.
858877-5 : SSL Orchestrator config sync issues between HA-pair devices
Component: TMOS
Symptoms:
SSL Orchestrator configuration deployment across BIG-IP devices in a high-availability (HA) group may result in inconsistent state, if during deployment the connectivity between the HA peers is lost.
Conditions:
Deploying SSL Orchestrator configuration across BIG-IP devices in an HA group.
Impact:
Inconsistent SSL Orchestrator configuration on BIG-IP devices in an HA group.
Workaround:
Run the /usr/bin/ha-sync script. See ha-sync -h for help.
851385-8 : Failover takes too long when traffic blade failure occurs
Component: Local Traffic Manager
Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.
Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI
Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover
846977-7 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
844925-5 : Command 'tmsh save /sys config' fails to save the configuration and hangs
Component: TMOS
Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.
Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.
Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.
Workaround:
Run the command:
tmsh save /sys config binary
This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.
That way, you can reboot the BIG-IP system and not lose the configuration.
Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.
842669-6 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
Component: TMOS
Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:
cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )
Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as
- The cron process tries and fails to send an email because of output about a cron script.
- Modify syslog include configuration
- Apply ASM policy configuration change
- GTM.debugprobelogging output from big3d
Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log.
Workaround:
View the logs using journalctl -D /var/log/journal
842013-1 : ASM Configuration is Lost on License Reactivation★
Component: TMOS
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
830073-7 : AVRD may core when restarting due to data collection device connection timeout
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes
Workaround:
None.
829657-5 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.
829653-1 : Memory leak due to session context not freed
Component: Policy Enforcement Manager
Symptoms:
Memory increases slowly
Conditions:
A PEM iRule times out
Impact:
Memory could be exhausted depending on the frequency of the command timeouts
829021-1 : BIG-IP does not account a presence of http2 profile when response payload is modified
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway.
Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload.
Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client.
Workaround:
None.
814273-6 : Multicast route entries are not populating to tmm after failover
Component: TMOS
Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.
Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.
Impact:
Multicast traffic does not pass through properly
Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group
809089-4 : TMM crash after sessiondb ref_cnt overflow
Component: TMOS
Symptoms:
Log message that indicates this issue may happen:
session_reply_multi: ERROR: unable to send session reply: ERR_BOUNDS
[...] valid s_entry->ref_cnt
Conditions:
-- Specific MRF configuration where all 500 session entries are owned by a single tmm.
-- High rate of session lookups with a lot of entries returned.
Note: This issue does not affect HTTP/2 MRF configurations.
Impact:
TMM core: the program terminates with signal SIGSEGV, Segmentation fault. Traffic disrupted while tmm restarts.
Workaround:
1. Change MRF configuration to spread session lookups across multiple tmms.
2. Reduce the sub-key entries to far below 500.
808801-6 : AVRD crash when configured to send data externally
Component: Application Visibility and Reporting
Symptoms:
AVRD can crash repeatedly when configured to send telemetry data externally.
Conditions:
-- AVR is configured to send telemetry data to an external source (like connection with BIG-IQ).
-- Large number of config objects in the system, such as virtual servers and pool members.
Impact:
AVRD process crashes, and telemetry data is not collected.
Workaround:
Split the configuration updates into smaller batches
807945-6 : Loading UCS file for the first time not updating MCP DB
Component: TMOS
Symptoms:
MCP DB is not updated after loading a UCS file.
Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.
Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.
Workaround:
Load the same UCS again.
The MCP DB gets updated properly.
807569-3 : Requests fail to load when backend server overrides request cookies and Bot Defense is used
Component: Application Security Manager
Symptoms:
When Bot Defense is used on the backend server that overrides request cookies, requests to non-HTML resources may fail, or may receive the whitepage JavaScript challenge. An example is when a back-end server responds with a Set-Cookie header containing empty values for each cookie request cookie it does not recognize.
Conditions:
-- Bot Defense is enabled.
-- Backend server is overriding the Bot Defense cookies with the TS prefix.
Impact:
Some URLs fail to load following the JavaScript challenge.
Workaround:
Use an iRule to strip the TSPD_101 cookie from the request before forwarding it to the backend:
when HTTP_REQUEST_RELEASE {
HTTP::cookie remove "TSPD_101"
}
807309-5 : Incorrect Active/Standby status in CLI Prompt after failover test
Component: TMOS
Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.
Conditions:
This occurs under the following conditions:
1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.
Impact:
Status shown in the prompt does not change.
Workaround:
Do not run 'promptstatusd -y' command manually.
The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.
Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.
805821-1 : GTP log message contains no useful information
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
805561-1 : Change of pool configuration in OneConnect environment can impact active traffic
Component: Local Traffic Manager
Symptoms:
In OneConnect environments, when the default pool is updated for the first time, active connections reconnect to new pool members. Further update to pool configuration has no impact on traffic.
Conditions:
-- Virtual server configured with OneConnect profile.
-- Default pool is updated when active connections are present.
Impact:
Active traffic disrupted.
Workaround:
None.
803157-4 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
Component: TMOS
Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.
Conditions:
Reboot the BIG-IP system.
Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.
Workaround:
None.
798885-6 : SNMP response times may be long when processing requests
Component: TMOS
Symptoms:
SNMP queries to the BIG-IP system may take longer (up to 15% more time) to process on BIG-IP systems with large configurations. mcpd CPU usage increases by a small amount (up to 10%) during these queries.
Conditions:
-- Large configuration.
-- Using SNMP to query statistics on the BIG-IP system.
Impact:
A small increase in response time to SNMP requests to the BIG-IP. Some SNMP queries might fail due to timeouts. mcpd CPU usage is slightly elevated while processing these queries.
Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.
797573-1 : TMM assert crash with resulting in core generation in multi-blade chassis
Component: Local Traffic Manager
Symptoms:
TMM crashes while changing settings.
Conditions:
Seen on multi-blade chassis with either one of the options:
-- Running system with DoS and other traffic.
-- Create a new vCMP guest and deploy it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
796985-4 : Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'★
Component: TMOS
Symptoms:
VCMP host or guest is upgraded, and the vCMP guest is 'Inoperative', with messages similar to the following in /var/log/ltm:
-- warning clusterd[1546]: 013a0005:4: Clusterd using /VERSION for SW specification.
-- info clusterd[1546]: 013a0023:6: Blade 1: No info received from slot: Starting up
-- err clusterd[1546]: 013a0004:3: result {
-- err clusterd[1546]: 013a0004:3: result.code 17237812
-- err clusterd[1546]: 013a0004:3: result.attribute float_mgmt2_ip
-- err clusterd[1546]: 013a0004:3: result.message 01070734:3: Configuration error: Cluster alt-address: 192.168.1.246 cannot be the same address family as cluster address: 192.168.1.246
-- err clusterd[1546]: 013a0004:3: }
-- err clusterd[1546]: 013a0004:3: Per-invocation log rate exceeded; throttling.
-- notice clusterd[1546]: 013a0006:5: Disconnecting from mcpd.
-- info clusterd[1546]: 013a0007:6: clusterd stopping...
Conditions:
-- Isolated vCMP guest.
-- Both 'Address' and 'Alt-Address' are assigned the same IPv4 address.
-- Upgrade occurs.
Impact:
Upon host/guest upgrade, vCMP guest is 'Inoperative'.
Workaround:
-- For new vCMP guests, or prior to booting the vCMP guest to an affected version for the first time, assign it a management-ip from the vCMP host. This prevents the alt-address from being assigned and the issue from occurring on subsequent upgrades.
tmsh modify vcmp <guest_name> management-ip 192.168.1.246/24
-- For existing vCMP guests already on an affected version, but not currently experiencing the issue, assign a management-ip from the vCMP host and remove the alt-address from within the vCMP guest to prevent the issue from occurring in a future upgrade or reboot:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# tmsh modify sys cluster default alt-address none
-- When already upgraded and seeing the issue on a guest, set a management-ip from the vCMP host and run the following commands within the guest to remove the alternate address from the configuration file:
host# tmsh modify vcmp guest <guest-name> management-ip 192.168.1.246/24
guest# bigstart stop clusterd
guest# sed -i s/alt_addr=.*// -i /shared/db/cluster.conf
guest# bigstart start clusterd
794385-6 : BGP sessions may be reset after CMP state change
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
788257-5 : Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart
Component: In-tmm monitors
Symptoms:
The bigd.mgmtroutecheck db variable can be enabled to prevent monitor traffic from going through the management interface (for information, see K14549: Overview of the 'bigd.mgmtroutecheck' database key :: https://support.f5.com/csp/article/K14549); however, if in-tmm monitors are configured, the setting will be ignored after a bigstart restart.
Conditions:
-- bigd.mgmtroutecheck is enabled
-- bigd.tmm is enabled (i.e., in-tmm monitors are configured).
-- tmm has a route configured to the management interface.
-- A pool member exists that matches a route through the management interface.
-- bigstart restart is performed.
Impact:
In-tmm monitor traffic uses the management interface if there is a route to the pool member via the management interface, even when bigd.mgmtroutecheck indicates it is enabled.
Workaround:
None
780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
780745-5 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access
Component: TMOS
Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.
Conditions:
Duplicate access records are created in TMSH.
Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.
Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.
If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.
780437-8 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
778501-5 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment
Component: Local Traffic Manager
Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.
Conditions:
- iRule with LB_FAILED event
- server connection establishment fails
Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.
Workaround:
No workaround available.
777389-7 : In rare occurrences related to PostgreSQL monitor, the mcpd process restarts
Component: TMOS
Symptoms:
Possible indications include the following:
-- Errors such as the following may appear in ltm/log:
- notice postgres[10872]: [466-1] WARNING: pgstat wait timeout.
- notice sod[27693]: 01140041:5: Killing /usr/bin/mcpd pid 7144.
- BD_CONF|ERR| ...failed to connect to mcpd after 5 retries, giving up...
- BD_CONF|ERR| ...can't read message from mcp conn, status:16908291.
- BD_MISC|CRIT| ...Received SIGABRT - terminating.
-- Errors such as the following may appear in the dwbld/log:
- Couldn't send BLOB notification - MCP err 16908291.
- Got a terminate/abort signal - terminating ...
- Terminating mcp_bridge thread.
-- Processes may restart unexpectedly, including mcpd, bd, and postgresql.
Conditions:
-- The 'mcpd' process attempts to read monitoring data from the PostgreSQL server, but no data is available.
-- A contributing factor might be that the AFM module is licensed but not configured.
Impact:
Failing to receive a monitoring response from the SQL server, MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.
Workaround:
The chance of occurrence can be minimized by making sure that control-plane processes have sufficient memory to run efficiently.
775797-5 : Previously deleted user account might get authenticated
Component: TMOS
Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.
Conditions:
-- User account configured as local user.
-- The user account is deleted later.
(Note: The exact steps to produce this issue are not yet known).
Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.
Workaround:
None.
760740 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running
Component: Protocol Inspection
Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.
MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.
Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
+ LTM
+ FPS
+ GTM (DNS)
+ LC
+ SWG
+ iLX
+ SSLo
-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
+ APM
+ ASM
+ AVR
+ PEM
+ AFM
+ vCMP
Impact:
The error message is cosmetic and has no impact on the UCS save process.
Workaround:
None.
760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Component: Advanced Firewall Manager
Symptoms:
If firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
-- Firewall is configured on the management port.
-- Firewall is configured with an ICMP rule to block.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on management port. ICMP packets are allowed from the management port.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
760354-7 : Continual mcpd process restarts after removing big logs when /var/log is full
Component: TMOS
Symptoms:
Unit suddenly stops passing traffic. You might see errors similar to the following:
err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...
Conditions:
This might occur when when /var/log is full and then you remove big logs.
Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.
Workaround:
Fix the logs and reboot the BIG-IP system.
759737 : Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
Component: TMOS
Symptoms:
CPU usage statistics reported for Control and Analysis planes are not described properly for single-core vCMP guests.
Conditions:
A vCMP guest with a single core.
Impact:
CPU usage statistics report 0 Control Plane cores and 1 Analysis Plane core.
Workaround:
On a single core, two hyperthread vCMP guest, one hyperthread/CPU is dedicated to Data Plane while the other is dedicated to Control and Analysis Plane. All statistics attributed to the Analysis Plane in this CPU configuration are in fact the aggregate of Control Plane and Analysis Plane.
758491-5 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
Component: Local Traffic Manager
Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):
-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.
After enabling pkcs11d debug, the pkcs11d.debug log shows:
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===
For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.
Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.
2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.
Impact:
SSL handshake failures.
Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.
IMPORTANT: This workaround is suitable for deployments that are new and not in production.
-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm
You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l
-- The string after label= in the 'cmu list' command for Safenet.
757787-5 : Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI.
Component: TMOS
Symptoms:
When creating a new rule or modifying an existing rule in a LTM/AFM Policy policy using the WebUI, the operation fails and an error similar to the following example is returned:
Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().
Conditions:
-- The LTM/AFM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.
Impact:
Unable to make changes to existing LTM/AFM Policies.
Workaround:
Use the tmsh utility to make the necessary modifications to the LTM/AFM Policy. For example, the following command modifies an existing rule:
tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }
755976-9 : ZebOS might miss kernel routes after mcpd deamon restart
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
755061-1 : iRule audit logs may be written to separate files
Component: Local Traffic Manager
Symptoms:
Only the first line of an iRule audit log is written into /var/log/audit. The rest of the iRule is logged to /var/log/messages.
Conditions:
This is encountered when iRule audit logging is enabled and iRule events are triggered.
Impact:
Snippets of iRules appear in unexpected locations.
Workaround:
Although there is no workaround, if you have sensitive information in your iRules and want to prevent it from appearing in audit logs, you can disable audit logging.
753712-4 : Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Component: TMOS
Symptoms:
An incorrect warning message is given when the inline source/dest address is changed:
-- warning mcpd[6927]: 01071859:4: Warning generated : Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family.
Conditions:
This occurs after you create a traffic-matching-criteria (port-list, address-list) with different source and destination addresses.
Impact:
An incorrect and confusing warning message is given. This warning does not affect traffic processing. It is inadvertently triggered when reading the configuration of the traffic matching profile. Virtual servers should continue to work, and the config should load as expected, despite the warning.
Workaround:
None
751451-4 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
Component: Local Traffic Manager
Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.
Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later
Impact:
TLSv1.3 gets enabled on the server SSL profiles.
Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later
-- To mitigate this issue, modify the affected profile to disable TLSv1.3.
749757-4 : -s option in qkview help does not indicate maximum size
Component: TMOS
Symptoms:
When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered.
It should read:
[ -s <max file size> range:0-104857600 Bytes ]
Conditions:
-- Running qkview -h.
-- Viewing the -s (size) option help.
Impact:
The measurement size, bytes, is missing, which might result in confusion.
Workaround:
Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600.
749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
743950-6 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
Component: Local Traffic Manager
Symptoms:
TMM raises a segmentation violation and restarts.
Conditions:
-- Set up client-side and server-side SSL with:
+ Client Certificate Constrained Delegation (C3D) enabled.
+ OCSP enabled.
-- Supply SSL traffic.
Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.
Workaround:
Disable C3D.
742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
737739-4 : Bash shell still accessible for admin even if disabled
Component: TMOS
Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.
Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.
Impact:
Users with the Administrator role can obtain shell access via REST.
With terminal access disabled:
-- If you attempt to login using SSH, you will not be to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.
With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.
Workaround:
None.
737692-5 : Handle x520 PF DOWN/UP sequence automatically by VE
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
724653-5 : In a device group, a non-empty partition can be deleted by a peer device during a config sync
Component: TMOS
Symptoms:
In a device cluster, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Conditions:
-- Two or more devices in a device service cluster.
-- Using partitions that contain only non-synced objects.
-- Deleting the partition on a peer and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects.
720610-4 : Updatecheck logs bogus 'Update Server unavailable' on every run
Component: TMOS
Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading messages in the log file, implying that the update server is not available.
Workaround:
None.
718291-4 : iHealth upload error does not clear
Component: TMOS
Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.
Conditions:
Setting an invalid hostname for db variable proxy.host.
Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.
Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"
717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
717174-5 : WebUI shows error: Error getting auth token from login provider★
Component: Device Management
Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.
This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.
Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.
Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.
Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:
bigstart restart restjavad
bigstart restart restnoded
716140 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to recieve 'Unsupported security level' errors
Component: TMOS
Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.
If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime)
Conditions:
Custom SNMP v3 users created and exist in /config/net-snmp/snmpd.conf 'zeroed out' data:
Example from /config/net-snmp/snmpd.conf where user 'testuser' has some data that is 'zeroed out' (0x 0x):
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they might fail to load correctly due to the zeroing out of data.
For example this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Workaround:
Use tmsh to configure SNMP users.
713183-7 : Malformed JSON files may be present on vCMP host
Component: TMOS
Symptoms:
Malformed JSON files may be present on vCMP host.
Conditions:
All needed conditions are not yet defined.
- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
None.
712241-8 : A vCMP guest may not provide guest health stats to the vCMP host
Component: TMOS
Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision
These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.
These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest
Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.
Impact:
There is no functional impact to the guests or to the host, other than these lost tables.
-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
Workaround:
There is no workaround at this time.
705869-1 : TMM crashes as a result of repeated loads of the GEOIP database
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes.
Conditions:
Repeatedly loading the GeoIP database in rapid succession.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't do repeated load of GeoIP Database.
703226-3 : Failure when using transactions to create and publish policies
Component: TMOS
Symptoms:
Use batch mode transactions to create Virtual Servers with Policies containing rules.
Conditions:
Create and publish in the same transaction a Policy containing rules.
Impact:
Operation fails.
This occurs because the system is trying to look up a policy that does not exist because the 'create' operation is not yet complete. This might happen when the create and publish operations occur simultaneously, which might happen in response to scripts from iApps, batch mode creation of policies, UCS load, upgrade operation--all try to create domain trust, and all might include the policy create in the same operation.
Workaround:
Separate the create Policy and publish Policy operations into two transactions when the Policy contains rules.
696363-7 : Unable to create SNMP trap in the GUI
Component: TMOS
Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
690928-6 : System posts error message: 01010054:3: tmrouted connection closed
Component: TMOS
Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.
System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed
Conditions:
This message occurs when all of the following conditions are met:
-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.
Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.
Workaround:
None.
689147-6 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
683534-2 : 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading
Component: Local Traffic Manager
Symptoms:
The 'tmsh show sys connection' may present a prompt asking you to confirm you want to display ~4 billion (4,294,967,295) connections:
# show sys connection max-result-limit infinite
Really display 4294967295 connections? (y/n)
Conditions:
-- The 'tmsh show sys connection' command is executed with max-result-limit option set to infinite.
Impact:
The value shown in the prompt (4294967295) is misleading, and does not reflect the actual number of connections being handled by the system. The 4294967295 number represents the maximum value the field can hold, not the number of actual connections.
Workaround:
None
674026-6 : iSeries AOM web UI update fails to complete.★
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
673573-8 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
672963-1 : MSSQL monitor fails against databases using non-native charset
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
659579-6 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time
Component: TMOS
Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.
Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.
Impact:
Difficult to troubleshoot as the logs are not aligned with system time.
Workaround:
None
658943-5 : Errors when platform-migrate loading UCS using trunks on vCMP guest
Component: TMOS
Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:
01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.
01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.
Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.
Impact:
The platform migration fails and the configuration does not load.
Workaround:
You can use one of the following workarounds:
-- Remove all trunks from the source configuration prior to generation of the UCS.
-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.
-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.
658850-6 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
646768-6 : VCMP Guest CM device name not set to hostname when deployed
Solution Article: K71255118
Component: TMOS
Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.
Impact:
The vCMP guest does not use the configured hostname.
Workaround:
-- In tmsh, run the following commands, in sequence:
mv cm device bigip1 HOSTNAME
save sys config
-- Rename the device name in the GUI.
574762-4 : Forwarding flows leak when a routing update changes the egress vlan
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
571333 : FastL4 TCP handshake timeout not honored for offloaded flows
Solution Article: K36155089
Component: TMOS
Symptoms:
When a virtual server is configured with a FastL4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the FastL4 profile, but it should be set to the 'tcp handshake timeout' instead.
Conditions:
-- Virtual server is configured with a FastL4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the acceleration-offload state to establish. For example:
tmsh modify ltm profile fastl4 fastl4_xyzzy pva-offload-state establish
550526-3 : Some time zones prevent configuring trust with a peer device using the GUI.
Solution Article: K84370515
Component: TMOS
Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.
Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
-- Using the GUI to add a peer device to a trust configuration.
Impact:
Adding a peer device using the GUI fails.
Workaround:
You can use either of the following workarounds (you might find the first one easier):
-- Temporarily set the device timezone to a non-affected timezone (e.g.; UTC), establish trust, and set it back:
1. Navigate to System :: Platform.
2. Under 'Time Zone', select 'UTC', and click 'Update'
3. Repeat steps one and two to change all devices that are to be part of the trust domain.
4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.
5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.
-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
464708-3 : DNS logging does not support Splunk format log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS logging does not support Splunk format logging. It fails to log the events, instead logging err messages:
hostname="XXXXXXXXXXXXX.XX",errdefs_msgno="01230140:3:
Conditions:
DNS logging configured for Splunk format.
Impact:
DNS logging does not log Splunk format to HSL.
Workaround:
Use an iRule to send Splunk-formatted messages to the Splunk server.
For example:
ltm rule dns_logging_to_splunk {
when DNS_REQUEST {
set ldns [IP::client_addr]
set virtual server [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_REQUEST,ldns=$ldns,virtual=$vs,query_name=$q_name,query_type=$q_type"
}
when DNS_RESPONSE {
set ldns [IP::client_addr]
set virtual server [virtual name]
set q_name [DNS::question name]
set q_type [DNS::question type]
set answer [DNS::answer]
set hsl [HSL::open -proto UDP -pool splunk-servers]
HSL::send $hsl "<190>,f5-dns-event=DNS_RESPONSE,ldns=$ldns,virtual=$vs,query_name=$q_name,query_type=$q_type,answer=\"$answer\""
}
}
431503-10 : TMSH crashes in rare initial tunnel configurations
Solution Article: K14838
Component: TMOS
Symptoms:
In rare BigIP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
382363-8 : min-up-members and using gateway-failsafe-device on the same pool.
Solution Article: K30588577
Component: TMOS
Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.
Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.
Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.
Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.
1031461-2 : Session awareness entries aren't expired from one of active-active units
Component: Application Security Manager
Symptoms:
Session db entries remain in bd (ASM) daemon until manually removed
Conditions:
- ASM provisioned
- Security policy attached to a virtual server
- Session tracking and Login Page enabled in the policy
Impact:
Session db keeps unnecessary entries in memory
Workaround:
Delete session bd entries manually
/usr/share/ts/bin/asm_sessiondump --delete_all
1031425-3 : Provide a configuration flag to disable BGP peer-id check.
Component: TMOS
Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.
Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.
Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID
Workaround:
Change peer-ids to be unique on eBGP peers.
1030881-1 : [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config load fails with the following error message:
01070022:3: The monitor template min was not found.
Conditions:
Min or required feature is applied to GTM generic host and upgrade from v15.x to v16.x.
Impact:
GTM config load fails.
Workaround:
Delete the special config for the generic host server and add it back after upgrade.
1030645-4 : BGP session resets during traffic-group failover
Component: TMOS
Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:
BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change
Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.
Impact:
BGP session goes down during traffic-group failover.
1030533-1 : The BIG-IP system may reject valid HTTP responses from OCSP servers.
Component: Local Traffic Manager
Symptoms:
When this happens, the BIG-IP system can be seen closing the TCP connection to the OCSP server prematurely (for instance, as soon as the HTTP response headers are received, before the response body is transmitted).
If log.keymgmtd.level is set to debug, an error similar to the following example will be logged to the /var/log/ltm file:
Jun 22 14:40:08 bigip1.local debug tmm[9921]: 01a40004:7: OCSP validation result of certificate(/config/filestore/files_d/Common_d/certificate_d/:Common:endpoint-intermediate_69993_1): OCSP response - (connection - HTTP error), certificate status - (error), lifetime - 10.
Conditions:
The server uses a Content-Type HTTP header in its response that isn't just "application/ocsp-response" (for instance, it may include a charset specification after that string, or the string may use a mix of uppercase and lowercase letters).
Impact:
Valid HTTP responses from OCSP servers are rejected. OCSP stapling and OCSP validation are not available on the BIG-IP system.
Workaround:
If you control the OCSP server and are able to customize its HTTP response headers, setting the Content-Type to simply "application/ocsp-response" (all lowercase) is a workaround for this issue.
Otherwise, no workaround exists.
1030237-1 : Zxfrd core and continual restart when out of configured space
Component: Global Traffic Manager (DNS)
Symptoms:
Zxfrd is in restart loop and occasionally cores.
Conditions:
Zxfrd is out of the configured space.
Impact:
Dns express and rpz does not work properly.
Workaround:
1. locate any zone that is suspiciously large and delete that zone from dns zones if unexpected;
2. Allocate more space for zxfrd using dnsexpress huge pages.
tmsh modify sys db dnsexpress.hugepages { value "8000" }
8000 should be adjusted accordingly.
1029989-6 : CORS : default port of origin header is set 80, even when the protocol in the header is https
Component: Application Security Manager
Symptoms:
Destination port is set to 80, instead of 443, for Origin header value that has https in the schema field.
This causes unexpected "Illegal cross-origin request" violation.
Conditions:
- Using CORS enforcement where you allow HTTPS and port 443 for an origin name
- The Origin header value has https in the schema
- The Origin header value does not specify non default port number
Impact:
Unexpected "Illegal cross-origin request" violation.
Workaround:
Allow port 80 or use 'any' for the given origin name.
1029949-2 : IPsec traffic selector state may show incorrect state on high availability (HA) standby device
Component: TMOS
Symptoms:
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.
Conditions:
-- High availability (HA) environment
-- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).
Impact:
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.
Workaround:
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.
1028969-1 : An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working
Component: TMOS
Symptoms:
If both IKEv1 and IKEv2 try to listen to the same self IP address on the BIG-IP for a local tunnel IP address, only one can win, and previously a v2 ike-peer would be blocked if a v1 listener managed to get installed first.
If a partial tunnel config exists, with no ike-peer and only ipsec-policy and traffic-selector definitoins, this is understood to be IKEv1 implicitly, by default, and will install a v1 listener for the IP address and port.
Then if a fully configured ike-peer is added using IKEv2, it can fail to establish the required listener for v2 when an existing v1 listener is squatting on that IP address.
Conditions:
Conflict between IKEv2 and IKEv1 on the same IP address when:
-- a v2 ike-peer has local tunnel IP address X
-- a v1 ike-peer, or a traffic-selector with no peer at all, has the same local IP address X
Impact:
An IKEv2 tunnel can fail to negotiate when v2 packets cannot be received on a local IP address because a listener for IPsec cannot be established on that IP address.
Workaround:
You can avoid conflict between v1 and v2 by:
-- removing a traffic-selector not in use (which is v1)
-- avoiding use of the same local IP in both v1 and v2 definitions of ike-peer
1027805-4 : DHCP flows crossing route-domain boundaries might fail.
Component: Local Traffic Manager
Symptoms:
DHCP flows crossing route-domain boundaries might fail.
Conditions:
Example of a configuration leading to the problem:
- route-domain RD%2 with parent defined as route-domain RD%1.
- Virtual-server in route-domain RD%2.
- Pool member configured in RD%2 (sharing IP addressing with RD1)
- DHCP client connects to the virtual-server in route-domain RD%2.
- Route lookup for a pool member ends up with connection in route-domain RD%1
Impact:
The second and subsequent DHCP clients requests will not be forwarded to the DHCP pool members.
Workaround:
When configuring a DHCP pool member, use the ID of the parent route-domain (the one that will be returned by a route-lookup for the pool member's IP address).
1027657-4 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent monitor intervals for resource monitoring.
Conditions:
"require M from N" monitor rules configured.
Impact:
Monitor status flapping.
Workaround:
Do not use "require M from N" monitor rules.
1027481-3 : 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms
Component: TMOS
Symptoms:
'error: /bin/haloptns unexpected error -- 768' message logged by system commands, including some startup scripts and the software installation process.
Running /bin/haloptns manually displays this output:
'Expected 32 bit OPTN field, found field "" instead.'
Conditions:
-- One of the following platforms:
- D112 (B10350v-F (FIPS) or B10150s-N (NEBS))
- A110 (VIPRION B4340N (NEBS) blades)
-- The system does not use RAID.
Impact:
Excessive "error: /bin/haloptns unexpected error -- 768" error messages in log files, and command output (e.g. "cpcfg").
There is no other impact, and the messages can be ignored.
Workaround:
Ignore the error messages.
1027477-3 : Virtual server created with address-list in custom partition non-RD0 does not create listener
Component: TMOS
Symptoms:
After creating a virtual-server in a partition with a non RD0 route-domain attached, the virtual address listener does not get associated with the virtual server and the virtual address stays offline.
Conditions:
-- An address list (traffic matching criteria) is used when creating the virtual server in the GUI.
-- The virtual server is created with a route domain other than the default route domain.
Impact:
The virtual address remains in an offline state.
Workaround:
None.
1027237-1 : Cannot edit virtual server in GUI after loading config with traffic-matching-criteria
Component: TMOS
Symptoms:
After creating a virtual server with a traffic-matching-criteria and then loading the configuration, you are unable to make changes to it in the GUI. Attempting to do so results in an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (::) for virtual server (/Common/test-vs) must be be the same type (IPv4 or IPv6).
Conditions:
-- A virtual server that has traffic-matching-criteria (i.e., address and/or port lists).
-- The configuration has been saved at least once.
-- Attempting to edit the virtual server in the GUI.
Impact:
Unable to use the GUI to edit the virtual server.
Workaround:
Use TMSH to modify the virtual server.
1026989-1 : More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet.
Component: TMOS
Symptoms:
When a dynamic or static route is instantiated for application traffic processing, protection exists at configuration-validation time to ensure that the new route does not overwrite how the management port's subnet is accessed.
To do so, the destination of the new route is compared to the management port's subnet. If the two match, the new route is only instantiated in TMM, but not in the Linux host's routing table.
The issue is this logic fails when the new route is a subset of the management port's subnet. For example, if the new route is to destination 10.215.50.0/25, and the management port's subnet is 10.215.50.0/24, the new route will be added to both TMM and the Linux host, bypassing the aforementioned protection.
Instead, the logic should check for overlapping subnets, not just strict equality.
Conditions:
- A dynamic or static route whose destination partially overlaps with the management port's subnet is added to or learnt by the system.
Impact:
A new and more specific route for part of the management port's subnet is added to the Linus host's routing table.
Part of the management port traffic can fail or be misrouted via a TMM interface.
If multiple routes of this kind are instantiated (e.g. 10.215.50.0/25 + 10.215.50.128/25), the whole management port's subnet can be overtaken.
Workaround:
Redesign your network and then reconfigure the BIG-IP system so that TMM does not need access to the management port's subnet or part of it (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time the problematic route is loaded or learnt by the system.
1026973-1 : Static routes created for application traffic processing can erroneously replace the route to the management subnet.
Component: TMOS
Symptoms:
If a static route is added via "tmsh create net route" (or equivalent configuration ingestion system), and this route's destination matches the management port's subnet, the protection that prevents the new route from being propagated to the Linux kernel will initially work, but will fail after mcpd is restarted or the system is rebooted.
Conditions:
- A static route whose destination matches the management port's subnet is added to the system.
- The system is rebooted or mcpd is restarted.
Impact:
The directly-connected route for the management port's subnet appearing in the Linux host's routing table is replaced, or complemented, by a new and unnecessary route.
In either case, management port traffic can fail or be misrouted via a TMM interface.
Workaround:
Align your network and the BIG-IP system so that TMM does not need access to the management port's subnet (thus negating the need to create a route to that destination in the first place).
If this is not possible, you can temporarily resolve the issue by using the `route` or `ip` utility on the Linux host subsystem to manually fix the routing table. However, the issue will occur again the next time mcpd or the system restarts.
1026861-3 : Live Update of Browser Challenges and Anti-Fraud are not cleaned up
Component: TMOS
Symptoms:
When installing live updates of either Browser Challenges (ASM) or Anti-Fraud (FPS), the update file remains in the system, taking up disk space and increasing config sync size.
Conditions:
Installing Live Update files of either Browser Challenges (part of ASM) or Anti-Fraud (part of FPS).
Impact:
Increased disk size, config size, and config-sync size.
Workaround:
It is possible to manually clean up old, unused Live Update files using TMSH or REST:
tmsh delete security datasync update-file datasync-global/<file>
Important: Use caution, as deleting update-files that are in use could cause the system to go offline or get out of sync. The in-use update files can be observed under the GENERATION PROFILES section of the /var/log/datasyncd.log file.
Note: There is no auto-completion on the 'update-file' keyword.
1026813-7 : LCD IP address is missing from /etc/hosts on iSeries
Component: Global Traffic Manager (DNS)
Symptoms:
On iSeries platforms, /etc/hosts is missing an entry for the LCD IP address, 127.4.2.2.
Conditions:
Run any iSeries appliance.
Impact:
- BIG-IP generates reverse DNS requests for the LCD.
- /var/log/touchscreen_lcd lists the IP address "127.4.2.2" as the hostname
Workaround:
Add an entry for the LCD to /etc/hosts by modifying the 'remote-host' global settings, by running the following tmsh command:
tmsh modify sys global-settings remote-host add { lcd { addr 127.4.2.2 hostname lcd } }
tmsh save sys config
Or, in the BIG-IP GUI, System >> Configuration : Device : Hosts
1026621-1 : DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist
Component: Global Traffic Manager (DNS)
Symptoms:
DNS query could not be resolved properly.
Conditions:
1. dnscache.matchwildcardvip is enabled
2. Multiple possible routes to destination DNS server exist. This can be triggered by either using a gateway pool, or using dynamic routing with multiple equal paths available.
Impact:
Unable to use snatpool for cache resolver.
Workaround:
Ensure only a single route to destination exists, or disable dnscache.matchwildcardvip
NOTE: With dnscache.matchwildcardvip disabled, snatpool will not be used.
1026605-6 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain
1026549-1 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
Component: TMOS
Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.
Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.
Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.
There may be other as-yet unknown impacts for this issue.
Workaround:
Use a different VE driver than one of the ones listed above.
1026277-6 : Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled
Component: Application Security Manager
Symptoms:
With auto-sync enabled, replacing multiple policies on Unit-A with policies having Policy Builder enabled, "Apply Policy" initiated by Policy Builder can be ignored at Unit-B that results all the policy on Unit-A appear as not-edited while a few policies on Unit-B appear as edited.
Conditions:
-- Using auto-sync
-- Multiple policies are replaced (imported as replacing method) at the same time
Note : bulk import/replace is only possible via Ansible (also, maybe scripting that utilizes REST API)
-- Those imported policies have Policy Builder enabled
Impact:
Inconsistent policy state in auto-sync members
Workaround:
Make a minor update on those affected policies, then "Apply Policy" will fix the inconsistent state.
1026273-4 : HA failover connectivity using the cluster management address does not work on VIPRION platforms★
Component: TMOS
Symptoms:
Upon upgrade to an affected version, failover communication via the management port does not work. You may still see packets passing back and forth, but the listener on the receiving end is not configured, and therefore the channel is not up.
Here are a few symptoms you may see:
-- Running 'tmsh show cm failover-status' shows a status of 'Error' on the management network.
-- Running 'tmctl' commands reports the disconnected state:
Example:
$ tmctl -l sod_tg_conn_stat -s entry_key,last_msg,status
entry_key last_msg status
----------------------------- ---------- ------
10.76.7.8->10.76.7.9:1026 0 0 <--- Notice there is no 'last message' and 'status' is 0, which means disconnected.
10.76.7.8->17.1.90.2:1026 1623681404 1
-- Looking at 'netstat -pan | grep 1026 command output, you do not see the management port listening on port 1026:
Example (notice that the management IP from the above example of 10.76.7.9 is not listed):
# netstat -pan | grep 1026
udp 0 0 10.10.10.10:1026 0.0.0.0:* 6035/sod
-- Listing /var/run/ contents shows that the chmand.pid file is missing:
# ls /var/run/chmand.pid
ls: cannot access /var/run/chmand.pid: No such file or directory
Conditions:
-- Running on VIPRION platforms
-- Only cluster management IP address is configured: No cluster member IP addresses are configured
-- Install a software version where ID810821 is fixed (see https://cdn.f5.com/product/bugtracker/ID810821.html)
-- Management IP is configured in the failover configuration
Impact:
If only the management is configured for failover or there are communication issues over the self IP (such as misconfigured port lockdown settings), then the devices may appear to have unusual behavior such as both going active.
Workaround:
-- Configure a cluster member IP address on each individual blade in addition to the Cluster management IP address.
1025965-1 : Audit role users cannot see folder properties under sys-folder
Component: TMOS
Symptoms:
Users with auditor role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. Users with the Auditor role have access to all partitions on the system, and this partition access cannot be changed.
Conditions:
Run tmsh command to check the access under sys folder
Impact:
Tmsh does not allow sys folder component for auditor.
no-ref-check, traffic-group, device-group
1025529-2 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent
Component: Service Provider
Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.
Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.
1025513-1 : PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog
Component: TMOS
Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent auth issue results in failure of some auth request.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to rerun auth request.
1025089-1 : Pool members marked down by database monitor due to stale cached connection
Component: Local Traffic Manager
Symptoms:
By default, BIG-IP database monitors (mssql, mysql, oracle, postgresql) are configured to keep a connection to the database server open between monitor probes to avoid the overhead of establishing the network connection to the database server for each query operation.
If this cached network connection times out or is dropped by the database server, it is marked as "stale" when the next probe occurs, and a new connection is made during the next scheduled monitor probe.
In the meantime, due to the lost connection, the monitored pool member may be marked DOWN until the next scheduled monitor probe. This is more likely to occur when a database monitor is used to monitor a GTM pool member instead of an LTM pool member, due to differences between how monitors are configured for GTM versus LTM.
Conditions:
This may occur under the following conditions:
-- GTM or LTM pool members are monitored by a database monitor, configured such that a single probe failure will mark the member DOWN. (Such configuration may be more common for GTM monitors.)
-- Either the database server times out or drops the connection for some reason, or no database monitor probes are sent to the database server within a 5 minute interval.
Impact:
GTM or LTM pool members monitored by a database monitor may be marked DOWN temporarily if the network connection to the database server is dropped or times out.
Workaround:
To work around this issue, perform one of the following actions:
-- Configure the database (mssql, mysql, oracle, postgresql) monitor with a "count" value of "1". This prevents the caching/reuse of network connections to the database server between probes. Thus there is no cached connection to time out/get dropped. However, the overhead of establishing the network connection to the database server will be incurred for each probe.
-- Configure the database monitor "interval" and "timeout" values (for an LTM monitor), or the "interval", "timeout", "probe-attempts", "probe-interval" and "probe-timeout" values (for a GTM monitor) such that multiple failed monitor probes are required before the monitored member is marked DOWN.
1024905-1 : GTM monitor times out if monitoring a virtual server with translation address
Component: Global Traffic Manager (DNS)
Symptoms:
GTM monitor flaps between UP and DOWN.
Conditions:
1. GTM configured with two type of IP addresses, one IPv4 with translated address and IPv6 without translated address, or the other way around.
2. The monitored resource is with the translated address of the other type. If step 1, IPV4 translated, then step with IPV4 translated address.
Impact:
Monitor flaps.
Workaround:
Configure both with translated address.
1024841-2 : SSL connection mirroring with ocsp connection failure on standby
Component: Local Traffic Manager
Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.
Conditions:
SSL connection mirroring with ocsp stapling
Impact:
Handshake delay on active
Workaround:
Disable ocsp stapling or ssl connection mirroring
1024761-1 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body
Component: Local Traffic Manager
Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.
Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.
Impact:
HTTP clients are unable to connect.
Workaround:
Remove the rewrite profile.
Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".
1024661-3 : SCTP forwarding flows based on VTAG for bigproto
Component: TMOS
Symptoms:
Sometimes SCTP traffic is unidirectionally dropped on one link after an SCTP link down occurs.
Conditions:
-- SCTP configured and BIG-IP is passing traffic
-- A link goes down
Impact:
Flow creation on the wrong TMM and some traffic is dropped.
Workaround:
Disable SCTP flow redirection.
tmm.sctp.redirect_packets == disable
1024621-4 : Re-establishing BFD session might take longer than expected.
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.
Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)
1024553-1 : GTM Pool member set to monitor type "none" results in big3d: timed out
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member is marked down with a 'none' type monitor attached.
Conditions:
-- GTM pool member with a 'none' monitor configured
Impact:
Setting a pool member to have "none" monitor should result in a blue "checking" status but it may mark the pool member as down/unavailable.
Workaround:
NA.
1024421-2 : At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log
Component: TMOS
Symptoms:
TMM log shows clock advancing and MPI timeout messages:
notice slot1 MPI stream: connection to node aborted for reason: TCP RST from remote system (tcp.c:5201)
notice slot1 tmm[42900]: 01010029:5: Clock advanced by 6320 ticks
Conditions:
-- pva.standby.flush DB key set to 1 (enabled). The default is 0.
-- Processing high traffic volume for some time
Impact:
Upstream switch could receive flow response from both active and standby units and cause a traffic disturbance.
1024301-1 : Missing required logs for "tmsh modify disk directory" command
Component: TMOS
Symptoms:
In case of failure of "tmsh modify disk directory" command, log which help to find reason for failure are getting missed.
Conditions:
Attempt to resize some volumes via the "tmsh modify disk directory" command
Impact:
Not able to find failure reason for resize of volumes.
Workaround:
Manually running the resize2fs command, can give the reason for failure.
1024269-1 : Forcing a file system check on the next system reboot does not check all filesystems.
Component: TMOS
Symptoms:
Forcing a file system check on the next system reboot, as described in K73827442, does not check all filesystems, but only the root (/) filesystem. This should not be the case and is a regression compared to previous BIG-IP versions.
After the reboot, you can inspect which filesystems were checked by running the following command:
journalctl --all --no-pager | grep -i fsck
Conditions:
A BIG-IP Administrator follows the procedure to force a file system check on the next system reboot.
Impact:
Some filesystems will not be fixed, and will continue to be corrupted. This can have a number of negative consequences. For instance, enlarging a filesystem (via the 'tmsh modify sys disk directory' command) can fail when a filesystem is dirty.
Workaround:
You can boot the system from the Maintenance Operating System (MOS), and perform all needed file system check operations from there. To boot the system into MOS, simply type 'mosreboot'. Note that once the system reboots into MOS, you will need video console access (for VE systems) or serial console access (for hardware systems) to be able to run fsck and the reboot the system into a regular BIG-IP boot location.
For more information on MOS, please refer to K14245.
1024241-1 : NULL TLS records from client to BIG-IP results in SSL session termination
Component: Local Traffic Manager
Symptoms:
After client completes TLS handshake with BIG-IP, when it sends a NULL TLS record, the client BIG-IP SSL connection is terminated.
Conditions:
This is reported on i7800 which has Intel QAT crypto device
The issue was not reported on Nitrox crypto based BIG-IP platforms. Issue is not seen when hardware crypto is disabled
Impact:
SSL connection termination is seen in TLS clients
Workaround:
Disable hardware crypto acceleration
1024225-3 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
Component: Local Traffic Manager
Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.
Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.
Impact:
Http2 connection is reset
Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.
1024029-2 : TMM may crash when processing traffic with per-session APM Access Policy
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing traffic with per-session APM Access Policy rules.
Conditions:
- APM provisioned
- Per-Request APM Access Policy enabled
Impact:
TMM crash leading to a failover event.
Workaround:
Remove all perflow vars like %{perflow.*} from per session APM policy
1023889-3 : HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message
Component: Application Security Manager
Symptoms:
Protocol filter does not suppress WS/WSS server->client message.
Conditions:
- protocol filter is set to HTTP, HTTPS or HTTP/HTTPS
- response logging is set to For All Requests
Impact:
Remote log server receives unexpected messages
Workaround:
None
1023829-2 : Security->Policies in Virtual Server web page spins mcpd 100%, which later cores
Component: TMOS
Symptoms:
With a hunger number of VLANs (3000+) and virtual servers (2000+), the virtual server list page consumes excessive resources, eventually leading to a mcpd crash.
Conditions:
-- A huge number of VLANs and virtual servers exist.
-- The virtual server list page is displayed
Impact:
Page becomes inaccessible. Mcpd may crash. Traffic and control plane disrupted while mcpd restarts.
1023817-2 : Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning
Component: TMOS
Symptoms:
While loading the configuration or specifying that NAT64 should be disabled on a virtual server, a warning is displayed or logged:
"Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required."
This warning should only be displayed when a virtual server has both NAT64 enabled and a security NAT policy present, but may occur incorrectly even when NAT64 is disabled.
Conditions:
This warning may be incorrectly generated when all of these conditions are met:
-- a multi-bladed VIPRION
-- virtual servers in the configuration security NAT policies
-- receiving a ConfigSync from a peer, or running "tmsh load sys config" on the primary blade
Impact:
An erroneous warning is logged. It can be safely ignored.
1023461-2 : Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created
Component: Carrier-Grade NAT
Symptoms:
Two pools are configured, for example:
A: any destination
B: destination 8.8.8.8
1. Making connections and utilizing port block allocation (PBA) pool A works as expected; pools are correctly allocated and released as needed.
2. When a client has active PBA pool A allocated and requests pool B (because of connectivity to specific destination IP), then each subsequent connection request from that client results in new PBA pool B allocation.
Conditions:
Multiple rules are defined to configure PBA.
Impact:
If a request does not belong to the first pool then it will not belong any other, so the system creates a new pool.
Workaround:
None
1023365-2 : SSL server response could be dropped on immediate shutdown
Component: Local Traffic Manager
Symptoms:
SSL server response might be dropped if peer shutdown arrives before server response
Conditions:
Serverssl receives peer shutdown before server response
Impact:
Possible server response dropped
Workaround:
Delay connection shutdown until after server response is received
1022997-1 : TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC)
Component: TMOS
Symptoms:
Deployments on AWS that use the sock driver (1NIC, for example) transmit packets with bad checksums when TSO/GSO is required. This causes significant delays as TMM re-segments the packets with correct checksums for retransmission, and may cause some operations to time out (such as configsyncs of large configurations).
Conditions:
-- BIG-IP Virtual Edition (VE) using the sock driver on AWS (all 1NIC deployments use this)
-- TSO/GSO required due to MTU limitations on one or more VLANs
Impact:
-- Delayed packets.
-- Possible timeouts for some operations (configsyncs, for example).
Workaround:
Modify (or create, if not present) the file /config/tmm_init.tcl on the affected BIG-IP systems, and add the following line to it:
ndal force_sw_tcs off 1d0f:ec20
Then restart TMM:
bigstart restart tmm
Note: Restarting TMM will cause a failover (or an outage if there is no high availability (HA) peer available).
1022973-2 : Sessiondb entries related to Oauth module not cleaned up in certain conditions
Component: Access Policy Manager
Symptoms:
When an OAuth AS is configured with a refresh lifetime of '0', this implies that the refresh token lifetime is infinite. This leads to all sessiondb entries related to this refresh token (including associated access token entries in sessiondb) to have infinite lifetime.
Conditions:
Refresh token lifetime is set to '0'.
Impact:
User will see consistent and persistent increase in memory consumption by TMM, potentially leading to out-of-memory situation.
Workaround:
Do not set refresh token lifetime to '0'.
1022877-3 : Ping missing from list of Types for OAuth Client
Component: TMOS
Symptoms:
Ping is missing from the 'Type' dropdown menu in Access ›› Federation : OAuth Client / Resource Server : OAuth Server ›› New OAuth Server Configuration...
Conditions:
-- Affected BIG-IP version
-- Add new Oauth server configuration from Access :: Federation : OAuth Client / Resource Server : OAuth Server :: New OAuth Server Configuration...
Impact:
Oauth client configuration for the server of type 'Ping' cannot be created via GUI
Workaround:
Use tmsh to create the configuration, e.g.:
tmsh create apm aaa oauth-server <server name> provider-name Ping dns-resolver-name <dns-resolver-name>
1022757-2 : Tmm core due to corrupt list of ike-sa instances for a connection
Component: TMOS
Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.
Note: This issue has been observed only once.
Conditions:
Deletion of an expired ike-sa.
Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.
Workaround:
None
1022637-1 : A partition other than /Common may fail to save the configuration to disk
Component: TMOS
Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
1022613-1 : Cannot modify Security "global-network" Logging Profile
Component: Advanced Firewall Manager
Symptoms:
When attempting to update the settings of the Security Logging profile, the window displays a modal dialog box titled "Saving Logging Profile" and never completes the update Action
Conditions:
"global-network" logging profile is selected for update
Impact:
You are unable to update the log settings for the "global-network" profile via UI
Workaround:
Use tmsh
1022493-4 : Slow file descriptor leak in urldbmgrd (sockets open over time)
Component: Access Policy Manager
Symptoms:
Unix domain sockets are opened and never closed in urldbmgrd. This is a very slow leak over time.
Conditions:
SWG or URLDB is provisioned.
Impact:
Urldbmgrd may hit a limit of open file descriptors, and may eventually core and restart. When urldbmgrd restarts, urldb also restarts. This may result in a momentary instant where URL categorization is not available.
Workaround:
Restarting urldbmgrd will clear the open file descriptors. Performing a forced restart during a time of no traffic will mitigate the risk of urldbmgrd restarting at an inconvenient time if there are too many sockets open.
"bigstart restart urldbmgrd" will restart the daemon.
1022453-4 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
Some or all of the fragments of an IPv6 packet are lost.
Workaround:
Disable packet filtering
1022421-4 : Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk
Component: TMOS
Symptoms:
The pendsec utility recognizes that the disk is a HDD and attempts to run a smart check against it but it does not recognize or support the disk type that is in the system and therefore you will see log messages like this in /var/log/messages when the cron job attempts to run:
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: skipping drive --
May 14 15:34:04 fqdn.device.com notice pendsect[11461]: No known drives detected for pending sector check. Exiting
Conditions:
- i2x00 or i4x00 platform with the Seagate brand HDD
Impact:
Cosmetic
Workaround:
You can mitigate the cosmetic log issue by suppressing the pendsec utility.
Login to BIG-IP using SSH
Navigate to /etc/cron.daily
# cd /etc/cron.daily
Create new directory called suppress
# mkdir suppress
Move the pendsect cron job to suppres
# mv pendsect suppress
1022417-1 : Ike stops with error ikev2_send_request: [WINDOW] full window
Component: TMOS
Symptoms:
IKE SAs will be lost.
Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.
Multiple failovers can increase the likelihood that this occurs.
Impact:
IKE SAs may be deleted and there will be traffic loss.
Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.
1022297-4 : In BIG-IP GUI using "Select All" with filters is not working appropriately for policies
Component: TMOS
Symptoms:
In BIG-IP GUI using "Select All" with filters is not working appropriately for policies. When you attempt to delete policies after using filtering, all policies are deleted.
Conditions:
In BIG-IP GUI policies page, apply filter and using select all, for an action is selecting all objects and filter not applied.
Impact:
All policies objects are affected for an action, and filter is not applied
1022269-1 : False positive RFC compliant violation
Component: Application Security Manager
Symptoms:
False positive RFC compliant violation.
Conditions:
Authorization header with specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failu
1022213-4 : DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up
Component: Advanced Firewall Manager
Symptoms:
When the BDoS log message level is set to "Warning", some high availability (HA) watchdog messages are logged:
info bdosd[14184]: BDoS: May 27 03:51:40|loadState|460|HA Watchdog was not found <DNS_CLASS_L>
Conditions:
-- DDoS is used.
-- Dynamic signature is enabled on vectors
-- Default BDoS log level is changed to Warning.
Impact:
Unwanted log messages displayed. They can be safely ignored.
1021873-1 : TMM crash in IPIP tunnel creation with a pool route
Component: TMOS
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file in the /shared/core directory while processing traffic.
Conditions:
1)Virtual server attached with an ipip encapsulation enabled pool
2)Multiple paths to pool members
(pool route to pool member)
Impact:
Traffic disrupted while tmm restarts.
1021837-3 : When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected"
Component: Local Traffic Manager
Symptoms:
Connections are reset with "No server selected" cause.
Conditions:
-- An inline service profile ("ltm profile service") attached to a normal virtual server
Impact:
TCP connections are reset
Workaround:
Delete and recreate the virtual server without the inline service profile associated with it.
Simply removing the service profile from the virtual server is not sufficient.
1021637-4 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
1021417-1 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Component: Global Traffic Manager (DNS)
Symptoms:
GTMpool has multiple members with order 0.
Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
1021109-4 : The cmp-hash VLAN setting does not apply to trunked interfaces.
Component: TMOS
Symptoms:
-- CPU usage is increased.
-- Throughput is reduced.
-- Packet redirections occur (visible when using 'tmctl -d blade tmm/flow_redir_stats')
Conditions:
-- Traffic is received on trunked interfaces.
-- The cmp-hash setting has a non-default value.
-- The platform is BIG-IP Virtual Edition (VE).
Impact:
Performance is reduced. Output from 'tmctl -d blade tmm/flow_redir_stats' shows redirections.
Workaround:
-- Use the default cmp-hash setting.
-- Do not trunk interfaces.
1021061-4 : Config fails to load for large config on platform with Platform FIPS license enabled
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
1020957-1 : HTTP response may be truncated by the BIG-IP system
Component: Local Traffic Manager
Symptoms:
Web pages are not rendered properly; HTTP responses are truncated when traversing the BIG-IP system.
Conditions:
-- Virtual server with an HTTP profile
-- HTTP server generates a compressed response
-- BIG-IP system determines that it must decompress the payload, e.g., a rewrite profile attached to the virtual server
Impact:
HTTP responses are truncated when passing through the BIG-IP system.
Workaround:
One of the following:
-- Add an HTTP Compression profile to the virtual server, and ensure that 'Keep Accept-Encoding' is not selected.
-- Use an iRule to remove the Accept-Encoding header from requests, e.g.:
ltm rule workaround {
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
}
1020705-2 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name
Component: Application Visibility and Reporting
Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"
Conditions:
AFM is provisioned
Impact:
This change might cause scripts to fail if they use the name of the field.
Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :
[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...
2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:
[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65
3) restart the BIG-IP system: bigstart restart
After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"
1020645-5 : When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered
Component: Local Traffic Manager
Symptoms:
In an explicit proxy configuration when an HTTP request is sent to an HTTPS destination server via proxy, the HTTP CONNECT method is sent, but the iRule event HTTP_RESPONSE_RELEASE is not fired.
Conditions:
- Simple HTTP explicit proxy virtual server
- An HTTP request from the client is sent to an 'https://' destination server
Impact:
iRule event HTTP_RESPONSE_RELEASE does not get triggered.
Workaround:
None
1020549-1 : Server-side connections stall with zero window with OneConnect profile
Component: Local Traffic Manager
Symptoms:
Serverside connections from pool member to BIG-IP hang, with the BIG-IP advertising a TCP zero window.
Conditions:
-- Virtual server with OneConnect profile
-- The BIG-IP applies flow-control to the serverside connection (e.g. the server's response to the BIG-IP is faster than the BIG-IP's forwarding the response to the client)
-- The serverside connection is subsequently re-used
Impact:
Serverside connections hang in the middle of data transfer, and will eventually time out.
Workaround:
If possible, remove the OneConnect profile from the virtual server.
Note: removing a OneConnect profile may cause problems with persistence, as described in
K7964: The BIG-IP system may appear to ignore persistence information for Keep-Alive connections (https://support.f5.com/csp/article/K7964)
1020377-1 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon
Component: TMOS
Symptoms:
If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to local host (i.e 127.0.0.1) on ports 500 and 4500.
Conditions:
To get the problem to occur, you may need these details:
-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP
Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.
Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.
Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.
If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.
1020337-2 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.
1020277-1 : Mcpd may run out of memory when build image is missing★
Component: TMOS
Symptoms:
After installing a new blade, if the BIG-IP does not have the appropriate images to install all volumes onto the new blade, it can get stuck waiting to install. This may cause mcpd to eventually run out of memory.
Running "tmsh show sys software" shows a message similar to this for a prolonged period of time:
HD1.2 3 BIG-IP 12.1.3.5 0.0.10 no waiting for product image (BIG-IP 12.1.3)
Conditions:
-- Installing a new blade into a chassis-based system.
-- Missing BIG-IP image(s) necessary to update all volumes on the new blade.
Impact:
Mcpd eventually runs out of memory and cores.
Workaround:
Either delete the affected volume if it is no longer necessary, or copy the appropriate BIG-IP image to /shared/images.
1020149-4 : Bot Defense does not support iOS's WKWebView framework
Component: Application Security Manager
Symptoms:
When using the Bot Defense Profile, mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Conditions:
-- Using the Bot Defense Profile
-- Mobile apps which use iOS's WKWebView framework try to access the website
Impact:
Mobile apps which use iOS's WKWebView framework may get blocked from accessing the website.
Workaround:
None
1020129-2 : Turboflex page in GUI reports 'profile.Features is undefined' error★
Component: TMOS
Symptoms:
The System :: Resource Provisioning : TurboFlex page is unusable, and the BIG-IP GUI reports an error:
An error occurred: profile.Features is undefined.
Conditions:
-- BIG-IP iSeries appliance
-- Upgrade to v15.1.3 or later within v15.1.x
-- Accessing the System :: Resource Provisioning : TurboFlex page in the BIG-IP GUI
Impact:
Unable to manage TurboFlex profile via the BIG-IP GUI.
Workaround:
Use tmsh or iControl REST to manage TurboFlex profile configuration.
1020109-1 : Subnet mask property of virtual addresses not displayed in management GUI
Component: TMOS
Symptoms:
You cannot determine the subnet mask for a displayed virtual address using only the BIG-IP management GUI.
Conditions:
-- A virtual address (automatically created by any virtual server) exists in the configuration.
-- Using the management GUI.
Impact:
Potential difficulty in troubleshooting and verifying config due to having to use other methods (accessing the CLI) to check a virtual address's netmask.
Workaround:
Use tmsh to determine the subnet mask.
1020089-1 : MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks
Component: TMOS
Symptoms:
Multiple virtual servers with the same virtual address but with different subnet masks are allowed.
Conditions:
Creation of multiple virtual servers with the same virtual address but with different subnet masks.
Impact:
Latest virtual server instantiation implicitly and silently modifies the subnet mask of the virtual address, making the system not behave as the user thinks or intended.
Workaround:
None.
1020069-1 : Equinix SmartKey HSM is not working with nethsm-partition 'fortanix'
Component: Local Traffic Manager
Symptoms:
Setting up the Equinix SmartKey HSM with nethsm-partition 'fortanix' (or anything other than 'auto') pkcs11d logs an error:
err pkcs11d[21535]: 01680040:3: netHSM: Failed to find partition with label 'fortanix' on the netHSM.
Conditions:
Configuring a nethsm-partition other than 'auto'.
Impact:
BIG-IP does not connect to the HSM and SSL traffic is disrupted.
Workaround:
Use the nethsm-partition 'auto'
tmsh create sys crypto fips nethsm-partition 'auto'
1020061-3 : Nested address lists can increase configuration load time
Component: Advanced Firewall Manager
Symptoms:
Whenever there are a number of nested address lists configured, the 'load sys config' command takes a long time to complete.
Conditions:
-- Several nested Address Lists are configured.
-- The 'load sys config' command is run.
Impact:
Upgrading (load sys config) takes a lot of time of time to complete, which sometimes causes Packet Correlation Classification Daemon (pccd) to fail.
If pccd fails, the system is unable to detect and compile firewall configuration changes, meaning that changes made to the firewall configuration are not enforced.
Note: The firewall configuration that was running before pccd goes down continues to be enforced; only changes are not enforced.
Workaround:
None
1020041-3 : "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs
Component: Policy Enforcement Manager
Symptoms:
The following message may be logged to /var/log/tmm*
Can't process event 16, err: ERR_NOT_FOUND
Conditions:
Applying a PEM policy to an existing session that already has that policy (eg, through an irule using 'PEM::subscriber config policy referential set xxxx'
Impact:
Since the PEM policy is already applied to the session, the failure message is essentially cosmetic, but it can cause the tmm logs to grow in size if this is happening frequently.
Workaround:
--
1019749-2 : Enabling DHCP for management should not be allowed on vCMP guest
Component: TMOS
Symptoms:
Options to enable DHCP for the management interface are available on vCMP guests.
Conditions:
-- BIG-IP vCMP guest running on an appliance
Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.
This might result in a loss of management IP in the guest after a reboot
Workaround:
Do not attempt to DHCP on the management interface of a vCMP guest.
1019709-1 : Modifying mgmt-dhcp options should not be allowed on VCMP guest
Component: TMOS
Symptoms:
Option to modify mgmt-dhcp to dhcpv4 or dhcpv6 is available on VCMP guest.
Conditions:
This is encountered with the following tmsh command
modify sys global-settings mgmt-dhcp
Values:
dhcpv4 dhcpv6 disabled enabled
Impact:
VCMP guest can be configured with options that are incompatible with VCMP operation.
This might result in a loss of management IP in the guest after a reboot
Workaround:
N/A
1019641-3 : SCTP INIT_ACK not forwarded
Component: Local Traffic Manager
Symptoms:
After SCTP link down/up (not physical IF link down up), SCTP session can't be established.
Conditions:
-- CMP forwarding enabled (source-port preserve-strict)
-- The BIG-IP system is encountering heavy traffic load
-- A connection is deleted from the connection table
Impact:
Flow state can become out of sync between TMMs
Workaround:
Once the problem occurs, execute "tmsh delete sys connection", and the SCTP session will be re-established.
1019613-5 : Unknown subscriber in PBA deployment may cause CPU spike
Component: Carrier-Grade NAT
Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.
Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber
Impact:
Overall system capacity reduces.
Workaround:
Disable subscriber-id logging.
1019557-1 : Bdosd does not create /var/bdosd/*.json
Component: Advanced Firewall Manager
Symptoms:
JSON files for historical data are not created for each virtual server in /var/bdosd.
BDOS for DDoS works on current data in memory but cannot to depend on the historical data for all virtual servers
Conditions:
BDOS is configured for any virtual server
Impact:
Custom signature or BDDoS-generated signature for the virtual server does not work correctly.
Workaround:
None
1019453-1 : Core generated for autodosd daemon when synchronization process is terminated
Component: Advanced Firewall Manager
Symptoms:
Autodosd cores on SIGSEGV.
Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown
Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.
Workaround:
None
1019429-1 : CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated
Component: TMOS
Symptoms:
Virtuals with CMP forwarded flows and PVA acceleration may see a higher than expected syncache counter which can lead to permanent syncookie activation.
Also, under certain conditions the internal listeners used for config-sync may have syncookies activated. Logs will show the syncookie counter increasing after every activation.
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9830 exceeded vip threshold 2496 for virtual = 192.168.1.1:4353
bigip1 warning tmm1[18356]: 01010038:4: Syncookie counter 9834 exceeded vip threshold 2497 for virtual = 192.168.1.1:4353
Conditions:
-- Virtual servers with CMP forwarded flows - commonly occurring when the FTP profile is in use.
-- A platform with PVA acceleration enabled.
-- Only the server-side flow of a connection is offloaded to hardware.
Impact:
Elevated syncache_curr, epva_connstat.embryonic_hw_conns, epva_connstat, embryonic_hw_tcp_conns stas. Improper syncooke activation. Syncookie activation on the config-sync listener may cause config-sync to fail.
Workaround:
Remove the ftp profile or disable PVA acceleration:
modify sys db pva.acceleration value none
1019357-2 : Active fails to resend ipsec ikev2_message_id_sync if no response received
Component: TMOS
Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.
If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.
After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs
Impact:
Traffic loss.
Workaround:
None
1019285-1 : Systemd hangs and is unresponsive
Component: TMOS
Symptoms:
When memory is exhausted on the system and systemd tries to fork to start or stop a service, systemd fails and enters "freeze" mode.
Conditions:
Following log messages can be seen in the daemon.log log file:
err systemd[1]: Failed to fork: Cannot allocate memory
crit systemd[1]: Assertion 'pid >= 1' failed at src/core/unit.c:1997, function unit_watch_pid(). Aborting.
emerg systemd[1]: Caught <ABRT>, cannot fork for core dump: Cannot allocate memory
emerg systemd[1]: Freezing execution.
Impact:
Systemd does not provide service anymore.
Workaround:
Reboot the system to restore the systemd services.
1019261-1 : in-tmm https monitor without a ssl-profile generates random session-ids
Component: Local Traffic Manager
Symptoms:
An in-tmm HTTPS monitor with 'ssl-profile none' config generates random session ids.
This behavior does not match the documentation.
---
SSL Profile:
The default is None. When None is selected, the system uses the default serverssl profile.
---
May result in handshake failures based on the environment and bring down the monitor.
Conditions:
In-tmm https monitor with 'ssl-profile none'.
Impact:
The monitor generates random session-ids. This may result in handshake failures based on the environment and the monitor will mark objects as DOWN.
Workaround:
Attach a server-ssl profile to the in-tmm https monitor.
1019129-4 : Changing syslog remote port requires syslog-ng restart to take effect
Component: TMOS
Symptoms:
Modified remote port in syslog configuration takes effect only after restart of the syslog-ng.
Conditions:
-- Configure the remote syslogs and allow some time to pass.
-- Change the local IP or remote port in syslog config.
Impact:
Change does not occur until you reboot or restart syslog-ng.
Workaround:
To cause the change to occur, restart syslog-ng:
bigstart restart syslog-ng
1018765-1 : Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system
Component: Local Traffic Manager
Symptoms:
After using "sys sshd port" to change the default port for sshd, some utilities may no longer work properly on the BIG-IP, such as:
"tmsh reboot slot ..."
or
qkview
or
any command using clsh
or
ssh slot<slot number>
Conditions:
-- Chassis system with multiple blades.
-- Default sshd port was modified.
Impact:
Unable to run commands on secondary blades.
Workaround:
-- Reconfigure SSHD to run on the default port, 22.
or
-- Specify an explicit port when using ssh and log in to each blade to run the desired commands, e.g. "ssh -p 40222 slot2"
1018673-1 : Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition receives a host packet that has a multicast MAC address as its nexthop, it will disaggregate this by forwarding it to all TMMs. This results in all TMMs egressing the packet.
Conditions:
-- BIG-IP Virtual Edition
-- A route is configured to a multicast MAC address
-- Host traffic (e.g. non-TMM monitors, ping, etc.) is routed to the multicast MAC address
Impact:
Extraneous packets are egressed from the BIG-IP.
Workaround:
Partial workaround for the case of monitors: use in-TMM monitors where possible. Otherwise, there is no workaround for this.
1018613-1 : Modify wideip pools with replace-all-with results pools with same order 0
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wideip pools have the order 0.
Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wideip and then use replace-all-with.
1018577-4 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
members {
sasp_1:80 {
address 10.10.10.1
}
sasp_1:8080 {
address 10.10.10.1
}
sasp_2:80 {
address 10.10.10.2
}
sasp_2:8080 {
address 10.10.10.2
}
}
monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
1018493-1 : Response code 304 from TMM Cache always closes TCP connection.
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.
1018309-5 : Loading config file with imish removes the last character
Component: TMOS
Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.
printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Configuration commands cannot be created properly.
Workaround:
For CLI, use extra control char at the end or \n.
1018285-2 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction
Component: Service Provider
Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.
Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
set cc_req_type [DIAMETER::avp data get 416 integer32]
if {[DIAMETER::is_response] && $cc_req_type == 3 } {
log local0. "Persistence record delete-on-any"
DIAMETER::persist delete-on-any
}
}
}
Impact:
iRule script is required.
1018165-1 : GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain
Component: TMOS
Symptoms:
A virtual server created in a non-default route-domain with a DHCPv6 profile shows as using a DHCPv4 profile 'None' in the GUI.
Conditions:
-- Virtual server using a DHCPv6 profile.
-- Virtual server must be in a non-default route-domain.
-- Using the GUI to view the virtual server.
Impact:
Incorrect view of the configuration.
Workaround:
None
1017897-1 : Self IP address creation fails with 'ioctl failed: No such device'
Component: TMOS
Symptoms:
Creating a self IP address after a route-domain using TMSH reports an error:
01070712:3: Cannot get device index for Backend in rd2 - ioctl failed: No such device.
Conditions:
Using tmsh, create a Trunk, create a VLAN on the trunk, create a route-domain, then create a self IP address.
Impact:
Self IP address creation fails after route-domain creation.
Unable to run declarative-onboarding declaration.
Workaround:
Add a short delay after modifying/creating the route domain before creating the self IP address.
Note: Self IP address should be created after route-domain creation.
1017885-5 : Wildcard server-name does not match multiple labels in FQDN
Component: Local Traffic Manager
Symptoms:
Wildcard server-name does not match multiple labels in FQDN
for example: *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com but here multiple labels(a.bc.domain.com) are not matched to the wildcard (*.domain.com).
Conditions:
Client-ssl is configured with a wildcard server-name with the virtual server configured with multiple client-ssl profiles. The correct ssl profile (and therefore certificate) is chosen based on SNI from the client Hello.
Impact:
Generates default profile/certificate when trying to match with multiple labels using wildcard, when it should generate correct certificate matched to the wildcard in server name.
Workaround:
N/A
1017857-1 : Restore of UCS leads to incorrect UID on authorized_keys★
Component: TMOS
Symptoms:
After restoring a UCS from a different BIG-IP device, the admin user is unable to log in via SSH using SSH public key authentication.
Conditions:
-- Create a UCS on one BIG-IP system where a UCS archive has been restored in the past (including by an upgrade)
-- Import the UCS to a different BIG-IP system and load it
Impact:
You are unable to log in as the admin user via SSH using key-based authentication.
NOTE: Password authentication works without any issues.
Workaround:
Change the owner of /home/admin/.ssh/authorized_keys to 'root', by running the following command:
chown root /home/admin/.ssh/authorized_keys
This command can also be run via iControl REST using the /mgmt/tm/util/bash endpoint.
1017801-1 : Internal listeners (cgc, ftp data, etc) all share the same listener_key stats
Component: Local Traffic Manager
Symptoms:
Internal stats are not accurate because they are shared across multiple listener types
Conditions:
This can occur when multiple virtual server types are in use and passing traffic.
Impact:
Internal listener stats are not accurate.
1017721-5 : WebSocket does not close cleanly when SSL enabled.
Component: Local Traffic Manager
Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.
Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)
and connection closure is initiated by the client.
Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.
Workaround:
Avoid using SSL on WebSocket server context.
1017557-1 : ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN
Component: Application Security Manager
Symptoms:
ASM BD sends a reset back to the client when the backend server sends a response without proper terminating 0 chunk followed by FIN.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- Backed server sends a bad chunked response
Impact:
Valid requests can be reset.
Workaround:
Any one of the following workarounds can be applied.
-- Fix backed server behavior.
-- Fix bad response using iRule, appending proper terminating 0 chunk
-- Change ASM internal /usr/share/ts/bin/add_del_internal update bypass_upon_load 1
1017513-5 : Config sync fails with error Invalid monitor rule instance identifier
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
Sync to the peer device(s) fails.
Workaround:
Use incremental-sync.
1017421-4 : SASP Monitor does not log significant error conditions at default logging level
Component: Local Traffic Manager
Symptoms:
Most error conditions encountered by the SASP monitor are not logged at the default logging level ("error"). Most of the meaningful error conditions, including Exceptions, are logged at "info" or "debug" levels. Obtaining details to diagnose the SASP monitor issues requires reconfiguring sys db saspd.loglevel for a value of "info" or "debug".
Conditions:
-- Using the SASP monitor to monitor LTM pool members
-- Leaving the saspd.loglevel system DB variable configured at the default value of "error"
Impact:
Errors which occur intermittently or once while monitoring LTM pool members using the SASP monitor may not be diagnosable.
Workaround:
Configure the saspd.loglevel system DB variable with a value of "info" (for normal operations) or "debug" (if problems are occurring repeatedly).
1017261-7 : Configuraton update triggers from MCP to ASM are ignored
Component: Application Security Manager
Symptoms:
If a stale/incorrect but running PID is present in /var/ts/var/install/ucs_install.pid, then ASMConfig will think it is in the middle of a UCS or Sync load event and ignore updates from MCP.
Conditions:
A UCS load event such as an upgrade or a config sync is interrupted and ASM is not restarted until another process reuses the process id from the upgrade.
Impact:
Updates from MCP are ignored which can cause:
* Missed sync events
* Missed updates for logging or pool configuration
* Missing security policies
Workaround:
Delete /var/ts/var/install/ucs_install.pid
1017233-2 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption
Component: Access Policy Manager
Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned
Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running
Impact:
User Authentication is failed by the backed server
1017149-1 : User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs
Component: Application Security Manager
Symptoms:
User-defined bot signatures that are created in tmsh are not enforced if there are similar factory bot signatures even when they are staged.
Conditions:
User-defined bot signature is created in tmsh and is matched also by staged factory bot signature.
Impact:
User-defined signature is not enforced correctly
Workaround:
Define user-defined bot signature using the GUI and if signature domain are needed but can't be configured by the GUI, define the domain in tmsh after the signature is created with:
tmsh mod security bot-defense signature <sig_name> domains replace-all-with { domains }
1017029-5 : SASP monitor does not identify specific cause of failed SASP Registration attempt
Component: Local Traffic Manager
Symptoms:
On affected BIG-IP versions, upon startup, the SASP monitor sends a single Registration Request to the SASP GWM (Group Workload Manager) to initiate monitoring of configured LTM pool members. This Registration Request contains all configured LTM pools (SASP Groups) and members (SASP Group Members).
If an error is encountered by the SASP GWM with one of the SASP Groups in the request, the registration of all groups fails.
However, the GWM does not provide any indication of *which* Group or member does not match the GWM configuration, hindering troubleshooting efforts.
The current BIG-IP behavior does not allow identification of the specific pool/member or monitor that is misconfigured and thus responsible for the failed SASP Registration attempt.
Conditions:
This behavior occurs on affected BIG-IP versions when the LTM SASP monitor is configured to monitor members of multiple LTM pools, and when BIG-IP start/restarts/reboots or the configuration is loaded.
Impact:
If a single Registration Request fails, the GWM terminates the connection with the Load Balancer (BIG-IP SASP monitor). This behavior is defined by the SASP protocol and SASP GWM implementation.
As a result, the SASP monitor will mark all pool members DOWN that are monitored by the SASP monitor, halting traffic from flowing to all pools monitored by the SASP monitor.
When an error occurs during registration of the LTM pools (SASP Groups), the GWM does not provide any indication of *which* Group or member does not match the GWM configuration.
Since a single error message is returned by the SASP GWM for the entire Registration Request (for all SASP Groups), the SASP monitor cannot indicate which Group (pool/member) or monitor caused the error.
This hinders efforts to troubleshoot the cause of the failure, while all traffic has stopped flowing to the SASP-monitored pools.
Workaround:
To diagnose this issue, first enable saspd debug logging:
tmsh mod sys db saspd.loglevel value debug_msg
(Optional alternative values include deep_debug and debug, but provide less detail.)
With saspd debug logging enabled, a message like the following in /var/log/monitors/saspd.log confirms that an error occurred during the Registration step:
SASPProcessor::processRegistrationReply: received error registering workloads with GWM ##.##.##.###:3860: 69 'InvalidGroup'
If the above message is found to confirm this issue, the primary path to resolution should be for the BIG-IP administrator to very carefully compare the BIG-IP pool/member and sasp monitor configuration with the SASP GWM configuration, to identify any mismatches or inconsistencies between the configurations.
On the BIG-IP system, to help isolate the misconfigured LTM pool(s)/member(s) causing the SASP Registration failure:
1. Remove the sasp monitor from configured LTM pools/members one at a time, and observe whether any pool members still monitored by the sasp monitor are marked UP.
2. Add the sasp monitor back to configured LTM pools/members one at a time, in the same order as removed, except for the last LTM pool/member from which it was removed.
3. Save and reload the configuration, and check whether the LTM pools/members monitored by the sasp monitor are still marked UP.
4. Repeat as necessary if there appear to be multiple LTM pools/members causing a SASP Registration failure.
Alternately, it may be possible to choose a different monitor (using a more fault-tolerant protocol) to monitor the status of affected pool members.
1016921-3 : SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled
Component: Local Traffic Manager
Symptoms:
Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:
crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.
Conditions:
All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment
and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch)
or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)
Impact:
SSL traffic is significantly delayed and errors are thrown on the standby device.
Workaround:
Any one of the following could prevent the problem.
-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.
1016589-1 : Incorrect expression in STREAM::expression might cause a tmm crash
Component: Local Traffic Manager
Symptoms:
Tmm restarts and generates a core file
Conditions:
An iRule uses STREAM::expression that contains certain strings or is malformed.
Stream expressions use a string representing a series of search/replace or search components. If there is more than one search-only component, this might cause tmm to crash.
The delimiter character used is the first character of each component search/replace pair. This example uses the '@' character as the delimiter, but it is malformed.
Given
STREAM::expression "@dog@dot@cat@car@uvw@xyz@"
This would be interpreted as three items:
search for "dog" replace with "dot"
search for "at@"
search for "r@uvw@xyz@"
This string should likely be:
STREAM::expression "@dog@dot@@cat@car@@uvw@xyz@"
Which would be interpreted as
search for "dog" replace with "dot"
search for "cat" replace with "car"
search for "uvw" replace with "xyz"
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that strings in STREAM::expression iRule statements do not have more than one search-only component and are well formed.
1016481-1 : Special JSON characters in Dom Signatures breaks configuration
Component: Fraud Protection Services
Symptoms:
FPS modules malfunction.
Conditions:
Unescaped special JSON characters used in Dom Signatures.
Impact:
FPS client-side JS unable to load configuration JSON.
Workaround:
Manually escape all special JSON characters in Dom Signatures.
1016449-3 : Gratuitous ARP sent to the old self IP address when a self IP is deleted/created.
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) device, when an existing self IP is deleted and created with same name but different IP address, the new IP address may not update on peer device. After a failover, a gratuitous ARP containing the old self IP address may be sent by the peer device.
Conditions:
- high availability (HA) environment.
- Updating IP address of a self IP using tmsh commands(delete/create).
tmsh delete net self <SELFIP>
tmsh create net self <SELFIP> address <NEW_IPADDRESS> ...
tmsh run cm config-sync to_group <HA_GROUP>
Impact:
After failover, the newly Active BIG-IP won't be able to receive traffic meant for the self IP.
Workaround:
After deleting a self IP address, perform a config sync, and then create the new self IP address.
1016433-2 : URI rewriting is incorrect for "data:" and "javascript:"
Component: TMOS
Symptoms:
In case of LTM rewrite, HTML content having attribute values like "javascript:", "mailto:", "data:" etc are incorrectly rewritten as URI. This can cause web applications to fail.
Conditions:
-- LTM rewrite profile in URI translation mode.
-- HTML contents of web application contains attribute values like "javascript:abc", "data:" etc.
Impact:
Incorrect URI rewriting may cause web application to fail.
1016113-1 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.
Component: Local Traffic Manager
Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.
Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.
Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.
Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.
1016049-6 : EDNS query with CSUBNET dropped by protocol inspection
Component: Local Traffic Manager
Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:
info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed
Conditions:
Query containing CSUBNET option.
Impact:
Some queries might fail.
1015881-4 : TMM might crash after configuration failure
Component: Application Security Manager
Symptoms:
TMM crashes after DoSL7 application configuration failure
Conditions:
DoSL7 configuration is changed, and the configuration change fails in TMM.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
1015817-1 : Flows rejected due to no return route do not increment rejection stats
Component: Local Traffic Manager
Symptoms:
When flows are rejected due to no return route being present, the BIG-IP does not increment the appropriate statistics to indicated this.
Conditions:
Flows are rejected due to no return route.
Impact:
There is no indication of the real problem when viewing the statistics.
1015793-1 : Length value returned by TCP::payload is signed and can appear negative
Component: Local Traffic Manager
Symptoms:
When an iRule uses TCP::collect, if the amount of received data being buffered exceeds 2147483647 octets, the value returned from [TCP::payload length] will appear as a negative integer.
Conditions:
An iRule has been written to use TCP::collect with a very high-volume input stream.
Impact:
The unanticipated negative value may confuse the iRule's logic, with unpredictable effects. In extreme cases, a disruption of the TMM could occur.
Workaround:
Convert the result of "TCL::payload length" to an unsigned integer before using it, e.g.:
set curlen [expr { 0xffffffff & [TCP::payload length] }]
Note: the amount of accumulated payload still must not exceed 4,294,967,295 bytes (2^32-1).
1015501-3 : Changes to DHCP Profile are not used by tmm
Component: Policy Enforcement Manager
Symptoms:
After changing the authentication settings of a DHCP profile, the old authentication settings are still used.
Conditions:
Modify ltm profile dhcpv4 Discovery_DHCPv4_profile authentication { enabled true virtual RadiusAAA }
Impact:
New connections use existing listeners.
Workaround:
Restart tmm.
Impact of workaround: traffic disrupted while tmm restarts.
1015453-1 : Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI
Component: TMOS
Symptoms:
The "Local Traffic" menu in System -> Configuration is inaccessible in the GUI.
Conditions:
-- LTM is licensed but not provisioned.
-- AFM, DNS, and DoS are not provisioned.
-- Other modules (such as APM) are provisioned
Impact:
Unable to configure SYN cookies.
Workaround:
Use TMSH to configure SYN cookies.
1015117-5 : Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used
Component: Local Traffic Manager
Symptoms:
HTTP header corruption occurs after insertion/modification using an iRule in HTTP Headers which contain mixed end-of-line markers <CRLF> and <LF>.
Conditions:
- HTTP virtual server
- An iRule inserts an HTTP Request header
- An HTTP request contains some lines that end with <CRLF> and some that end with <LF>
Impact:
Inserted headers get concatenated in such a way that the HTTP request header gets corrupted.
Workaround:
Use HTTP headers with proper end-of-line markers in compliance with HTTP RFC
1015093-1 : The "iq" column is missing from the ndal_tx_stats table
Component: TMOS
Symptoms:
When viewing the ndal_tx_stats statistics table, the "iq" column is not present.
Conditions:
-- BIG-IP Virtual Edition.
-- Viewing statistics tables.
Impact:
Missing statistic; less information available.
1014973-5 : ASM changed cookie value
Component: Application Security Manager
Symptoms:
ASM changes the value of a cookie going to the server.
Conditions:
Specific conditions.
Impact:
Domain cookie will reach the server with a wrong value. Can cause different malfunctions depending on the application.
Workaround:
Change the following bigdb :
tmsh modify sys db asm.strip_asm_cookies value false
There is no need to restart asm.
1014761-2 : [GTM][GUI] Not able to enable/disable pool member from pool member property page
Component: Global Traffic Manager (DNS)
Symptoms:
You are unable to enable/disable pool members from the pool member property page.
Conditions:
Making changes via the pool member property page.
Impact:
You can submit the changes but the changes do not persist.
Workaround:
1. tmsh
or
2. enable/disable pool member from list of pool members instead of 'general properties' page
1014633-4 : Transparent / gateway monitors may fail if there is no route to a node
Component: Local Traffic Manager
Symptoms:
Transparent or gateway monitors may fail.
Conditions:
-- Transparent or gateway monitor configured.
-- Route does not exist to destination.
Impact:
The monitor fails and the node / pool member is marked unavailable.
Workaround:
Add a route to the destination.
1014361-2 : Config sync fails after provisioning APM
Component: TMOS
Symptoms:
Clustered high availability (HA) pair devices are not in sync and the status prompt indicates disconnected.
Conditions:
After provisioning APM
Impact:
HA pair devices are not in sync and break failover functionality
1014285-5 : Set auto-failback-enabled moved to false after upgrade★
Component: TMOS
Symptoms:
In a traffic group, auto-failback-enabled is changed from true to false after config save and upgrade.
During the upgrade, the following log can be observed:
info: Warning: Invalid configuration - Traffic Group has high availability (HA) Group "test_HA_Group" assigned and auto-failback-enabled set to true. Resetting auto-failback-enabled to false.
Conditions:
-- auto-failback-enabled is set to true and high availability (HA) groups are configured and assigned to traffic-group
-- The device is upgraded.
Impact:
Auto-failback-enabled is set from true to false and auto failback is disabled.
Workaround:
After upgrade, set the auto-failback-enabled to true.
1013937-1 : In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work.
Component: Local Traffic Manager
Symptoms:
Pool members that should be marked UP are incorrectly marked DOWN. No monitor traffic is seen on the wire.
If pool member monitor logging is enabled, an entry similar to the following example can be seen in the logs:
[0][1399] 2021-02-11 11:11:34.709360: ID 44 :TMM::handle_message(TMA_Message<tma_msg_args_notify>*): tmm monitor failed to connect [ tmm?=true td=true tr=false tmm_mid=0:1 addr=::ffff:192.168.10.100:80 srcaddr=none ]
If tma debug logging is enabled, an entry similar to the following example can be seen in the logs:
Feb 11 11:12:14 bigip1.local debug tmm[2259]: 01ad0019:7: Monitor Agent TMM 0: received probe response: MID 1, reason TMA_RESULT_FAIL(Probe response lost due to transient failure), info 0
Conditions:
- In-tmm monitoring is enabled (the bigd.tmm db key is set to enable).
- A HTTP or HTTPS monitor has been configured with a send string which is not RFC-compliant. For instance, the following string incorrectly includes a space before the Host header:
"GET / HTTP/1.1\r\n Host: example.com\r\nConnection: Close\r\n\r\n"
Impact:
Pool member monitoring is impacted and unreliable.
Workaround:
Ensure that you specify a send string which is fully RFC-compliant (for instance, in the example above, remove the space before the Host header).
1013629-4 : URLCAT: Vulnerability Scan found many Group/User Read/Write (666/664/662) files
Component: Traffic Classification Engine
Symptoms:
Shared memory files in relation with URLCAT are having (-rwxrwxrwx) file permissions. Which is not necessary and need to restricted to (-rw-rw-r--).
Conditions:
Shared memory files in relation with URLCAT are having (-rwxrwxrwx) file permissions. Which is not necessary and need to modified to (-rw-rw-r--).
Impact:
Full permission can result in unintentional/unauthorised access. which may result in unexpected behaviour of URLCAT feature.
Workaround:
Manually change permission from (-rwxrwxrwx) to (-rw-rw-r--) using chmod command.
1013597-2 : `HTTP2::disable serverside` can reset flows
Component: Local Traffic Manager
Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow.
Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.
Impact:
Traffic interruption, potential for a core (see ID1012533). Traffic disrupted while tmm restarts.
Workaround:
Don't call `HTTP2::disable serverside` if there is no HTTP2 on server-side.
1013209-5 : BIG-IP components relying on ca-bundle.crt may stop working after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system components may stop working due to missing CA certificates in ca-bundle.crt.
Conditions:
CA cert which is expired/will expire in 6 months (or 182 days) after upgrade is removed from ca-bundle.crt.
Impact:
The BIG-IP components such as TMM, APM etc. may stop working due to missing CA certificates in ca-bundle.crt.
Workaround:
Download the blended-bundle.crt from the F5 download site. It is located at
https://downloads.f5.com/esd/product.jsp?sw=Certificate-Authority-Bundle&pro=Certificate-Authority-Bundle
1012813-1 : Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file"
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors similar to:
-- err statsd[4908]: 011b0600:3: Error ''/var/rrd/access' is not an RRD file' during rrd_update for rrd file '/var/rrd/access'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/access'.
Conditions:
Corruption of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock, resulting in the issues noted in the Symptoms section.
Workaround:
Remove the corrupted file and restart statsd:
bigstart restart statsd
1012721-4 : Tmm may crash with SIP-ALG deployment in a particular race condition
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1012601-4 : Alarm LED and LCD alert cleared prematurely on startup for missing PSU input
Component: TMOS
Symptoms:
Occasionally when starting up a BIG-IP system, if one PSU is connected but not supplying power, the corresponding amber alarm LED and "PSU status input lost" alert in the LCD menu can be incorrectly cleared after selecting System -> Power On from the LCD menu.
Conditions:
-- iSeries platforms
-- The BIG-IP device is powered on with one PSU connected and not supplying power
Impact:
The alarm LED is incorrectly turned off, and navigating to alerts on the LCD menu no longer shows a "PSU status input lost" alert after powering on.
Workaround:
Before powering on the BIG-IP device, check the alarm LED and navigate to alerts on the LCD screen. If there is a "PSU status input lost" alert, the corresponding power LED should be amber.
If the power LED is still amber after powering the system on but the alarm LED and LCD alert are cleared, please disregard the alarm LED and LCD in this case. The amber power LED is correct, and the PSU is still not supplying power.
Additionally, if you are logged into the console, running "bigstart restart chmand" will force a new "PSU status input lost" alert to be generated on the LCD and should also correct the alarm LED color to amber.
1012581-1 : Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered
Component: Advanced Firewall Manager
Symptoms:
As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
SYN cookies may still be sent after traffic goes below the attack detection threshold.
Workaround:
Restart tmm
1012533-3 : `HTTP2::disable serverside` can cause cores
Component: Service Provider
Symptoms:
If `HTTP2::disable serverside` is called on a flow that has no HTTP2 configured on the server-side then it can incorrectly report an error and RST the flow (this is ID1013597).
Because of the timing of this RST it can cause tmm to core.
Conditions:
1) iRule calls `HTTP2::disable serverside` on HTTP_REQUEST.
2) No HTTP2 configured on server-side.
3) server-side has already handled a flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't call `HTTP2::disable serverside` if there is no HTTP2 on server-side.
1012493-5 : Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check
Component: TMOS
Symptoms:
When polling the endpoint /mgmt/tm/sys/mcp-state you get an error:
{
"code": 500,
"message": "MCP Session terminated",
"errorStack": [],
"apiError": 32768003
}
Conditions:
-- A user other than 'admin' polls /mgmt/tm/sys/mcp-state
Impact:
An error is returned for users that are not the admin user
Workaround:
You can use either of these workarounds:
-- Make the API call as user "admin"
-- Use tmsh
tmsh show sys mcp-state
1012449-1 : Unable to edit custom inband monitor in the GUI
Component: TMOS
Symptoms:
Attempting to edit a custom inband monitor in the GUI results in an error:
An error has occurred while trying to process your request.
Conditions:
Editing a custom inband monitor in the GUI.
Impact:
Unable to make changes to inband monitors in the GUI.
Workaround:
Use TMSH to modify the monitor, for example:
tmsh modify ltm monitor inband <monitor name> ...
1012413-1 : Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled
Component: Advanced Firewall Manager
Symptoms:
When a DoS profile is attached to a virtual server, the mitigation limit is set to the system limit and not the HSB limit. This causes more packets to be handled by software. Depending on attack size, it could pass up to 200% of the set mitigation limit. This can impact tmm performance.
Conditions:
-- Dos profile is configured on virtual server.
-- Hardware platform that has HSB
-- Hardware mitigation is enabled
Impact:
Tmm performance may be degraded.
Workaround:
None
1012221-1 : childInheritanceStatus is not compatible with parentInheritanceStatus★
Component: Application Security Manager
Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:
"Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus"
Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than 14.0
-- The BIG-IP system is upgraded to version 14.0 or later
Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.
Workaround:
After upgrading, perform the following:
1. Log into the BIG-IP Configuration Utility
2. Go to Security -> Application Security -> Security Policies -> Policies List
3. Select the first Parent Policy
4. Go to Inheritance settings and change Threat Campaigns from None to Optional
5. Click Save Changes
6. Change Threat Campaigns from Optional back to None
7. Click Save Changes
8. Click Apply
9. Repeat steps 3-8 for each additional Parent Policy
1012061-1 : Link Controller auto-discovery does not remove deleted virtual servers
Component: Global Traffic Manager (DNS)
Symptoms:
Removed virtual servers are still displayed as available in link controller configuration.
Conditions:
1. GTM server representing Link Controller is configured for high availability (HA)
2. There is no working iQuery session with one of the units
Impact:
Virtual servers linger in bigip_gtm.conf configuration after they are deleted.
Workaround:
Make sure that there is at least one working iQuery channel with all devices configured under GTM server object.
1012049-1 : Incorrect virtual server list returned in response to status request
Component: TMOS
Symptoms:
Returned list of virtual servers shows all virtual servers rather than no servers, or a specific list of servers.
Conditions:
-- Navigate through the GUI to Local Traffic :: Virtual Servers : Virtual Server List page.
-- Click the 'Status' drop down and select a status that returns no virtual servers or a specific subset of the virtual servers.
-- Modify the resulting request to insert ' --' url-encoded.
Impact:
The returned list shows all virtual servers instead of the ones specifically queried.
Workaround:
None
1012009-3 : MQTT Message Routing virtual may result in TMM crash
Component: Local Traffic Manager
Symptoms:
The BIG-IP system provides an option to use Message Routing virtual servers for MQTT traffic. It uses a different approach to associate a client side and a server side than a standard virtual server. In some instances, a server side is incorrectly handled.
Conditions:
-- A Message Routing virtual with MQTT protocol.
-- A client attempts to reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1011889-6 : The BIG-IP system does not handle DHCPv6 fragmented traffic properly
Component: Local Traffic Manager
Symptoms:
In the following two scenarios, packets may get dropped by the BIG-IP device.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 1500server]
If the response from the server is large enough to be fragmented, the BIG-IP system is not able to process the packets.
- [client MTU 1500]<--->(vlan1)<--->[MTU 1500BIG-IP MTU 9000]<--->(vlan2)<--->[MTU 9000server]
Large response coming in a single packet is not fragmented properly on the client-side, then packets may be dropped.
Conditions:
DHCPv6 MTU size is greater than or equal to 1500.
Impact:
Packets are dropped, traffic is disrupted.
1011433-1 : Heap allocation failure would cause tmm core in resolver_deprecated_wire2result
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm core in resolver_deprecated_wire2result.
Conditions:
Out of heap space.
Impact:
Traffic disrupted while tmm restarts.
1011265-3 : Failover script cannot read /config/partitions/ after upgrade★
Component: TMOS
Symptoms:
After upgrading, failover does not work correctly. An error is encountered in /var/log/audit/log:
type=AVC msg=audit(1617263442.711:206): avc: denied { read } for pid=17187 comm="active" name="partitions" dev="dm-11" ino=259 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
Conditions:
-- High availability (HA) environment configured
-- Devices are upgraded to version 14.1.4
-- A failover occurs
Impact:
Failover does not complete. Floating IP addresses do not move to the active device.
Workaround:
Tmsh modify sys db failover.selinuxallowscripts enable
1011217-5 : TurboFlex Profile setting reverts to turboflex-base after upgrade★
Component: TMOS
Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.
Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded
Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.
Workaround:
Reconfigure the TurboFlex Profile after upgrade.
1011133 : Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account
Component: Protocol Inspection
Symptoms:
GTP version 1 and GTP version 2 disagree on message type designations, so blocking a given message type has a different meaning depending on the GTP version.
Conditions:
Compliance check 10208 is configured in an environment where different versions of GTP traffic might be encountered.
Impact:
The device might drop GTP message types that are not intended to be dropped.
Workaround:
If the environment supports/expects only GTP version 1 or version 2 traffic, use compliance check 10223 gtp_disallowed_version to exclude all traffic from the unexpected GTP type to eliminate the message type ambiguity.
1011093-5 : Remote log messages are separated into 2 lines if max_request_size limit falls exactly on \n char.
Component: Application Security Manager
Symptoms:
Remote log messages are separated into 2 lines instead of one line when \n (newline) falls exactly on the last char of max_request_size.
Conditions:
-- A remote log profile is defined with maximum request size and a field list that contains 'request', and is attached to a virtual server.
-- A request is sent and newline falls exactly on the last byte of the maximum request size limit.
Impact:
Remote log messages are separated into 2 lines
Workaround:
Increase the maximum request size limit.
1010785-3 : Online help is missing for CRL in client SSL profile and server SSL profile
Component: TMOS
Symptoms:
Help tab does not show any documentation for CRL in client SSL profile and server SSL profile.
Conditions:
This can be seen in the online help for the client SSL and server SSL profiles.
Impact:
There are no online help instructions to configure CRLs.
Workaround:
None
1010761-3 : Missing TMSH help description for client-ssl profile 'CRL'
Component: TMOS
Symptoms:
Running the command "tmsh help ltm profile client-ssl" shows that certificate revocation list (CRL) is not present/described.
Conditions:
Run tmsh help ltm profile client-ssl
Impact:
The CRL is not present/described.
Workaround:
None
1010717-1 : Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI
Component: Anomaly Detection Services
Symptoms:
Creating a DoS profile from tmsh makes the Bados feature appear to be enabled in the GUI, which is incorrect.
Conditions:
Create DoS profile from tmsh, and not from GUI.
Impact:
Inconsistency between the DoS profile and what you see in the GUI.
Workaround:
Disable BADOS in the GUI after creating a DoS profile from tmsh.
1010697-1 : Disallow listener name with duplicate IP/port/rd combination for RESOLV::lookup
Component: Global Traffic Manager (DNS)
Symptoms:
RESOLV::lookup always picks the same listener, regardless of which listener name is specified.
Conditions:
There are multiple listeners configured with duplicate IP/port/rd combination, so that they are distinguished only by their enabled VLANs.
Impact:
RESOLV::lookup might end up with listener different from the intended one.
Workaround:
Make the listeners distinguishable by other factors like IP/Port/RD.
1010617-1 : String operation against DNS resource records cause tmm memory corruption
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operation against DNS RRs.
1010597-1 : Traffic disruption when virtual server is assigned to a non-default route domain
Component: Access Policy Manager
Symptoms:
Assigning a virtual server to a non-default route domain might cause a traffic disruption.
Conditions:
-- An APM virtual server is assigned to a route domain other than 0 (zero, the default).
-- An access policy has an agent that results in tmm communicating to the renderer (e.g., Logon agent, HTTP 401 Response agent, and others).
Impact:
Access policy fails.
Workaround:
Choose 'Parent Name = 0 (Partition Default Route Domain)' in the route domain that is failing.
1010585-3 : XML profile is created incorrectly from WSDL
Component: Application Security Manager
Symptoms:
When XML profile is created from WSDL schema (containing an element with maxOccurs="unbounded") and request is sent with more than 1 instance of that element, a violation is raised: "XML data does not comply with schema or WSDL document".
Conditions:
-- ASM security policy contains XML profile created from WSDL schema
-- An HTML element has maxOccurs="unbounded"
-- The element is of a type which is defined in two different namespaces.
Impact:
A violation is raised on valid HTTP requests.
Workaround:
Rename one of the instances of the type which has same name in two namespaces.
1010341-4 : Slower REST calls after update for CVE-2021-22986
Component: TMOS
Symptoms:
As a result of changes were introduced to increase security around the REST API, REST calls that use HTTP basic authentication may take longer to execute that they did previously.
Conditions:
- REST API calls
- HTTP basic authentication used for the REST calls
Impact:
- Degraded performance of the REST API
Workaround:
Update automation scripting to use token based authentication, which is both faster and more secure than HTTP basic authentication
1010209-1 : BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings
Component: Local Traffic Manager
Symptoms:
It is possible, using REST or tmsh (vi the 'tmsh edit' command) to embed literal carriage return (CR) or line feed (LF) characters in an mcpd object's parameters, rather than the two-byte sequence \r or \n. This can be done with a monitor send or receive string. When the configuration is loaded, the CR characters are stripped off of the strings, resulting in invalid HTTP in the monitor strings.
Conditions:
-- Using HTTP monitors.
-- Embedding literal CR/LF characters in the monitor's send or receive string.
Impact:
Monitors stop working; pool members being monitored are considered inaccessible.
Workaround:
Do not use embedded unprintable characters in monitor send or receive strings.
1009949-4 : High CPU usage when upgrading from previous version★
Component: TMOS
Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.
Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.
Impact:
Performance Impact.
1009921-3 : 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check
Component: Local Traffic Manager
Symptoms:
'SSL::verify_result' iRule command may return '0' (validation check success) even if the client certificate has already been revoked. The expected return value on a revoked certificate is '23' (certificate revoked).
Conditions:
-- Dynamic CRL check is configured on the client SSL profile.
-- An iRule checks client certificate validity by 'SSL::verify_result' command. Here is example.
when HTTP_REQUEST {
set cert [SSL::cert 0]
set cert_string [X509::verify_cert_error_string [SSL::verify_result]]
set code [SSL::verify_result]
if { [SSL::verify_result] == 0 }{
log local0. "success $cert_string $code" return
}
else {
log local0. "failed $cert_string $code" HTTP::respond 403 content "<html>Invalid client certificate:</html>\n" }
}
Note: SSL::cert command is in fact the trigger for the behavior as it causes a rebuild of the certificate chain and fetches the status from the cache, which is 0. The reason it is 0 in the cache is that, when dynamic CRLs are used, the system verifies the cert, receives a code 23 (revoked), but the system does not update the SSL session cache with the result.
Impact:
The iRule 'SSL::verify_result' command may return unexpected values. Traffic can be unexpectedly load-balanced to the backend pool member when the end user client requests the virtual server with the revoked certificate.
Workaround:
You can use any of the following workarounds:
-- Remove the SSL::cert command from the iRule (it is not needed in HTTP_REQUEST since the system still has the verify result in runtime code).
-- Set cache-size 0 (zero) on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] cache-size 0
-- Use authentication frequency 'always' on client SSL profiles:
# tmsh modify ltm profile client-ssl [client-ssl profile name] authenticate always
1009793-2 : Tmm crash when using ipsec
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
Set sys db variable IPsec.RemoveRedundantSA to enable.
set sys db variable ipsec.removeredundantsa.delay to one.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Set sys db variable IPsec.RemoveRedundantSA to disable.
set sys db variable ipsec.removeredundantsa.delay to zero.
1009037-1 : Tcl resume on invalid connection flow can cause tmm crash
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores while passing traffic.
Conditions:
Tcl resume operations such as RESOLV::lookup performed on a dying connflow.
Impact:
Traffic disrupted while tmm restarts. This is a rarely occurring issue.
Workaround:
None
1008837-1 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics
Component: TMOS
Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.
There might be thousands of rows if thousands of virtual servers server are configured.
There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.
Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.
Impact:
When mcpd is processing a query for virtual server statistics:
-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.
Workaround:
None
1008501-1 : TMM core
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1008269-1 : Error: out of stack space
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
1008233-1 : The gtm_add command fails but reports no error
Component: Global Traffic Manager (DNS)
Symptoms:
Running the command 'gtm_add' does not add the local GTM to the remote GTM sync group, and it does not display an error message.
Conditions:
The remote GTM has a GTM iRule that references an LTM datagroup that does not exist on the local GTM.
Impact:
The gtm_add command fails silently.
Workaround:
Add the remote LTM datagroup to the local LTM.
1008169-1 : BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP
Component: Service Provider
Symptoms:
If the BIG-IP system receives a DIAMETER answer message without a Result-Code AVP (and/or Experimental-Result-Code AVP), it terminates the connection at the transport (L4) level.
Conditions:
-- Using DIAMETER.
-- Processing an answer message that is missing both Result-Code and Experimental-Result-Code AVPs.
Impact:
The connection is terminated without properly notifying the DIAMETER peer.
Workaround:
None
1008017-2 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
BIG-IP system allows this configuration and fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
1008009-3 : SSL mirroring null hs during session sync state
Component: Local Traffic Manager
Symptoms:
Tmm crashes.
Conditions:
-- SSL connection mirroring enabled
-- Running a version where ID 760406 is fixed (https://cdn.f5.com/product/bugtracker/ID760406.html)
-- A handshake failure occurs during session sync
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable connection mirroring
1007909-1 : Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs
Component: TMOS
Symptoms:
When using tcpdump with the :p flag, it does not capture all packets that are processed by multiple TMMs.
Conditions:
Traffic flows are handled by multiple TMMs, e.g., one of the following:
-- 'preserve strict' set on virtual servers
-- a CMP-demoted virtual server
-- Service Provider (SP) DAG configured, but using custom mappings for some client IP addresses, or some traffic flows using VLANs without SPDAG configured.
Impact:
Causes confusion since there will be packets missing from tcpdump captures.
Workaround:
Use a packet capture filter to capture clientside and serverside flows directly, without relying on the peer flow flag (":p").
1007869-1 : Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration★
Component: Access Policy Manager
Symptoms:
Config load fails with the following error.
01070712:3: Failed: name (/Common/<customization resource name>) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:<customization resource name with revision>) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.
An upgraded config may show RDP resources missing from the Advanced resource assign agent:
# tmsh list apm policy agent resource-assign
apm policy agent resource-assign test-simple-ap-01_act_full_resource_assign_ag {
rules {
{
portal-access-resources { /Common/test-pa-01 }
remote-desktop-resources { /Common/test-rdp-01 } !!! this line may go missing in v15.1.2.1 !!!
webtop /Common/test-full-wt-01
}
}
}
Conditions:
Upgrade to v15.1.2.1 or later with AppTunnel and RDP resources.
Impact:
The configuration fails to load following the upgrade.
Workaround:
Modify the revision numbers resources, customization path for missing webtop links.
Example:
=======
(1) The following AppTunnel config causes config loading failure:
01070712:3: Failed: name (/Common/Example_resource_app_tunnel_customization) Cache path (/config/filestore/files_d/Common_d/customization_group_d/:Common:Example_resource_app_tunnel_customization_1) does not exist and there is no copy in trash-bin to restore from.
(2) Modify as follows:
In TMSH:
#cp /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_1 /config/filestore/files_d/Common_d/customization_group_d/\:Common\:Example_resource_app_tunnel_customization_2
In bigip.conf under customization configuration:
Rename Example_resource_app_tunnel_customization_1 to Example_resource_app_tunnel_customization_2 (modifying revision numbers from _1 to _2)
#tmsh load sys config
(3) For a missing RDP resource: use VPE to edit access profiles and find the appropriate 'Advanced Resource Assign' agents. Add the appropriate RDP resources in the 'Advanced Resource Assign' agent.
==============
1007821-3 : SIP message routing may cause tmm crash
Component: Service Provider
Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.
Conditions:
This can occur while passing traffic when SIP message routing is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1007749-2 : URI TCL parse functions fail when there are interior segments with periods and semi-colons
Component: Local Traffic Manager
Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.
Conditions:
This happens for URIs like these:
/alpha/beta/Sample.text;param/trailer/
/alpha/beta/Sample.text;param/file.txt
Impact:
iRules fail to work as expected for these types of URIs.
This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.
Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.
1007677-2 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'
Component: Access Policy Manager
Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:
-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864
Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.
Impact:
SAML may fail on APM SAML IdP using artifact binding.
1007113-3 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
Component: Service Provider
Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.
Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less
Impact:
Pool member is marked DOWN even though it is active
Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.
1006893-4 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
Component: Access Policy Manager
Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.
Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
1006857-1 : Adding a source address list to a virtual server in a partition with a non-default route domain fails
Component: Local Traffic Manager
Symptoms:
Adding a source address list to a virtual server in a partition with a non-default route domain fails with an error similar to:
0107176c:3: Invalid Virtual Address, the IP address 10.10.10.20%2 already exists.
Conditions:
-- A partition with a non-default route domain.
-- A virtual server and address list in said partition.
-- Modifying the virtual server to use the address list as its source address.
Impact:
Unable to use a source address list in a partition with a non-default route domain.
Workaround:
Manually create a traffic-matching-criteria object in TMSH with the desired configuration, and then create the virtual server using that traffic-matching-criteria.
1006449-1 : The default size of the subagent object cache possibly leading to slow snmp response time★
Component: TMOS
Symptoms:
After upgrading from 13.1.0.8 to 15.1.0.5, BIG-IP CPU utilization increases and SNMP is slow to respond.
Conditions:
SNMP client repeatedly polls BIG-IP for OIDs in multiple tables over a short period of time.
Impact:
SNMP queries take an unusually long time to return data, and BIG-IP CPU utilization is higher.
1006345-4 : Static mac entry on trunk is not programmed on CPU-only blades
Component: TMOS
Symptoms:
More traffic egressing out from primary link of lacp when there is DLFs (destination lookup failures) since static mac is not present on CPU-only blades
Conditions:
Static mac configured on trunk on all platforms except i4000, i850/i2000, 2000/2200, 4000/4200,4100
Impact:
DLFs (destination lookup failures) will cause the first interface in the trunk to egress all DLF'd traffic
1006157-3 : FQDN nodes not repopulated immediately after 'load sys config'
Component: Local Traffic Manager
Symptoms:
A DNS query is not sent for configured FQDN nodes until the TTL value expires.
Conditions:
This occurs when 'load sys config' is executed.
Impact:
Name addresses do not resolve to IP addresses until the TTL expires.
Workaround:
You can use either of the following workarounds:
-- Change the default TTL value to be fewer than 300 seconds (the default value is 300 seconds).
-- Restart dynconfd daemon:
tmsh restart sys service dynconfd
1005309-4 : Additional Tcl variables showing information from the AntiBot Mobile SDK
Component: Application Security Manager
Symptoms:
When using the Bot Defense iRules together with the AntiBot Mobile SDK, there are several variables missing. These missing variables would be useful for correct troubleshooting and pattern matching.
Conditions:
Using the AntiBot Mobile SDK together with Bot Defense iRules
Impact:
Some variables that are required for troubleshooting and pattern matching of the AntiBot Mobile SDK are missing.
Workaround:
None
1005181-4 : Bot Defense Logs indicate the mobile debugger is used even when it is not
Component: Application Security Manager
Symptoms:
When using the AntiBot Mobile SDK, the Bot Defense Request Log may indicate that the mobile debugger is enabled, even when it is not.
Conditions:
Using the AntiBot Mobile SDK with the Bot Defense Profile
Impact:
Request log is showing an incorrect value.
Workaround:
None
1005109-4 : TMM crashes when changing traffic-group on IPv6 link-local address
Component: Local Traffic Manager
Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.
Conditions:
Changing the traffic-group on an IPv6 link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
1005105-3 : Requests are missing on traffic event logging
Component: Application Security Manager
Symptoms:
Some traffic requests are missing in Security :: Event Logs.
Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic
Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.
Workaround:
None
1004953-5 : HTTP does not fall back to HTTP/1.1★
Component: Local Traffic Manager
Symptoms:
After upgrading, the BIG-IP system's HTTP profile no longer falls back to HTTP/1.1 if a client sends a corrupted URI.
Conditions:
-- Client sends a corrupted URI (for example a URI containing a space).
Impact:
The BIG-IP system treats the URI as an HTTP/0.9 request (as per RFC) and forwards only the first request line. In previous releases, the BIG-IP system treated the URI as a HTTP/1.1 request.
Workaround:
None.
1004929-1 : During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
Component: TMOS
Symptoms:
While receiving a config sync operation, mcpd on a secondary blade may restart, logging:
err mcpd[6383]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020012:3: A unsigned four-byte integer message item is invalid.... failed validation with error 16908306
Conditions:
-- A VIPRION system (or cluster-based vCMP guest) with more than one blade processes a full configuration load, i.e. as a result of running "tmsh load sys config" or receiving a full-load config sync from peer BIG-IP.
-- The system generates a large number of warning messages during a configuration load, whose total length is larger than 65,535 bytes.
These warnings can be seen in the output of "tmsh load sys config" or "tmsh load sys config verify", or are logged under message ID 01071859
An example of such a warning is:
SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string of the ssl profile (/Common/ssl-profile-1) has been ignored.
Impact:
MCPD on secondary blades restart. Those blades are inoperative while services restart.
Workaround:
Address the warnings reported by the system.
1004897-5 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
Component: Local Traffic Manager
Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)
Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)
Impact:
Wrong GoAway Reason is logged
1004845-1 : Accessing attribute using attributeNode value does not work with Portal Access
Component: Access Policy Manager
Symptoms:
URI normalization issue when using attributeNode to access attribute values.
Conditions:
Using attributeNode to access attribute value in web applications
Impact:
Web application does not work as expected.
Workaround:
Use custom iRule to fix this issue. There is no generic iRule for this issue, but here is a sample iRule:
XXXX is the file which usage attributeNode.
when REWRITE_REQUEST_DONE {
if {
[HTTP::path] ends_with "XXXX"
} {
# log "URI=([HTTP::path])"
# Found the file to modify
REWRITE::post_process 1
}
}
when REWRITE_RESPONSE_DONE {
set strt [string first {<script>try} [REWRITE::payload]]
if {$strt > 0} {
REWRITE::payload replace $strt 0 {
<script>
(function (){
var old_F5_Inflate_value = F5_Inflate_value;
F5_Inflate_value = function (o,sw,incr,v) {
if (o && o.ownerDocument) {
if (o.name == 'action') {
if (o.ownerElement) {
F5_Inflate_action(o.ownerElement,incr,v);
}
}
}
return old_F5_Inflate_value.apply(this,arguments)
}
})();
</script>
}
}
}
1004609-6 : SSL forward proxy virtual server may set empty SSL session_id in server hello.
Component: Local Traffic Manager
Symptoms:
End user clients are unable to establish a TLS connection. Further investigation indicates that the Session ID length field is set to 0, but there is no session ID.
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 59
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 55
Version: Version: TLS 1.2 (0x0303)
Random: aa957f92a5de4cedcf9750b60b3efab6b345da6c32189e93…
Session ID Length: 0 <=== !!!
.....
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
.....
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
.....
Conditions:
-- SSL forward proxy virtual server.
-- This can occur intermittently with normal HTTPS traffic. It occurs more frequently if the session cache's cache-timeout value is set to a low value.
Impact:
After receiving the invalid server hello message from the BIG-IP system, the client may generate unexpected_message (10) TLS alerts and the client may terminate SSL connection.
Workaround:
None
1004537-2 : Traffic Learning: Accept actions for multiple suggestions not localized
Component: Application Security Manager
Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.
Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.
Impact:
Actions not localized.
Workaround:
None
1004517-1 : BIG-IP tenants on VELOS cannot install EHFs
Component: TMOS
Symptoms:
BIG-IP tenants created on VELOS using v14.1.4 software earlier than v14.1.4.3 cannot accept engineering hotfixes (EHF).
Conditions:
Installing EHF updates to BIG-IP tenants on VELOS running BIG-IP v14.1.4 software earlier than v14.1.4.3.
Impact:
EHF installation fails.
Workaround:
None
1004469-1 : SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string
Component: TMOS
Symptoms:
SNMP polling fails for ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName.
Conditions:
Run the snmpwalk for ltmSipsessionProfileStatVsName :
[root@d1:Active:Standalone] tmp # snmpwalk -c public localhost ltmSipsessionProfileStatVsName
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/test-sip"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSipsessionProfileStatVsName."/Common/sipsession-alg"."" = STRING:
----------
Run the snmpwalk for ltmSiprouterProfileStatTable
[root@ltm1:Active:Standalone] config # snmpwalk -c public localhost ltmSiprouterProfileStatTable
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter"."" = STRING: /Common/siprouter
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatName."/Common/siprouter-alg"."" = STRING: /Common/siprouter-alg
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatVsName."/Common/siprouter-alg"."" = STRING:
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessgesIn."/Common/siprouter-alg"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter"."" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmSiprouterProfileStatTotMessagesInRetry."/Common/siprouter-alg"."" = Counter64: 0
Impact:
Returns empty. Cannot extract the virtual server name of a SIP session and SIP router profile through SNMP.
Workaround:
None
1004317-4 : Csyncd removes files and directories under /config/zebos, /var/named/config/namedb, etc.
Component: Local Traffic Manager
Symptoms:
The csyncd operation fails to publish its manifest to another blade in the cluster.
Conditions:
Create some files and directories in /config/zebos or /var/named/config/namedb on the primary in multi-blade VIPRION or multi-blade vCMP guest.
Impact:
-- The named and zrd processes start failing on secondary blades.
-- If the /config/zebos directory is removed from the secondaries and one of the blades becomes primary tmm might fail to start.
-- This might affect directories other than /config/zebos and /var/named/config/namedb.
Workaround:
The following manual operation can be performed if this occurs:
# Stop all affected daemons
bigstart stop csyncd
bigstart stop named
bigstart stop tmrouted
# rsync zone and zebos files from primary to secondary
rsync -arvzAXI primary:/config/zebos /config/zebos
rsync -arvzAXI primary:/var/named/config/namedb /var/named/config/namedb
# Wait until the files have been copied
# Start all affected daemons
bigstart start csyncd
bigstart start named
bigstart start tmrouted
1003633-1 : There might be wrong memory handling when message routing feature is used
Component: Service Provider
Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0
Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled
Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.
Workaround:
N/A
1003629 : PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS.
Component: TMOS
Symptoms:
If swapping management and data plane NICs using the onboarding Terraform template, you will receive a, “License is not operational (expired or digital signature does not match contents)” message.
Conditions:
- A multi-NIC instance deployed in Azure or AWS using a PAYG license.
- Use the onboarding Terraform template to swap the management (1st NIC) and the data plane NICs.
Impact:
After swapping NICs and rebooting the instance, BIG-IP cannot successfully validate the PAYG license.
Workaround:
Due to Azure and AWS metadata service calls restricted to using the primary IP address, avoid swapping NICs, as it is currently NOT supported in those Clouds.
1003469-1 : The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error.
Component: TMOS
Symptoms:
When trying to reset the statistics for an IPv6 pool member using the GUI, the operation fails and the system returns one of the following errors (depending on the software version in use):
01030010:3: eXtremeDB - search operation failed
Unable to complete request
Conditions:
This issue occurs when you attempt to use the BIG-IP GUI to:
-- Reset the statistics of one or more IPv6 pool members you have selected individually.
-- Reset the statistics of all pools by using the 'Select All' checkbox (provided the system contains IPv6 pool members).
Impact:
Inability to reset the statistics using the GUI.
Workaround:
You can use the tmsh utility to reset the pool member's statistics from the CLI. Example command:
tmsh reset-stats ltm pool my-pool members { 2001:DB8::1.80 }
1003397-3 : DoS TCP SYN-ACK vector with 'suspicious' set to true impacts MD5 AUTH (BGP) functionality
Component: Advanced Firewall Manager
Symptoms:
Using device DoS with TCP SYN ACK Flood vector enabled and 'Only Count Suspicious Events' option enabled breaks connections using TCP MD5 AUTH, including BGP.
Conditions:
Device DoS with TCP SYN ACK Flood vector enabled and 'Only Count Suspicious Events' option enabled
Impact:
BGP peering is not established/connections failing.
Workaround:
Disable the 'Only Count Suspicious Events' option.
1003377-3 : Disabling DoS TCP SYN-ACK does not clear suspicious event count option
Component: Advanced Firewall Manager
Symptoms:
When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.
Conditions:
Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.
Impact:
BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.
Workaround:
Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.
1003257-6 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
1002945-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
None
1002809-4 : OSPF vertex-threshold should be at least 100
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
1002417-2 : Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk
Component: TMOS
Symptoms:
In a chassis, when the switch needs to forward a packet where the destination MAC address does not exist in the L2 forwarding table (DLF, destination lookup failure), the packet is forwarded to blade one and flooded there. This can lead to interfaces on blade one being more heavily used.
Conditions:
Altering of trunk vlan memberships after failovers will lead to traffic imbalance on egress ports.
Impact:
It may lead to an out of bandwidth condition on interfaces.
1002345-4 : Transparent DNS monitor does not work after upgrade★
Component: In-tmm monitors
Symptoms:
DNS Pool state changes from up to down following an upgrade.
Conditions:
A transparent DNS monitor is configured to use the loopback address.
Impact:
The DNS pool is marked down.
Workaround:
None
1001129-1 : Maximum Login Failures lockout for root and admin
Component: TMOS
Symptoms:
The root/admin account does not lock out when multiple login failures occur.
Conditions:
Local accounts such as root and admin occur multiple login failures.
Impact:
The root or admin account is not locked out. Other accounts are locked out after multiple login failures.
Workaround:
None
1001101-1 : Cannot update/display GTM/DNS listener route advertisement correctly
Component: Global Traffic Manager (DNS)
Symptoms:
Not able to update/display GTM/DNS listener route advertisement correctly.
Conditions:
Operating from the GUI GTM/DNS listener page.
Impact:
Not able to manage route advertisement from GUI GTM listener page.
Workaround:
Instead of GTM/DNS GUI, use LTM virtual address operations to manage GTM/DNS listener route advertisement.
1001069-5 : VE CPU higher after upgrade, given same throughput
Component: TMOS
Symptoms:
Significant increase in CPU usage post-upgrade.
Conditions:
-- Upgrading from v13.x to a later version.
-- Configured BIG-IP Virtual Edition (VE) that uses the sock driver.
Impact:
Significant increase in CPU usage, leading to potential degradation or disruption of traffic.
Workaround:
Create the following overrides:
-- In '/config/tmm_init.tcl' add or append the following:
ndal mtu 1500 1137:0043
device driver vendor_dev 1137:0043 xnet
-- In '/config/xnet_init.tcl' add or append the following
device driver vendor_dev 1137:0043 dpdk
Note: These overrides must be re-applied every time an upgrade is done.
1000561-5 : Chunk size incorrectly passed to client-side
Component: Local Traffic Manager
Symptoms:
HTTP/2 Virtual Servers pass the chunk size bytes from the server-side (HTTP/1.1) to the client-side (HTTP/2) when OneConnect and request-logging profiles are applied.
Conditions:
-- BIG-IP hardware platform
-- BIG-IP configured with a HTTP/2 virtual server - context client-side with OneConnect and request-logging profile
-- The server sends a chunked response
Impact:
The server-side response is chunked but the chunk size header is passed to the client-side when it should not be.
Workaround:
Change HTTP response-chunking to 'unchunk'.
1000405-1 : VLAN/Tunnels not listed when creating a new rule via GUI
Component: Advanced Firewall Manager
Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.
Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.
Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.
Workaround:
Use tmsh to specify tunnels for firewall rules.
1000325-1 : UCS loads successfully status even when base configuration load fails★
Component: TMOS
Symptoms:
Installation of UCS is successful, but then the base configuration fails to load. The BIG-IP status prompt reads INOPERATIVE. You might observe an error message indicating a missing foreign key index:
01070712:3: Values (/Common/dtca.key) specified for trust domain (/Common/Root): foreign key index (key_fk) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.
Conditions:
Loading a UCS file using the 'platform-migrate' option.
Impact:
-- The BIG-IP system goes to INOPERATIVE state.
-- "tmsh show sys mcp-state" reports that MCPD has failed to load the base configuration, for instance:
# tmsh show sys mcp-state
-------------------------------------------------------
Sys::mcpd State:
-------------------------------------------------------
Running Phase platform
Last Configuration Load Status base-config-load-failed
End Platform ID Received true
Workaround:
Remove trust-domain from the bigip_base.conf file and reload the configuration.
1000069-3 : Virtual server does not create the listener
Component: Local Traffic Manager
Symptoms:
A virtual-address is in an offline state.
Conditions:
An address-list is used on a virtual server in a non-default route domain.
Impact:
The virtual IP address remains in an offline state.
Workaround:
Using tmsh, create the traffic-matching-criteria. Specify the route domain, and attach it to the virtual server.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/