Applies To:
Show VersionsBIG-IP APM
- 16.1.2
BIG-IP Analytics
- 16.1.2
BIG-IP Link Controller
- 16.1.2
BIG-IP LTM
- 16.1.2
BIG-IP PEM
- 16.1.2
BIG-IP AFM
- 16.1.2
BIG-IP FPS
- 16.1.2
BIG-IP DNS
- 16.1.2
BIG-IP ASM
- 16.1.2
BIG-IP Release Information
Version: 16.1.2.2
Build: 28.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
830361-9 | CVE-2012-6711 | K05122252 | CVE-2012-6711 Bash Vulnerability | 16.1.2.2 |
1087201-6 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 16.1.2.2 |
1002565-1 | CVE-2021-23840 | K24624116 | OpenSSL vulnerability CVE-2021-23840 | 16.1.2.2 |
823877-7 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 14.1.4.5, 16.1.2.2 |
713754-3 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 14.1.4.5, 16.1.2.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050537-1 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 16.1.2.2 |
882709-6 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors&start; | 16.1.2.2 |
874941-4 | 3-Major | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2 | |
669046-7 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 16.1.2.2 |
1046669-1 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 16.1.2.2 |
982697-7 | 4-Minor | ICMP hardening | 16.1.2.2 | |
1033837-1 | 4-Minor | REST authentication tokens persist on reboot&start; | 16.1.2.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070009 | 1-Blocking | BT1070009 | iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform | 16.1.2.2 |
976669-5 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 16.1.2.2 |
935177-3 | 2-Critical | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 16.1.2.2 |
915981-4 | 2-Critical | BIG-IP SCP hardening | 16.1.2.2 | |
1059185-1 | 2-Critical | iControl REST Hardening | 16.1.2.2 | |
1059165-1 | 2-Critical | BT1059165 | Multiple virtual server pages fail to load. | 16.1.2.2 |
1057801-6 | 2-Critical | TMUI does not follow current best practices | 16.1.2.2 | |
1051561-7 | 2-Critical | iControl REST request hardening | 16.1.2.2 | |
1048141-3 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 16.1.2.2 |
1047213-1 | 2-Critical | BT1047213 | VPN Client to Client communication fails when clients are connected to different TMMs. | 16.1.2.2 |
1007901-1 | 2-Critical | Support for FIPS 140-3 Module identifier service. | 16.1.2.2 | |
999125-1 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 16.1.2.2 |
992865-3 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 15.1.4, 16.1.2.2 |
988165-3 | 3-Major | VMware CPU reservation is now enforced. | 16.1.2.2 | |
984585-3 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 16.1.2.2 |
982341-7 | 3-Major | iControl REST endpoint hardening | 16.1.2.2 | |
963541-1 | 3-Major | BT963541 | Net-snmp5.8 crash | 16.1.2.2 |
959985-3 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 16.1.2.2 |
943669-4 | 3-Major | BT943669 | B4450 blade reboot | 15.1.2, 16.1.2.2 |
943577-1 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 16.1.2.2 |
912253-2 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 16.1.2.2 |
907549-6 | 3-Major | BT907549 | Memory leak in BWC::Measure | 15.1.0.5, 16.1.2.2 |
901669-6 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 16.1.2.2 |
755976-9 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 16.1.2.2 |
1083537 | 3-Major | BT1083537 | FIPS 140-3 Certification | 16.1.2.2 |
1076377-3 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 16.1.2.2 |
1074113-1 | 3-Major | BT1074113 | IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer | 16.1.2.2 |
1071609-2 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 16.1.2.2 |
1066285-4 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 16.1.2.2 |
1065585-1 | 3-Major | BT1065585 | System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition | 16.1.2.2 |
1064461-4 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 16.1.2.2 |
1060625-1 | 3-Major | BT1060625 | Wrong INTERNAL_IP6_DNS length. | 16.1.2.2 |
1060149-2 | 3-Major | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 16.1.2.2 |
1059853 | 3-Major | BT1059853 | Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.&start; | 16.1.2.2 |
1057809-6 | 3-Major | Saved dashboard hardening | 16.1.2.2 | |
1056993-2 | 3-Major | 404 error is raised on GUI when clicking "App IQ." | 16.1.2.2 | |
1056741-2 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based by SNI. | 16.1.2.2 |
1052893-4 | 3-Major | Configuration option to delay reboot if dataplane becomes inoperable | 16.1.2.2 | |
1048541-1 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 16.1.2.2 |
1047169-1 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 16.1.2.2 |
1042009-1 | 3-Major | BT1042009 | Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes | 16.1.2.2 |
1022637-1 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 15.1.5, 16.1.2.2 |
1020789-4 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 16.1.2.2 |
1019357-2 | 3-Major | Active fails to resend ipsec ikev2_message_id_sync if no response received | 16.1.2.2 | |
1008837-1 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 14.1.4.4, 15.1.4, 16.1.2.2 |
1008269-1 | 3-Major | BT1008269 | Error: out of stack space | 16.1.2.2 |
976337-2 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2 |
742753-8 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 16.1.2.2 |
528894-5 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 15.1.5, 16.1.2.2 |
1072237-1 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 16.1.2.2 |
1071365-5 | 4-Minor | iControl SOAP WSDL hardening | 16.1.2.2 | |
1067617-4 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 16.1.2.2 |
1062333-6 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 16.1.2.2 | |
1061797-1 | 4-Minor | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 16.1.2.2 | |
1058677-2 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 16.1.2.2 |
1051797 | 4-Minor | Linux kernel vulnerability: CVE-2018-18281 | 16.1.2.2 | |
1046693-4 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 16.1.2.2 |
1045549-4 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 16.1.2.2 |
1040821-4 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 16.1.2.2 |
1034589-1 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 16.1.2.2 |
1034329-1 | 4-Minor | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 16.1.2.2 | |
1031425-3 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 16.1.2.2 |
1030645-4 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 16.1.2.2 |
1024621-4 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 16.1.2.2 |
1011217-5 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade&start; | 16.1.2.2 |
1002809-4 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 16.1.2.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968929-2 | 2-Critical | BT968929 | TMM may crash when resetting a connection on an APM virtual server | 16.1.2.2 |
910213-7 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 16.1.2.2 |
1071593-4 | 2-Critical | TMM may crash while processing TLS traffic | 16.1.2.2 | |
1071449-4 | 2-Critical | BT1071449 | Statsd memory leak on platforms with license disabled processors. | 16.1.2.2 |
1069629-4 | 2-Critical | TMM may crash while processing TLS traffic | 16.1.2.2 | |
1064617-1 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 16.1.2.2 |
1059053-2 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 16.1.2.2 |
1055737-1 | 2-Critical | TMM may consume excessive resources while processing HTTP/2 traffic | 16.1.2.2 | |
1047581-3 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 16.1.2.2 |
1047089-2 | 2-Critical | TMM may terminate while processing TLS/DTLS traffic | 15.1.5, 16.1.2.2 | |
1000021-7 | 2-Critical | TMM may consume excessive resources while processing packet filters | 15.1.5, 16.1.2.2 | |
999901-1 | 3-Major | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 16.1.2.2 | |
993981-3 | 3-Major | TMM may crash when ePVA is enabled | 16.1.2.2 | |
993517-1 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 16.1.2.2 |
977761 | 3-Major | Connections are dropped if a certificate is revoked. | 16.1.2.2 | |
967101-1 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 16.1.2.2 |
955617-8 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 16.1.2.2 |
953601-4 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 16.1.2.2 |
951257-5 | 3-Major | FTP active data channels are not established | 16.1.2.2 | |
936441-7 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 16.1.2.2 |
912517-7 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 16.1.2.2 |
902377-4 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 16.1.2.2 |
883049-9 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 16.1.2.2 |
803109-4 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 16.1.2.2 |
794385-6 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 16.1.2.2 |
672963-1 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 16.1.2.2 |
1083989-1 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 16.1.2.2 |
1078053-1 | 3-Major | TMM may consume excessive resources while processing STEAM traffic | 16.1.2.2 | |
1073973-1 | 3-Major | BT1073973 | Gateway HTTP/2, response payload intermittently not forwarded to client. | 16.1.2.2 |
1072953-2 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 16.1.2.2 |
1071585-1 | 3-Major | BT1071585 | BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode | 16.1.2.2 |
1068561-1 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 16.1.2.2 |
1068353-1 | 3-Major | Unexpected event sequence may cause HTTP/2 flow stall during shutdown | 16.1.2.2 | |
1064157-1 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 16.1.2.2 |
1063453-1 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 16.1.2.2 |
1058469-1 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 16.1.2.2 |
1056401-4 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 16.1.2.2 |
1055097-1 | 3-Major | BT1055097 | TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. | 16.1.2.2 |
1052929-4 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 16.1.2.2 |
1043357-4 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 16.1.2.2 |
1043017-4 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 16.1.2.2 |
1042913-2 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 16.1.2.2 |
1042509-1 | 3-Major | BT1042509 | On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request | 16.1.2.2 |
1029897-1 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 16.1.2.2 |
1024841-2 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 16.1.2.2 |
1024225-3 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 16.1.2.2 |
1020549-1 | 3-Major | BT1020549 | Server-side connections stall with zero window with OneConnect profile | 16.1.2.2 |
1017721-5 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 16.1.2.2 |
1017533-3 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 16.1.2.2 |
1016449-3 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 16.1.2.2 |
1008501-1 | 3-Major | BT1008501 | TMM core | 16.1.2.2 |
1006781-2 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 15.1.4.1, 16.1.2.2 |
1004897-5 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 14.1.4.4, 16.1.2.2 |
1004689-4 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 16.1.2.2 |
838305-9 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 16.1.2.2 |
717806-8 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 16.1.2.2 |
1080341-4 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 16.1.2.2 |
1075205-1 | 4-Minor | BT1075205 | Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. | 16.1.2.2 |
1064669-1 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 16.1.2.2 |
1032513-3 | 4-Minor | TMM may consume excessive resources while processing MRF traffic | 16.1.2.2 | |
1026605-6 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 16.1.2.2 |
1026005-1 | 4-Minor | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 16.1.2.2 | |
1016441-4 | 4-Minor | RFC Enforcement Hardening | 16.1.2.2 | |
1016049-6 | 4-Minor | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 16.1.2.2 |
968581-4 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 16.1.2.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1066729-1 | 2-Critical | TMM may crash while processing DNS traffic | 16.1.2.2 | |
1062513-4 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 16.1.2.2 |
1030881-1 | 2-Critical | BT1030881 | [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.&start; | 16.1.2.2 |
1027657-4 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 16.1.2.2 |
1011433-1 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 16.1.2.2 |
1010617-1 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 16.1.2.2 |
876677-2 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 16.1.2.2 |
1076401-5 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 16.1.2.2 |
1064189-1 | 3-Major | DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning | 16.1.2.2 | |
1046785-1 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 16.1.2.2 |
1044425-1 | 3-Major | NSEC3 record improvements for NXDOMAIN | 16.1.2.2 | |
1020337-2 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 16.1.2.2 |
1018613-1 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 16.1.2.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1069501-1 | 2-Critical | ASM may not match certain signatures | 16.1.2.2 | |
1069449-1 | 2-Critical | ASM attack signatures may not match cookies as expected | 16.1.2.2 | |
1068237-1 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 16.1.2.2 |
1000789-1 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 16.1.2.2 |
965785-4 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 16.1.2.2 |
961509-5 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 16.1.2.2 |
926845-7 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 16.1.2.2 |
923221-8 | 3-Major | BT923221 | BD does not use all the CPU cores | 16.1.2.2 |
818889-1 | 3-Major | BT818889 | False positive malformed json or xml violation. | 16.1.2.2 |
1077281-2 | 3-Major | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 16.1.2.2 | |
1072197-1 | 3-Major | Issue with input normalization in WebSocket. | 16.1.2.2 | |
1070273-1 | 3-Major | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 16.1.2.2 | |
1069133-4 | 3-Major | BT1069133 | ASMConfig memory leak. | 16.1.2.2 |
1067285-1 | 3-Major | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 16.1.2.2 | |
1066829-1 | 3-Major | Memory leak for xml/json auto-detected parameter with signature patterns. | 16.1.2.2 | |
1061617-4 | 3-Major | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 16.1.2.2 | |
1060933-1 | 3-Major | Issue with input normalization. | 16.1.2.2 | |
1059621-2 | 3-Major | IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. | 16.1.2.2 | |
1056365-1 | 3-Major | Bot Defense injection does not follow best SOP practice. | 16.1.2.2 | |
1052173-1 | 3-Major | For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. | 16.1.2.2 | |
1052169 | 3-Major | Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode | 16.1.2.2 | |
1051213-1 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 16.1.2.2 |
1051209-1 | 3-Major | BD may not process certain HTTP payloads as expected | 16.1.2.2 | |
1047389-4 | 3-Major | BT1047389 | Bot Defense challenge hardening | 16.1.2.2 |
1043533-3 | 3-Major | Unable to pick up the properties of the parameters from audit reports. | 16.1.2.2 | |
1043385-4 | 3-Major | No Signature detected If Authorization header is missing padding. | 16.1.2.2 | |
1042605-1 | 3-Major | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above&start; | 16.1.2.2 | |
1041149-1 | 3-Major | Staging of URL does not affect apply value signatures | 16.1.2.2 | |
1038733-4 | 3-Major | Attack signature not detected for unsupported authorization types. | 16.1.2.2 | |
1037457-1 | 3-Major | High CPU during specific dos mitigation | 16.1.2.2 | |
1033017-1 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 16.1.2.2 |
1030853-1 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 16.1.2.2 |
1028473-1 | 3-Major | URL sent with trailing slash might not be matched in ASM policy | 16.1.2.2 | |
1023993-4 | 3-Major | Brute Force is not blocking requests, even when auth failure happens multiple times | 16.1.2.2 | |
1021521-1 | 3-Major | JSON Schema is not enforced if OpenAPI media-type is wild card. | 16.1.2.2 | |
1019721-1 | 3-Major | Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export | 16.1.2.2 | |
1012221-1 | 3-Major | BT1012221 | Message: childInheritanceStatus is not compatible with parentInheritanceStatus&start; | 16.1.2.2 |
1011069-1 | 3-Major | Group/User R/W permissions should be changed for .pid and .cfg files. | 16.1.2.2 | |
1008849-4 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 16.1.2.2 |
844045-4 | 4-Minor | ASM Response event logging for "Illegal response" violations. | 16.1.2.2 | |
1066377-1 | 4-Minor | OpenAPI - Content profile is not consistent with wildcard configuration | 16.1.2.2 | |
1050697-4 | 4-Minor | Traffic learning page counts Disabled signatures when they are ready to be enforced | 16.1.2.2 | |
1048445-1 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 16.1.2.2 |
1039245-2 | 4-Minor | Policy Properties screen does not load and display | 16.1.2.2 | |
1038741-4 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 16.1.2.2 |
1036521-1 | 4-Minor | BT1036521 | TMM crash in certain cases | 16.1.2.2 |
1035361-4 | 4-Minor | Illegal cross-origin after successful CAPTCHA | 16.1.2.2 | |
1034941-1 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 16.1.2.2 |
1021637-4 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 16.1.2.2 |
1020717-4 | 4-Minor | Policy versions cleanup process sometimes removes newer versions | 16.1.2.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-4 | 3-Major | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992073-2 | 3-Major | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 16.1.2.2 | |
858005-1 | 3-Major | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 16.1.2.2 | |
423519-5 | 3-Major | Bypass disabling the redirection controls configuration of APM RDP Resource. | 16.1.2.2 | |
1045229-1 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 14.1.4.5, 16.1.2.2 |
1044121-3 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 14.1.4.5, 16.1.2.2 |
1001937-1 | 3-Major | APM configuration hardening | 16.1.2.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1047053-3 | 2-Critical | TMM may consume excessive resources while processing RTSP traffic | 15.1.5, 16.1.2.2 | |
1029397-4 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 15.1.5, 16.1.2.2 |
957905-1 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 16.1.2.2 |
1082885-1 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 16.1.2.2 |
1078721-1 | 3-Major | TMM may consume excessive resources while processing ICAP traffic | 16.1.2.2 | |
1056933-3 | 3-Major | TMM may crash while processing SIP traffic | 15.1.5, 16.1.2.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964625-5 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 16.1.2.2 |
959609-4 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 16.1.2.2 |
929909-3 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 16.1.2.2 |
1008265-1 | 3-Major | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond&start; | 16.1.2.2 | |
1072057-1 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 16.1.2.2 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946325-7 | 3-Major | PEM subscriber GUI hardening | 16.1.2.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1028269-2 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 16.1.2.2 |
1019613-5 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 16.1.2.2 |
1064217-1 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 16.1.2.2 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038445-1 | 2-Critical | BT1038445 | During upgrade to 16.1, the previous FPS Engine live update remains active&start; | 16.1.2.2 |
873617-1 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 16.1.2.2 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181-2 | 3-Major | Improving Signature Detection Accuracy | 16.1.2.2 | |
1060409-2 | 4-Minor | Behavioral DoS enable checkbox is wrong. | 16.1.2.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829-3 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 14.1.4.5, 16.1.2.2 |
1052153-2 | 3-Major | Signature downloads for traffic classification updates via proxy fail | 16.1.2.2 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-4 | 2-Critical | Protocol Inspection IM package hardening | 16.1.2.2 | |
965853-6 | 3-Major | IM package file hardening&start; | 16.1.2.2 | |
964489-7 | 3-Major | Protocol Inspection IM package hardening | 16.1.2.2 | |
1070677-1 | 3-Major | Learning phase does not take traffic into account - dropping all. | 16.1.2.2 | |
940261-1 | 4-Minor | Support IPS package downloads via HTTP proxy. | 16.1.2.2 |
Guided Configuration Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
982757-3 | 3-Major | APM Access Guided Configuration hardening | 16.1.2.2 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-4 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 16.1.2.2 |
854129-6 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 16.1.2.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-1 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 16.1.2.2 |
969297 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive | 16.1.2.2 |
1058401-1 | 3-Major | BT1058401 | SSL Bypass does not work for inbound traffic | 16.1.2.2 |
1048033-1 | 3-Major | BT1048033 | Server-speaks-first traffic might not work with SSL Orchestrator | 16.1.2.2 |
1047377-1 | 3-Major | BT1047377 | "Server-speak-first" traffic might not work with SSL Orchestrator | 16.1.2.2 |
1029869-1 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 16.1.2.2 |
1029585-1 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 16.1.2.2 |
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
940185-7 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 14.1.4.5, 15.1.5, 16.1.2.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-5 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 14.1.4.5, 15.1.5, 16.1.2.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-1 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 14.1.4.4, 15.1.5, 16.1.2.1 |
996001-5 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 14.1.4.5, 15.1.5, 16.1.2.1 |
994305-3 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 16.1.2.1 |
968657-1 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 16.1.2.1 |
1032949-1 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 15.1.5, 16.1.2.1 |
1041765-2 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 16.1.2.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999097-1 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 14.1.4.5, 15.1.5, 16.1.2.1 |
910673-6 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 16.1.2.1 |
898929-6 | 3-Major | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 14.1.4.5, 15.1.5, 16.1.2.1 |
1065789-1 | 3-Major | TMM may send duplicated alerts while processing SSL connections | 15.1.5, 16.1.2.1 | |
1038629-4 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 14.1.4.5, 15.1.5, 16.1.2.1 |
1031609-1 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.&start; | 16.1.2.1 |
1019609-1 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM.&start; | 16.1.2.1 |
1017513-5 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier | 14.1.4.5, 16.1.2.1 |
1007749-2 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 15.1.5, 16.1.2.1 |
1048433-1 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.&start; | 16.1.2.1 |
1024761-1 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 15.1.5, 16.1.2.1 |
1005109-4 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 14.1.4.5, 15.1.5, 16.1.2.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
935249-3 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 15.1.5, 16.1.2.1 |
1039553-1 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 15.1.5, 16.1.2.1 |
1021061-4 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 14.1.4.5, 15.1.5, 16.1.2.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-7 | 2-Critical | BT993613 | Device fails to request full sync | 14.1.4.5, 15.1.5, 16.1.2.1 |
984593-1 | 3-Major | BT984593 | BD crash | 14.1.4.5, 15.1.5, 16.1.2.1 |
921697-1 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.&start; | 16.1.2.1 |
907025-5 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 14.1.4.5, 15.1.5, 16.1.2.1 |
885765-1 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 14.1.4.5, 15.1.5, 16.1.2.1 |
830341-5 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1 |
1045101-4 | 3-Major | Bd may crash while processing ASM traffic | 15.1.5, 16.1.2.1 | |
1043205-1 | 3-Major | BT1043205 | SSRF Violation should be shown as a Parameter Entity Reference. | 16.1.2.1 |
1042069-1 | 3-Major | Some signatures are not matched under specific conditions. | 14.1.4.5, 15.1.4.1, 16.1.2.1 | |
1002385-1 | 4-Minor | Fixing issue with input normalization | 15.1.5, 16.1.2.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-2 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 15.1.5, 16.1.2.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969317-4 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 14.1.4.5, 15.1.4.1, 16.1.2.1 |
828761-5 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 14.1.4.5, 15.1.5, 16.1.2.1 |
827393-5 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 14.1.4.5, 16.1.2.1 |
738593-3 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 14.1.4.5, 15.1.5, 16.1.2.1 |
1007677-2 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 15.1.4.1, 16.1.2.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039329-2 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 14.1.4.5, 15.1.5, 16.1.2.1 |
1025529-2 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 14.1.4.5, 15.1.4.1, 16.1.2.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-4 | 3-Major | BT956013 | System reports{{validation_errors}} | 14.1.4.5, 15.1.5, 16.1.2.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023437-1 | 3-Major | Buffer overflow during attack with large HTTP Headers | 14.1.4.5, 15.1.5, 16.1.2.1 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1055361-1 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 16.1.2.1 |
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
991421-2 | CVE-2022-23016 | K91013510, BT991421 | TMM may crash while processing TLS traffic | 15.1.4.1, 16.1.2 |
989701-8 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 14.1.4.5, 15.1.4.1, 16.1.2 |
988549-10 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
968893-3 | CVE-2022-23014 | K93526903, BT968893 | TMM crash when processing APM traffic | 15.1.4.1, 16.1.2 |
940317-9 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 14.1.4.4, 15.1.4.1, 16.1.2 |
1037181-1 | CVE-2022-23022 | K96924184, BT1037181 | TMM may crash while processing HTTP traffic | 16.1.2 |
1032405-1 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1031269 | CVE-2022-23020 | K17514331, BT1031269 | TMM may consume excessive resources when processing logging profiles | 16.1.2 |
1030689-1 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 14.1.4.4, 15.1.4.1, 16.1.2 |
1028669-7 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028573-6 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028497-7 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1012365-4 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 14.1.4.5, 15.1.4.1, 16.1.2 |
1007489-7 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests&start; | 14.1.4.5, 15.1.4.1, 16.1.2 |
974341-6 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 14.1.4.5, 15.1.4.1, 16.1.2 |
973409-6 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
941649-8 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 14.1.4.5, 15.1.4.1, 16.1.2 |
803965-10 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 14.1.4.5, 15.1.4, 16.1.2 |
1035729-1 | CVE-2022-23021 | K57111075, BT1035729 | TMM may crash while processing traffic http traffic | 16.1.2 |
1009725-1 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 14.1.4.5, 15.1.4.1, 16.1.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985953-6 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 14.1.4.5, 15.1.4.1, 16.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039049-2 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 14.1.4.5, 15.1.4.1, 16.1.2 |
997313-2 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder&start; | 15.1.4.1, 16.1.2 |
1031357-2 | 2-Critical | BT1031357 | After reboot of standby and terminating peer, some IPsec traffic-selectors are still online | 16.1.2 |
1029949-2 | 2-Critical | BT1029949 | IPsec traffic selector state may show incorrect state on high availability (HA) standby device | 16.1.2 |
998221-1 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2 |
946185-3 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'&start; | 14.1.4.4, 15.1.4.1, 16.1.2 |
922185-3 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'&start; | 14.1.4.5, 15.1.4.1, 16.1.2 |
881085-4 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 14.1.4.5, 15.1.4.1, 16.1.2 |
708991-1 | 3-Major | BT708991 | Newly entered password is not remembered. | 16.1.2 |
1045421-1 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032737-2 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 15.1.4.1, 16.1.2 |
1032077-1 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 14.1.4.5, 15.1.4.1, 16.1.2 |
1028969-1 | 3-Major | BT1028969 | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working | 16.1.2 |
1026549-1 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 14.1.4.5, 15.1.4.1, 16.1.2 |
1022757-2 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 16.1.2 |
1021773-1 | 3-Major | BT1021773 | Mcpd core. | 16.1.2 |
1020377-1 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon | 16.1.2 |
1015645-2 | 3-Major | BT1015645 | IPSec SA's missing after reboot | 16.1.2 |
1009949-4 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version&start; | 14.1.4.4, 15.1.4.1, 16.1.2 |
1003257-6 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 14.1.4.5, 15.1.4.1, 16.1.2 |
921365-2 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 15.1.4, 16.1.2 |
1034617-1 | 4-Minor | BT1034617 | Login/Security Banner text not showing in console login. | 16.1.2 |
1030845-1 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1022417-1 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 16.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039041 | 1-Blocking | BT1039041 | Log Message: Clock advanced by <number> ticks | 16.1.2 |
1040361-1 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 14.1.4.5, 15.1.5, 16.1.2 |
915773-7 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 14.1.4.4, 15.1.4.1, 16.1.2 |
1023365-2 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 15.1.4.1, 16.1.2 |
1021713-1 | 3-Major | TMM may crash when processing AFM NAT64 policy | 16.1.2 | |
1021481-1 | 3-Major | BT1021481 | 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. | 16.1.2 |
1020957-1 | 3-Major | BT1020957 | HTTP response may be truncated by the BIG-IP system | 16.1.2 |
1018577-4 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 14.1.4.5, 15.1.4.1, 16.1.2 |
1016113-1 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 15.1.4, 16.1.2 |
1008017-2 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 14.1.4.5, 15.1.4.1, 16.1.2 |
895557-5 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2 |
1031901-2 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 15.1.4.1, 16.1.2 |
1018493-1 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 14.1.4.5, 15.1.4, 16.1.2 |
1002945-4 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 14.1.4.5, 15.1.4.1, 16.1.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-1 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 14.1.4.5, 15.1.5, 16.1.2 |
1029629-1 | 2-Critical | TMM may crash while processing DNS lookups | 16.1.2 | |
1028773-1 | 2-Critical | BT1028773 | Support for DNS Over TLS | 16.1.2 |
1009037-1 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 14.1.4.5, 15.1.4.1, 16.1.2 |
1021417-1 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 14.1.4.5, 15.1.4.1, 16.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912149-7 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 14.1.4.5, 15.1.4.1, 16.1.2 |
1019853-1 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 14.1.4.5, 15.1.4.1, 16.1.2 |
1017153-4 | 2-Critical | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1011065-1 | 2-Critical | Certain attack signatures may not match in multipart content | 15.1.4.1, 16.1.2 | |
1011061-4 | 2-Critical | Certain attack signatures may not match in multipart content | 14.1.4.5, 15.1.4.1, 16.1.2 | |
947341-4 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2 |
932133-1 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 14.1.4.4, 15.1.4.1, 16.1.2 |
842013-1 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation&start; | 14.1.4.5, 15.1.4.1, 16.1.2 |
1042917-1 | 3-Major | BT1042917 | Using 'Full Export' of security policy should result with no diffs after importing it back to device. | 16.1.2 |
1028109-1 | 3-Major | BT1028109 | Detected attack signature is reported with the wrong context. | 16.1.2 |
1022269-1 | 3-Major | BT1022269 | False positive RFC compliant violation | 14.1.4.4, 15.1.4, 16.1.2 |
1004069-4 | 3-Major | BT1004069 | Brute force attack is detected too soon | 14.1.4.5, 15.1.5, 16.1.2 |
1004537-2 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 15.1.4, 16.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-7 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 14.1.4.4, 15.1.4.1, 16.1.2 |
922105-1 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 14.1.4.4, 15.1.4.1, 16.1.2 |
1035133-4 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 14.1.4.5, 15.1.4.1, 16.1.2 |
948113-1 | 4-Minor | BT948113 | User-defined report scheduling fails | 14.1.4.5, 15.1.4.1, 16.1.2 |
1020705-2 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 14.1.4.4, 15.1.3.1, 16.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217-1 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 15.1.4.1, 16.1.2 |
1006893-4 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 14.1.4.5, 15.1.4.1, 16.1.2 |
993457-1 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 14.1.4.5, 15.1.4.1, 16.1.2 |
1021485-3 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 14.1.4.5, 15.1.4.1, 16.1.2 |
1017233-2 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 15.1.4.1, 16.1.2 |
939877-3 | 4-Minor | BT939877 | OAuth refresh token not found | 14.1.4.4, 15.1.4, 16.1.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-3 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 14.1.4.5, 15.1.4.1, 16.1.2 |
1018285-2 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 15.1.4.1, 16.1.2 |
1003633-1 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 14.1.4.5, 15.1.4.1, 16.1.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-1 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 14.1.4.5, 15.1.4.1, 16.1.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013629-4 | 3-Major | BT1013629 | URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files | 16.1.2 |
686783-1 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 14.1.4.5, 15.1.4.1, 16.1.2 |
1032689 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 14.1.4.5, 15.1.4.1, 16.1.2 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-2 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade&start; | 14.1.4.4, 15.1.4.1, 16.1.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038669-1 | 3-Major | BT1038669 | Antserver keeps restarting. | 15.1.5, 16.1.2 |
1032797-1 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 15.1.5, 16.1.2 |
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
954425-4 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 14.1.4.4, 15.1.4, 16.1.1 |
797797-7 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1 |
1008561-4 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 14.1.4.4, 15.1.4, 16.1.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911141-1 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 14.1.4.4, 15.1.4, 16.1.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974241-3 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 15.1.4, 16.1.1 |
887117-4 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 15.1.4.1, 16.1.1 |
1019829-2 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot | 16.1.1 |
1018309-5 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 15.1.4.1, 16.1.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023341-1 | 1-Blocking | HSM hardening | 16.1.1 | |
995405-1 | 2-Critical | BT995405 | After upgrade, the copied SSL vhf/vht profile prevents traffic from passing&start; | 16.1.1 |
1040677 | 2-Critical | BT1040677 | BIG-IP D120 platform reports page allocation failures in N3FIPS driver | 16.1.1 |
980617-1 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 16.1.1 |
912945-3 | 4-Minor | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 14.1.4.4, 15.1.4, 16.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-1 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.&start; | 15.1.4, 16.1.1 |
993489-1 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-1 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
970329-1 | 2-Critical | ASM hardening | 14.1.4.4, 15.1.4, 16.1.1 | |
965229-5 | 2-Critical | BT965229 | ASM Load hangs after upgrade&start; | 14.1.4.4, 15.1.4, 16.1.1 |
986937-3 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 15.1.4, 16.0.1.2, 16.1.1 |
981069-3 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 15.1.4, 16.1.1 |
962589-4 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 14.1.4.4, 15.1.4, 16.1.1 |
951133-4 | 3-Major | BT951133 | Live Update does not work properly after upgrade&start; | 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
920149-3 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 14.1.4.4, 15.1.4.1, 16.1.1 |
888289-8 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
1005105-3 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 14.1.4.5, 15.1.4, 16.1.1 |
1000741-1 | 3-Major | Fixing issue with input normalization | 14.1.4.4, 15.1.4, 16.1.1 | |
941625-3 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 15.1.4, 16.1.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924945-5 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 15.1.3, 16.0.1.2, 16.1.1 |
913085-6 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
909161-1 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 14.1.4.4, 15.1.4, 16.1.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1024101-1 | 3-Major | BT1024101 | SWG as a Service license improvements | 16.1.1 |
1022625-2 | 3-Major | BT1022625 | Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator | 16.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-4 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 14.1.4.4, 15.1.4, 16.1.1 |
1012721-4 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 14.1.4.4, 15.1.4.1, 16.1.1 |
1007821-3 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 15.1.4, 16.1.1 |
996113-2 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 14.1.4.4, 15.1.4, 16.1.1 |
805821-1 | 3-Major | BT805821 | GTP log message contains no useful information | 14.1.4.4, 15.1.4, 16.1.1 |
919301-1 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 14.1.4.4, 15.1.4, 16.1.1 |
913413-1 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 14.1.4.4, 15.1.4, 16.1.1 |
913409-1 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 14.1.4.4, 15.1.4, 16.1.1 |
913393-1 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 14.1.4.4, 15.1.4, 16.1.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-3 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 14.1.4.2, 15.1.4, 16.1.1 |
1000405-1 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 15.1.4, 16.1.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 15.1.4, 16.1.1 |
Guided Configuration Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013569-1 | 3-Major | Hardening of iApps processing | 15.1.4, 16.1.1 |
Cumulative fix details for BIG-IP v16.1.2.2 that are included in this release
999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
16.1.2.2
999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
16.1.2.2
999097-1 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
998221-1 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
997313-2 : Unable to create APM policies in a sync-only folder&start;
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
15.1.4.1, 16.1.2
996381-1 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing&start;
Links to More Info: BT995405
Component: Local Traffic Manager
Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass
Conditions:
Upgrading SSL Orchestrator via RPM
Impact:
Traffic will not pass.
Workaround:
Bigstart restart tmm
Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.
Fixed Versions:
16.1.1
994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
16.1.2.1
993981-3 : TMM may crash when ePVA is enabled
Component: Local Traffic Manager
Symptoms:
When ePVA is enabled on the BIG-IP system, Increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".
Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.
Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.
Workaround:
Disable ePVA acceleration option.
Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).
Fix:
TMM now operates as expected with ePVA enabled.
Fixed Versions:
16.1.2.2
993913-4 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
993613-7 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
993517-1 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
16.1.2.2
993489-1 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
993457-1 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
15.1.4, 16.1.2.2
992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1
992073-2 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS
Component: Access Policy Manager
Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.
Conditions:
APM Access Profile with NTLM authentication enabled.
Impact:
NTLM handshake failure causing user authentication failures.
Workaround:
N/A
Fix:
APM now processes NTLM requests as expected.
Fixed Versions:
16.1.2.2
989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
988165-3 : VMware CPU reservation is now enforced.
Component: TMOS
Symptoms:
CPU reservation is not enforced which can result in users over-subscribing their hosts.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
If a host is oversubscribed, performance can suffer as traffic volumes increase.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now enforced. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will need 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
16.1.2.2
986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
15.1.4, 16.0.1.2, 16.1.1
985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
984593-1 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
984585-3 : IP Reputation option not shown in GUI.
Links to More Info: BT984585
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
Fix:
The IP Reputation option is now shown in the GUI.
Fixed Versions:
16.1.2.2
982757-3 : APM Access Guided Configuration hardening
Component: Guided Configuration
Symptoms:
APM Guided Configuration does not follow current best practices
Conditions:
- APM provisioned
- Authenticated administrative user
Impact:
Guided Configuration does not follow current best practices.
Workaround:
N/A
Fix:
Guided Configuration now follows current best practices.
Fixed Versions:
16.1.2.2
982697-7 : ICMP hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.
Conditions:
- ICMP traffic
- DNS in use
Impact:
TMM does not follow current best practices.
Workaround:
N/A
Fix:
TMM now follows current best practices while processing ICMP traffic.
Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.
Fixed Versions:
16.1.2.2
982341-7 : iControl REST endpoint hardening
Component: TMOS
Symptoms:
iControl REST endpoints do not apply current best practices.
Conditions:
- Authenticated administrative user
- Request to iControl endpoint
Impact:
iControl REST endpoints do not follow current best practices.
Workaround:
N/A
Fix:
iControl REST endpoints now follow current best practices.
Fixed Versions:
16.1.2.2
981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
15.1.4, 16.1.1
980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Links to More Info: BT980617
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
Fixed Versions:
16.1.1
977761 : Connections are dropped if a certificate is revoked.
Component: Local Traffic Manager
Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.
Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.
Impact:
Ssl handshake failures due to revoked server certificate
Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.
Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.
Fixed Versions:
16.1.2.2
976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
16.1.2.2
976337-2 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
16.1.2.2
974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
15.1.4, 16.1.1
970329-1 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
Fix:
ARP forwarding to peer is decided based on whether Virtual IP and self-IP is configured or not.
Fixed Versions:
16.1.2.2
968929-2 : TMM may crash when resetting a connection on an APM virtual server
Links to More Info: BT968929
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- HTTP profile without fallback host.
- iRules.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.
Fixed Versions:
16.1.2.2
968657-1 : Added support for IMDSv2 on AWS
Links to More Info: BT968657
Component: TMOS
Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:
get_dossier call on the command line fails with:
01170003:3: halGetDossier returned error (1): Dossier generation failed.
This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.
Conditions:
AWS instances started with IMDSv2.
Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.
Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Fixed Versions:
16.1.2.1
968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.
Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.
Fixed Versions:
16.1.2.2
967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.
Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
965853-6 : IM package file hardening&start;
Component: Protocol Inspection
Symptoms:
IM package file uploads do not follow current best practices.
Conditions:
- IM package file uploaded to BIG-IP
Impact:
IM package file uploads do not follow current best practices.
Workaround:
N/A
Fix:
IM package file uploads now follow current best practices.
Fixed Versions:
16.1.2.2
965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
Fixed Versions:
16.1.2.2
965229-5 : ASM Load hangs after upgrade&start;
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
964625-5 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
Fixed Versions:
16.1.2.2
964489-7 : Protocol Inspection IM package hardening
Component: Protocol Inspection
Symptoms:
Protocol Inspection IM packages do not follow current best practices.
Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP
Impact:
Protocol Inspection IM packages do not follow current best practices.
Workaround:
N/A
Fix:
Protocol Inspection IM packages now follows current best practices.
Fixed Versions:
16.1.2.2
963541-1 : Net-snmp5.8 crash
Links to More Info: BT963541
Component: TMOS
Symptoms:
Snmpd crashes.
Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.
Impact:
Snmpd crashes.
Fixed Versions:
16.1.2.2
962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
16.1.2.2
959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.
Links to More Info: BT959985
Component: TMOS
Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.
Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.
Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.
Workaround:
None
Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.
Fixed Versions:
16.1.2.2
959609-4 : Autodiscd daemon keeps crashing
Links to More Info: BT959609
Component: Advanced Firewall Manager
Symptoms:
Autodiscd daemon keeps crashing.
Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.
Impact:
Auto discovery feature is not working as expected
Workaround:
None.
Fix:
Auto discovery feature now works as expected.
Fixed Versions:
16.1.2.2
957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
16.1.2.2
956013-4 : System reports{{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
955617-8 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
Fixed Versions:
16.1.2.2
953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.
Fixed Versions:
16.1.2.2
951257-5 : FTP active data channels are not established
Component: Local Traffic Manager
Symptoms:
Under certain conditions FTP active data channels may not be established as expected.
Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.
Impact:
FTP transfers with active data channels are not processed as expected.
Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.
Fix:
FTP active data channels are now established as expected.
Fixed Versions:
16.1.2.2
951133-4 : Live Update does not work properly after upgrade&start;
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
948113-1 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
946325-7 : PEM subscriber GUI hardening
Component: Policy Enforcement Manager
Symptoms:
The PEM subscriber GUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- PEM GUI request
Impact:
PEM subscriber GUI does not follow current best practices.
Workaround:
N/A
Fix:
PEM subscriber GUI now follows current best practices.
Fixed Versions:
16.1.2.2
946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'&start;
Links to More Info: BT946185
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
943669-4 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
15.1.2, 16.1.2.2
943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
16.1.2.2
941625-3 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
15.1.4, 16.1.1
940261-1 : Support IPS package downloads via HTTP proxy.
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
16.1.2.2
939877-3 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2
936441-7 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
16.1.2.2
935249-3 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
15.1.5, 16.1.2.1
935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Links to More Info: BT935177
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
Fixed Versions:
16.1.2.2
932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
932133-1 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
929909-3 : TCP Packets are not dropped in IP Intelligence
Links to More Info: BT929909
Component: Advanced Firewall Manager
Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets
Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned
Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.
Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.
Fixed Versions:
16.1.2.2
929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade&start;
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
All installed package management LX such as AS3, DO, telemetry, failover extension, service discovery are available after upgrade
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
926845-7 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
16.1.2.2
924945-5 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
15.1.3, 16.0.1.2, 16.1.1
923221-8 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm.
Fixed Versions:
16.1.2.2
922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'&start;
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
922105-1 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
921697-1 : Attack signature updates fail to install with Installation Error.&start;
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
16.1.2.1
921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
15.1.4, 16.1.2
920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1
919301-1 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
915981-4 : BIG-IP SCP hardening
Component: TMOS
Symptoms:
Under certain conditions SCP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SCP file transfer
Impact:
BIG-IP do not follow current best practices for filesystem protection.
Workaround:
N/A
Fix:
All filesystem protections now follow best practices.
Fixed Versions:
16.1.2.2
915773-7 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
913413-1 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.
Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message
Impact:
TCL error log is shown and connection is aborted
Workaround:
None
Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.
Impact:
User may not be able to use related iRule command properly.
Workaround:
None
Fix:
Tmsh help page for GTP iRule is updated
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
913085-6 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
16.1.2.2
912253-2 : Non-admin users cannot run show running-config or list sys
Links to More Info: BT912253
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
16.1.2.2
912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
911141-1 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
Fixed Versions:
16.1.2.1
910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
16.1.2.2
909161-1 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
907549-6 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
15.1.0.5, 16.1.2.2
907025-5 : Live update error" 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
902377-4 : HTML profile forces re-chunk even though HTML::disable
Links to More Info: BT902377
Component: Local Traffic Manager
Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.
Conditions:
Using HTML::disable in an HTTP_RESPONSE event.
Impact:
The HTML profile still performs a re-chunk.
Workaround:
None.
Fixed Versions:
16.1.2.2
901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
16.1.2.2
898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
895557-5 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
888289-8 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
887117-4 : Invalid SessionDB messages are sent to Standby
Links to More Info: BT887117
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
Fixed Versions:
15.1.4.1, 16.1.1
885765-1 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
Fix:
Now detecting and rectifying truncation of RRD files.
Fixed Versions:
16.1.2.2
882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors&start;
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Fixed Versions:
16.1.2.2
881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.
Links to More Info: BT876677
Component: Global Traffic Manager (DNS)
Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:
notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.
Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is pathologically slow or malfunctioning
Impact:
TMM crashes and, in redundant configurations, the unit fails over.
Workaround:
Do not use the debug TMM.
Fix:
The debug assert was removed and replaced by a debug log.
Fixed Versions:
16.1.2.2
874941-4 : HTTP authentication in the access policy times out after 60 seconds
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
16.1.2.2
873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
16.1.2.2
858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent
Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE
Fixed Versions:
16.1.2.2
854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
Fixed Versions:
16.1.2.2
844045-4 : ASM Response event logging for "Illegal response" violations.
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).
Fixed Versions:
16.1.2.2
842013-1 : ASM Configuration is Lost on License Reactivation&start;
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
16.1.2.2
830361-9 : CVE-2012-6711 Bash Vulnerability
Links to More Info: K05122252
830341-5 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint
Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, ASM system does not trigger false positives.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
828761-5 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as RDG proxy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
14.1.4.5, 16.1.2.1
818889-1 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
16.1.2.2
805821-1 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
803109-4 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
Fixed Versions:
16.1.2.2
794385-6 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
Fix:
BGP session is no longer reset during CMP state change.
Fixed Versions:
16.1.2.2
755976-9 : ZebOS might miss kernel routes after mcpd deamon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
16.1.2.2
749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
Fixed Versions:
14.1.4.4, 15.1.5, 16.1.2.1
742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
Fix:
CSRF checks based on HTTP headers pre-logon have been improved.
Fixed Versions:
16.1.2.2
738593-3 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client or browser.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not showed on webtop or native client.
Workaround:
N/A
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop or native client.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
16.1.2.2
713754-3 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
708991-1 : Newly entered password is not remembered.
Links to More Info: BT708991
Component: TMOS
Symptoms:
- Upon enabling password remember feature and running 'tmsh load sys config default', the password history fails to verify and save the newly entered password.
- Upon installing a BIG-IP image for the first time, the default password is not updated.
Conditions:
- Installing first time BIG-IP image.
- Resetting the configuration using 'tmsh load sys config default'.
Impact:
The password is not remembered.
Workaround:
N/A
Fix:
Corrected selinux policy script of the file /etc/security/opasswd for access permission.
Fixed Versions:
16.1.2
686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
Normalized the URL before putting in the custom database.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
672963-1 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
16.1.2.2
669046-7 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.
Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.
You can use tmsh/bash to view audit logs larger than 10,000 lines.
Fixed Versions:
16.1.2.2
528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
15.1.5, 16.1.2.2
423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
16.1.2.2
1087201-6 : OpenSSL Vulnerability: CVE-2022-0778
Links to More Info: K31323265
1083989-1 : TMM may restart if abort arrives during MBLB iRule execution
Links to More Info: BT1083989
Component: Local Traffic Manager
Symptoms:
"Unallocated flow while polling for rule work. Skipping." is logged in /var/log/ltm.
*or*
"flow in use" assert fails causing TMM to restart.
Conditions:
- Virtual using MBLB proxy.
- iRule with LB_SELECTED, CLIENT_CLOSED, and SERVER_CLOSED events.
- client connection is aborted while LB_SELECTED is queued for execution.
Impact:
TMM may restart unexpectedly.
Workaround:
Remove LB_SELECTED event from the iRule, if feasible.
Fix:
The MBLB proxy now correctly handles being aborted when it has iRule events queued for execution.
Fixed Versions:
16.1.2.2
1083537 : FIPS 140-3 Certification
Links to More Info: BT1083537
Component: TMOS
Symptoms:
For FIPS 140-3 Certification
Conditions:
This applies to systems requiring FIPS 140-3 Certification.
Impact:
BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
Workaround:
None
Fix:
Apply this fix to ensure that the system is compliant with FIPS 140-3 Certification.
Fixed Versions:
16.1.2.2
1082885-1 : MR::message route virtual asserts when configuration changes during ongoing traffic
Links to More Info: BT1082885
Component: Service Provider
Symptoms:
MR::message route virtual causes TMM to crash / panic when the configuration changes during ongoing traffic. This is due to
an invalid validation of the TYPEIDs when mis-matched virtual servers / proxies are identified because of the configuration change.
Conditions:
A BIG-IP configuration change is made while passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Fix:
With the fix, proper validation of the Proxy TYPEIDs will make the server to gracefully close the connection when PROXIES TYPEIDs mismatch is detected and a relevant error log is printed in the ltm logs as well.
Fixed Versions:
16.1.2.2
1080341-4 : Changing an L2-forward virtual to any other virtual type might not update the configuration.
Links to More Info: BT1080341
Component: Local Traffic Manager
Symptoms:
Changing an L2-forward virtual-server to any other virtual-server type might not update the saved configuration.
Conditions:
Changing an L2-forward virtual-server to any other virtual-server type.
Impact:
Traffic still behaves as if L2-forward virtual-server is configured.
Workaround:
Remove and re-create the affected virtual-server.
Fixed Versions:
16.1.2.2
1078721-1 : TMM may consume excessive resources while processing ICAP traffic
Component: Service Provider
Symptoms:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Conditions:
ICAP profile enabled
Impact:
Undisclosed ICAP traffic may cause an increase in TMM resource utilization.
Workaround:
N/A
Fix:
TMM does not consume excessive resources while processing ICAP traffic.
Fixed Versions:
16.1.2.2
1078053-1 : TMM may consume excessive resources while processing STEAM traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing traffic with a STREAM profile
Conditions:
- STEAM profile enabled
Impact:
Excessive resource consumption potentially leading to reduced performance or a failover event
Workaround:
N/A
Fix:
TMM now processes STREAM traffic as expected.
Fixed Versions:
16.1.2.2
1077281-2 : Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages
Component: Application Security Manager
Symptoms:
When a policy contains an individual login page in session tracking, the exported xml policy fails to be imported back due to error “Malformed XML: Could not resolve foreign key dependence”.
Conditions:
The policy contains an individual login page in session tracking and the policy is exported in xml format
Impact:
Import the policy fails with an error: "Could not resolve foreign key dependence”.
Workaround:
This occurs when using XML format only, so you can use binary export/import
Fix:
XML export/import now will work also if policy contains an individual login page in session tracking
Fixed Versions:
16.1.2.2
1076401-5 : Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec.
Links to More Info: BT1076401
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak leading to TMM running out of free memory.
Conditions:
-- Dnssec.maxnsec3persec set to non-default value (default 0 - unlimited).
-- Number of DNS requests leading to NSEC3 responses goes above the limit of dnssec.maxnsec3persec.
Impact:
TMM runs out of memory.
Workaround:
Set dnssec.maxnsec3persec to 0.
Fix:
N/A
Fixed Versions:
16.1.2.2
1076377-3 : OSPF path calculation for IA and E routes is incorrect.
Links to More Info: BT1076377
Component: TMOS
Symptoms:
--OSPF path calculation for IA and E routes is incorrect.
--E2 route might be preferred over E1 route.
--Cost calculation for IA routes is incorrect.
Conditions:
Mixing E2/E1 routes and IA routes with different cost.
Impact:
Wrong route is installed.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1075205-1 : Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.
Links to More Info: BT1075205
Component: Local Traffic Manager
Symptoms:
Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client.
Conditions:
iRule similar to:
ltm rule REDIRECT {
when HTTP_REQUEST {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
TCP::close
}
Impact:
Redirect/response not delivered to the client.
Workaround:
Remove TCP::close from an iRule.
Fix:
N/A
Fixed Versions:
16.1.2.2
1074113-1 : IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer
Links to More Info: BT1074113
Component: TMOS
Symptoms:
When disabling an ike-peer, sometimes the traffic-selector is not marked "down" in one or both directions.
Conditions:
All the following must be true
-- IKEv2 IPsec tunnel
-- A nonzero value for ipsec.pfkey.load, ipsec.sp.migrate and ipsec.sp.owner is set.
-- During the life of the SA the tunnel was migrated to another tmm owner.
The final point is not normally visible unless debug2 logging is enabled on ike-daemon.
Impact:
Cosmetic. The traffic selector is incorrectly reported as up for one or both directions.
Workaround:
The selector state cannot be changed unless it goes up/down again. There is no way to manually fix it.
Fix:
Disabling an ike-peer config object will correctly mark the associated traffic-selector down.
Fixed Versions:
16.1.2.2
1073973-1 : Gateway HTTP/2, response payload intermittently not forwarded to client.
Links to More Info: BT1073973
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 requests through a Gateway HTTP2 (HTTP2 clientside/HTTP1 serverside, no MRF) stall, with:
- the BIG-IP receives a request and forwards it to the server
- the server responds with both headers and response body
- the BIG-IP forwards the response headers back to the client
- the BIG-IP does not forward the response body to the client
Conditions:
-- BIG-IP virtual server configured with an HTTP/2 profile on both the client side and server side
-- A high number of HTTP/2 requests traverse the HTTP/2 connection
Impact:
HTTP response body is not forwarded to the client from the BIG-IP system.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1072953-2 : Memory leak in traffic management interface.
Links to More Info: BT1072953
Component: Local Traffic Manager
Symptoms:
When configuration objects that use a traffic management interface are modified, they leave behind orphaned objects. The memory leak can become significant over time if there are frequent config changes.
Conditions:
Request logging profile attached to a VIP.
Impact:
TMM uses more memory than it should.
Workaround:
Restart tmm to free the memory, avoid making frequent configuration changes to virtual servers that contain request logging profiles.
Fix:
Traffic management interface no longer leaks memory.
Fixed Versions:
16.1.2.2
1072733-4 : Protocol Inspection IM package hardening
Component: Protocol Inspection
Symptoms:
Protocol Inspection IM packages do not follow current best practices.
Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP
Impact:
Protocol Inspection IM packages do not follow current best practices.
Workaround:
N/A
Fix:
Protocol Inspection IM packages now follows current best practices.
Fixed Versions:
16.1.2.2
1072237-1 : Retrieval of policy action stats causes memory leak
Links to More Info: BT1072237
Component: TMOS
Symptoms:
When a virtual server with an L7 policy is present, the tmsh show ltm policy command triggers a memory leak.
Conditions:
The tmsh show ltm policy command is executed when a virtual server with an L7 policy attached is present.
Impact:
Memory leak for umem_alloc_16 cur_allocs for each request for
each request of tmsh show ltm policy
Workaround:
None
Fix:
Umem_alloc_16 cur_allocs no longer leaking memory.
Fixed Versions:
16.1.2.2
1072197-1 : Issue with input normalization in WebSocket.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations might not be triggered in WebSocket scenario.
Conditions:
- ASM handles WebSocket flow.
- Malicious WebSocket message contains specific characters.
Impact:
Attack detection is not triggered as expected.
Workaround:
N/A
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
16.1.2.2
1072057-1 : "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy.
Links to More Info: BT1072057
Component: Advanced Firewall Manager
Symptoms:
The GUI incorrectly displays the sources address in certain conditions.
1. If the source address of a firewall policy is not empty (that is, some specific IP addresses available to the rule), the word "Any" is displayed.
2. If the source address is empty (that is, no specific IP addresses exist), nothing (empty) is displayed.
Conditions:
Viewing a firewall policy in the GUI via Security > Firewall > policy.
Impact:
No functional impact
Workaround:
N/A
Fix:
Fixed a display issue with the source address field.
Fixed Versions:
16.1.2.2
1071609-2 : IPsec IKEv1: Log Key Exchange payload in racoon.log.
Links to More Info: BT1071609
Component: TMOS
Symptoms:
The key exchange payload is not logged to the IPsec logs.
Conditions:
The issue is observed during IKEv1 tunnel establishment.
Impact:
If you are investigating the IKEv1 key calculation, the key exchange payload information will not be available.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1071593-4 : TMM may crash while processing TLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TLS traffic.
Conditions:
- SSL profile enabled
- Client certificate auth enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes TLS traffic as expected.
Fixed Versions:
16.1.2.2
1071585-1 : BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode
Links to More Info: BT1071585
Component: Local Traffic Manager
Symptoms:
BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode in Virtual Edition platforms.
Conditions:
Configure network in virtual wire mode in VADC pltaform
Impact:
Virtual server traffic is disrupted.
Workaround:
None
Fix:
Fix for the ARP not getting resolved when BIG-IP is configured with selfip on vwire's while redirecting to a different tmm.
Fixed Versions:
16.1.2.2
1071449-4 : Statsd memory leak on platforms with license disabled processors.
Links to More Info: BT1071449
Component: Local Traffic Manager
Symptoms:
Memory usage in statsd will continue to grow until the control-plane is out of memory.
Conditions:
This issue occurs when the license on the BIG-IP disables some of the processors.
Impact:
Statsd may consume excessive memory causing OOM killer activity.
Workaround:
Restart statsd periodically.
Fix:
Statsd no longer leaks memory.
Fixed Versions:
16.1.2.2
1071365-5 : iControl SOAP WSDL hardening
Component: TMOS
Symptoms:
Under certain conditions iControl SOAP does not follow best practices for WSDL processing.
Conditions:
- Authenticated administrative user
- WSDL processing
Impact:
iControl SOAP does not follow current best practices.
Workaround:
N/A
Fix:
iControl SOAP now processes WSDL files according to current best practices.
Fixed Versions:
16.1.2.2
1071181-2 : Improving Signature Detection Accuracy
Component: Anomaly Detection Services
Symptoms:
BADOS generates signatures have up to 20% false positive if the signature covers 100% of bad traffic.
Conditions:
The attack signature generated covers all bad traffic.
Impact:
BADOS generates false positives
Workaround:
None
Fix:
This feature has been removed.
Fixed Versions:
16.1.2.2
1070677-1 : Learning phase does not take traffic into account - dropping all.
Component: Protocol Inspection
Symptoms:
Suggestions are generated every suggestion interval and every suggestion interval suggestions are overriding, so the last suggestion is considered after the staging period is completed.
Conditions:
Once the start of staging period, suggestions will override every time until the staging period completes.
Impact:
IPS learning phase, which lasts the default 7 days, sees a ton of traffic from websites hitting against signatures, but at the end of the 7 days it blocks all signatures and causes an outage.
Workaround:
N/A
Fix:
We now make the decision based on the overall suggestions that are generated during the staging period instead of the last suggestion.
Fixed Versions:
16.1.2.2
1070273-1 : OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly.
Component: Application Security Manager
Symptoms:
On OWASP dashboard, both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly on the xml-profile allowDTD field.
Conditions:
Open the OWASP page for any non-parent/child security policy, (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under A4 category, and for 2021 under A5 category.
Impact:
Actual OWASP compliance for this protection can be different from the one shown by the GUI.
Workaround:
The actual conditions that satisfy the Disallow DTDs in XML content profile protection are:
1. 'XML data does not comply with format settings' violation should be set to alarm+block.
2. 'Malformed XML data' violation should be set to alarm + block.
3. No XML content profile in the policy is set so that allowDTDs to true.
Fix:
Scoring calculation was changed: Now score will be given only if no XML content profile in the policy has allowDTDs field set as true.
Fixed Versions:
16.1.2.2
1070009 : iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform
Links to More Info: BT1070009
Component: TMOS
Symptoms:
32 bit applications (iprepd, icr_eventd and tmipsecd) uses clock_gettime to gather the time which causes the restart of applications. This issue occurs only in Azure and Google Cloud platform when FIPS 140 license is installed.
Conditions:
- Occurs only in Azure and Google Cloud platform
-32 bit applications (iprepd, icr_eventd and tmipsecd) which uses clock_gettime to gather the time for generating entropy data
- A FIPS 140 license is installed
Impact:
Applications restart continuously.
Workaround:
None.
Fix:
32-bit applications does not restart continuously while using clock_gettime to generate entropy data when FIPS 140 license is installed.
Fixed Versions:
16.1.2.2
1069629-4 : TMM may crash while processing TLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may crash while processing TLS traffic.
Conditions:
- SSL profile
- Client certificates enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes TLS traffic as expected.
Fixed Versions:
16.1.2.2
1069501-1 : ASM may not match certain signatures
Component: Application Security Manager
Symptoms:
Under certain condition, ASM may not match signatures as expected.
Conditions:
- base64 violations not configured for blocking
Impact:
Signatures not matched as expected.
Workaround:
Illegal base64 value violation should be set to blocking.
This way if Base64 decoding fails the requests gets blocked.
Fix:
ASM now processes signature as expected.
Fixed Versions:
16.1.2.2
1069449-1 : ASM attack signatures may not match cookies as expected
Component: Application Security Manager
Symptoms:
Under certain conditions ASM attack signatures may not match cookies as expected.
Conditions:
- Specially crafted cookies
Impact:
Attack signatures are not detected as expected.
Workaround:
N/A
Fix:
ASM attack signatures now match cookies as expected.
Fixed Versions:
16.1.2.2
1069133-4 : ASMConfig memory leak.
Links to More Info: BT1069133
Component: Application Security Manager
Symptoms:
A slow leak exists for long-lived asm_config_handler processes that handle configuration updates.
Conditions:
Configuration updates are being regularly made.
Impact:
Processes slowly grow in size until they reach a limit and restart themselves.
Workaround:
N/A
Fix:
The slow leak has been fixed.
Fixed Versions:
16.1.2.2
1068561-1 : Can't create key on the second netHSM partition.
Links to More Info: BT1068561
Component: Local Traffic Manager
Symptoms:
While trying to create a key pair in a second partition, the key creation fails.
Conditions:
-- Multiple partitions are used
-- Attempt to create a key with the second partition
Impact:
Unable to use multiple netHSM partitions.
Workaround:
N/A
Fix:
Corrected session handle able to create keys in second partition.
Fixed Versions:
16.1.2.2
1068353-1 : Unexpected event sequence may cause HTTP/2 flow stall during shutdown
Component: Local Traffic Manager
Symptoms:
HTTP/2 flows may stall during shutdown, eventually being freed by expiration or reset from the TCP peer.
Conditions:
HTTP/2 configured
Impact:
Flows may be retained longer than expected and continue to consume system resources until expired or reset by the TCP peer.
Workaround:
None
Fix:
Shutdown events are now handled correctly for HTTP/2 flows.
Fixed Versions:
16.1.2.2
1068237-1 : Some attack signatures added to policies are not used.
Links to More Info: BT1068237
Component: Application Security Manager
Symptoms:
Some attack signatures added to an existing signature set may not be utilized by Policies associated with the signature set, despite the attack signatures being reported as now present in the Policies.
Conditions:
1. Have one or more policies utilizing a manual attack signature set.
2. Update the attack signature database by installing an ASU or creating a custom attack signature.
3. Update the previously created manual attack signature set with one or more attack signatures which were not updated by the ASU (if ASU installed) or are not the newly created custom attack signature (if new custom signature created).
Impact:
The additional attack signatures added to the attack signature set will show up in the Policies utilizing the signature set however the Policies will not actually use those additional attack signatures.
Workaround:
There are two workarounds:
1. When adding additional attack signatures to a Policy, place them in a new attack signature set rather than re-using an existing signature set.
2. If adding signatures to an existing set, afterwards create a new custom attack signature, add it to a new manual attack signature set, add the set to any active policy and then remove the set from the policy (the set and signature can then be deleted if desired).
Both workarounds will result in all attack signatures listed as present in all Policies being fully and properly utilized by the Policies.
Fix:
N/A
Fixed Versions:
16.1.2.2
1067617-4 : BGP default route not advertised after mid-session OPEN.
Links to More Info: BT1067617
Component: TMOS
Symptoms:
After BGP peer opens a new session with BIG-IP in the middle of the existing session and the session is dropped, BIG-IP does not send default route NLRI to the peer when the new session is established.
Conditions:
Mid-session OPEN (Event 16 or Event 17 per RFC spec).
Impact:
Default route is missing on a BGP peer.
Workaround:
Clear the BGP session manually.
Fix:
N/A
Fixed Versions:
16.1.2.2
1067285-1 : Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.'
Component: Application Security Manager
Symptoms:
F5 Networks, Inc.
F5 Networks Inc.
F5 Networks appear as F5, Inc.
Conditions:
NA
Impact:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Workaround:
NA
Fix:
F5 Networks, Inc
F5 Networks
F5 Networks Inc will appear as F5, Inc to the end user, be it online help, or any ASM related screens.
Fixed Versions:
16.1.2.2
1066829-1 : Memory leak for xml/json auto-detected parameter with signature patterns.
Component: Application Security Manager
Symptoms:
A memory leak is observed in ASM when specific traffic arrives.
Conditions:
A request contains a JSON parameter value with the signature pattern.
Impact:
Memory leak in the system.
Workaround:
N/A
Fix:
No memory leak observed after the fix.
Fixed Versions:
16.1.2.2
1066729-1 : TMM may crash while processing DNS traffic
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions TMM may crash while processing DNS traffic.
Conditions:
- DNS profile enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes DNS traffic as expected.
Fixed Versions:
16.1.2.2
1066377-1 : OpenAPI - Content profile is not consistent with wildcard configuration
Component: Application Security Manager
Symptoms:
A content profile is created with an inconsistent order for wildcard content types.
Conditions:
-- Create OpenAPI policy
-- Configure any endpoint with multiple wildcard content types
Impact:
HTTP request body is not enforced properly
Workaround:
None
Fix:
Fix provided to create content profile with proper order for wild card content type
Fixed Versions:
16.1.2.2
1066285-4 : Master Key decrypt failure - decrypt failure.
Links to More Info: BT1066285
Component: TMOS
Symptoms:
After MCPD restarts or the system reboots:
-- the system is inoperative and MCPD may be restarting
-- the logs report this error:
err mcpd[12444]: 01071769:3: Decryption of the field (value) for object (config.auditing.forward.sharedsecret) failed while loading configuration that is encrypted with a different master key.
-- the system may be reporting this error:
load_config_files[5635]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
This may occur during a system upgrade.
Conditions:
When config.auditing.forward.sharedsecret is encrypted and masterkey value is changed.
Impact:
MCPD will continuously restart, and the system will remain inoperative.
Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:
- tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'
After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:
setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"
Fix:
N/A
Fixed Versions:
16.1.2.2
1065789-1 : TMM may send duplicated alerts while processing SSL connections
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may send duplicated SSL alerts while processing encrypted connections.
Conditions:
- Fatal SSL error
Impact:
Increased resource usage, potentially leading to degraded performance.
Workaround:
N/A
Fix:
SSL alerts are now processed as expected.
Fixed Versions:
15.1.5, 16.1.2.1
1065585-1 : System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition
Links to More Info: BT1065585
Component: TMOS
Symptoms:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur.
Conditions:
Multiple FIPS/entropy errors on BIG-IP Virtual Edition system.
Impact:
BIG-IP Virtual Edition keeps running even after multiple FIPS/entropy errors occur
Workaround:
None
Fix:
System should halt after the threshold number of FIPS/entropy errors occue
Fixed Versions:
16.1.2.2
1064669-1 : Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash.
Links to More Info: BT1064669
Component: Local Traffic Manager
Symptoms:
TMM crashes if an iRule is configured that has HTTP::enable in the RULE_INIT event.
Conditions:
iRule that uses HTTP:enable command in RULE_INIT event, for example:
ltm rule example_rule {
when RULE_INIT {
# Don't do this!
HTTP::enable
}
}
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use the HTTP::enable iRule command in the RULE_INIT event.
Fix:
N/A
Fixed Versions:
16.1.2.2
1064617-1 : DBDaemon process may write to monitor log file indefinitely
Links to More Info: BT1064617
Component: Local Traffic Manager
Symptoms:
If debug logging is enabled for a database monitor (mssql, mysql, postgresql or oracle), the DBDaemon process may write to a monitor log file indefinitely, including after the monitor log file is rotated and/or deleted.
Conditions:
This problem may occur when:
- using a database monitor (mssql, mysql, postgresql or oracle) which is configured with the "debug" value set to "yes"
- using a database monitor (mssql, mysql, postgresql or oracle) for a pool member which is configured with the "logging" set to "enabled"
Impact:
The DBDaemon process may write debug logging messages to the affected monitor log file indefinitely, including after the monitor log file has been rotated and/or deleted.
As a result, storage in the /var/log volume may be consumed to the point that other logging cannot be performed, and the BIG-IP instance may be restarted/rebooted.
Workaround:
To work around this issue, restart the DBDaemon process.
To find the PID of the DBDaemon process, observe the output of the following command:
ps -ef |grep -v grep | grep DB_monitor.jar | awk '{print($2)}'
To confirm whether the DBDaemon process is writing to a monitor log file, and if so, which file:
lsof -p $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}') | grep -e COMMAND -e '/var/log/monitors'
To kill the DBDaemon process:
kill $(ps -ef | grep -v grep | grep DB_monitor.jar | awk '{print($2)}')
NOTE:
Killing the DBDaemon process will cause a short-term loss of database monitoring functionality, until DBDaemon is restarted by the next database monitor probe.
Fixed Versions:
16.1.2.2
1064461-4 : PIM-SM will not complete RP registration over tunnel interface when floating IP address is used.
Links to More Info: BT1064461
Component: TMOS
Symptoms:
PIM-SM will not complete rendezvous point (RP) registration over the tunnel interface when a floating IP address is used (ip pim use-floating-address). Join/prune from RP gets dropped on BIG-IP when doing local-address validation.
BIG-IP never completes registration successfully.
Conditions:
RP registration over tunnel interface when floating IP address is used.
Impact:
BIG-IP never completes registration and outgoing packets are register-encapsulated.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1064217-1 : Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Links to More Info: BT1064217
Component: Carrier-Grade NAT
Symptoms:
Port bits are not set as expected in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T.
Conditions:
This occurs in a MAP-T configuration.
Impact:
MAP-T port translation does not work as expected.
Workaround:
N/A
Fix:
Fixed an issue with the port bit not being set correctly.
Fixed Versions:
16.1.2.2
1064189-1 : DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning
Component: Global Traffic Manager (DNS)
Symptoms:
Dns Over HTTPS (DOH) is allowed to work without a clientssl profile on clientside. Setting it to none disables the DNS resolution via the HTTPS protocol.
Conditions:
- Selecting "None" in Client SSL Profile and Server SSL Profile in DOH Server Listener and DOH Proxy Listener from GUI
Impact:
An error occurs:
GUI: 01020036:3: The requested profile (/Common/NO_SELECTION) was not found.
TMSH: 01070734:3: Configuration error: In Virtual Server (/Common/mydohproxylistener) http2 specified activation mode requires a client ssl profile
Workaround:
None
Fixed Versions:
16.1.2.2
1064157-1 : Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows
Links to More Info: BT1064157
Component: Local Traffic Manager
Symptoms:
In a VIP-on-VIP (looped) situation, HTTP on one virtual server uses/reuses an existing 'http_proxy_opaque' whilst still in use by another virtual server that causes unexpected state changes in the opaque which may cause tmm to core.
Conditions:
-- Explicit Forward Proxy SSL Orchestrator, in other words an L3 Explicit Proxy which is usually deployed in a VIP on VIP configuration
-- Hostname resolution using explicit 'RESOLV::lookup' iRule in HTTP_PROXY_REQUEST on the explicit/client-facing VIP
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
16.1.2.2
1063453-1 : FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets.
Links to More Info: BT1063453
Component: Local Traffic Manager
Symptoms:
Tmm crashes while passing IPv4-to-IPv6 traffic over FastL4.
Conditions:
-- A FastL4 virtual server translates between IPv4 and IPv6.
-- Fragment reassembly is not enabled in the FastL4 profile.
-- A feature requiring asynchronous completion is configured including: asynchronous irules on LB events (LB_SELECTED, LB_FAILED, LB_PERSIST_DOWN, LB_QUEUED, SA_PICKED), persistence, sessiondb operations, HA, virtual rate limiting.
Impact:
All traffic is disrupted while the TMM restarts.
Workaround:
Configure the FastL4 profile to always reassemble fragments.
Fixed Versions:
16.1.2.2
1062513-4 : GUI returns 'no access' error message when modifying a GTM pool property.
Links to More Info: BT1062513
Component: Global Traffic Manager (DNS)
Symptoms:
When you modify a GTM pool property and then click "Update," the next page displays the error message "No access."
When you modify GTM pool properties using the GUI, the properties do not update or display.
Conditions:
This occurs when you modify a GTM pool property using the GUI.
Impact:
You cannot change a GTM pool property using the GUI.
Workaround:
Use TMSH to change the GTM pool property.
OR
Click on "Update" a second time in the GUI.
Fix:
N/A
Fixed Versions:
16.1.2.2
1062333-6 : Linux kernel vulnerability: CVE-2019-19523
Component: TMOS
Symptoms:
A flaw was found in the Linux kernel’s implementation for ADU devices from Ontrak Control Systems, where an attacker with administrative privileges and access to a local account could pre-groom the memory and physically disconnect or unload a module.
Conditions:
The attacker must be able to access either of these two events to trigger the use-after-free, and then race the access to the use-after-free, to create a situation where key USB structs can be manipulated into corrupting memory.
Impact:
An attacker could pre-groom the memory and physically disconnect or unload a module.
Workaround:
N/A
Fix:
Kernel patched to mitigate CVE-2019-19523
Fixed Versions:
16.1.2.2
1061797-1 : Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2
Component: TMOS
Symptoms:
For AWS's CloudFormation to work with IMDSv2, the Helper Script module had to be upgraded.
Conditions:
Using AWS CloudFormation for IMDSv2-only instances
Impact:
The Helper scripts throw a "No Handler found" error when used to launch IMDSv2 instances
Fix:
With the latest version of BIG-IP VE, you can now launch IMDSv2 instances using AWS's CloudFormation templates.
Fixed Versions:
16.1.2.2
1061617-4 : Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters".
Component: Application Security Manager
Symptoms:
The following Attack Signatures are not identified if "Handle Path Parameters" = "As Parameters".
200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Conditions:
- Configure "Handle Path Parameters" = "As Parameters"
- Enable URL attack signatures 200001660, 200001663, 200007032, 200101543, 200101632, 200101635, 200101638, 200101641, 200101644
Impact:
Some URL attack signatures are not detected by ASM.
Fixed Versions:
16.1.2.2
1060933-1 : Issue with input normalization.
Component: Application Security Manager
Symptoms:
Under certain conditions, attack signature violations may not be triggered.
Conditions:
- ASM provisioned with XML content profile
- Request contains XML body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
16.1.2.2
1060625-1 : Wrong INTERNAL_IP6_DNS length.
Links to More Info: BT1060625
Component: TMOS
Symptoms:
Tunnel establishment fails when an IPv6 DNS IP address is provided in the IKE_AUTH payload. As per RFC it should be 16 octets, but BIG-IP sends 17 octets(that is, it tries to provide the subnet info also).
Conditions:
Initiator requests an IPv6 DNS IP during tunnel negotiation.
Impact:
Tunnel will not establish.
Workaround:
None
Fix:
The INTERNAL_IP6_DNS payload is now filled with only the IPv6 address (the subnet is excluded).
Fixed Versions:
16.1.2.2
1060409-2 : Behavioral DoS enable checkbox is wrong.
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS Enabled indicator is wrongly reported after configuration change, when no traffic is injected to the virtual server.
Conditions:
Behavioral DoS is enabled and then disabled when no traffic is injected to the virtual server.
Impact:
After server health is stabilized and constant, the BIG-IP system doesn't report the configuration changes.
Workaround:
Send 1-2 requests to the server and the configuration will be updated.
Fix:
Behavioral DoS enabled/disabled flag is now reported correctly.
Fixed Versions:
16.1.2.2
1060149-2 : BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host.
Links to More Info: BT1060149
Component: TMOS
Symptoms:
-- Interfaces in the vCMP guest may remain uninitialized.
-- 'Invalid VCMP PDE state version' log in /var/log/tmm*.
Conditions:
-- BIG-IP i5xxx/i7xxx/i10xxx/i11xxx platform.
-- vCMP provisioned.
-- turboflex-adc profile selected.
Impact:
Affected guest is non-functional.
Workaround:
Use the turboflex-base profile.
Fix:
N/A
Fixed Versions:
16.1.2.2
1059853 : Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.&start;
Links to More Info: BT1059853
Component: TMOS
Symptoms:
Tmsh load sys config/tmsh load sys config verify takes much longer (~10x).
Conditions:
While loading config tmsh load sys config verify.
Impact:
Configuration loading takes a long time (more than 8 minutes).
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1059621-2 : IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs.
Component: Application Security Manager
Symptoms:
IP Exceptions/SSRF does not work as expected if the same IPs are configured in both IP Exception and SSRF.
Conditions:
- Enable XFF Header.
- Configure same IP/IPs in both SSRF and IP Exceptions.
- Send traffic with xff header and URI parameter.
Impact:
One of the IP Exceptions or SSRF features do not work as expected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1059185-1 : iControl REST Hardening
Component: TMOS
Symptoms:
Under certain conditions iControl REST does not follow current best practices.
Conditions:
- Authenticated administrative user
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
16.1.2.2
1059165-1 : Multiple virtual server pages fail to load.
Links to More Info: BT1059165
Component: TMOS
Symptoms:
Virtual server-related pages fail to load in the GUI.
Conditions:
This issue is observed only when the DOS module is provisioned.
Impact:
Virtual server properties do not load.
Workaround:
None
Fix:
Virtual Server pages now load successfully.
Fixed Versions:
16.1.2.2
1059053-2 : Tmm crash when passing traffic over some configurations with L2 virtual wire
Links to More Info: BT1059053
Component: Local Traffic Manager
Symptoms:
In very rare cases, tmm crashes while passing traffic over some configurations with L2 virtual wire.
Conditions:
-- L2 wire setup
-- A routing error occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified code to prevent such crashes.
Fixed Versions:
16.1.2.2
1058677-2 : Not all SCTP connections are mirrored on the standby device when auto-init is enabled.
Links to More Info: BT1058677
Component: TMOS
Symptoms:
When auto-init is enabled, Not all SCTP connections are mirrored to the standby device.
Conditions:
-- SCTP Profile and Mirroring.
-- Auto initialization is enabled.
Impact:
Only half of the connections are mirrored to the standby device.
Workaround:
Disable auto initialization:
tmsh modify ltm message-routing diameter peer <affected_peer> { auto-initialization disabled }
Fix:
SCTP connections are mirrored successfully to standby device.
Fixed Versions:
16.1.2.2
1058469-1 : Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working.
Links to More Info: BT1058469
Component: Local Traffic Manager
Symptoms:
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic.
Upon inspecting the log, entries similar to the following examples may be noticed:
==> /var/log/tmm <==
<13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0
==> /var/log/ltm <==
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY.
Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN
Conditions:
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.
Impact:
Traffic outage as the affected virtual server(s) no longer passes any traffic.
Workaround:
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service.
To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).
Fix:
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.
Fixed Versions:
16.1.2.2
1058401-1 : SSL Bypass does not work for inbound traffic
Links to More Info: BT1058401
Component: SSL Orchestrator
Symptoms:
Per-request policy's SSL Bypass Set agent does not bypass TLS traffic for inbound topology.
Conditions:
-- SSL Orchestrator is licensed and provisioned.
-- Per-request policy is attached to interception rules and SSL Bypass Set agent is used in the policy.
Impact:
BIG-IP/SSL Orchestrator does not bypass the TLS traffic for inbound topology.
Fix:
SSL Bypass Set agent in the per-request policy now bypasses TLS traffic for inbound topology.
Fixed Versions:
16.1.2.2
1057809-6 : Saved dashboard hardening
Component: TMOS
Symptoms:
Saved dashboards do not follow current best practices.
Conditions:
- Authenticated administrative user
- Saved dashboard
Impact:
Dashboards do not follow current best practices.
Workaround:
N/A
Fix:
Saved dashboards now follow current best practices.
Fixed Versions:
16.1.2.2
1057801-6 : TMUI does not follow current best practices
Component: TMOS
Symptoms:
The TMUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- TMUI request
Impact:
TMUI does not follow current best practices.
Workaround:
N/A
Fix:
TMUI now follows current best practices.
Fixed Versions:
16.1.2.2
1056993-2 : 404 error is raised on GUI when clicking "App IQ."
Component: TMOS
Symptoms:
When the App IQ menu option is clicked in the GUI workflow, (GUI: System ›› Configuration >> App IQ) the result is "Not Found. The requested URL was not found on this server."
Conditions:
Clicking the App IQ menu option in the GUI workflow, GUI: System ›› Configuration >> App IQ.
Impact:
Not able to access App IQ page.
Workaround:
Navigate directly to the following page on your BIG-IP (replacing <BIG-IP> with the IP/hostname of the system):
https://<BIG-IP>/tmui/tmui/system/appiq_ng/views/settings.html
Fix:
N/A
Fixed Versions:
16.1.2.2
1056933-3 : TMM may crash while processing SIP traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may coredump while processing SIP traffic
Conditions:
- SIP ALG is configured
Impact:
TMM crash leading to a traffic interruption and failover event.
Workaround:
By using SIP::discard under specific conditions in SIP_RESPONSE iRule.
Fix:
SIP traffic is now processed as expected.
Fixed Versions:
15.1.5, 16.1.2.2
1056741-2 : ECDSA certificates signed by RSA CA are not selected based by SNI.
Links to More Info: BT1056741
Component: TMOS
Symptoms:
Attempts to select a client-ssl profile based on the certificate subject/SAN will not work for ECDSA certificates if ECDSA cert is signed by RSA CA. Even when the SNI in the client hello matches the certificate subject/SAN, BIG-IP selects the default client SSL profile.
Conditions:
-- ECDSA certificate signed by RSA CA.
-- Client SSL profile does not have "server name" option configured.
Impact:
The desired client-ssl profile is not selected for ECDSA hybrid certificates when the SNI matches the certificate subject/SAN.
Workaround:
Do not use hybrid certificates or configure the "server name" option in the client-ssl profile matching SNI.
Fix:
N/A
Fixed Versions:
16.1.2.2
1056401-4 : Valid clients connecting under active syncookie mode might experience latency.
Links to More Info: BT1056401
Component: Local Traffic Manager
Symptoms:
Valid clients that connect using active syncookie mode might experience latency.
Conditions:
- SYN Cookie (Hardware or Software) is enabled.
- SYN Cookies are activated (TCP Half Open) for the virtual server.
- Fastl4 tcp-generate-isn option or SYN-ACK vector 'suspicious event count' options are enabled.
- SYN Cookie issue and validation with client is correct.
- SSL Client Hello packet sent by client reaches DHD right after TCP SYN packet is sent to backend server.
Impact:
Random connections could be disrupted.
Fix:
N/A
Fixed Versions:
16.1.2.2
1056365-1 : Bot Defense injection does not follow best SOP practice.
Component: Application Security Manager
Symptoms:
In specific cases, Bot Defense challenge does not follow Same Origin Policy.
Conditions:
Bot Defense Profile is attached to VS.
Impact:
In some cases, Bot Defense Injection does not follow Same Origin Policy.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2.2
1055737-1 : TMM may consume excessive resources while processing HTTP/2 traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may consume excessive resources while processing HTTP/2 traffic
Conditions:
- HTTP/2 profile enabled
- Undisclosed conditions
Impact:
Excessive resource consumption potentially leading to decreased performance or a failover event.
Workaround:
N/A
Fix:
TMM now processes HTTP/2 traffic as expected
Fixed Versions:
16.1.2.2
1055361-1 : Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash.
Links to More Info: BT1055361
Component: SSL Orchestrator
Symptoms:
Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a TMM crash.
Conditions:
Suspending iRule command in L7CHECK_CLIENT_DATA
Example:
ltm rule /Common/rule-a {
when L7CHECK_CLIENT_DATA {
after 10000
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Suspending iRule command in L7CHECK_CLIENT_DATA.
Fix:
Fixed a TMM crash.
Fixed Versions:
16.1.2.1
1055097-1 : TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow.
Links to More Info: BT1055097
Component: Local Traffic Manager
Symptoms:
Because the client resends the request, the connection is not lost, but is stalled for a considerable time.
Conditions:
-- virtual server running affected version has both webacceleration and OneConnect profiles.
-- The response has 'Cache-Control: no-cache' header.
Impact:
The stalled connection causes slow response times for application users.
Workaround:
Remove the configuration for either the OneConnect or Caching profile.
Fix:
N/A
Fixed Versions:
16.1.2.2
1052929-4 : MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized.
Links to More Info: BT1052929
Component: Local Traffic Manager
Symptoms:
When MCPD starts, it may log an error message reporting an issue communicating with the onboard FIPS HSM. If the HSM is uninitialized, this message is erroneous, and an be ignored.
Depending on the hardware platform, the message may be one of the following:
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. Please issue 'FIPSutil loginreset -r' followed by 'bigstart restart' for a password reset. You will need your FIPS Security Officer password to reset the password..
err mcpd[12345]: 01b50049:3: FIPSUserMgr Error: An internal login failure is being experienced on the FIPS card. The FIPS card must be reinitialized, which will erase its contents..
Conditions:
-- BIG-IP system with an onboard FIPS HSM, or a vCMP guest running on a BIG-IP system with an onboard FIPS HSM
-- the FIPS HSM is not initialized, i.e. "fipsutil info" reports "FIPS state: -1".
Impact:
This message can be ignored when the FIPS HSM is not in-use, and is uninitialized.
Workaround:
Initialize the FIPS HSM following the instructions in the F5 Platforms : FIPS Administration manual.
Fixed Versions:
16.1.2.2
1052893-4 : Configuration option to delay reboot if dataplane becomes inoperable
Component: TMOS
Symptoms:
When certain system failures occur and the dataplane cannot continue to handle network traffic, the BIG-IP system will automatically reboot. This behavior may restore traffic management, but it may prevent diagnosis of the failure.
Conditions:
Low-level system failure, possibly in HSB SRAM or other hardware
Impact:
Diagnosis of the dataplane failure is hindered.
Workaround:
None
Fix:
A new "sys db" variable "tmm.hsb.dataplanerebootaction" is added. The default value is "enable", which retains the previous behavior of rebooting, if a failure occurs making the dataplane inoperable. The value may optionally be set to "disable", which avoids an immediate system reboot by making the HA action be "go-offline-downlinks".
Fixed Versions:
16.1.2.2
1052173-1 : For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation.
Component: Application Security Manager
Symptoms:
"Matched Disallowed Address" and "Actual Disallowed Address" both are shown as same "Actual Disallowed Address" only.
Conditions:
- configure wildcard SSRF host
Impact:
Misleading SSRF violation details
Workaround:
None.
Fixed Versions:
16.1.2.2
1052169 : Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode
Component: Application Security Manager
Symptoms:
Traffic is blocked on an SSRF violation even though the URI parameter is in staging mode.
Conditions:
-- URI parameter should be in staging mode
-- Traffic contains an SSRF deny-listed host as URI parameter value
Impact:
Traffic is blocked even though the URI parameter is in staging mode
Workaround:
None.
Fixed Versions:
16.1.2.2
1052153-2 : Signature downloads for traffic classification updates via proxy fail
Component: Traffic Classification Engine
Symptoms:
Downloading IM package via proxy fails.
Conditions:
Downloading the IM file through a proxy.
Impact:
Auto-download IM package from f5.com will fail
Workaround:
Disable the proxy and trigger the IM package download from the management interface.
Fix:
Fixed an issue with downloading updates through a proxy.
Fixed Versions:
16.1.2.2
1051797 : Linux kernel vulnerability: CVE-2018-18281
Component: TMOS
Symptoms:
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
Conditions:
A syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap().
Impact:
A stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
Workaround:
N/A
Fix:
Kernel updated to address CVE-2018-18281
Fixed Versions:
16.1.2.2
1051561-7 : iControl REST request hardening
Component: TMOS
Symptoms:
iControl REST does not follow current best practices.
Conditions:
- iControl REST request
Impact:
iControl REST does not follow current best practices.
Workaround:
N/A
Fix:
iControl REST now follows current best practices.
Fixed Versions:
16.1.2.2
1051213-1 : Increase default value for violation 'Check maximum number of headers'.
Links to More Info: BT1051213
Component: Application Security Manager
Symptoms:
Due to recent change in browsers, up to 7 headers are newly inserted in the request.
In ASM, there is default limit of 20 headers. So, when legitimate requests have more than 20 headers, they're blocked with violation "Maximum Number of Headers exceeded".
Conditions:
When the number of headers passed in request is greater than the value of maximum number of headers set, then this violation is raised.
Impact:
Legitimate requests are blocked with violation "Maximum Number of Headers exceeded" when number of header is greater than the value set for the policy (default 20).
Workaround:
Increase "Check maximum number of headers" to 30 under Learning and Blocking settings screen for a policy.
Fix:
Increased default value of maximum number of headers to 30.
Fixed Versions:
16.1.2.2
1051209-1 : BD may not process certain HTTP payloads as expected
Component: Application Security Manager
Symptoms:
Under certain conditions BD may not process HTTP payloads as expected.
Conditions:
- HTTP request
Impact:
Payloads are not processed as expected, potentially leading to missed signature matches.
Workaround:
N/A
Fix:
BD now processes HTTP payloads as expected.
Fixed Versions:
16.1.2.2
1050969-1 : After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid
Links to More Info: BT1050969
Component: SSL Orchestrator
Symptoms:
Running clear-rest-storage removes all the available tokens as well as cookie files from /var/run/pamchache.
Conditions:
Run the clear-rest-storage command.
Impact:
All users are logged out of the GUI.
Workaround:
Re-login.
Fix:
Clear-rest-storage should only remove tokens not cookies.
Fixed Versions:
16.1.2.2
1050697-4 : Traffic learning page counts Disabled signatures when they are ready to be enforced
Component: Application Security Manager
Symptoms:
The traffic learning page counts Disabled signatures when they are ready to be enforced.
Conditions:
Policy has a disabled signature.
Impact:
Traffic learning page shows different counts of "ready to be enforced" signatures compared to Security ›› Application Security : Security Policies : Policies List ›› <policy name>
Workaround:
None
Fixed Versions:
16.1.2.2
1050537-1 : GTM pool member with none monitor will be part of load balancing decisions.
Links to More Info: BT1050537
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM pool member containing no monitor (status=BLUE) is not included in load balancing decisions.
Conditions:
GTM pool member the monitor value set to none.
Impact:
GTM does not load balance to this pool member.
Workaround:
N/A
Fix:
Handled GTM pool with "none" monitor
Behavior Change:
GTM pool members with "none" monitor are now part of load balancing decisions
Fixed Versions:
16.1.2.2
1049229-1 : When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
Links to More Info: BT1049229
Component: Advanced Firewall Manager
Symptoms:
An authenticated administrative user tries to create a sub-rule under the Network Firewall rule list from the GUI and is redirected to a 'No Access' error page.
Conditions:
This error can occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI on a version of BIG-IP (including engineering hotfixes) that include the fixes for BIG-IP bugs ID1032405 and ID941649.
Impact:
The user cannot create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
After the fixes for ID1032405 and ID941649 are installed, the "No Access" errors no longer occur when you create a sub-rule under the Network Firewall rule list in the TMOS GUI.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1048541-1 : Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful.
Links to More Info: BT1048541
Component: TMOS
Symptoms:
A BIG-IP Administrator utilizing the 'Certificate Order Manager' feature is unable to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Conditions:
Using the 'Certificate Order Manager' feature on BIG-IP to renew SSL certificates issued by the Comodo (now Sectigo) certification authority.
Impact:
The renew requests fail.
Fix:
The renew requests now succeed.
Fixed Versions:
16.1.2.2
1048445-1 : Accept Request button is clickable for unlearnable violation illegal host name
Links to More Info: BT1048445
Component: Application Security Manager
Symptoms:
For the following violations:
- VIOL_HOSTNAME (Hostname violation)
- VIOL_HOSTNAME_MISMATCH (Hostname mismatch violation)
The accept button is clickable when it should not. Accept Request button should be disabled for this violations.
Conditions:
Generate an illegal host name or hostname mismatch violation.
Impact:
Request will not be accepted even though you have elected to accept the illegal request.
Workaround:
Do not accept the request to hostname and hostname mismatch violation, no ASM config changes will be triggered.
Fixed Versions:
16.1.2.2
1048433-1 : Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.&start;
Links to More Info: BT1048433
Component: Local Traffic Manager
Symptoms:
The thales-sync.sh script tries to install on the second blade eventually The packages provided by formerly Thales now nShield/Entrust are increasing version to version, The extract logic is not compatible with to latest versions.
Conditions:
While upgrading lower versions to 12.60.
Impact:
The installation script will fail to find to extract packages.
Workaround:
N/A
Fix:
Extract all the tarballs in the target directory to resolve the issue.
Fixed Versions:
16.1.2.1
1048141-3 : Sorting pool members by 'Member' causes 'General database error'
Links to More Info: BT1048141
Component: TMOS
Symptoms:
The configuration utility (web UI) returns 'General database error' when sorting pool members. The pool member display does not work for the duration of the login.
Conditions:
Sorting the pool member list by member.
Impact:
A pool's pool member page cannot be displayed.
Workaround:
Clear site and cached data on browser and do not sort by pool member.
Fix:
Pool members can be sorted by member.
Fixed Versions:
16.1.2.2
1048033-1 : Server-speaks-first traffic might not work with SSL Orchestrator
Links to More Info: BT1048033
Component: SSL Orchestrator
Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not do service chaining to the service that has port-remap enabled.
Conditions:
- Interception Rule has verified accept enabled.
- Security policy is service chaining and port-remap is enabled on one of the security services
Impact:
Connection does not succeed, client sees a reset after timeout.
Workaround:
Disable port-remap on service and redeploy.
Fix:
Fix SSL Orchestrator connector to handle server-speaks-first traffic. After fix, server speaks first traffic will work even with port-remap enabled on the service.
Fixed Versions:
16.1.2.2
1047581-3 : Ramcache can crash when serving files from the hot cache
Links to More Info: BT1047581
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, TMM may crash when processing traffic for a virtual server that uses RAM Cache.
Conditions:
- RAM Cache configured
- Document served not out of the hotcache
- The server served with must-revalidate.
- The server 304 contains a 0 byte gzip payload
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.2.2
1047389-4 : Bot Defense challenge hardening
Links to More Info: BT1047389
Component: Application Security Manager
Symptoms:
Under certain conditions, the Bot Defense profile does not follow current best practices.
Conditions:
Bot Defense profile used
Impact:
The Bot Defense profile does not follow current best practices.
Workaround:
None
Fix:
The Bot Defense profile now follows current best practices.
Fixed Versions:
16.1.2.2
1047377-1 : "Server-speak-first" traffic might not work with SSL Orchestrator
Links to More Info: BT1047377
Component: SSL Orchestrator
Symptoms:
Server-speaks-first traffic does not pass through BIG-IP SSL Orchestrator. BIG-IP does not perform a TCP three-way handshake to the server.
Conditions:
SSL Orchestrator interception rule has an attached security policy that is service chaining and at-least one service has port-remap enabled.
Impact:
Connection does not succeed, client sees a reset after timeout.
Workaround:
Disable port-remap on service and redeploy.
Fix:
Fix SSL Orchestrator connector to handle server speaks first traffic. After fix, server-speaks-first traffic will work even with port-remap enabled on the service.
Fixed Versions:
16.1.2.2
1047213-1 : VPN Client to Client communication fails when clients are connected to different TMMs.
Links to More Info: BT1047213
Component: TMOS
Symptoms:
Client-to-client communication between APM VPN clients connected to different TMMs does not work.
Conditions:
-- Clustered multiprocessing (CMP) is enabled.
Impact:
Client to client communication over the network access connection fails.
Workaround:
Demote the virtual server from CMP processing.
# tmsh modify ltm virtual <virtual> cmp-enabled no
Fix:
N/A
Fixed Versions:
16.1.2.2
1047169-1 : GTM AAAA pool can be deleted from the configuration despite being in use by an iRule.
Links to More Info: BT1047169
Component: TMOS
Symptoms:
A BIG-IP Administrator is incorrectly able to delete a GTM AAAA pool from the configuration, despite this object being referenced in an iRule in use by an AAAA wideip.
An error similar to the following example will be visible in the /var/log/gtm file should the iRule referencing the pool run after the pool has been deleted:
err tmm[11410]: 011a7001:3: TCL error: Rule /Common/my_rule <DNS_REQUEST> - GTM Pool 'my_pool' of type 'A' not found (line 1)GTM Pool 'my_pool' of type 'A' not found (line 1) invoked from within "pool my_pool"
Note the error message incorrectly reports the pool as type A (it should report type AAAA).
Conditions:
-- Two GTM pools of type A and AAAA share the same exact name (which is legal).
-- The pool name is referenced in an iRule by the 'pool' command.
-- The iRule is in use by an AAAA wideip.
-- A BIG-IP Administrator attempts to delete the AAAA pool.
Impact:
The system incorrectly allows the deletion of the AAAA pool from the configuration.
Consequently, the next time the GTM configuration is reloaded from file, the operation will fail.
Additionally, traffic which relied on the pool being present in the configuration will fail.
Fixed Versions:
16.1.2.2
1047089-2 : TMM may terminate while processing TLS/DTLS traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may terminate while proxying traffic between TLS and DTLS.
Conditions:
- Virtual configured for server-side DTLS
- Virtual configured for client-side TLS
Impact:
TMM may terminate, leading to a failover event.
Workaround:
N/A
Fix:
TMM may no longer be configured for DTLS/TLS gateway traffic.
Fixed Versions:
15.1.5, 16.1.2.2
1047053-3 : TMM may consume excessive resources while processing RTSP traffic
Component: Service Provider
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing RTSP traffic.
Conditions:
- RTSP profile enabled
- Undisclosed traffic
Impact:
An increase in TMM resource utilization, potentially leading to a crash and failover event.
Workaround:
N/A
Fix:
TMM now processes RTSP traffic as expected.
Fixed Versions:
15.1.5, 16.1.2.2
1046785-1 : Missing GTM probes when max synchronous probes are exceeded.
Links to More Info: BT1046785
Component: Global Traffic Manager (DNS)
Symptoms:
GTM probes are missing, resources are marked down.
When instances fail and BIG-IP is not aware of the failure, some virtual servers/pool members are marked as available and some objects are marked down on part of the sync group members.
Conditions:
Max synchronous probes are exceeded. This value is controlled by the GTM global variable max-synchronous-monitor-requests.
Impact:
-- Resources are marked down.
-- Inconsistent monitor statuses across BIG-IP DNS systems in a single sync group
-- Because some monitor instances don't have monitor traffic, if an instance fails, the BIG-IP DNS systems may not be aware of the failure.
Workaround:
Increase the value of Max Synchronous Monitor Requests:
tmsh modify gtm global-settings metrics max-synchronous-monitor-requests value <value - default is 20>
Fix:
All monitors are now allowed to probe without triggering a failure.
Fixed Versions:
16.1.2.2
1046693-4 : TMM with BFD confgured might crash under significant memory pressure
Links to More Info: BT1046693
Component: TMOS
Symptoms:
TMM might crash when processing BFD traffic under high memory pressure.
Conditions:
- BFD in use.
- TMM under high memory pressure.
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
16.1.2.2
1046669-1 : The audit forwarders may prematurely time out waiting for TACACS responses
Links to More Info: BT1046669
Component: TMOS
Symptoms:
If a TACACS server takes longer than five seconds to respond, the audit forwarder will reset the connection.
Conditions:
-- Using remote TACACS logging.
-- TACACS server takes longer than 5 seconds to respond to logging requests.
Impact:
Misleading log messages.
Fix:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Behavior Change:
The time that a BIG-IP system will wait for a response from a TACACS server is now configurable using the DB variable config.auditing.forward.tacacs.timeout.response.
Fixed Versions:
16.1.2.2
1045549-4 : BFD sessions remain DOWN after graceful TMM restart
Links to More Info: BT1045549
Component: TMOS
Symptoms:
BFD sessions remain DOWN after graceful TMM restart
Conditions:
TMM is gracefully restarted, for example with 'bigstart restart tmm' command.
Impact:
BFD sessions remain DOWN after graceful TMM restart
Workaround:
After restarting TMM, restart tmrouted.
Fixed Versions:
16.1.2.2
1045421-1 : No Access error when performing various actions in the TMOS GUI
Links to More Info: K16107301, BT1045421
Component: TMOS
Symptoms:
An authenticated administrative user is redirected to a 'No Access' error page while performing various actions in the TMOS GUI, including when trying to:
-- Apply a policy to a virtual server
-- Import images (TMOS images / hotfixes / apmclients)
-- Export/apply an APM policy
-- Run the high availability (HA) setup wizard
-- Export a certificate/key through one of the following paths:
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / test-renew-self-sign / Renew
---- DNS / GSLB : Pools : Pool List / Click Testpool / Click Members / Click Manage
---- System / Software Management : APM Clients / Import
---- System / Certificate Management : Traffic Certificate Management : SSL Certificate List / NewSSLCert / Certificate / Export / Click Download
Conditions:
This may occur when performing various actions in the TMOS GUI on a version of BIG-IP software (including Engineering Hotfixes) that includes fixes for ID1032405 :: https://cdn.f5.com/product/bugtracker/ID1032405.html and ID941649 :: https://cdn.f5.com/product/bugtracker/ID941649.html .
Impact:
Cannot perform various actions in the TMOS GUI.
Workaround:
Use the TMOS Shell (tmsh) command-line interface to perform the equivalent action.
Fix:
'No Access' errors no longer occur when performing various actions in the TMOS GUI under these conditions.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1045229-1 : APMD leaks Tcl_Objs as part of the fix made for ID 1002557
Links to More Info: BT1045229
Component: Access Policy Manager
Symptoms:
APMD memory grows over time causing OOM killer to kill apmd
Conditions:
Access policy has resource assignment agents/variable assignments
Impact:
APMD memory grows over time and OOM killer may terminate apmd thereby affecting traffic. Access traffic disrupted while apmd restarts.
If APMD is not killed by OOM killer the system may start thrashing and become unstable, generally resulting in cores from innocent processes that are no longer scheduled correctly - keymgmtd, bigd, mcpd are typical victims.
Ultimately system may restart automatically as watchdogs fail.
Fixed Versions:
14.1.4.5, 16.1.2.2
1045101-4 : Bd may crash while processing ASM traffic
Component: Application Security Manager
Symptoms:
Bd may crash when handling HTTP requests with APM and ASM.
Conditions:
- ASM and APM are provisioned
- Session awareness is enabled and "Use APM Username and Session ID" is selected in "Application Username" configuration
- Specially crafted HTTP request
Impact:
Bd crash leading to a traffic disruption and failover event.
Workaround:
N/A
Fix:
Bd now process ASM and APM traffic as expected.
Fixed Versions:
15.1.5, 16.1.2.1
1044425-1 : NSEC3 record improvements for NXDOMAIN
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses can be improved to support current best practices.
Conditions:
- DNSSEC zone configured
Impact:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses do not follow current best practices.
Workaround:
N/A
Fix:
BIG-IP DNSSEC NSEC3 records for NXDOMAIN responses now follow current best practices.
Fixed Versions:
16.1.2.2
1044121-3 : APM logon page is not rendered if db variable "ipv6.enabled" is set to false
Links to More Info: BT1044121
Component: Access Policy Manager
Symptoms:
When accessing a Virtual Server with an access policy, users are redirected to the hangup page.
Conditions:
Db variable "ipv6.enabled" is set to false
Impact:
Users will not be able to access the virtual server and associated resources behind it.
Workaround:
Keep the value of db variable "ipv6.enabled" set to true.
# setdb "ipv6.enabled" true
Fixed Versions:
14.1.4.5, 16.1.2.2
1043533-3 : Unable to pick up the properties of the parameters from audit reports.
Component: Application Security Manager
Symptoms:
In the GUI under Security ›› Application Security : Audit : Reports, if you select "User-input parameters..." in the menu "Security Policy Audit Reports", then click on the parameter to retrieve the properties, you will see this error:
" Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Conditions:
1) Create a new parameter.
2) Customize or overwrite an existing ASM signature for the parameter in question.
3) Save and apply to the policy the new changes
4) Go to:
Security ›› Application Security : Audit : Reports
Report Type : User-input parameters with overridden attacks signatures (this also happens for other "User-input parameters...")
Select the parameter to audit
Error: "Could not retrieve parameter; Could not get the Parameter, No matching record was found."
Impact:
A page error occurs.
Workaround:
1. Open in a separate tab the following screen: Security ›› Application Security : Parameters : Parameters List
2. Under "Parameter List" title, there is a filter dropdown with the "Parameter Contains" texting.
3. On the blank part (before "Go" button) type the name of the required parameter.
4. You will get the desired page with the desired parameter properties.
Fixed Versions:
16.1.2.2
1043385-4 : No Signature detected If Authorization header is missing padding.
Component: Application Security Manager
Symptoms:
If the Authentication scheme value in the Authorization header contains extra/missing padding in base64, then ASM does not detect any attack signatures.
Conditions:
HTTP request with Authorization header contains base64 value with extra/missing padding.
Impact:
Attack signature not detected.
Workaround:
N/A
Fix:
Base64 values with extra/missing padding has been handled to detect attack signature
Fixed Versions:
16.1.2.2
1043357-4 : SSL handshake may fail when using remote crypto client
Links to More Info: BT1043357
Component: Local Traffic Manager
Symptoms:
ServerSSL handshake fails when verifying ServerKeyExchange message.
Conditions:
Remote crypto client is configured and the ServerSSL profile connects using an ephemeral RSA cipher suite.
Impact:
The virtual server is unable to connect to the backend server.
Workaround:
Use non-ephemeral RSA or ECDSA cipher suite on ServerSSL.
Fix:
Fix remote crypto client.
Fixed Versions:
16.1.2.2
1043205-1 : SSRF Violation should be shown as a Parameter Entity Reference.
Links to More Info: BT1043205
Component: Application Security Manager
Symptoms:
SSRF Violation is shown as a URL Entity Reference instead of a Parameter Entity Reference.
Conditions:
- Create a URI data type parameter
- Add a host to the SSRF Host List
- Send traffic which contains the URI parameter with the value configured in the SSRF Host List
Impact:
Wrong Entity Reference in the SSRF violation is misleading.
Workaround:
N/A
Fix:
Corrected the Entity reference as a parameter instead of a URL in the SSRF violation.
Fixed Versions:
16.1.2.1
1043017-4 : Virtual-wire with standard-virtual fragmentation
Links to More Info: BT1043017
Component: Local Traffic Manager
Symptoms:
A standard virtual-server configured on top of a virtual-wire has unexpected handling of fragmented IP traffic.
Conditions:
Standard virtual-server configured on top of a virtual-wire handling fragmented IP traffic.
Impact:
- Fragments missing on egress.
- Packet duplication on egress.
Workaround:
Use fastl4 virtual-server instead.
Fixed Versions:
16.1.2.2
1042917-1 : Using 'Full Export' of security policy should result with no diffs after importing it back to device.
Links to More Info: BT1042917
Component: Application Security Manager
Symptoms:
'Declarative policy import' is adding entities into the policy according what it has in the JSON file.
When it imports the policy builder settings, some automatic changes are created in the policy, and it may override other entities which were added before.
Conditions:
Policy builder settings are added in import after other affected entities were added before.
Impact:
The resulted policy will be different from the exported policy.
Workaround:
N/A
Fix:
'Declarative Policy import' first adds the policy builder settings, and all other affected entities are imported only after it, and in this way the resulted policy is the same as the exported one.
Fixed Versions:
16.1.2
1042913-2 : Pkcs11d CPU utilization jumps to 100%
Links to More Info: BT1042913
Component: Local Traffic Manager
Symptoms:
CPU utilization of pkcs11d increases to 100%.
Conditions:
This occurs when pkcs11d is disconnected from the external HSM.
Impact:
As the pkcs11d consumes most of the CPU, other processes are starved for CPU.
Workaround:
None.
Fix:
Pkcs11d no longer consumes 100% CPU when it is disconnected from the external HSM.
Fixed Versions:
16.1.2.2
1042605-1 : ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above&start;
Component: Application Security Manager
Symptoms:
Following an upgrade, an error occurs:
ERROR: Failed during loading ASM configuration.
An "ASM critical warning" banner is displayed in the ASM GUI.
Conditions:
-- ASM is upgraded to v15.1.0 or above
-- The following query returns results prior to upgrading:
SELECT policy_name_crc FROM DCC.ACCOUNTS accounts WHERE policy_name NOT IN (SELECT name FROM PLC.PL_POLICIES)
Impact:
ASM upgrade is aborted due to an exception:
Can't call method "clear_traffic_data" on unblessed reference
Fixed Versions:
16.1.2.2
1042509-1 : On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request
Links to More Info: BT1042509
Component: Local Traffic Manager
Symptoms:
On an HTTP2 gateway virtual server (HTTP/2 on clientside, no httprouter profile), TMM does not update the stream's window (i.e. acking data at the HTTP/2 stream layer). This causes large HTTP requests with payloads (i.e. POSTs) to stall and eventually time out.
TMM does sometimes send WINDOW_UPDATE messages for the entire connection, but not for the stream. Since flow control is required at both the connection and stream levels, the client stalls out.
Conditions:
-- Virtual server with HTTP2 profile
-- Configured as HTTP2 Gateway (HTTP2 profile on clientside and no 'httprouter' profile)
-- Client sends large data transfer to the virtual server
Impact:
Client data transfer through HTTP/2 virtual server (POST / PUT / etc) fails.
Workaround:
Use an HTTP router profile (assign the 'httprouter' profile to the virtual server, or select the 'HTTP MRF Router' option in TMUI)
Fixed Versions:
16.1.2.2
1042069-1 : Some signatures are not matched under specific conditions.
Component: Application Security Manager
Symptoms:
Some signatures are not matched and attack traffic can pass through.
Conditions:
There are more than 20 signatures that have a common keyword with a signature that does not match (and has a common keyword and a new keyword).
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Attack signatures that share words with other attack signatures will be matched correctly now.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
1042009-1 : Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes
Links to More Info: BT1042009
Component: TMOS
Symptoms:
Mcpd does not reply to the request if the publisher's connection closes/fails, in this case when bcm56xxd
is restarted. The perceivable signs of the failure are the snmpwalk failing with a timeout and the
"MCPD query response exceeding" log messages
Conditions:
1) Configure snmp on the BIG-IP so you can run snmpwalk locally on the BIG-IP.
2) From one session on the BIG-IP, run a snmpwalk in the while loop.
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)
3) From a second session on the BIG-IP restart bcm56xxd
bigstart restart bcm56xxd
4a) the snmpwalk will continually report the following:
Timeout: No Response from 127.0.0.1
And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm
Impact:
SNMP stopped responding to queries after upgrade
Workaround:
Snmpd restart
Fixed Versions:
16.1.2.2
1041765-2 : Racoon may crash in rare cases
Links to More Info: BT1041765
Component: TMOS
Symptoms:
Racoon may crash when NAT Traversal is on and passing IPsec traffic in IKEv1.
Conditions:
-- IKEv1 IPsec tunnel configured
-- NAT Traversal is on in ike-peer configuration.
Impact:
Racoon will crash and any IKEv1 tunnels will restart
Workaround:
Use IKEv2 only.
Fix:
This racoon crash has been stopped.
Fixed Versions:
16.1.2.1
1041149-1 : Staging of URL does not affect apply value signatures
Component: Application Security Manager
Symptoms:
When a URL is staged and a value content signature is detected, the matched request is blocked.
Conditions:
-- URL is set to staging;
-- Only default ("Any") content profile is present, set to apply value signatures (all other content profiles deleted);
-- Request matches attack signature
Impact:
The request for staged URL is blocked
Workaround:
Configure relevant content profiles or leave the default content profiles configuration.
Fix:
Fixed to correctly handle URL staging in case of only "Any" content profile.
Fixed Versions:
16.1.2.2
1040821-4 : Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes
Links to More Info: BT1040821
Component: TMOS
Symptoms:
Address Translation and Port Translation checkboxes are automatically checked under the virtual server's advanced configuration.
Conditions:
Virtual Server's Advanced configuration option is selected followed by adding an iRule or a pool.
Impact:
The Address and Port translation options are automatically checked when the default is to have them unchecked.
Workaround:
Manually un-check Address Translation and Port Translation checkboxes under virtual server's advanced configuration
Fixed Versions:
16.1.2.2
1040677 : BIG-IP D120 platform reports page allocation failures in N3FIPS driver
Links to More Info: BT1040677
Component: Local Traffic Manager
Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/6: page allocation failure: order:2, mode:0x204020
After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the appliance D120 (iSeries i15820-DF).
Impact:
As different processes can experience this issue, and the system may behave unpredictably. Software installation may fail.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommend to increase this to 128 MB (131072 KB).
When instantiating this workaround, consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
Fix:
The BIG-IP system no longer experiences excessive kernel page allocation failures.
Fixed Versions:
16.1.1
1040361-1 : TMM crashes during its startup when TMC destination port list attached/deleted to virtual server.
Links to More Info: BT1040361
Component: Local Traffic Manager
Symptoms:
-- Log message written to TMM log file:
panic: ../kern/page_alloc.c:736: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
-- Virtual Server using a traffic-matching-criteria (TMC) with a destination-port-list, with multiple distinct ranges of ports.
-- Config changes to virtual server with traffic-matching criteria can cause memory corruption which can lead to delayed TMM crashes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use Traffic Matching Criteria with destination port lists.
TMM restart is required in case the virtual server is modified with traffic-matching-criteria related config.
Fix:
TMM no longer crashes under these conditions.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1039553-1 : Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors
Links to More Info: BT1039553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up, depending on the monitor's configuration).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The monitor tries to match an HTTP status code other than 200 (for example, 301).
-- The monitor uses HTTP version 1.0 or 1.1 for the request (the default is 0.9).
Impact:
The system incorrectly considers all non-200 responses a failed monitor attempt, despite what the user specified as acceptable status codes in the monitor's configuration. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue in any of the following ways:
-- Use HTTP version 0.9 for the monitor requests.
-- Match on the 200 HTTP status code.
-- Do not use HTTP status matching altogether.
Fix:
GTM HTTP(S) monitors using HTTP version 1.0 or 1.1 can now successfully match status codes other than 200 in the response.
Fixed Versions:
15.1.5, 16.1.2.1
1039329-2 : MRF per peer mode is not working in vCMP guest.
Links to More Info: BT1039329
Component: Service Provider
Symptoms:
MRF diameter setup, in peer profile "auto-initialization" and "per peer" mode are enabled, but no connection attempts towards the pool member occur.
When the mode is switched to "per tmm" or "per blade", connections are established.
Conditions:
The peer connection mode in the peer profile is set to "per peer".
Impact:
The "per peer" setting does not work.
Workaround:
Switch the connection mode to "per tmm" or "per blade"
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1039245-2 : Policy Properties screen does not load and display
Component: Application Security Manager
Symptoms:
On the Security ›› Application Security : Security Policies : Policies List page, if you click one of the policies, the page gets stuck in " Loading policy general settings... "
Conditions:
This occurs if you try to view a policy that has no template associated
Impact:
Unable to use the GUI for the affected ASM policies.
Workaround:
# cp /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js /shared/TsuiAngularPoliciesScripts.min.js.bk
# chmod 644 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# sed -i -e 's/"POLICY_TEMPLATE_GRAPHQL/p.policy.template\&\&"POLICY_TEMPLATE_GRAPHQL/' /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# chmod 444 /var/ts/dms/script/dist/angular/TsuiAngularPoliciesScripts.min.js
# bigstart restart httpd
Fixed Versions:
16.1.2.2
1039069-1 : Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.&start;
Links to More Info: BT1039069
Component: Global Traffic Manager (DNS)
Symptoms:
For more information on the specific issues fixed, please refer to:
https://cdn.f5.com/product/bugtracker/ID1010697.html
https://cdn.f5.com/product/bugtracker/ID1037005.html
https://cdn.f5.com/product/bugtracker/ID1038921.html
Please note the only versions 15.1.3.1 and 16.1.0 are affected.
Conditions:
-- Running BIG-IP version 15.1.3.1 or 16.1.0
-- RESOLV::lookup iRule is used
Impact:
Multiple issues can occur with the RESOLV::lookup command, such as DNS resolutions failing or incorrect DNS responses being received.
Workaround:
None
Fix:
-
Fixed Versions:
15.1.4, 16.1.1
1039049-2 : Installing EHF on particular platforms fails with error "RPM transaction failure"
Links to More Info: BT1039049
Component: TMOS
Symptoms:
-- Installing an EHF fails with the error "RPM transaction failure"
-- Errors similar to the following are seen in the liveinstall.log file:
info: RPM: /var/tmp/rpm-tmp.LooFVF: line 11: syntax error: unexpected end of file
info: RPM: error: %preun(fpga-tools-atlantis-15.1.3-0.0.11.i686) scriptlet failed, exit status 2
Conditions:
-- Installing an EHF that contains an updated version of the 'fpga-tools-atlantis' package
-- Using the following platforms:
+ BIG-IP i4600 / i4800
+ BIG-IP i2600 / i2800
+ BIG-IP i850
Impact:
EHF installation fails.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1039041 : Log Message: Clock advanced by <number> ticks
Links to More Info: BT1039041
Component: Local Traffic Manager
Symptoms:
<ticks> is the number of milliseconds the Traffic Management Microkernel (TMM) clock is out of sync (behind) the system clock because the TMM thread is waiting for a response.
Logs are similar to below.
bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 103 ticks
bigip1 notice tmm7[46855]: 01010029:5: Clock advanced by 106 ticks
bigip1 notice tmm10[46855]: 01010029:5: Clock advanced by 107 ticks
bigip1 notice tmm25[46856]: 01010029:5: Clock advanced by 113 ticks
bigip1 notice tmm15[46856]: 01010029:5: Clock advanced by 121 ticks
bigip1 notice tmm5[46855]: 01010029:5: Clock advanced by 106 ticks
Conditions:
These logs are seen more frequently in i15820-DF platforms with FIPS enabled, in comparison to other FIPS platforms. The messages are observed during FIPS key lookup in the HSM. These lookups occur either during TMM start/restart or during SSL profile configuration modification.
Impact:
This message may appear intermittently depending on system load and conditions mentioned above, and it does not necessarily indicate system instability or a cause for concern unless accompanied by another error message or at the time of a serious event.
In all the above conditions, clock advance ticks are in the range of 100 - 170.
Fixed Versions:
16.1.2
1038913-4 : The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category
Component: Application Visibility and Reporting
Symptoms:
In GUI "Security ›› Reporting : Application : Charts" filtering "View By" as IP Intelligence "Last Week", "Last Month" and "Last Year" reports show the "Safe" category instead of "Aggregated".
Conditions:
-- ASM is provisioned
-- The system is under heavy traffic
-- The number of stats records per report period (5 min) is higher than 10,000
Impact:
Inaccurate Last Week IPI reporting
Fixed Versions:
16.1.2.2
1038741-4 : NTLM type-1 message triggers "Unparsable request content" violation.
Links to More Info: BT1038741
Component: Application Security Manager
Symptoms:
When internal parameter for "authorization header decode failure" is disabled, Valid NTLM type-1 message will be blocked with "Unparsable request content" violation.
Conditions:
Disable internal parameter ignore_authorization_header_decode_failure
Impact:
Valid NTLM Type-1 message will be blocked by ASM.
Workaround:
Enable internal parameter ignore_authorization_header_decode_failure, ASM will not block the NTLM type-1 message request
Fixed Versions:
16.1.2.2
1038733-4 : Attack signature not detected for unsupported authorization types.
Component: Application Security Manager
Symptoms:
ASM does not detect an Unsupported Bearer authorization type that contains header value in base64 format.
Conditions:
HTTP Request containing Bearer Authorization header which
contain a matching signature in base64 encoded format.
Impact:
ASM does not raise a violation and does not block the request.
Workaround:
N/A
Fix:
ASM decodes base64 value in Bearer Authorization header and perform attack signature matching, raises violation and block request if it contains attack.
Fixed Versions:
16.1.2.2
1038669-1 : Antserver keeps restarting.
Links to More Info: BT1038669
Component: SSL Orchestrator
Symptoms:
Antserver keeps restarting, as indicated in /var/log/ecm:
notice ant_server.sh[5898]: starting ant_server on 057caae1e95a11d7ecd1118861fb49f30ce1c22d
notice ant_server.sh[6311]: no ant_server process
notice ant_server.sh[6312]: check: no running ant_server
Conditions:
The Secure Web Gateway is provisioned on i15800 or i15820 platform.
Impact:
User connection will be reset if request or response analytics agent is deployed with per-request policy.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
15.1.5, 16.1.2
1038629-4 : DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
Links to More Info: BT1038629
Component: Local Traffic Manager
Symptoms:
With the DTLS virtual server, when client sends the CLOSE_NOTIFY alert, BIG-IP is simply closing the connection without sending the CLOSE_NOTIFY back to client as well as the backend server. This causes the backend server to not close/shutdown the connection completely.
Conditions:
This issue occurs with all DTLS virtual servers which has associated client-ssl and server-ssl profiles.
Impact:
Backend server and client will have a dangling connection for certain period of time (Based on the timeout implementation at the respective ends).
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1038445-1 : During upgrade to 16.1, the previous FPS Engine live update remains active&start;
Links to More Info: BT1038445
Component: Fraud Protection Services
Symptoms:
On a BIG-IP system with FPS JS engine Live Update, after upgrade to 16.1.x , the old live update is not replaced by the engine in the build.
Conditions:
-- BIG-IP with FPS JS engine Live Update
-- Upgrade to 16.1.x
-- FPS / DataSafe / AWAF provisioned.
Impact:
In upgrade from 15.1 or older, this sometimes results in the device staying offline.
Workaround:
Installing a new, 16.1 FPS Engine update will fix the issue (where available).
Alternatively, running these commands fixes the issue, but results in the BIG-IP going offline for a few minutes.
rm -rf /var/datasync/updates/*
touch /etc/datasync/regenerate_all
tmsh -q -c 'cd datasync-global/; delete security datasync update-file update-file-versafe_js*'
bigstart restart tmm
Fixed Versions:
16.1.2.2
1037457-1 : High CPU during specific dos mitigation
Component: Application Security Manager
Symptoms:
CPU is high.
Conditions:
A dos attack with specific characteristic is active and the policy is configured in a specific way.
Impact:
While the attack is mitigated on the BIG-IP system and does not reach the server, the CPU of the BIG-IP increases and this may impact other services on the BIG-IP device.
Workaround:
N/A
Fix:
A specific high CPU scenario during dos attacks was fixed.
Fixed Versions:
16.1.2.2
1036521-1 : TMM crash in certain cases
Links to More Info: BT1036521
Component: Application Security Manager
Symptoms:
TMM crash in certain case when dosl7 is attached
Conditions:
TMM is configured with dosl7
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
N/A
Fixed Versions:
16.1.2.2
1035853-1 : Transparent DNS Cache can consume excessive resources.
Links to More Info: K41415626, BT1035853
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, the Transparent DNS Cache can consume excessive resources.
Conditions:
- GTM/DNS is provisioned
- Transparent DNS Cache is configured on a virtual server
Impact:
Excessive resource consumption, which can lead to increased server-side load.
Workaround:
N/A
Fix:
The Transparent DNS Cache now consumes resources as expected.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1035361-4 : Illegal cross-origin after successful CAPTCHA
Component: Application Security Manager
Symptoms:
After enabling CAPTCHA locally on BIG-IP with brute force, after configured login attempts, CAPTCHA appears, but after bypassing the CAPTCHA successfully the user receives a support ID with cross-origin violation.
Conditions:
- brute force with CAPTCHA mitigation enforced on login page.
- cross-origin violation is enforced on the login page.
- user fails to login until CAPTCHA appears
- user inserts the CAPTCHA correctly
Impact:
- blocking page appears.
- on the event log cross-origin violation is triggered.
Workaround:
- disable cross-origin violation enforcement.
Fix:
Fixing origin header offset in reconstruct challenge request.
Fixed Versions:
16.1.2.2
1035133-4 : Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
Links to More Info: BT1035133
Component: Application Visibility and Reporting
Symptoms:
In various BIG-IQ GUI forms under the "Monitoring" tab (for example Monitoring -> Local Traffic -> HTTP), data for some time periods are missing.
Multiple "Unexpected end of ZLIB input stream" errors appear in BIG-IQ DCD logs under /var/log/appiq/gc_agent-manager.log
Conditions:
BIG-IP is attached to BIG-IQ, traffic volume is high
Impact:
Data in BIG-IQ are missing therefore some graphs show incorrect information
Workaround:
None
Fix:
Fixed an issue with missing statistics.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1034941-1 : Exporting and then re-importing "some" XML policy does not load the XML content-profile properly
Links to More Info: BT1034941
Component: Application Security Manager
Symptoms:
Exporting and then re-importing an existing ASM policy in XML format does not load its XML content-profile properly. An XML content-profile containing a firewall configuration shows the 'Import URL' as N/A for most .xsd files.
Conditions:
Corner case, when the second import_url value is null
Impact:
The import_url field is set as N/A for all files, except for the first one
Workaround:
None
Fix:
Fixed incorrect XML export when we've multiple import_url in content-profile
Fixed Versions:
16.1.2.2
1034617-1 : Login/Security Banner text not showing in console login.
Links to More Info: BT1034617
Component: TMOS
Symptoms:
Setting the Login/Security Banner causes the banner to appear when connecting via the management port and not when connecting via the console.
Conditions:
-- The login banner is configured.
-- You log into the command line.
Impact:
Mismatch in displaying banner text with management and console logins.
Workaround:
Configure an identical banner for ssh sessions by following https://support.f5.com/csp/article/K6068.
Fix:
The banner text now displays for both management and console logins.
Fixed Versions:
16.1.2
1034589-1 : No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration.
Links to More Info: BT1034589
Component: TMOS
Symptoms:
It is possible to delete a Pool or Trunk from the configuration while one or more high availability (HA) Groups still reference it.
As a result, the configuration of affected high availability (HA) Groups is automatically and silently adjusted (i.e. the deleted object is no longer referenced by any high availability (HA) Group).
The lack of warning about this automatic change could lead to confusion.
Conditions:
A pool or trunk is deleted from the configuration while still being referenced from a high availability (HA) Group.
Impact:
The automatic and silent removal of the deleted object from all high availability (HA) Groups may go unnoticed by BIG-IP Administrators, with potential consequences on the failover behavior of the devices.
Fix:
A warning message is logged to /var/log/ltm, and is also presented in tmsh.
Fixed Versions:
16.1.2.2
1034329-1 : SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com
Component: TMOS
Symptoms:
SHA-512 checksums for BIG-IP Virtual Edition images are not available on downloads.f5.com.
Conditions:
You wish to perform a SHA-512 validation of the BIG-IP Virtual Edition images.
Impact:
Cannot download the SHA-512 checksum for checksums for BIG-IP Virtual Edition images.
Workaround:
None
Fix:
Added SHA-512 checksum for ISOs and BIG-IP Virtual Edition images to downloads.f5.com.
Fixed Versions:
16.1.2.2
1033837-1 : REST authentication tokens persist on reboot&start;
Component: TMOS
Symptoms:
REST authentication tokens persist across reboots. Current best practices require that they be invalidated at boot.
Conditions:
- REST authentication token in use
- BIG-IP restarts
Impact:
REST authentication tokens are not invalidated at boot.
Workaround:
NA
Fix:
REST authentication are invalidated at boot.
Behavior Change:
Existing REST tokens are now invalidated on boot; new tokens will need to be generated after a reboot.
Fixed Versions:
16.1.2.2
1033829-3 : Unable to load Traffic Classification package
Links to More Info: BT1033829
Component: Traffic Classification Engine
Symptoms:
After installation and initial configuration, the latest Traffic Classification IM package fails to load.
Conditions:
This type of behavior is observed when the system is configured as follows,
1. LTM provisioned
2. Create virtual servers with classification profile
3. Then provision PEM module
4. Do a Hitless upgrade
Impact:
The latest Traffic Classification IM package fails to load.
Workaround:
Once the TMM is restarted after the issue, the latest IM is loaded.
Fix:
The traffic classification package now loads successfully.
Fixed Versions:
14.1.4.5, 16.1.2.2
1033017-1 : Policy changes learning mode to automatic after upload and sync
Links to More Info: BT1033017
Component: Application Security Manager
Symptoms:
When newly created policies are synchronized, the learning states of the policies are different.
Conditions:
-- Active/Active high availability (HA) setup in sync-failover device group with ASM enabled.
-- Sync a new policy configured with disabled/manual learning mode.
Impact:
Learning mode changes from disabled to automatic on peer device after sync, so learning modes differ on the peer devices.
Workaround:
1. On the peer device, change the learning mode to disabled.
2. Push sync from the originator device.
Both devices are then in sync and policies have the same learning mode (disabled), so operations complete as expected.
Fix:
The sync operation no longer attempts to keep the learning flags enabled on the receiving device.
Fixed Versions:
16.1.2.2
1032949-1 : Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate.
Links to More Info: BT1032949
Component: TMOS
Symptoms:
When you configure Dynamic CRL and set the client authentication as "Request", the handshake fails when clients do not supply a certificate.
Conditions:
Clientssl profile configured with the following:
1. Dynamic CRL
2. Client Authentication enabled with "Request" option
Impact:
SSL handshake fails
Workaround:
Workaround 1:
Use Static CRL
Workaround2:
Use Client authentication with either "Require" or "Ignore"
Workaround3:
Disable TLS1.2 and below versions in the Client SSL profile.
Which means allow only TLS1.3 traffic.
Fix:
N/A
Fixed Versions:
15.1.5, 16.1.2.1
1032797-1 : Tmm continuously cores when parsing custom category URLs
Links to More Info: BT1032797
Component: SSL Orchestrator
Symptoms:
Tmm crashes when trying to parse more than 256 custom category URLs.
Conditions:
-- More than 256 URLs defined in custom url-category.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes and it can parse more than 256 custom category URLs.
Fixed Versions:
15.1.5, 16.1.2
1032737-2 : IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate
Links to More Info: BT1032737
Component: TMOS
Symptoms:
Tmm crashes while passing IPsec traffic
Conditions:
Wildcard selectors are used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Avoid the core dump by adding checks.
Fixed Versions:
15.1.4.1, 16.1.2
1032689 : UlrCat Custom db feedlist does not work for some URLs
Links to More Info: BT1032689
Component: Traffic Classification Engine
Symptoms:
The first URL getting normalized is not classified.
Conditions:
The URL contains caps or 'www' is not getting categorized in few cases.
Impact:
The 'custom' category is not displayed for all the apps available in the feedlist file.
Workaround:
None
Fix:
Starting normalized lines with \n.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1032513-3 : TMM may consume excessive resources while processing MRF traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing traffic with the MRF.
Conditions:
- MRF routing enabled
Impact:
Excessive resource consumption, potentially leading to crash and failover event.
Workaround:
N/A
Fix:
TMM now processes MRF traffic as expected.
Fixed Versions:
16.1.2.2
1032077-1 : TACACS authentication fails with tac_author_read: short author body
Links to More Info: BT1032077
Component: TMOS
Symptoms:
If a TACACS user is part of a group with 10s of attribute value pairs (AVPs) were the length of all the avp's combined is such that the authorization reply message from the TACACS server is segmented, the login will fail.
The error message that is logged when the login fails is
"tac_author_read: short author body, 4468 of 6920: Operation now in progress" Where the numbers 4468 and 6920 will vary.
Conditions:
- TACACS authentication
- TACACS user that is part of a group where the combined length of the AVPs is greater then the largest TCP segment the TACACS server is able to send.
Impact:
User is unable to login.
Workaround:
If possible, reduce the number of attributes of the TACACS group or user.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1031901-2 : In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked
Links to More Info: BT1031901
Component: Local Traffic Manager
Symptoms:
When request from client is forwarded to server which is in CLOSING state due to server sent GOAWAY but not yet close the connection, request will be failed to be forwarded to server and RST_STREAM will be sent to client
Conditions:
-- Virtual Server with HTTP2 profile
-- There is an open connection from BIG-IP to the server.
-- The server sends a GOAWAY message to the BIG-IP and the connection is kept open.
-- The client sends a request to BIG-IP, BIG-IP picks the connection mentioned above to forward the request to
Impact:
Traffic from the specific client is interrupted
Workaround:
N/A
Fix:
In HTTP2 deployment, RST_STREAM is no longer sent to client if server in CLOSING state is picked
Fixed Versions:
15.1.4.1, 16.1.2
1031609-1 : Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.&start;
Links to More Info: BT1031609
Component: Local Traffic Manager
Symptoms:
Formerly Thales now nShield/Entrust has changed the directory structure of their client package and also added new libraries. Due to this change, install script will be incompatible with v12.60.10 onwards.
Conditions:
Upgrading to PKCS11 client package v12.60.10.
Impact:
The installation script will fail while extracting the package.
Workaround:
N/A
Fix:
Extracted all the tarballs in the target directory to resolve the issue.
Fixed Versions:
16.1.2.1
1031425-3 : Provide a configuration flag to disable BGP peer-id check.
Links to More Info: BT1031425
Component: TMOS
Symptoms:
A fix for ID 945265 (https://cdn.f5.com/product/bugtracker/ID945265.html) introduced strict checking of a peer-id. This check might be not desired in some configurations.
Conditions:
EBGP peering with two routers in the same autonomous system, configured with the same peer-id.
Impact:
BIG-IP will not pass the NLRIs between two eBGP peers. The following message can be seen in debug logs:
172.20.10.18-Outgoing [RIB] Announce Check: 0.0.0.0/0 Route Remote Router-ID is same as Remote Router-ID
Workaround:
Change peer-ids to be unique on eBGP peers.
Fix:
New, neighbor-specific, af-specific configuration option is provided to allow routes to be passed to external peers sharing the same router-id. The check is done on egress, so the configuration should be changed towards the peer that is supposed to receive a route.
router bgp 100
bgp graceful-restart restart-time 120
neighbor as200 peer-group
neighbor as200 remote-as 200
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 peer-group as200
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 peer-group as200
neighbor 172.20.10.18 disable-peerid-check
!
address-family ipv6
neighbor as200 activate
neighbor as200 disable-peerid-check
neighbor 172.20.8.16 activate
neighbor 172.20.8.16 disable-peerid-check
neighbor 172.20.10.18 activate
neighbor 172.20.10.18 disable-peerid-check
exit-address-family
When configured on a single neighbor it will cause session to be re-established.
When configured on a peer-group a manual session restart is required for changes to take effect.
Fixed Versions:
16.1.2.2
1031357-2 : After reboot of standby and terminating peer, some IPsec traffic-selectors are still online
Links to More Info: BT1031357
Component: TMOS
Symptoms:
HA Standby marks traffic selectors up when they are actually down on the Active device.
Conditions:
-- High availability (HA) configured and mirroring configured
-- IPsec tunnels up on Active
-- Reboot Standby
-- Standby starts correctly and all SAs are mirrored
-- Tunnel(s) go down on Active
Impact:
-- Traffic Selector is incorrectly marked up on the Standby when it is actually down on the Active.
-- While this is cosmetic, the information is misleading.
Workaround:
None
Fix:
After Standby reboot and deleting IPsec tunnels, the
traffic selectors on the Standby are marked in down state.
Fixed Versions:
16.1.2
1030881-1 : [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.&start;
Links to More Info: BT1030881
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config load fails with the following error message:
01070022:3: The monitor template min was not found.
Conditions:
Min or required feature is applied to GTM generic host and upgrade from v15.x to v16.x.
Impact:
GTM config load fails.
Workaround:
Delete the special config for the generic host server and add it back after upgrade.
Fixed Versions:
16.1.2.2
1030853-1 : Route domain IP exception is being treated as trusted (for learning) after being deleted
Links to More Info: BT1030853
Component: Application Security Manager
Symptoms:
Traffic is considered trusted for learning even though a trusted IP exception was deleted.
Conditions:
Creating and deleting a route domain-specific IP exception
Impact:
Traffic learning suggestions scores are miscounted.
In automatic policy builder mode the policy can be updated by the policy builder based on the wrong score counting.
Workaround:
Stop and restart learning for the relevant policy
Fix:
When a route domain IP Exception configured for trusted learning is deleted, the upcoming suggestions scores will be calculated correctly without considering the deleted IP trusted.
Fixed Versions:
16.1.2.2
1030845-1 : Time change from TMSH not logged in /var/log/audit.
Links to More Info: BT1030845
Component: TMOS
Symptoms:
Whenever time is changed, the message is not logged in /var/log/audit.
Conditions:
This occurs when the system time is changed manually using either the 'date' command or 'tmsh modify sys clock'.
Impact:
The time change is not logged to the audit log.
Workaround:
N/A
Fix:
Time changes are now logged to the audit log.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1030645-4 : BGP session resets during traffic-group failover
Links to More Info: BT1030645
Component: TMOS
Symptoms:
BGP session might be hard reset during a traffic group failover. The following log is displayed:
BGP[11111]: BGP : %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Peer reset due to nh address change
Conditions:
Floating self-ips defined on a single vlan/subnet, with different traffic-groups configured.
Impact:
BGP session goes down during traffic-group failover.
Fix:
Soft clear is performed instead.
Fixed Versions:
16.1.2.2
1029949-2 : IPsec traffic selector state may show incorrect state on high availability (HA) standby device
Links to More Info: BT1029949
Component: TMOS
Symptoms:
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.
Conditions:
-- High availability (HA) environment
-- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).
Impact:
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.
Workaround:
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.
Fix:
IPsec traffic selectors show the correct state after the high availability (HA) standby device reboots.
Fixed Versions:
16.1.2
1029897-1 : Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members.
Links to More Info: K63312282, BT1029897
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may pass malicious requests to server-side pool members.
Conditions:
1. The BIG-IP LTM has one or more virtual servers configured to proxy HTTP/2 requests from the client-side to HTTP/1 requests on the server-side.
2. An HTTP/2 client sends a request with one of the following issues and the BIG-IP passes it to the server-side pool members:
a. H2.TE request line injection
I. An HTTP/1 request embedded within an HTTP/2 pseudo-header value
II. Individual carriage return (CR) or line feed (LF) allowed within an HTTP/2 pseudo-header
b. Request line injection (folder traps)
c. Request line injection (rule bypass)
Impact:
Malicious HTTP/2 requests can be translated to HTTP/1 requests and sent to the pool member web server. Depending on the behavior of the pool member web server, this can lead to an HTTP request smuggling attack. When the affected virtual server is configured with the OneConnect profile, an attacker might be able to impact the responses sent to a different client.
Workaround:
You can configure the BIG-IP ASM system or Advanced WAF to block an HTTP/1 request that is embedded within an HTTP/2 pseudo header value from being sent to the backend server.
Fix:
This has been fixed so that client requests are appropriately rejected by BIG-IP.
Fixed Versions:
16.1.2.2
1029869-1 : Use of ha-sync script may cause gossip communications to fail
Links to More Info: BT1029869
Component: SSL Orchestrator
Symptoms:
Using the ha-sync script on platforms in a sync-failover device group may cause gossip communications to fail.
Conditions:
This issue occurs after using the ha-sync script on devices that are in a sync-failover device-group.
Impact:
When the gossip communications fail, SSL Orchestrator will be unable to communicate iAppLX configuration from one device to the other. This can lead to deployment failures upon redeployment of SSL Orchestrator topologies.
Workaround:
None
Fixed Versions:
16.1.2.2
1029629-1 : TMM may crash while processing DNS lookups
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, TMM may crash while processing DNS lookups.
Conditions:
TMM processing DNS lookups.
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes DNS lookups as expected.
Fixed Versions:
16.1.2
1029585-1 : Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync
Links to More Info: BT1029585
Component: SSL Orchestrator
Symptoms:
Following the use of the ha-sync script on platforms in a sync-failover device group to become out of sync.
Conditions:
This can occur following the use of the ha-sync script.
Impact:
Both platforms in the sync-failover device group to fall out of sync. Forcing the admin to perform a device-group sync operation.
Workaround:
None
Fixed Versions:
16.1.2.2
1029397-4 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1029397
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment, when lsn DB callback is returned from a different tmm, and the SIP connection has been lost on tmm where the REGISTER request arrived.
Conditions:
--- SIP-ALG is deployed
--- Processing of SIP REGISTER message at server side
--- lsn DB entry is mapped to a different tmm
Impact:
Traffic disrupted while tmm restarts
Workaround:
NA
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
15.1.5, 16.1.2.2
1028969-1 : An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working
Links to More Info: BT1028969
Component: TMOS
Symptoms:
If both IKEv1 and IKEv2 try to listen to the same self IP address on the BIG-IP for a local tunnel IP address, only one can win, and previously a v2 ike-peer would be blocked if a v1 listener managed to get installed first.
If a partial tunnel config exists, with no ike-peer and only ipsec-policy and traffic-selector definitoins, this is understood to be IKEv1 implicitly, by default, and will install a v1 listener for the IP address and port.
Then if a fully configured ike-peer is added using IKEv2, it can fail to establish the required listener for v2 when an existing v1 listener is squatting on that IP address.
Conditions:
Conflict between IKEv2 and IKEv1 on the same IP address when:
-- a v2 ike-peer has local tunnel IP address X
-- a v1 ike-peer, or a traffic-selector with no peer at all, has the same local IP address X
Impact:
An IKEv2 tunnel can fail to negotiate when v2 packets cannot be received on a local IP address because a listener for IPsec cannot be established on that IP address.
Workaround:
You can avoid conflict between v1 and v2 by:
-- removing a traffic-selector not in use (which is v1)
-- avoiding use of the same local IP in both v1 and v2 definitions of ike-peer
Fix:
The fix gives precedence to IKEv2, so any pre-existing IKEv1 listener is simply removed from an IP address whenever a v2 listener is desired for that IP address.
This means IKEv1 can never be negotiated on a local IP address which is also in use by an IKEv2 ike-peer.
Importantly, this fix may cause tunnels to be permanently down after an upgrade. Prior to this change it was possible to have IKEv1 and IKEv2 tunnels working on the same self IP, but in that scenario some tunnels would intermittently fail to establish and the success of the tunnel establishment depended on whether the BIG-IP was the Initiator. IKEv1 and IKEv2 tunnels on the same self IP may still work after this change, but are not considered a valid or supported config by F5.
Fixed Versions:
16.1.2
1028773-1 : Support for DNS Over TLS
Links to More Info: BT1028773
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system does not have support for DNS over TLS (DoT).
Conditions:
This is encountered if you wish to combine a clientssl profile with the dns profile on a virtual server.
Impact:
Performance is degraded.
Workaround:
None
Fix:
Clients can now initiate DNS over TLS requests to virtual servers that have the clientssl and dns profiles attached.
Fixed Versions:
16.1.2
1028473-1 : URL sent with trailing slash might not be matched in ASM policy
Component: Application Security Manager
Symptoms:
Request sent to a specific URL with added trailing slash may not be handled according to expected policy.
Conditions:
-- Request is sent with URL containing trailing slash.
-- Security policy contains the same URL, but without slash.
Impact:
URL enforcement is not done according to expected rules.
Workaround:
Add configuration for same URL with added trailing slash.
Fix:
URL with trailing slash is now handled as expected.
Fixed Versions:
16.1.2.2
1028269-2 : Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id.
Links to More Info: BT1028269
Component: Carrier-Grade NAT
Symptoms:
On a BIG-IP device configured with CGNAT + subscriber discovery license, the LSN log shows "unknown" for the pem_subscriber-id field.
Conditions:
-- PEM and CGNAT enabled
-- RADIUS and CGNAT traffic are in different route domains
Impact:
LSN log shows "unknown" for the pem_subscriber-id field.
Workaround:
N/A
Fix:
Subscriber-id now shows correctly in the LSN log after it is added with CGNAT provisioned check in subscriber-discovery.
Fixed Versions:
16.1.2.2
1028109-1 : Detected attack signature is reported with the wrong context.
Links to More Info: BT1028109
Component: Application Security Manager
Symptoms:
A detected attack signature on a multipart request might be reported with the wrong context.
Conditions:
Attack signature is detected in a multipart request.
Impact:
Reporting of the signature might contain the wrong context.
Workaround:
N/A
Fix:
All detected signatures on multipart requests are reported with the correct context.
Fixed Versions:
16.1.2
1027657-4 : Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules.
Links to More Info: BT1027657
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent monitor intervals for resource monitoring.
Conditions:
"require M from N" monitor rules configured.
Impact:
Monitor status flapping.
Workaround:
Do not use "require M from N" monitor rules.
Fixed Versions:
16.1.2.2
1027217-1 : Script errors in Network Access window using browser.
Links to More Info: BT1027217
Component: Access Policy Manager
Symptoms:
1. Users may receive JavaScript errors in their browser when starting Network Access resources.
2. User resources may fail to display when accessing a Full webtop.
3. When logging out, users may be redirected to https://apm-virtual-server/vdesk/undefined and get a blank page
4. Logon Page from SWG Policies may fail to display inside a browser.
Conditions:
The issue can be observed with at least one of these conditions.
1. Accessing APM virtual server using a browser.
2. Accessing APM resources via a Full webtop.
3. Starting APM resources via a Full webtop.
4. Accessing Logon Page in SWG deployment.
Impact:
1. Users cannot start Network Access resources.
2. Users are unable to logout properly from full webtop.
3. Logon page is not rendered and users will not be able to access resources.
Workaround:
1. Log into BIG-IP.
2. mount -o remount,rw /usr/.
3. Add "response_chunking 2" to _tmm_apm_portal_http in "/usr/lib/tmm/tmm_base.tcl" Example:
profile http _tmm_apm_portal_http {
max_header_size 32768
max_header_count 64
known_methods "CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK"
response_chunking 2
}
4. Restart tmm once the above param is added.
5. Garbage values in JavaScript aren't inserted after this change.
6. Remount the /usr directory as read-only.
mount -o remount,ro /usr/
-------------------------
Fix:
The logon page now renders correctly, resources are properly displayed on the webtop, you can start resources without JavaScript errors, and you no longer receive blank pages when logging out.
Fixed Versions:
15.1.4.1, 16.1.2
1026605-6 : When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes
Links to More Info: BT1026605
Component: Local Traffic Manager
Symptoms:
When bigd.mgmtroutecheck is enabled and monitors are configured in a non-default route-domain, bigd may calculate the interface index incorrectly. This can result in monitor probes improperly being denied when they egress a non-mgmt VLAN. Or monitor probes might be allowed to egress the management interface
Conditions:
-- Bigd.mgmtroutecheck is enabled.
-- Monitor probes in a non-default route domain
-- More than one VLAN configured in the route-domain
Impact:
Monitor probes may be denied even thought they egress a non-mgmt VLAN.
Monitor probes may be improperly allowed out a mgmt interface.
/var/log/ltm:
err bigd.0[19431]: 01060126:3: Health check would route via mgmt port, node fc02:0:0:b::1%1. Check routing table.
bigd debug log:
:(_do_ping): probe denied; restricted egress device and route check [ tmm?=false td=true tr=false addr=fc02:0:0:b::1%1:0 srcaddr=none ]
Workaround:
Disable bigd.mgmtroutecheck, reduce the number of VLANs inside the route-domain
Fix:
The Bigd interface index is now calculated properly
Fixed Versions:
16.1.2.2
1026549-1 : Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
Links to More Info: BT1026549
Component: TMOS
Symptoms:
For some BIG-IP Virtual Edition drivers, TMM may occasionally communicate an incorrect interface state change that might cause the interface to flap.
Conditions:
-- BIG-IP Virtual Edition using ixlv, ixvf, mlx5, or xnet drivers.
-- More TMMs and interfaces configured make this issue more likely to happen, but it happens randomly.
Impact:
In the case where the interface is part of a trunk a flap will occur when this happens.
There may be other as-yet unknown impacts for this issue.
Workaround:
Use a different VE driver than one of the ones listed above.
Fix:
BIG-IP Virtual Edition drivers no longer communicate incorrect interface states to mcpd.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1026005-1 : BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms.
Component: Local Traffic Manager
Symptoms:
The ordering of NICs 5-10 in VMware ESXi is based on PCI coordinates for the first boot and the order is ensured based on the /etc/ethmap script written by the kernel during initialization. BIG-IP VE does not follow/maintain the NIC order defined in the VMware ESXi hypervisor.
Conditions:
Using 5-10 interfaces, swap/remove/add an interface at the hypervisor level.
Impact:
When using 5-10 NICs in VMware ESXi and NSXT platforms, automation is prohibited due to BIG-IP VE not maintaining the NIC order defined in the hypervisor.
Workaround:
N/A
Fix:
Enabled BIG-IP VE scripts to honor the NIC order defined by the user in the VMware ESXi hypervisor and NSXT platforms.
Fixed Versions:
16.1.2.2
1025529-2 : TMM generates core when iRule executes a nexthop command and SIP traffic is sent
Links to More Info: BT1025529
Component: Service Provider
Symptoms:
If an iRule uses the 'nexthop' command to select a VLAN for a virtual server, TMM may crash.
Conditions:
-- Virtual server with SIP profile and iRule that executes a 'nexthop' command
-- SIP network traffic occurs
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Avoid using 'nexthop vlan' in an iRule in a SIP environment.
Fix:
iRule creation does not cause any TMM core.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1
1024841-2 : SSL connection mirroring with ocsp connection failure on standby
Links to More Info: BT1024841
Component: Local Traffic Manager
Symptoms:
SSL connection mirroring with ocsp stapling connection failure on standby, active completes handshake with delay.
Conditions:
SSL connection mirroring with ocsp stapling
Impact:
Handshake delay on active
Workaround:
Disable ocsp stapling or ssl connection mirroring
Fix:
SSL connection mirroring handshake with ocsp stapling completes normally.
Fixed Versions:
16.1.2.2
1024761-1 : HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body
Links to More Info: BT1024761
Component: Local Traffic Manager
Symptoms:
When rechunking is requested, HTTP responses with methods or status codes indicating that no body be present (like HEAD or 304) are receiving a Transfer-Encoding header and a terminating chunk. These responses should not have a body of any sort.
Conditions:
HTTP virtual server with rewrite profile present with the server that does HTTP caching.
Impact:
HTTP clients are unable to connect.
Workaround:
Remove the rewrite profile.
Possibly change http profile response-chunking from sustain to unchunk. This resolves the issue for the 304, but means that all other requests are changed from either chunking or unchunked with Content-Length header to unchunked without Content-Length and with "Connection: Close".
Fixed Versions:
15.1.5, 16.1.2.1
1024621-4 : Re-establishing BFD session might take longer than expected.
Links to More Info: BT1024621
Component: TMOS
Symptoms:
It might take a few minutes for a BFD session to come up. During this time you will notice session state transition multiple times between 'Admin Down' <-> 'Down'.
Conditions:
BFD peer trying to re-establish a session with BIG-IP, choosing ephemeral ports dis-aggregating to different TMMs.
Impact:
It might take a few minutes for a BFD session to come up.
Workaround:
Increasing Tx/Rx timers will minimize a chance of hitting the problem (For example 1000 TX/RX)
Fixed Versions:
16.1.2.2
1024225-3 : BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request
Links to More Info: BT1024225
Component: Local Traffic Manager
Symptoms:
BIG-IP proxying http2 -> http1.1. In response to a HEAD request, pool member sends response with "Transfer-Encoding: chunked" header without chunked payload. BIG-IP sends "Transfer-Encoding: chunked" header back to http2 client which generates RST_STREAM, PROTOCOL_ERROR. According to RFC 7450 a proxy SHOULD remove such headers.
Conditions:
1) H2 <-> H1 is configured on virtual server
2) HEAD request over http2->http1.1 gateway getting chunked response.
Impact:
Http2 connection is reset
Workaround:
iRule to remove "Transfer-Encoding: Chunked" header from response.
Fixed Versions:
16.1.2.2
1024101-1 : SWG as a Service license improvements
Links to More Info: BT1024101
Component: Access Policy Manager
Symptoms:
SWG sessions maxed out and the SWG license is not released until the APM session is ended.
Conditions:
SWG and APM are in use.
Impact:
SWG sessions are tied to APM sessions and can reach the limit and not be recycled even if the APM session is not actively using SWG.
Workaround:
None
Fix:
Fixed an issue with SWG session tracking.
Fixed Versions:
16.1.1
1023993-4 : Brute Force is not blocking requests, even when auth failure happens multiple times
Component: Application Security Manager
Symptoms:
Send traffic with multiple Authorization headers in the request after configuring the brute force. The traffic will not be blocked, when it is supposed to be.
Conditions:
When there is more than one Authorization header present in the requests.
Impact:
Brute force is possible with specially crafted requests having multiple Authorization headers and will be able to bypass brute force checks.
Workaround:
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.
Fix:
ASM detects the brute force attempt with multiple Authorization headers in the request.
Fixed Versions:
16.1.2.2
1023437-1 : Buffer overflow during attack with large HTTP Headers
Component: Anomaly Detection Services
Symptoms:
When the HTTP Headers are larger than 1024 characters and one of the anomalous textual headers is located after 1024, a buffer overflow might occur.
Conditions:
HTTP or TLS Signature protection is activated and during attack anomalous request arrives.
Impact:
Most of the time results in bad characters in the signature name, more rarely results in Memory Access Violation which could be exploited as buffer overflow attack.
Fix:
Enforce HTTP metadata size limit to be within the first 1024 characters of the HTTP Headers payload.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1023365-2 : SSL server response could be dropped on immediate client shutdown.
Links to More Info: BT1023365
Component: Local Traffic Manager
Symptoms:
SSL server response might be dropped if peer shutdown arrives before the server response.
Conditions:
-- the virtual server is using a Server SSL profile
-- the client sends FIN/ACK before the server responds
Impact:
The response from the pool member may be dropped.
Workaround:
N/A.
Fix:
Serverssl response now received after peer shutdown
Fixed Versions:
15.1.4.1, 16.1.2
1023341-1 : HSM hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, HSM interactions do not follow current best practices.
Conditions:
- HSM in use
Impact:
Certain HSM interactions do not follow current best practices.
Workaround:
N/A
Fix:
HSM interactions now follow current best practices.
Fixed Versions:
16.1.1
1022757-2 : Tmm core due to corrupt list of ike-sa instances for a connection
Links to More Info: BT1022757
Component: TMOS
Symptoms:
Tmm generates a core when a corrupt list of ike-sa instances is processed.
Conditions:
Deletion of an expired ike-sa.
Impact:
Restart of tmm and re-negotiation of IPsec tunnels. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
The internal list data structure has been reorganized to use fewer entities in less-complex relationships. This makes it less likely for a corrupted list to occur, so this issue is less likely to occur.
Fixed Versions:
16.1.2
1022637-1 : A partition other than /Common may fail to save the configuration to disk
Links to More Info: BT1022637
Component: TMOS
Symptoms:
A mismatch between the running-configuration (i.e. what is returned by "tmsh list ...") and the saved-configuration (i.e. what is stored in the flat configuration files) for a partition other than /Common, despite a "tmsh save config" operation was just performed (either by the user or as a result of a config-sync).
Conditions:
- One or more partitions other than /Common exist on the system.
- One or more of said partitions have no more configuration objects defined in them (i.e. are empty).
- A config save operation similar to "tmsh save sys config partitions { Common part1 [...] }" occurs, either manually initiated by an Administrator or as a result of a config-sync operation (in which case the device-group must be configured for manual synchronization).
Impact:
Should a BIG-IP Administrator notice the mismatch, the only immediate impact is confusion as to why the config save operation was not effective.
However, as the flat config files are now out-of-date, performing a config load operation on a unit in this state will resurrect old configuration objects that had been previously deleted.
On an Active unit, this may affect traffic handling. On a redundant pair, there is the risk that the resurrected objects may make it to the Active unit after a future config-sync operation.
Workaround:
If you notice the mismatch, you can resolve it by performing a config save operation for all partitions (i.e. "tmsh save sys config").
Fix:
Non /Common partitions now get saved to disk as intended.
Fixed Versions:
15.1.5, 16.1.2.2
1022625-2 : Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator
Links to More Info: BT1022625
Component: Access Policy Manager
Symptoms:
When creating a new service, certain default access profiles are not automatically selected.
Conditions:
1. SSL Orchestrator + APM + SWG provisioned
2. Select 'create-new' for access profile drop-down when adding a SwgAsService in SSL Orchestrator
A new tab opens with the profile creation page, but the access profile type drop-down does not have any type selected.
Impact:
When adding a SwgAsService in SSL Orchestrator, the only supported access profile type is SWG-Transparent, hence it should be automatically selected.
Workaround:
None
Fix:
Fixed an issue with automatic profile selection.
Fixed Versions:
16.1.1
1022417-1 : Ike stops with error ikev2_send_request: [WINDOW] full window
Links to More Info: BT1022417
Component: TMOS
Symptoms:
IKE SAs will be lost.
Conditions:
A failover occurs while IKE is sending DPD to the peer, and the reply is received by the newly active BIG-IP.
Multiple failovers can increase the likelihood that this occurs.
Impact:
IKE SAs may be deleted and there will be traffic loss.
Workaround:
Increase in DPD interval to reduce the probability of occurrence of the issue.
Fix:
Fixed an issue where IKE SAs were being lost during failover events.
Fixed Versions:
16.1.2
1022269-1 : False positive RFC compliant violation
Links to More Info: BT1022269
Component: Application Security Manager
Symptoms:
False positive RFC compliant violation.
Conditions:
Authorization header with specific types.
Impact:
False positive violations.
Workaround:
Turn on an internal parameter:
/usr/share/ts/bin/add_del_internal add ignore_authorization_header_decode_failure 1
Fix:
Added tolerance to the authorization headers parser.
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2
1021773-1 : Mcpd core.
Links to More Info: BT1021773
Component: TMOS
Symptoms:
Mcpd crashes and leaves a core file.
Conditions:
This issue can occur if BIG-IP fails to allocate huge pages, which can occur during module provisioning.
Impact:
Mcpd crashes and the system goes into an inoperative state.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
16.1.2
1021713-1 : TMM may crash when processing AFM NAT64 policy
Component: Local Traffic Manager
Symptoms:
TMM may crash or become unstable after producing the error:
Enabling NAT64 for virtual server (/Common/test) with security NAT policy configured is redundant/not required.
Conditions:
Either of the following configurations:
-- NAT64 enabled and AFM NAT64 policy attached.
-- security-nat-policy attached and NAT64 disabled.
Impact:
TMM may crash, leading to a traffic interruption and failover event.
Workaround:
N/A
Fix:
The system now handles these configurations.
Fixed Versions:
16.1.2
1021637-4 : In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs
Links to More Info: BT1021637
Component: Application Security Manager
Symptoms:
CSRF is sometimes enforced on URLs that do not match the CSRF URLs list
Conditions:
ASM policy with CSRF settings
Impact:
URLs that do not match the CSRF URLs list can be blocked due to CSRF violation.
Workaround:
None
Fix:
N/A
Fixed Versions:
16.1.2.2
1021521-1 : JSON Schema is not enforced if OpenAPI media-type is wild card.
Component: Application Security Manager
Symptoms:
If the openAPI configuration contains a wildcard media type for an endpoint, ASM does not enforce the JSON schema for requests with a JSON payload.
Conditions:
Create an OpenAPI policy with media type set to wildcard.
Impact:
ASM doesn't enforce JSON schema validation for HTTP requests containing a JSON payload.
Workaround:
N/A
Fix:
Provided fix and verified
Fixed Versions:
16.1.2.2
1021485-3 : VDI desktops and apps freeze with Vmware and Citrix intermittently
Links to More Info: BT1021485
Component: Access Policy Manager
Symptoms:
VMware VDI:
Blank screen is seen while opening remote desktop when VDI is configured with VMware.
Citrix:
Desktop freezes immediately after opening remote desktop when VDI is configured with Citrix.
Conditions:
VMware VDI:
-- VDI is configured with VMware
-- Desktop or App is launched using native client from Webtop.
wait till 2X inactivity timeout if inactivity timeout
Citrix:
-- VDI is configured with Citrix
-- Desktop or App is launched using native client from Webtop.
-- Configure Inactivity timeout to 0.
Impact:
VDI desktops freeze while opening or immediately after opening.
The following error is seen in APM logs:
"Session stats update failed: ERR_NOT_FOUND"
Workaround:
No
Fix:
Users should not experience any intermittent desktop freeze.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1021481-1 : 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden.
Links to More Info: BT1021481
Component: Local Traffic Manager
Symptoms:
The Linux command 'ifconfig' or 'ip a' shows two devices 'http-tunnel' and 'socks-tunnel' that are for TMM internal use only.
Conditions:
These interfaces show up regardless of the BIG-IP configuration.
Impact:
As long as these devices are not used there is no impact aside from possibly causing confusion. Any attempt to use those devices from a host process fails or produces unpredictable results. These devices should not be exposed on the Linux host.
Workaround:
N/A
Fix:
The devices 'http-tunnel' and 'sock-tunnel' no longer show up on the Linux host.
Fixed Versions:
16.1.2
1021417-1 : Modifying GTM pool members with replace-all-with results in pool members with order 0
Links to More Info: BT1021417
Component: Global Traffic Manager (DNS)
Symptoms:
GTMpool has multiple members with order 0.
Conditions:
There is an overlap for the pool members for the command replace-all-with and the pool members to be replaced.
Impact:
Multiple pool members have the same order.
Workaround:
Perform this procedure:
1. Delete all pool members from the GTM pool.
2. Use replace-all-with.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1021061-4 : Config fails to load for large config on platform with Platform FIPS license enabled
Links to More Info: BT1021061
Component: Global Traffic Manager (DNS)
Symptoms:
Config fails to load.
Conditions:
-- Platforms with Platform FIPS license enabled.
-- There are several ways to encounter this. One is with a large GTM (DNS) configuration that requires extending the gtmd stats file.
Impact:
Config file fails to load. For the gtmd configuration, gtmd repeatedly logs error messages similar to:
err gtmd[14954]: 011af002:3: TMSTAT error 'Invalid argument' creating row '/Common/vs_45_53' in table 'gtm_vs_stat'
For merged daemon, reports messages similar to:
err merged[9166]: 011b0900:3: TMSTAT error tmstat_row_create: Invalid argument.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1020957-1 : HTTP response may be truncated by the BIG-IP system
Links to More Info: BT1020957
Component: Local Traffic Manager
Symptoms:
Web pages are not rendered properly; HTTP responses are truncated when traversing the BIG-IP system.
Conditions:
-- Virtual server with an HTTP profile
-- HTTP server generates a compressed response
-- BIG-IP system determines that it must decompress the payload, e.g., a rewrite profile attached to the virtual server
Impact:
HTTP responses are truncated when passing through the BIG-IP system.
Workaround:
One of the following:
-- Add an HTTP Compression profile to the virtual server, and ensure that 'Keep Accept-Encoding' is not selected.
-- Use an iRule to remove the Accept-Encoding header from requests, e.g.:
ltm rule workaround {
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
}
}
Fixed Versions:
16.1.2
1020789-4 : Cannot deploy a four-core vCMP guest if the remaining cores are in use.
Links to More Info: BT1020789
Component: TMOS
Symptoms:
When trying to deploy a vCMP guest on an i11800 vCMP host using four or more cores while all of the other cores are in use, the following error message may be seen:
err mcpd[<pid>]: 0107131f:3: Could not allocate vCMP guest (<guest_name>) because fragmented resources
--------------------------------------------------
one more similar issue has raised for 8 guests allocation failure
When trying to deploy a eight core guest on an i11800 vCMP host where four 2 cores are in use, the following error message may be seen:
0107131f:3: Could not allocate vCMP guest (guest-8cores-A) because fragmented resources
Conditions:
-- VCMP provisioned and all or most cores are in use.
-- Attempt to deploy a guest.
This is more likely to occur with vCMP guests that use four or more cores.
Impact:
All of the available cores cannot be used.
Workaround:
You may be able to work around this by deploying the largest guests first, then any remaining 2-core guests.
There is currently no other fix.
Fix:
N/A
Fixed Versions:
16.1.2.2
1020717-4 : Policy versions cleanup process sometimes removes newer versions
Component: Application Security Manager
Symptoms:
The policy versions cleanup process sometimes removes versions in incorrect order. Newer versions are removed while older versions are preserved.
Conditions:
"maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg" has very low value.
Impact:
Newer versions are removed.
Workaround:
increase value of "maxSizeOfSavedVersions" configuration parameter in "/etc/ts/tools/policy_history.cfg"
Fixed Versions:
16.1.2.2
1020705-2 : tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name
Links to More Info: BT1020705
Component: Application Visibility and Reporting
Symptoms:
Output of "tmsh show analytics dos-l3 report view-by attack-id" command has changed from version 13.x to 15.x. "Attack type" was removed from the system, so it was automatically replaced by the first metric "allowed-requests-per-second". For DOS L3 "Attack type" was replaced by "Vector Name" but it currently is not shown in the report along wit "Attack ID"
Conditions:
AFM is provisioned
Impact:
This change might cause scripts to fail if they use the name of the field.
Workaround:
1) edit /etc/avr/monpd/monp_dosl3_entities.cfg file. Change [dosl3_attack_id] section the following way: add 'vector_name' to measures list and add an additional parameter 'default_measure' as specified below :
[dosl3_attack_id]
...
measures=allowed_requests_per_sec,count,drop_per_sec,drop_count,total_per_sec,total_count,attacks_count,attack_type_name,category_name,vip_name,period,vector_name
default_measure=vector_name
...
2) edit /etc/avr/monpd/monp_dosl3_measures.cfg file. Add in the end the following section:
[vector_name]
id=vector_crc
formula=IF(count(distinct FACT.vector_crc)>1,'Aggregated',attack_vector_str)
merge_formula=IF(count(distinct vector_name)>1,'Aggregated',vector_name)
dim=AVR_DIM_DOS_VIS_ATTACKS_VECTOR
dim_id=attack_vector_crc
tmsh_display_name=vector-name
display_name=Vector
comulative=false
priority=65
3) restart the BIG-IP system: bigstart restart
After the system is up you can apply the same tmsh command: "tmsh show analytics dos-l3 report view-by attack-id"
You will get a result similar to 13.x. Note that "attack_type_name" is replaced by "vector-name"
Fix:
Workaround applied as fix.
Fixed Versions:
14.1.4.4, 15.1.3.1, 16.1.2
1020549-1 : Server-side connections stall with zero window with OneConnect profile
Links to More Info: BT1020549
Component: Local Traffic Manager
Symptoms:
Serverside connections from pool member to BIG-IP hang, with the BIG-IP advertising a TCP zero window.
Conditions:
-- Virtual server with OneConnect profile
-- The BIG-IP applies flow-control to the serverside connection (e.g. the server's response to the BIG-IP is faster than the BIG-IP's forwarding the response to the client)
-- The serverside connection is subsequently re-used
Impact:
Serverside connections hang in the middle of data transfer, and will eventually time out.
Workaround:
If possible, remove the OneConnect profile from the virtual server.
Note: removing a OneConnect profile may cause problems with persistence, as described in
K7964: The BIG-IP system may appear to ignore persistence information for Keep-Alive connections (https://support.f5.com/csp/article/K7964)
Fixed Versions:
16.1.2.2
1020377-1 : Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon
Links to More Info: BT1020377
Component: TMOS
Symptoms:
If an IKEv2 tunnel terminates with an error condition, afterward it is possible for IKE packets to be received by the IKEv1 racoon daemon, which is listening to local host (i.e 127.0.0.1) on ports 500 and 4500.
Conditions:
To get the problem to occur, you may need these details:
-- an IKEv2 config where traffic selector narrowing happens
-- termination of an IKEv2 tunnel with an error condition
-- some other BIG-IP service using the same local self IP
Packets can reach the IKEv1 racoon daemon only when some BIG-IP service uses bigself as the proxy, which forwards packets to localhost (127.0.0.1) with the same port number. So even if no IKEv1 config is present for a local self IP, if some other BIG-IP service also uses bigself as a proxy, this can forward IKE packets to localhost as well.
Impact:
The IKEv2 tunnel does not get renegotiated, because IKE packets reach the IKEv1 daemon, which ignores them, because the proper listener to handle IKEv2 is missing. As a result, tunnel service is interrupted.
Workaround:
Deleting and re-adding the problematic ike-peer and traffic-selector should bring back IPsec support for that tunnel.
If the initiating and responding sides of the tunnel have identical traffic-selector proposals, then narrowing should not happen, and this would also prevent the problem in the first place.
Fix:
BIG-IP systems now manage and handle multiple references to the same listener in a more rigorous way, so the IKEv2 listener cannot go away while it is still needed.
Fixed Versions:
16.1.2
1020337-2 : DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator
Links to More Info: BT1020337
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) from DNSMSG::section in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operations against DNS RRs returned from DNSMSG::section.
Fixed Versions:
16.1.2.2
1019853-1 : Some signatures are not matched under specific conditions
Links to More Info: K30911244, BT1019853
Component: Application Security Manager
Symptoms:
Some signatures are not matched, attacking traffic may pass through.
Conditions:
- Undisclosed signature conditions
Impact:
Attacking traffic can bypass the WAF.
Workaround:
N/A
Fix:
Signatures are now matched as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1019829-2 : Configsync.copyonswitch variable is not functioning on reboot
Links to More Info: BT1019829
Component: TMOS
Symptoms:
Configsync.copyonswitch variable is not functioning properly during reboot to another partition
Conditions:
-- db variable configsync.copyonswitch modified
-- hostname is changed in global-settings
-- reboot to another partition
Impact:
The hostname will be changed back to the default hostname after reboot
Fixed Versions:
16.1.1
1019721-1 : Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export
Component: Application Security Manager
Symptoms:
When exporting template-based (minimal) JSON policy with profiles and associated validation files, the resulting configuration is wrong.
- Configuration for the JSON validation file is missing from the exported policy
- The JSON profile associated validation file has the name but no content
Conditions:
Export a minimal JSON policy with JSON/XML validation files associated to the JSON/XML profile.
Impact:
Error due to wrong configuration of the validation file during import.
Fixed Versions:
16.1.2.2
1019613-5 : Unknown subscriber in PBA deployment may cause CPU spike
Links to More Info: BT1019613
Component: Carrier-Grade NAT
Symptoms:
in PBA deployment, a CPU spike may be observed if the subscriber-id log is enabled and the subscriber-id is unknown.
Conditions:
-- PBA configuration
-- Address translation persistent is enabled
-- Subscriber-id log is enabled
-- There is an unknown subscriber
Impact:
Overall system capacity reduces.
Workaround:
Disable subscriber-id logging.
Fix:
Unknown subscriber in PBA deployment no longer causes a CPU spike.
Fixed Versions:
16.1.2.2
1019609-1 : No Error logging when BIG-IP device's IP address is not added in client list on netHSM.&start;
Links to More Info: BT1019609
Component: Local Traffic Manager
Symptoms:
"Ensure BIG-IP's IP address is added to the client list"
error log is not displayed, despite the BIG-IP not being added to the client list in Thales/nShield/Entrust HSM.
Conditions:
BIG-IP is not added to the client list in Thales/nShield/Entrust HSM.
Impact:
Difficult to debug the error condition to due lack of error message
Workaround:
None
Fix:
Grep error text information on stderror stream now works.
Fixed Versions:
16.1.2.1
1019357-2 : Active fails to resend ipsec ikev2_message_id_sync if no response received
Component: TMOS
Symptoms:
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device.
If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow.
After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Conditions:
-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs
Impact:
Traffic loss.
Workaround:
None
Fix:
Fetch latest connection flow during retransmission of IKE/IPSEC packet.
Fixed Versions:
16.1.2.2
1018613-1 : Modify wideip pools with replace-all-with results pools with same order 0
Links to More Info: BT1018613
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wideip pools have the order 0.
Conditions:
There are overlap for the pools for command replace-all-with and the pools to be replaced.
Impact:
iQuery flapping between GTMs.
Workaround:
First delete all pools from the wideip and then use replace-all-with.
Fixed Versions:
16.1.2.2
1018577-4 : SASP monitor does not mark pool member with same IP Address but different Port from another pool member
Links to More Info: BT1018577
Component: Local Traffic Manager
Symptoms:
When the LTM SASP monitor is applied to a pool with multiple members having the same IP Address but different Ports, only one of the pool members with the duplicated IP Address will be monitored (marked UP or DOWN as appropriate). Other pool members sharing the same IP Address will remain in a 'checking' state.
Conditions:
This occurs when using the SASP monitor in a pool with multiple members having the same IP Address but different Ports.
For example:
ltm pool sasp_test_pool {
members {
sasp_1:80 {
address 10.10.10.1
}
sasp_1:8080 {
address 10.10.10.1
}
sasp_2:80 {
address 10.10.10.2
}
sasp_2:8080 {
address 10.10.10.2
}
}
monitor sasp_test
}
In this case, only one pool member with a given IP Address will be correctly monitored by the sasp monitor.
Any additional pool members with the same IP Address but different port will not be monitored by the SASP monitor and will remain in a 'checking' state.
Impact:
Not all pool members may be effectively/accurately monitored by the SASP monitor.
Fix:
The ltm sasp monitor correctly monitors members of a pool which share the same IP Address but different Ports.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1018493-1 : Response code 304 from TMM Cache always closes TCP connection.
Links to More Info: BT1018493
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured to accelerate HTTP traffic, it caches responses with 200 and 304 response codes. Serving a response with "304 Not Modified" code, TMM may close a connection to a client.
Conditions:
-- A virtual server has a web-acceleration profile (without a web application for versions prior 16.0.0).
-- A response with code 304, stored in TMM cache, is served to a request.
Impact:
A client needs to open a new TCP connection every time when a response with "304 Not Modified" code is served.
Fix:
TMM correctly serves a response with "304 Not Modified" code, allowing to correctly handle TCP connection status.
Fixed Versions:
14.1.4.5, 15.1.4, 16.1.2
1018309-5 : Loading config file with imish removes the last character
Links to More Info: BT1018309
Component: TMOS
Symptoms:
While loading a configuration from the file with IMISH ('imish -f <f_name>'),truncating the last line.
printf 'log file /var/log/zebos.log1' >/shared/tmp/new.cfg
Running imish -r 0 -f /shared/tmp/new.cfg have the last character missing like below:
log file /var/log/zebos.log
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Configuration commands cannot be created properly.
Workaround:
For CLI, use extra control char at the end or \n.
Fixed Versions:
15.1.4.1, 16.1.1
1018285-2 : MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction
Links to More Info: BT1018285
Component: Service Provider
Symptoms:
MRF DIAMETER is not DIAMETER-application aware. It does not have application-specific business logic. When creating a DIAMETER solution, BIG-IP operators often need to write iRule scripts that remove a session persistence entry at the end of a transaction.
Conditions:
Some applications require removal of the persistence entry upon successful and unsuccessful completion of a transaction.
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule log_dia_error
ltm rule log_dia_error {
when DIAMETER_INGRESS {
set cmd_code [DIAMETER::command]
if { $cmd_code == 272 } {
set cc_req_type [DIAMETER::avp data get 416 integer32]
if {[DIAMETER::is_response] && $cc_req_type == 3 } {
log local0. "Persistence record delete-on-any"
DIAMETER::persist delete-on-any
}
}
}
Impact:
iRule script is required.
Fix:
DIAMETER::persist irule are supported to remove a persistence entry based on the result status of a answer message.
below irule commands are supported.
DIAMETER::persist delete-on-any
DIAMETER::persist delete-on-success
DIAMETER::persist delete-on-failure
DIAMETER::persist delete-none
Fixed Versions:
15.1.4.1, 16.1.2
1018145 : Firewall Manager user role is not allowed to configure/view protocol inspection profiles
Links to More Info: BT1018145
Component: Protocol Inspection
Symptoms:
A user account with the "firewall-manager" role that is assigned permissions only to custom partitions will not be able to configure protocol inspection profiles.
Conditions:
-- A user account is created with the role firewall-manager.
-- A custom partition is created.
-- The newly created user is given access to the newly created partition.
Impact:
Any user account without access to "/Common" partition is not allowed to configure protocol inspection profiles.
Workaround:
- If the user account is provided access to "/Common" partition as well, the user should be able to configure protocol-inspection profiles in the newly created custom partitions.
Fix:
The permissions are granted for any non-admin user to configure protocol inspection profiles in a custom partition as long as they have access to "/Common" partition as well.
Fixed Versions:
15.1.4, 16.1.1
1017721-5 : WebSocket does not close cleanly when SSL enabled.
Links to More Info: BT1017721
Component: Local Traffic Manager
Symptoms:
After sending a close frame to the WebSocket server, the WebSocket client receives 1006 response.
Conditions:
Virtual server with the following profiles:
-- WebSocket
-- HTTP over SSL (at least server side SSL)
and connection closure is initiated by the client.
Impact:
Client side applications experience errors in the form of WebSocket abnormally closing connections with error code 1006.
Workaround:
Avoid using SSL on WebSocket server context.
Fix:
WebSocket connections close without any error.
Fixed Versions:
16.1.2.2
1017533-3 : Using TMC might cause virtual server vlans-enabled configuration to be ignored
Links to More Info: BT1017533
Component: Local Traffic Manager
Symptoms:
When switching between traffic-matching-criteria (TMC) and regular virtual-server configuration, the vlans-enabled option might be ignored, causing unexpected traffic handling.
Conditions:
Changing virtual-server configuration when using traffic-matching-criteria.
Impact:
Unexpected traffic handling and disruption
Workaround:
Avoid using TMC (port lists and address lists). When in a 'faulty' state you can try changing vlan-enabled on and changing it back on the virtual server, you might need to clear existing connections afterwards.
Follow below articles.
K53851362: Displaying and deleting BIG-IP connection table entries from the command line
K52091701: Handling Connections that have been matched to the wrong Virtual Server.
Fixed Versions:
16.1.2.2
1017513-5 : Config sync fails with error Invalid monitor rule instance identifier
Links to More Info: BT1017513
Component: Local Traffic Manager
Symptoms:
If you remove or attach a different monitor to an fqdn pool, then perform a full config-sync, an error occurs:
Load failed from /Common/bigip1 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 58.
Conditions:
-- BIG-IP device is configured with fqdn nodes/pools with monitors.
-- Modify an fqdn pool to remove or attach a different monitor.
-- Run the command: run cm config-sync to-group Failover
-- Perform a full config-sync.
Impact:
Sync to the peer device(s) fails.
Workaround:
Use incremental-sync.
Fixed Versions:
14.1.4.5, 16.1.2.1
1017233-2 : APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption
Links to More Info: BT1017233
Component: Access Policy Manager
Symptoms:
A corrupted password is sent as part of the "Authorization" header to the backend device and as a result, http 404 is returned
Conditions:
-- iRule for ActiveSync is used
-- The BIG-IP system has multiple tmms running
Impact:
User Authentication is failed by the backed server
Fixed Versions:
15.1.4.1, 16.1.2
1017153-4 : Asmlogd suddenly deletes all request log protobuf files and records from the database.
Links to More Info: BT1017153
Component: Application Security Manager
Symptoms:
Asmlogd suddenly deletes all request log protobuf files and records from the database.
Additionally, after the deletion happens, newly generated event logs seen in database do not show up in TMUI.
Conditions:
-- ASM provisioned
-- Config-sync setup, with frequent sync recovery and/or with a manual-sync device-group with ASM sync enabled.
Impact:
Sudden loss of request logs.
Workaround:
Delete all empty partitions and restart asmlogd.
1) View all the partitions:
# perl -MF5::Db::Partition -MData::Dumper -MF5::DbUtils -e 'print Dumper(F5::Db::Partition::retrieve_partitions_info(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG"))'
Take note of the 'PARTITION_NAME' and 'TABLE_ROWS' for each partition.
2) For every partition_X (in PARTITION_NAME) with '0' in TABLE_ROWS, delete it by:
# perl -MF5::Db::Partition -MF5::DbUtils -e 'F5::Db::Partition::delete_partition(dbh => F5::DbUtils::get_dbh(), table_name => "PRX.REQUEST_LOG", partition_name => "partition_X")'
3) restart asmlogd if and after done all deletes:
# pkill -f asmlogd
NOTE: this workaround is temporary. Meaning, that the number of empty partitions will again accumulate and the same issue will happen again. The MAX number of partitions is - 100. Thus, it is advised to monitor the total number of *empty* partitions and repeat the workaround periodically. A cron script should work well. Normally, empty partitions should NOT accumulate. Thus, it is safe to run this script once an hour and remove all empty partitions.
Optionally, if you are having TMUI issue with newly generated event logs, perform the additional command below to delete rows from PRX.REQUEST_LOG_PROPERTIES for which no corresponding rows exist in PRX.REQUEST_LOG.
# mysql -t -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'delete from PRX.REQUEST_LOG_PROPERTIES where request_log_id > (select id from PRX.REQUEST_LOG order by id desc limit 1)'
Fix:
Upgrading to a fixed software version will not delete accumulated partitions and will not clear the symptom away. The fix will prevent ASM from accumulating partitions unnecessarily in the scenarios.
If your ASM system is experiencing this and partitions are accumulated, perform the workaround to clear the symptom. Using a fixed software version, you only need to perform the workaround once. You no longer have to perform it periodically.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1016449-3 : After certain configuration tasks are performed, TMM may run with stale Self IP parameters.
Links to More Info: BT1016449
Component: Local Traffic Manager
Symptoms:
A Self IP instantiated by performing specific configuration tasks (see Conditions) does not work (e.g. the system does not respond to ARP requests for it).
On the contrary, the system continues to use (e.g. respond to ARP requests for) an old version of the Self IP specifying a different address.
Conditions:
This issue is known to occur when one of the following operations is performed:
- Restoring a UCS or SCF archive in which a Self IP with a specific name specifies a different address.
- Performing a config-sync between redundant units in which the sender changes a Self IP with a specific name to use a different address. For example:
tmsh delete net self <name>
tmsh create net self <name> address <new_address> ...
tmsh run cm config-sync to_group ...
- Performing specific tmsh CLI transactions involving Self IP modifications.
Impact:
The system does not utilise the configured Self IP address. Traffic will be impacted as a result (for example, in connections to the unit, in snat automap, etc.).
Workaround:
Restart TMM (bigstart restart tmm) on affected units.
Fix:
TMM now correctly handles supported Self IP address modifications.
Fixed Versions:
16.1.2.2
1016441-4 : RFC Enforcement Hardening
Component: Local Traffic Manager
Symptoms:
When the HTTP profile RFC Enforcement Flag is enabled, certain non-RFC compliant headers are still allowed.
Conditions:
- Virtual Server with HTTP profile.
- RFC Enforcement Flag enabled.
- HTTP request with non-RFC compliant headers.
Impact:
Non-RFC compliant headers passed to server.
Workaround:
N/A
Fix:
BIG-IP will drop non-RFC compliant HTTP requests when the RFC compliance flag is ON.
Fixed Versions:
16.1.2.2
1016113-1 : HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile.
Links to More Info: BT1016113
Component: Local Traffic Manager
Symptoms:
Configurations containing HTTP response-chunking 'sustain' and a Web Acceleration profile do not rechunk payload regardless of whether the web server responds with a chunked response.
Conditions:
-- Incoming response payload to the BIG-IP system is chunked.
-- HTTP profile is configured with response-chunking 'sustain'.
-- Web Acceleration profile also configured on the same virtual server.
Impact:
The BIG-IP response is not chunked, regardless of whether the associated web server responds with a chunked payload when the Web Acceleration is utilized.
Workaround:
For a chunked response to be delivered to the client, apply the iRule command 'HTTP::rechunk' to responses when a Web Acceleration profile is used.
Fix:
The BIG-IP response is chunked appropriately when a Web Acceleration profile is used.
Fixed Versions:
15.1.4, 16.1.2
1016049-6 : EDNS query with CSUBNET dropped by protocol inspection
Links to More Info: BT1016049
Component: Local Traffic Manager
Symptoms:
EDNS query might be dropped by protocol inspection with an error log in /var/log/ltm similar to:
info tmm[21575]: 23003139 SECURITYLOG Drop sip:192.168.0.0 sport:64869 dip:1.1.1.1 dport:53 query:test.f5.com qtype:malformed attack:malformed
Conditions:
Query containing CSUBNET option.
Impact:
Some queries might fail.
Fixed Versions:
16.1.2.2
1015645-2 : IPSec SA's missing after reboot
Links to More Info: BT1015645
Component: TMOS
Symptoms:
Some IPSec SA's created after Tunnel migration may be missing after a reboot.
Conditions:
- IPSec tunnels
- Load balancing continues through tunnel migration
- The active BIG-IP system is rebooted
Impact:
Some IPSec SA's may be missing after the reboot
Workaround:
None
Fix:
During reboot, Load balancing information is loaded based on creation time instead of arrival time.
Fixed Versions:
16.1.2
1015133-5 : Tail loss can cause TCP TLP to retransmit slowly.
Links to More Info: BT1015133
Component: Local Traffic Manager
Symptoms:
If a long tail loss occurs during transmission, TCP might be slow to recover.
Conditions:
-- A virtual server is configured with the TCP profile attached.
-- SACK and TLP are enabled.
-- A tail loss of multiple packets sent by the BIG-IP occurs.
Impact:
BIG-IP retransmits one packet per RTT, causing a long recovery. The impact is more pronounced if an entire window is lost.
Workaround:
Disabling TLP may improve performance in this particular case, but may degrade performance in other situations.
Fix:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Behavior Change:
A new sys db key was added: tm.tcpaggressivepartialack (disabled by default). When enabled, more data is retransmitted every RTT, similar to slow-start.
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1013629-4 : URLCAT: Vulnerability Scan finds many Group/User Read/Write (666/664/662) files
Links to More Info: BT1013629
Component: Traffic Classification Engine
Symptoms:
Shared memory files in relation with URLCAT have file permissions set to (-rwxrwxrwx), which is not necessary and needs to be restricted to (-rw-rw-r--).
Conditions:
Performing a Vulnerability Scan on shared memory files in relation with URLCAT.
Impact:
Full permission can result in unintentional/unauthorized access, which could result in unexpected behavior of the URLCAT feature.
Workaround:
Manually change permissions from (-rwxrwxrwx) to (-rw-rw-r--) using the chmod command.
Fix:
Shared Memory file permissions are now set to (-rw-rw-r--).
Fixed Versions:
16.1.2
1013569-1 : Hardening of iApps processing
Component: Guided Configuration
Symptoms:
Under certain conditions, iApps do not follow current best practices.
Conditions:
- iApps in use
Impact:
iApps do not follow current best practices.
Workaround:
N/A
Fix:
iApps now follow current best practices.
Fixed Versions:
15.1.4, 16.1.1
1012721-4 : Tmm may crash with SIP-ALG deployment in a particular race condition
Links to More Info: BT1012721
Component: Service Provider
Symptoms:
Tmm crashes in SIP-ALG deployment
Conditions:
--- SIP-ALG is deployed
--- While processing first SIP REGISTER at server-side
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes in this race condition
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1
1012221-1 : Message: childInheritanceStatus is not compatible with parentInheritanceStatus&start;
Links to More Info: BT1012221
Component: Application Security Manager
Symptoms:
The BIG-IP system is unable to deploy a revision of upgraded child policies and you see an error:
Failed pushing changed objects to device <device>: Could not update the Section 'Threat Campaigns'. childInheritanceStatus is not compatible with parentInheritanceStatus.
Conditions:
-- An ASM Child Policy is present on the BIG-IP device in a version earlier than 14.0.0
-- The BIG-IP system is upgraded to version 14.0.0 or later
Impact:
This corruption impacts BIG-IQ interactions with the Child Policy and causes exported Child Policies to be incorrect.
Workaround:
After upgrading, perform the following:
1. Log into the BIG-IP Configuration Utility
2. Go to Security :: Application Security :: Security Policies :: Policies List
3. Select the first Parent Policy
4. Go to Inheritance settings and change Threat Campaigns from None to Optional
5. Click Save Changes
6. Change Threat Campaigns from Optional back to None
7. Click Save Changes
8. Click Apply
9. Repeat steps 3-8 for each additional Parent Policy
Fixed Versions:
16.1.2.2
1011433-1 : TMM may crash under memory pressure when performing DNS resolution
Links to More Info: BT1011433
Component: Global Traffic Manager (DNS)
Symptoms:
When running low on free memory, TMM may crash when performing DNS resolution.
Conditions:
-- TMM is under memory pressure.
-- TMM is performing DNS resolution via one of the following mechanisms:
--+ iRule using the "RESOLV::lookup" command
--+ AFM firewall rules that reference hostnames
--+ APM
Impact:
Traffic disrupted while tmm restarts.
Fixed Versions:
16.1.2.2
1011217-5 : TurboFlex Profile setting reverts to turboflex-base after upgrade&start;
Links to More Info: BT1011217
Component: TMOS
Symptoms:
Custom TurboFlex Profile settings revert to the default turboflex-base profile after an upgrade.
Conditions:
-- iSeries platform with ix800 performance license
-- A non-default TurboFlex Profile is applied
-- The BIG-IP device is upgraded
Impact:
Some features of the previously selected TurboFlex Profile that are not part of the turboflex-base profile, are missing after upgrade. The TurboFlex Profile must be reconfigured after upgrade.
Workaround:
Reconfigure the TurboFlex Profile after upgrade.
Fix:
TurboFlex Profile settings are now preserved after the upgrade.
Fixed Versions:
16.1.2.2
1011069-1 : Group/User R/W permissions should be changed for .pid and .cfg files.
Component: Application Security Manager
Symptoms:
The following files should be set with lower permissions:
/etc/ts/dcc/dcc.cfg (-rw-rw--w-)
/run/asmcsd.pid (-rw-rw--w-)
/run/bd.pid (-rw-rw--w-)
/run/dcc.pid (-rw-rw--w-)
/run/pabnagd.pid (-rw-rw--w-)
Conditions:
Always
Impact:
Incorrect file permissions.
Workaround:
chmod 664 <files_list>
Fix:
The corrected permissions 664 are applied to the given list of files.
Fixed Versions:
16.1.2.2
1011065-1 : Certain attack signatures may not match in multipart content
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains multipart body that matches specific attack signatures.
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
15.1.4.1, 16.1.2
1011061-4 : Certain attack signatures may not match in multipart content
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM may not correctly detect attack signatures.
Conditions:
- ASM provisioned
- Request contains a specially-crafted multipart body
Impact:
Attack detection is not triggered as expected.
Workaround:
None
Fix:
Attack detection is now triggered as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1010617-1 : String operation against DNS resource records cause tmm memory corruption
Links to More Info: BT1010617
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm cores with umem debug enabled.
Conditions:
A string operation is performed against DNS resource records (RRs) in an iRule.
Impact:
Tmm memory corruption. In some situations, tmm could crash. Traffic disrupted while tmm restarts.
Workaround:
Do not use string operation against DNS RRs.
Fixed Versions:
16.1.2.2
1009949-4 : High CPU usage when upgrading from previous version&start;
Links to More Info: BT1009949
Component: TMOS
Symptoms:
When upgrading version from 12.x to 14.1.4, ospfd has high cpu utilization.
Conditions:
-- OSPF is enabled.
-- The BIG-IP system is upgraded from 12.x to 14.1.4.
Impact:
Performance Impact.
Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2
1009093-2 : GUI widgets pages are not functioning correctly
Links to More Info: BT1009093
Component: Application Visibility and Reporting
Symptoms:
Some links and drop-down fields are not available for 'pressing/clicking' on AVR-GUI widgets pages
Conditions:
AVR/ASM is provisioned
Impact:
Cannot use AVR GUI pages correctly
Workaround:
1. Back up the following file, and then edit it:
/var/ts/dms/amm/templates/overview.tpl
1.a. Remove the following line:
<script type="text/javascript" src="script/analytics_stats.js{{BIGIP_BUILD_VERSION_JS}}"></script>
1.b. Add the following lines after the 'var _default_smtp = '{{smtp_mailer}}';' line:
$(document).ready(function() {
if(!window.AVR_LOCALIZATION) return;
$('.need-localization-avr').each(function() {
var item = $(this);
if (item.is("input")) {
var key = "avr." + item.val().replace(/\s/g, '');
item.val(window.AVR_LOCALIZATION[key] || item.val());
} else {
var key = "avr." + item.text().replace(/\s/g, '');
item.text(window.AVR_LOCALIZATION[key] || item.text());
}
}).removeClass('need-localization-avr');
});
1.c. Save and exit (might require the 'force' save with root user).
2. Log out of the GUI.
3. Log back in.
Fix:
GUI widgets pages now function correctly.
Fixed Versions:
15.1.5, 16.1.2.1
1009037-1 : Tcl resume on invalid connection flow can cause tmm crash
Links to More Info: BT1009037
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Tmm logs contain a line that looks like: "Oops @ 0x2bbd463:139: Unallocated flow while polling for rule work. Skipping."
Conditions:
1) iRule uses a function that may suspend iRule processing (see https://support.f5.com/csp/article/K12962 for more about this).
2) The connflow associated with the iRule is being torn down by tmm.
3) Depending upon the exact timing there is a rare chance that the iRule will resume on the wrong connflow which can cause a core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1008849-4 : OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration.
Links to More Info: BT1008849
Component: Application Security Manager
Symptoms:
To fulfill "A4 XML External Entities (XXE)", some required signatures need to be enforced.
Due to an update in some of those attack signatures names, this section does not find the signatures and by mistake it shows that the signatures are not enforced.
Also, when you choose to enforce the required signatures, this section tries to enforce the signatures, but looks for them via the old name, so it does not find them, and can't enforce them.
Conditions:
The attack signatures file is updated with the new names for the XXE signatures.
The old names are in use while trying to find and enforce the signatures, but it does not find them and can't enforce them and also can't see if they are already enforced.
Impact:
"A4 XML External Entities (XXE)" Compliance can't be fully compliant.
Workaround:
N/A
Fix:
The signature ID is being used instead of signature name, and now it can find them and enforce them if needed.
Fixed Versions:
16.1.2.2
1008837-1 : Control plane is sluggish when mcpd processes a query for virtual server and address statistics
Links to More Info: BT1008837
Component: TMOS
Symptoms:
When there are thousands of rows in the virtual_server_stat table and mcpd receives a query for for all virtual server or virtual address statistics, mcpd can take a long time to process the request.
There might be thousands of rows if thousands of virtual servers server are configured.
There could also be thousands of rows if there are virtual servers configured for source or destination address lists, where those lists contain tens or hundreds of addresses.
Conditions:
-- Thousands of virtual_server_stat rows.
-- mcpd processes a query_stats request for the virtual_server_stat table.
Impact:
When mcpd is processing a query for virtual server statistics:
-- TMSH and GUI access is very slow or non-responsive.
-- SNMP requests timeout.
-- mcpd CPU usage is high.
Workaround:
None
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2.2
1008501-1 : TMM core
Links to More Info: BT1008501
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
Transparent monitors monitoring a virtual server's IP address.
Note: Although this is the current understanding of the issue, it is not clear whether this is an true requirement for the issue to occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.2.2
1008269-1 : Error: out of stack space
Links to More Info: BT1008269
Component: TMOS
Symptoms:
When polling for profile statistics via iControl REST, the BIG-IP system returns an error:
Error: out of stack space
Conditions:
Polling stats via iControl REST.
Impact:
You are intermittently unable to get stats via iControl REST.
Workaround:
None
Fixed Versions:
16.1.2.2
1008265-1 : DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond&start;
Component: Advanced Firewall Manager
Symptoms:
DoS Flood and Sweep vector states are disabled after upgrade.
Conditions:
DoS Flood and Sweep vectors are enabled prior to an upgrade to software release 14.x and beyond.
Impact:
DoS Flood and Sweep vector states are disabled. System is susceptible to a DoS attack.
Workaround:
Reset the DoS Flood and Sweep vectors to their previous state.
Fix:
Removed default disabled state from upgrade scripts so that both vectors were restored to previous configured state
Fixed Versions:
16.1.2.2
1008017-2 : Validation failure on Enforce TLS Requirements and TLS Renegotiation
Links to More Info: BT1008017
Component: Local Traffic Manager
Symptoms:
The configuration load fails with an error:
err mcpd[4182]: 0107186b:3: Invalid "enforce-tls-requirements" value for profile /prod/my_profile. In Virtual Server (/common/my_virtual_server) an http2 profile with enforce-tls-requirements enabled is incompatible with client-ssl/server-ssl profile with renegotiation enabled. Value must be disabled.
Conditions:
BIG-IP system allows this configuration and fails later:
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (with renegotiation disabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add server SSL profile with 'TLS Renegotiation' enabled.
3. Save the configuration.
4. Load the configuration.
Impact:
The configuration will not load if saved.
Workaround:
If enabling 'Enforce TLS Requirements' in a HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in the Server SSL profiles on that virtual server.
Fix:
There is now a validation check to prevent this configuration, which is the correct functionality.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1007901-1 : Support for FIPS 140-3 Module identifier service.
Component: TMOS
Symptoms:
The module provides a service to output module name/identifier and version that can be mapped to the validation records.
The 'tmsh show sys version' command shows a version, but it does not show a module name, where the "module name" is the name on the FIPS certificate.
Conditions:
Running 'tmsh show sys version' while the system is running in FIPS mode
Impact:
The module does not provide a service to output module name/identifier and version that can be mapped to the validation records.
Workaround:
N/A
Fix:
Added the FIPS module information to output of command "show sys version". FIPS module information is now appended after "Project" field info of the "show sys version"
The syntax of the new field is "FIPS Module <FIPS_module_name>"
In the GUI, FIPS module info shall be appended to existing "Version" information shown under system(tab)→Device→Version
The syntax will be "Version: <Existing Info> <FIPS_module_name>
Fixed Versions:
16.1.2.2
1007821-3 : SIP message routing may cause tmm crash
Links to More Info: BT1007821
Component: Service Provider
Symptoms:
In very rare circumstances, tmm may core while performing SIP message routing.
Conditions:
This can occur while passing traffic when SIP message routing is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
SIP message routing no longer results in a core due to internal memory errors in message parsing.
Fixed Versions:
15.1.4, 16.1.1
1007749-2 : URI TCL parse functions fail when there are interior segments with periods and semi-colons
Links to More Info: BT1007749
Component: Local Traffic Manager
Symptoms:
URI::path, URI::basename, etc., return the wrong strings, e.g., URI::path can return a subset of what it should return.
Conditions:
This happens for URIs like these:
/alpha/beta/Sample.text;param/trailer/
/alpha/beta/Sample.text;param/file.txt
Impact:
iRules fail to work as expected for these types of URIs.
This occurs because the combination of the period and semi-colon in 'Some.thing;param' confuses the BIG-IP system parser, causing incorrect results to be returned.
Workaround:
If this is happening for known URIs, then it should be possible to process those URIs in a special way within iRules to do things like temporarily replacing interior periods with another character, like a plus sign.
Fixed Versions:
15.1.5, 16.1.2.1
1007677-2 : Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector'
Links to More Info: BT1007677
Component: Access Policy Manager
Symptoms:
SAML fails on APM SAML IdP after receiving the SAML ArtifactResolve Request, and needs to extract Artifact data from sessionDB to build the assertion. An error is logged:
-- err tmm[24421]: 014d1211:3: ::ee23458f:SAML SSO: Cannot find SP connector (/Common/example_idp)
-- err tmm[24421]: 014d0002:3: SSOv2 plugin error(12) in sso/saml.c:11864
Conditions:
The 'session-key' in the sessiondb includes a colon ':' in its value.
Impact:
SAML may fail on APM SAML IdP using artifact binding.
Fix:
The system now handles this occurrence of 'session-key'.
Fixed Versions:
15.1.4.1, 16.1.2.1
1007113-3 : Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
Links to More Info: BT1007113
Component: Service Provider
Symptoms:
In case of diameter over SCTP, while aborting the connection of the pool member, if SCTP INIT is sent by the BIG-IP system before the SCTP ABORT is processed, the pool member is marked UP (provided the SCTP connection is established successfully), and then goes down later, immediately after ABORT is fully processed.
Conditions:
The time difference between SCTP ABORT and SCTP INIT is very small, i.e., 2 seconds or less
Impact:
Pool member is marked DOWN even though it is active
Workaround:
If the watchdog is configured in the diameter session profile (i.e., watchdog-timeout is greater than 0), the pool member is marked UP after DWA is received from the pool member.
Fix:
The system now marks the pool member as UP if DWA is received from the pool member.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1006893-4 : Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
Links to More Info: BT1006893
Component: Access Policy Manager
Symptoms:
When ACCESS::oauth is used after ACCESS::session create/delete in an iRule event, TMM may core.
Conditions:
ACCESS::oauth is used after ACCESS::session create/delete in an iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
TMM does not core and functionality works as expected.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1006781-2 : Server SYN is sent on VLAN 0 when destination MAC is multicast
Links to More Info: BT1006781
Component: Local Traffic Manager
Symptoms:
TCP connections cannot be established when a multicast destination MAC is used. Traffic outage occurs.
Conditions:
Virtual wire with multicast destination MAC used while establishing TCP connections.
Impact:
Traffic outage.
Workaround:
None
Fixed Versions:
15.1.4.1, 16.1.2.2
1005109-4 : TMM crashes when changing traffic-group on IPv6 link-local address
Links to More Info: BT1005109
Component: Local Traffic Manager
Symptoms:
TMM crashes when changing the traffic-group on an IPv6 link-local address.
Conditions:
Changing the traffic-group on an IPv6 link-local address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1
1005105-3 : Requests are missing on traffic event logging
Links to More Info: BT1005105
Component: Application Security Manager
Symptoms:
Some traffic requests are missing in Security :: Event Logs.
Conditions:
-- Local logging enabled
-- Two or more virtual servers passing heavy traffic
Impact:
High CPU load prevents the Policy Builder from analyzing and sending all traffic requests to the request log.
Workaround:
None
Fix:
The Policy Builder now attempts to send traffic requests to the request log, even when learning analysis is limited due to high CPU load.
Fixed Versions:
14.1.4.5, 15.1.4, 16.1.1
1004897-5 : 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
Links to More Info: BT1004897
Component: Local Traffic Manager
Symptoms:
In HTTP2 setup, when the header count from the client request exceeds max-header-count value in the HTTP profile , COMPRESSION_ERROR(0x09) is seen in GoAway frame instead of FRAME_SIZE_ERROR(0x06)
Conditions:
- Virtual server with HTTP2 enabled
- A http2 request has a header count that exceeds 'Maximum Header Count' in the HTTP profile (default value is 64)
Impact:
Wrong GoAway Reason is logged
Fix:
When header count in client request exceeds max-header-count value in HTTP profile
1) FRAME_SIZE_ERROR(0x06) error code sent with GoAway frame
2) In http2 profile stats (tmsh show ltm profile http2 all) 'Max Headers Exceeded' is logged as GoAway reason
Fixed Versions:
14.1.4.4, 16.1.2.2
1004689-4 : TMM might crash when pool routes with recursive nexthops and reselect option are used.
Links to More Info: BT1004689
Component: Local Traffic Manager
Symptoms:
When re-selecting to the non-directly-connected pool route member for which the route was withdrawn, TMM might experience a crash.
Conditions:
- Pool routes with non-directly-connected or recursive nexthops (pool members).
- Reselect option enabled.
- Pool members go down/up so that the re-select is triggered.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Do not use non-directly-connected/recursive nexthops (pool members) in pool routes.
Fix:
N/A
Fixed Versions:
16.1.2.2
1004537-2 : Traffic Learning: Accept actions for multiple suggestions not localized
Links to More Info: BT1004537
Component: Application Security Manager
Symptoms:
When you open the accept suggestions actions list, the actions are not localized. Labels are shown instead of text, for example asm.button.Accept instead of Accept.
Conditions:
This occurs after selecting several suggestions and opening the Accept suggestions actions list.
Impact:
Actions not localized.
Workaround:
None
Fix:
Fixed localization for Accept suggestions actions list.
Fixed Versions:
15.1.4, 16.1.2
1004069-4 : Brute force attack is detected too soon
Links to More Info: BT1004069
Component: Application Security Manager
Symptoms:
A Brute force attack is detected too soon.
Conditions:
The login page has the expected header validation criteria.
Impact:
The attack is detected earlier than the setpoint.
Workaround:
N/A
Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2
1003633-1 : There might be wrong memory handling when message routing feature is used
Links to More Info: BT1003633
Component: Service Provider
Symptoms:
The following log is observed from /var/log/ltm
Oops @ 0x28c3060:232: buf->ref == 0
Conditions:
Message routing is used either by
- Generic message (ltm message-routing generic) or
- HTTP2 with Message router option enabled
Impact:
For most cases, this kind of incorrect memory handling may only generate warning log message. In rare case, it might lead to a tmm crash.
Workaround:
N/A
Fix:
Wrong memory handling in message routing is fixed.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1003257-6 : ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
Links to More Info: BT1003257
Component: TMOS
Symptoms:
ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' commands are not working properly. The address is always set to interface-configured global/local addresses respectively.
Conditions:
Using BGPv4 with IPv6 capability extension and a route-map with 'set ipv6 next-hop' and/or 'set ipv6 next-hop local' configuration.
Impact:
Wrong next-hop is advertised.
Workaround:
None.
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1002945-4 : Some connections are dropped on chained IPv6 to IPv4 virtual servers.
Links to More Info: BT1002945
Component: Local Traffic Manager
Symptoms:
IPv6 virtual servers targeting IPv4 virtual servers (for example, using the 'virtual' iRule command) might drop traffic coming from some clients unexpectedly.
Conditions:
- IPv6 to IPv4 virtual server chaining.
Impact:
Traffic is dropped.
Workaround:
None
Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2
1002809-4 : OSPF vertex-threshold should be at least 100
Links to More Info: BT1002809
Component: TMOS
Symptoms:
OSPF vertex-threshold should be at least 100, but you are able to set it to any number between 0 and 10000000.
Conditions:
-- Using OSPFv2/OSPFv3
-- Configuring the vertex-threshold setting
Impact:
When the setting is less than the default of 100, routes may not be installed properly.
Workaround:
Ensure that vertex-threshold is set to 100 (default) or above.
Fixed Versions:
16.1.2.2
1002565-1 : OpenSSL vulnerability CVE-2021-23840
Links to More Info: K24624116
1002385-1 : Fixing issue with input normalization
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
15.1.5, 16.1.2.1
1001937-1 : APM configuration hardening
Component: Access Policy Manager
Symptoms:
APM does not follow current best practices for configuration.
Conditions:
- APM provisioned
Impact:
APM does not follow current best practices for configuration.
Workaround:
N/A
Fix:
APM now follows current best practices for configuration.
Fixed Versions:
16.1.2.2
1000789-1 : ASM-related iRule keywords may not work as expected
Links to More Info: BT1000789
Component: Application Security Manager
Symptoms:
Some ASM-related iRule keywords may not work as expected when DoSL7 is used.
Conditions:
ASM iRule keywords are used in a bot defense- or DoSL7-related event, and DoSL7 is used.
Impact:
ASM-related iRule keywords may not work as expected.
Workaround:
None
Fixed Versions:
16.1.2.2
1000741-1 : Fixing issue with input normalization
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1
1000405-1 : VLAN/Tunnels not listed when creating a new rule via GUI
Links to More Info: BT1000405
Component: Advanced Firewall Manager
Symptoms:
Available tunnels are not displayed on the AFM rules-creation page in the GUI.
Conditions:
-- Navigate to the firewall network rules creation page in the GUI.
-- In the rules source section, under the VLAN/Tunnel dropdown, select the 'specify' option.
Impact:
Available tunnels do not display in the select box. Cannot specify tunnels for firewall rules from the GUI.
Workaround:
Use tmsh to specify tunnels for firewall rules.
Fix:
The available tunnels now display in the VLAN/Tunnels dropdown.
Fixed Versions:
15.1.4, 16.1.1
1000021-7 : TMM may consume excessive resources while processing packet filters
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may consume excessive resources while processing packet filters.
Conditions:
- Packet filters in use
Impact:
Excessive resource consumption, potentially leading to memory exhaustion and reduced performance or a failover event.
Workaround:
N/A
Fix:
TMM now processes packet filters as expected.
Fixed Versions:
15.1.5, 16.1.2.2
Known Issues in BIG-IP v16.1.x
TMOS Issues
ID Number | Severity | Links to More Info | Description |
947905-4 | 1-Blocking | BT947905 | Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails&start; |
913713-3 | 1-Blocking | BT913713 | Rebooting a blade causes MCPd to core as it rejoins the cluster |
1049085-3 | 1-Blocking | BT1049085 | Booting into a newly installed hotfix volume may stall on RAID-capable platforms&start; |
1042993-3 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' |
997793-3 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd&start; |
995849-1 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c |
993481-1 | 2-Critical | Jumbo Frame issue with DPDK-eNIC. | |
990853-1 | 2-Critical | BT990853 | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. |
989517-3 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD |
988645-4 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted |
967905-5 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash |
967769-1 | 2-Critical | BT967769 | During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks |
967573-3 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails |
965897-4 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync |
950201-3 | 2-Critical | BT950201 | Tmm core on GCP |
943109-4 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles |
940225-4 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure |
937481-5 | 2-Critical | BT937481 | Tomcat restarts with error java.lang.OutOfMemoryError |
929133-6 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' |
865653-1 | 2-Critical | BT865653 | Wrong FDB table entries with same MAC and wrong VLAN combination |
858877-5 | 2-Critical | BT858877 | SSL Orchestrator config sync issues between HA-pair devices |
842669-6 | 2-Critical | BT842669 | Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log |
808149-1 | 2-Critical | BT808149 | Tmm crash |
780437-8 | 2-Critical | BT780437 | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. |
777389-7 | 2-Critical | BT777389 | In rare occurrences related to PostgreSQL monitor, the mcpd process restarts |
776117-1 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type |
756830-6 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' |
737692-5 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE |
382363-8 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
1095217-1 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after upgrade to version 16.1.2.1 |
1085805-2 | 2-Critical | BT1085805 | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. |
1085597-1 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) |
1077789-4 | 2-Critical | BT1077789 | System might become unresponsive after upgrading.&start; |
1076921-1 | 2-Critical | BT1076921 | Log hostname should be consistent when it contains ' . ' |
1048853-1 | 2-Critical | BT1048853 | "IKE VBUF" memory leak debug. |
1043277-4 | 2-Critical | K06520200, BT1043277 | 'No access' error page displays for APM policy export and apply options. |
1041865-4 | 2-Critical | BT1041865 | Correctable machine check errors [mce] should be suppressed |
1039609-1 | 2-Critical | BT1039609 | Unable to poll Dynamic routing protocols SNMP OID's on non-default route domain |
1035121-4 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status |
1027961-2 | 2-Critical | BT1027961 | Changes to an admin user's account properties may result in MCPD crash and failover |
1024269-1 | 2-Critical | BT1024269 | Forcing a file system check on the next system reboot does not check all filesystems. |
1023829-2 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores |
1014361-2 | 2-Critical | BT1014361 | Config sync fails after provisioning APM or changing BIG-IP license |
1012493-5 | 2-Critical | BT1012493 | Systemauth.primaryadminuser set to anything but 'admin' causes internal error for mcp-state check |
1004929-1 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. |
1004517-1 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs |
999021-2 | 3-Major | BT999021 | IPsec IKEv1 tunnels fail after a config sync from Standby to Active |
998957-1 | 3-Major | BT998957 | Mcpd consumes excessive CPU while collecting stats. |
998649-1 | 3-Major | BT998649 | Log hostname should be consistent when it contains ' . ' |
997561-5 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic |
997541-5 | 3-Major | BT997541 | Round-robin GRE Disaggregator for hardware and software |
996145-1 | 3-Major | BT996145 | After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator |
995605-2 | 3-Major | BT995605 | PVA accelerated traffic does not update route domain stats |
995097-1 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. |
994365-1 | 3-Major | BT994365 | Inconsistency in tmsh 'object mode' for some configurations |
994361-2 | 3-Major | BT994361 | Updatecheck script hangs/Multiple updatecheck processes |
992813-7 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. |
992449-1 | 3-Major | BT992449 | The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI |
992253-4 | 3-Major | BT992253 | Cannot specify IPv6 management IP addresses using GUI |
992053-4 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows |
987301-3 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' |
987081-1 | 3-Major | BT987081 | Alarm LED remains active on Secondary blades even after LCD alerts are cleared |
981485-6 | 3-Major | BT981485 | Neurond enters a restart loop after FPGA update. |
977953-3 | 3-Major | BT977953 | Show running config interface CLI could not fetch the interface info and crashes the imi |
967557-1 | 3-Major | BT967557 | Improve apm logging when loading sys config fails due to corruption of epsec rpm database |
966949-6 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node |
964125-6 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. |
959241-1 | 3-Major | BT959241 | Fix for ID871561 might not work as expected on the VCMP host |
959057-5 | 3-Major | BT959057 | Unable to create additional login tokens for the default admin user account |
958601-4 | 3-Major | BT958601 | In the GUI, searching for virtual server addresses does not match address lists |
957993-4 | 3-Major | BT957993 | Unable to set a port list in the GUI for an IPv6 address for a virtual server |
957637-1 | 3-Major | BT957637 | Pfmand crash during bootup |
955953-5 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' |
953477-1 | 3-Major | BT953477 | Syncookie HW mode not cleared when modifying VLAN config. |
950153-3 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned |
948601-1 | 3-Major | File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU | |
945413-2 | 3-Major | BT945413 | Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync |
939249-1 | 3-Major | BT939249 | iSeries LCD changes to secure mode after multiple reboots |
938145-3 | 3-Major | BT938145 | DAG redirects packets to non-existent tmm |
936093-5 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline |
935485-4 | 3-Major | BT935485 | BWC: flows might stall when using dynamic BWC policy |
930393-2 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration |
928353-4 | 3-Major | BT928353 | Error logged installing Engineering Hotfix: Argument isn't numeric&start; |
928161-3 | 3-Major | BT928161 | Local password policy not enforced when auth source is set to a remote type. |
927025-1 | 3-Major | BT927025 | Sod restarts continuously |
925469-2 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo |
924297-4 | 3-Major | BT924297 | Ltm policy MCP objects are not being synced over to the peer device |
922613-6 | 3-Major | BT922613 | Tunnels using autolasthop might drop traffic with ICMP route unreachable |
922153-5 | 3-Major | BT922153 | Tcpdump is failing on tmm 0.x interfaces |
922053-1 | 3-Major | BT922053 | inaccurate number of trunk members reported by bcm56xxd/bcmLINK |
915493-6 | 3-Major | BT915493 | imish command hangs when ospfd is enabled |
913013-1 | 3-Major | BT913013 | Racoon daemon may crash once at startup |
908753-5 | 3-Major | BT908753 | Password memory not effective even when password policy is configured |
908453-5 | 3-Major | BT908453 | Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly |
904713-2 | 3-Major | BT904713 | FailoverState device status and CM device status do not match shortly after triggering failover |
904401-5 | 3-Major | BT904401 | Guestagentd core |
894593-2 | 3-Major | BT894593 | High CPU usage caused by the restjavad daemon continually crashing and restarting |
888081-6 | 3-Major | BT888081 | BIG-IP VE Migration feature fails for 1NIC |
886649-5 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH |
884729-1 | 3-Major | BT884729 | The vCMP CPU usage stats are incorrect |
880689-1 | 3-Major | BT880689 | Update oprofile tools for compatibility with current architecture |
879969-8 | 3-Major | BT879969 | FQDN node resolution fails if DNS response latency >5 seconds |
872165-4 | 3-Major | BT872165 | LDAP remote authentication for REST API calls may fail during authorization |
867549-1 | 3-Major | BT867549 | LCD touch panel reports "Firmware update in progress" indefinitely&start; |
867253-4 | 3-Major | BT867253 | Systemd not deleting user journals |
851837-1 | 3-Major | BT851837 | Mcpd fails to start for single NIC VE devices configured in a trust domain |
844925-5 | 3-Major | BT844925 | Command 'tmsh save /sys config' fails to save the configuration and hangs |
814273-6 | 3-Major | BT814273 | Multicast route entries are not populating to tmm after failover |
809089-4 | 3-Major | BT809089 | TMM crash after sessiondb ref_cnt overflow |
804529-1 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats will fail for some pools |
803157-4 | 3-Major | BT803157 | LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots |
798885-6 | 3-Major | BT798885 | SNMP response times may be long when processing requests |
796985-4 | 3-Major | BT796985 | Default IPv4 IP address is assigned to Alt-Address in isolated vCMP guest; vCMP host or guest are upgraded and guest is 'Inoperative'&start; |
780745-5 | 3-Major | BT780745 | TMSH allows creation of duplicate community strings for SNMP v1/v2 access |
775797-5 | 3-Major | BT775797 | Previously deleted user account might get authenticated |
760982-3 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios |
760400-1 | 3-Major | BT760400 | High number of vcmp guests on clusters and discovery appliances may result in retries for guest deployment |
760354-7 | 3-Major | BT760354 | Continual mcpd process restarts after removing big logs when /var/log is full |
757787-5 | 3-Major | BT757787 | Unable to edit LTM/AFM Policies that belong to an Application Service (iApp) using the WebUI. |
755207-3 | 3-Major | BT755207 | Large packets silently dropped on VE mlxvf5 devices |
749757-4 | 3-Major | BT749757 | -s option in qkview help does not indicate maximum size |
749011-3 | 3-Major | BT749011 | Datasync may start background tasks during high disk IO utilization |
737739-4 | 3-Major | BT737739 | Bash shell still accessible for admin even if disabled |
724653-5 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. |
720610-4 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run |
718291-4 | 3-Major | BT718291 | iHealth upload error does not clear |
711747-2 | 3-Major | BT711747 | Vcmp_pde_state_memcpy core during http traffic and pfmand resets. |
703226-3 | 3-Major | BT703226 | Failure when using transactions to create and publish policies |
691219-3 | 3-Major | BT691219 | Hardware syncookie mode is used when global auto last hop is disabled. |
690928-6 | 3-Major | BT690928 | System posts error message: 01010054:3: tmrouted connection closed |
673952-6 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot |
662301-8 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config |
658850-6 | 3-Major | BT658850 | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP |
566995-2 | 3-Major | BT566995 | bgpd might crash in rare circumstances. |
528314-2 | 3-Major | K16816, BT528314 | Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh |
499348-14 | 3-Major | BT499348 | System statistics may fail to update, or report negative deltas due to delayed stats merging. |
493740-4 | 3-Major | BT493740 | tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule. |
431503-11 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations |
342319-1 | 3-Major | BIND forwarder server list and the recursion and forward options. | |
1093973-7 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. |
1093553-4 | 3-Major | BT1093553 | OSPF "default-information originate" injects a new link-state advertisement |
1091725-4 | 3-Major | BT1091725 | Memory leak in IPsec |
1091345-2 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. |
1090313-3 | 3-Major | BT1090313 | Virtual server may remain in hardware SYN cookie mode longer than expected |
1085837-2 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode |
1080925-3 | 3-Major | BT1080925 | Changed 'ssh-session-limit' value is not reflected after restarting mcpd |
1080297-1 | 3-Major | BT1080297 | ZebOS does not show "log syslog" in the running configuration |
1077533-1 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. |
1077405-2 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. |
1076801-4 | 3-Major | BT1076801 | Loaded system increases CPU usage when using CS features |
1076785-2 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode |
1074841-1 | 3-Major | BT1074841 | Invalid syslog configuration kills syslog-ng after restarting syslog-ng. |
1074053-1 | 3-Major | BT1074053 | Delay in displaying the "Now Halting..." message while performing halt from LCD. |
1073429-1 | 3-Major | BT1073429 | Auth partition definition is incorrectly synchronized to peer and then altered. |
1072081-1 | 3-Major | BT1072081 | Imish segmentation fault when running 'ip pim sparse-mode ?' on interface config. |
1067797-1 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. |
1064893-1 | 3-Major | BT1064893 | Keymgmtd memory leak occurrs while configuring ca-bundle-manager. |
1064357-1 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed |
1064257-2 | 3-Major | BT1064257 | Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified. |
1063597-1 | 3-Major | Memory leak in rewrite in some cases when no pool is selected on virtual server | |
1063237-4 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 |
1062953-1 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. |
1062901-1 | 3-Major | BT1062901 | The 'trap-source' and 'network' SNMP properties are ineffective, and SNMP traps may be sent from an unintended interface. |
1062857-3 | 3-Major | BT1062857 | Non-tmm source logs stop populating after a system time change. |
1061905-3 | 3-Major | BT1061905 | Adding peer unit into device trust changes the failover address family. |
1060181-3 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. |
1060145-1 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. |
1059293-1 | 3-Major | BT1059293 | During DPD config changes, the IKEv2 tunnel may not start. |
1058789-2 | 3-Major | BT1058789 | Virtual addresses are not created from an address list that includes an IP address range. |
1058765-2 | 3-Major | BT1058765 | Virtual Addresses created from an address list with prefix all say Offline (enabled) |
1057709-4 | 3-Major | BT1057709 | Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2. |
1057501-4 | 3-Major | BT1057501 | Expired DST Root CA X3 resulting in http agent request failing. |
1057305-1 | 3-Major | BT1057305 | On deployments that use DPDK, "-c" may be logged as the TMM process/thread name. |
1050457-1 | 3-Major | BT1050457 | The "Permitted Versions" field of "tmsh show sys license" only shows on first boot |
1048137-2 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures |
1046261-1 | 3-Major | BT1046261 | Asynchronous REST task IDs do not persist across process restarts |
1045277-4 | 3-Major | BT1045277 | The /var partition may become 100% full requiring manual intervention to clear space |
1044577-2 | 3-Major | BT1044577 | TMM crash on BIG-IP Virtual Edition using DPDK and xnet drivers |
1044281-1 | 3-Major | BT1044281 | In some cases, cpcfg does not trigger selinux relabel, leaving files unlabeled |
1044089-3 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. |
1044021-2 | 3-Major | BT1044021 | Searching for IPv4 strings in statistics module does not work. |
1043141-1 | 3-Major | BT1043141 | Misleading 'Symmetric Unit Key decrypt failure - decrypt failure' when loading UCS from another BIG-IP |
1042737-4 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. |
1042589-1 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. |
1041317-1 | 3-Major | BT1041317 | MCPD delay in processing a query_all message if the update_status bit is set |
1040573-4 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel |
1040117-2 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets |
1036613-3 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state |
1036557-1 | 3-Major | BT1036557 | Monitor information not seen in GUI |
1036541-4 | 3-Major | BT1036541 | Inherited-traffic-group setting of floating IP does not sync on incremental sync |
1036461-4 | 3-Major | BT1036461 | icrd_child may core with high numbers of open file descriptors. |
1036285-1 | 3-Major | Enforce password expiry after local user creation | |
1036097-4 | 3-Major | BT1036097 | VLAN failsafe does not trigger on guest |
1036009-4 | 3-Major | Fix DPDK RSS configuration settings | |
1035661-4 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth |
1033689-1 | 3-Major | BT1033689 | BGP route map community value cannot be set to the required range when using AA::NN notation |
1033333-4 | 3-Major | BT1033333 | FIPS: importing a stub SSL key file results in 2 keys that share the same FIPS device |
1032821-7 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl |
1032257-1 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM |
1032001-2 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting |
1031117-1 | 3-Major | BT1031117 | The mcpd error for virtual server profiles incompatible needs to have more details |
1031025-3 | 3-Major | BT1031025 | Nitrox 3 FIPS: Upgrade from v12.1.x to v14.1.x results in new .key.exp files for the FIPS keys created before upgrade.&start; |
1029105-1 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address |
1027481-3 | 3-Major | BT1027481 | 'error: /bin/haloptns unexpected error -- 768' log messages generated on A110 and D112 platforms |
1027477-3 | 3-Major | BT1027477 | Virtual server created with address-list in custom partition non-RD0 does not create listener |
1027237-1 | 3-Major | BT1027237 | Cannot edit virtual server in GUI after loading config with traffic-matching-criteria |
1026989-1 | 3-Major | BT1026989 | More specific dynamic or static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026973-1 | 3-Major | BT1026973 | Static routes created for application traffic processing can erroneously replace the route to the management subnet. |
1026861-3 | 3-Major | BT1026861 | Live Update of Browser Challenges and Anti-Fraud are not cleaned up |
1026581-4 | 3-Major | BT1026581 | NETFLOW/IPFIX observationTimeMilliseconds Information Element value is not populated correctly. |
1026273-4 | 3-Major | BT1026273 | HA failover connectivity using the cluster management address does not work on VIPRION platforms&start; |
1025513-1 | 3-Major | BT1025513 | PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog |
1025261-3 | 3-Major | BT1025261 | When restjavad.useextramb is set, java immediately uses more resident memory in linux |
1024661-3 | 3-Major | SCTP forwarding flows based on VTAG for bigproto | |
1024421-2 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log |
1022997-1 | 3-Major | BT1022997 | TCP segments with an incorrect checksum are transmitted when the sock driver is used in AWS deployments (e.g., 1NIC) |
1021925-4 | 3-Major | BT1021925 | During bootup AWS BIG-IP endpoint was not licensed when custom gateway configured over management interface |
1021873-1 | 3-Major | BT1021873 | TMM crash in IPIP tunnel creation with a pool route |
1021109-4 | 3-Major | BT1021109 | The cmp-hash VLAN setting does not apply to trunked interfaces. |
1020277-1 | 3-Major | BT1020277 | Mcpd may run out of memory when build image is missing&start; |
1020129-2 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error&start; |
1020089-1 | 3-Major | BT1020089 | MCP validation should prevent defining multiple virtual servers with the same virtual address but with different subnet masks |
1019793-2 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant.&start; |
1019749-2 | 3-Major | BT1019749 | Enabling DHCP for management should not be allowed on vCMP guest |
1019709-1 | 3-Major | BT1019709 | Modifying mgmt-dhcp options should not be allowed on VCMP guest |
1019429-1 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated |
1019285-1 | 3-Major | BT1019285 | Systemd hangs and is unresponsive |
1019129-4 | 3-Major | BT1019129 | Changing syslog remote port requires syslog-ng restart to take effect |
1018673-1 | 3-Major | BT1018673 | Virtual Edition systems replicate host traffic to all TMMs when a multicast MAC address is the traffic's nexthop |
1018165-1 | 3-Major | BT1018165 | GUI display of DHCPv6 profile not correct for virtual server in non-default route-domain |
1017897-1 | 3-Major | BT1017897 | Self IP address creation fails with 'ioctl failed: No such device' |
1017857-1 | 3-Major | BT1017857 | Restore of UCS leads to incorrect UID on authorized_keys&start; |
1015453-1 | 3-Major | BT1015453 | Under some circumstances, the "Local Traffic" menu in System -> Configuration is inaccessible in the GUI |
1015093-1 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table |
1014285-5 | 3-Major | BT1014285 | Set auto-failback-enabled moved to false after upgrade&start; |
1012601-4 | 3-Major | BT1012601 | Alarm LED and LCD alert cleared prematurely on startup for missing PSU input |
1012449-1 | 3-Major | BT1012449 | Unable to edit custom inband monitor in the GUI |
1012049-1 | 3-Major | BT1012049 | Incorrect virtual server list returned in response to status request |
1011265-3 | 3-Major | BT1011265 | Failover script cannot read /config/partitions/ after upgrade&start; |
1010341-4 | 3-Major | BT1010341 | Slower REST calls after update for CVE-2021-22986 |
1009793-2 | 3-Major | BT1009793 | Tmm crash when using ipsec |
1007909-1 | 3-Major | BT1007909 | Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs |
1006345-4 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades |
1004833 | 3-Major | BT1004833 | NIST SP800-90B compliance |
1004469-1 | 3-Major | BT1004469 | SNMP OID ltmSipsessionProfileStatVsName and ltmSiprouterProfileStatVsName returns empty string |
1003629 | 3-Major | PAYG license becomes invalid when swapping associated NICs for instances in both Azure and AWS. | |
1002417-2 | 3-Major | BT1002417 | Switch L2 forwarding entries learnt on multi-blade trunk in one blade needs to be synchronized to other blades of that trunk |
1001129-1 | 3-Major | Maximum Login Failures lockout for root and admin | |
1001069-5 | 3-Major | BT1001069 | VE CPU higher after upgrade, given same throughput |
1000325-1 | 3-Major | BT1000325 | UCS load with 'reset-trust' may not work properly if base configuration fails to load&start; |
992241-3 | 4-Minor | BT992241 | Unable to change initial admin password from GUI after root password change |
986821-1 | 4-Minor | BT986821 | Command 'run util bash' event is not captured in log when initially executed |
976517-2 | 4-Minor | BT976517 | Tmsh run sys failover standby with a device specified but no traffic group fails |
964533-2 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. |
933597-5 | 4-Minor | BT933597 | Mandatory arguments missing in tmsh security protocol-inspection profile help |
929173-3 | 4-Minor | BT929173 | Watchdog reset due to CPU stall detected by rcu_sched |
928665-4 | 4-Minor | BT928665 | Kernel nf_conntrack table might get full with large configurations. |
927441-5 | 4-Minor | BT927441 | Guest user not able to see virtual server details when ASM policy attached |
915473-4 | 4-Minor | BT915473 | Accessing Dashboard page with AVR provisioned causes continuous audit logs |
915141-5 | 4-Minor | BT915141 | Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown' |
889813-3 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second |
860573-6 | 4-Minor | BT860573 | LTM iRule validation performance improvement by tracking procedure/event that have been validated |
843293-1 | 4-Minor | BT843293 | When L7 performance FPGA is loaded, "tmsh show sys fpga" shows standard-balanced-fpga. |
808481-6 | 4-Minor | BT808481 | Hertfordshire county missing from GTM Region list |
807309-5 | 4-Minor | BT807309 | Incorrect Active/Standby status in CLI Prompt after failover test |
753712-4 | 4-Minor | BT753712 | Incorrect warning: Traffic Matching Criteria's inline source address has been set to any4 from any6 to match inline destination address' address family. |
714705-8 | 4-Minor | BT714705 | Excessive "The Service Check Date check was skipped" log messages. |
713183-7 | 4-Minor | BT713183 | Malformed JSON files may be present on vCMP host |
712241-8 | 4-Minor | BT712241 | A vCMP guest may not provide guest health stats to the vCMP host |
696363-7 | 4-Minor | BT696363 | Unable to create SNMP trap in the GUI |
689147-6 | 4-Minor | BT689147 | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
674026-6 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.&start; |
673573-8 | 4-Minor | BT673573 | tmsh logs boost assertion when running child process and reaches idle-timeout |
659579-6 | 4-Minor | BT659579 | Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time |
658943-5 | 4-Minor | BT658943 | Errors when platform-migrate loading UCS using trunks on vCMP guest |
646768-6 | 4-Minor | K71255118, BT646768 | VCMP Guest CM device name not set to hostname when deployed |
550526-3 | 4-Minor | K84370515, BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. |
539648-4 | 4-Minor | K45138318, BT539648 | Disabled db var Watchdog.State prevents vCMP guest activation. |
447522-1 | 4-Minor | BT447522 | GUI: SNMPV3 Incorrectly requires "OID" when creating an SNMP user. |
1096461-5 | 4-Minor | TACACS system-auth Accounting setting has no effect when set to send-to-all-servers/send-to-first-server | |
1095973-3 | 4-Minor | Config load failure when Trusted CA Bundle is missing and URL is present in the Bundle Manager | |
1095205-4 | 4-Minor | Config.auditing.forward.multiple db Variable with value "none" is not working as expected with multiple destination addresses in audit_forwarder. | |
1090569-1 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV |
1089005-4 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. |
1082193-3 | 4-Minor | BT1082193 | TMSH: Need to update the version info for SERVER_INIT in help page |
1080317-3 | 4-Minor | BT1080317 | Logged hostname not consistent when hostname contains "." |
1077293-2 | 4-Minor | BT1077293 | APPIQ option still showing in BIG-IP GUI even though its functionality migrated to BIG-IQ. |
1076253-1 | 4-Minor | BT1076253 | IKE library memory leak |
1073965-1 | 4-Minor | BT1073965 | IPsec IKEv2 tunnel may report huge "life" for IKE SA. |
1071621-1 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors |
1067653-2 | 4-Minor | BT1067653 | Ndisc6 is not working with non-default route domain. |
1067105-2 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. |
1065821-4 | 4-Minor | BT1065821 | Cannot create an iRule with a newline between event and opening brace. |
1064753-4 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. |
1062385-4 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. |
1060769-1 | 4-Minor | BT1060769 | The /mgmt/tm/sys/performance/all-stats and /mgmt/tm/sys/performance/throughput iControl REST endpoints cannot be successfully parsed by common JSON libraries. |
1060721-2 | 4-Minor | BT1060721 | Unable to disable auto renew in Certificate order manager via GUI. |
1057925-4 | 4-Minor | BT1057925 | GTP iRule generates a warning. |
1055053-4 | 4-Minor | BT1055053 | "tmsh load sys config default" does not clear Zebos config files. |
1054497-1 | 4-Minor | BT1054497 | Tmsh command "show sys fpga" does not report firmware for all blades. |
1053037-7 | 4-Minor | BT1053037 | MCP error on loading a UCS archive with a global flow eviction policy |
1050413-4 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml. |
1044893 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 |
1036265-4 | 4-Minor | BT1036265 | Overlapping summary routes might not be advertised after ospf process restart. |
1035017-6 | 4-Minor | Remove unused CA-bundles | |
1034509-6 | 4-Minor | BT1034509 | Sensor read errors on VIPRION C2200 chassis |
1033969-4 | 4-Minor | BT1033969 | MPLS label stripping needs next protocol indicator |
1032921-4 | 4-Minor | BT1032921 | VCMP Guest CPU usage shows abnormal values at the Host |
1029173-4 | 4-Minor | BT1029173 | MCP daemon does not log an error message upon connection failure to PostgreSQL server. |
1025965-1 | 4-Minor | BT1025965 | Audit role users cannot see folder properties under sys-folder |
1024301-1 | 4-Minor | BT1024301 | Missing required logs for "tmsh modify disk directory" command |
1023817-2 | 4-Minor | BT1023817 | Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning |
1022297-4 | 4-Minor | BT1022297 | In BIG-IP GUI using "Select All" with filters is not working appropriately for policies |
1020109-1 | 4-Minor | BT1020109 | Subnet mask property of virtual addresses not displayed in management GUI |
1010785-3 | 4-Minor | BT1010785 | Online help is missing for CRL in client SSL profile and server SSL profile |
1010761-3 | 4-Minor | BT1010761 | Missing TMSH help description for client-ssl profile 'CRL' |
1006449-1 | 4-Minor | BT1006449 | The default size of the subagent object cache possibly leading to slow snmp response time&start; |
1003469-1 | 4-Minor | BT1003469 | The BIG-IP GUI fails to reset the statistics for an IPv6 pool member and returns an error. |
1003081-3 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. |
989937-2 | 5-Cosmetic | BT989937 | Device Trust Certificates Expiring after 2038-01-19 show date of 1969 |
1036609 | 5-Cosmetic | BT1036609 | System boots to the login prompt after running mosreboot. |
1022421-4 | 5-Cosmetic | BT1022421 | Pendsec utility incorrectly starts on i2x00/i4x00 platform with NON WD disk |
Local Traffic Manager Issues
ID Number | Severity | Links to More Info | Description |
999669-1 | 2-Critical | BT999669 | Some HTTPS monitors are failing after upgrade when config has different SSL option&start; |
956109-4 | 2-Critical | BT956109 | Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target |
949137-1 | 2-Critical | BT949137 | Clusterd crash and vCMP guest failover |
944381-2 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. |
938545-1 | 2-Critical | BT938545 | Oversize plugin Tcl object results can result in 0-length messages and plugin crash |
937649-4 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict |
935193-4 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout ( SLO ) fails |
927633-4 | 2-Critical | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic |
922737-1 | 2-Critical | BT922737 | TMM crash |
851385-8 | 2-Critical | BT851385 | Failover takes too long when traffic blade failure occurs |
797573-1 | 2-Critical | BT797573 | TMM assert crash with resulting in core generation in multi-blade chassis |
780857-4 | 2-Critical | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses |
758491-5 | 2-Critical | BT758491 | When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys |
1091021-2 | 2-Critical | BT1091021 | The BIG-IP system may take no fail-safe action when the bigd daemon becomes unresponsive. |
1087469-2 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. |
1087217-2 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 |
1086677-4 | 2-Critical | TMM Crashes in xvprintf() because of NULL Flow Key | |
1080581-1 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.&start; |
1078741-2 | 2-Critical | BT1078741 | Tmm crash |
1074517-1 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server |
1073897-2 | 2-Critical | BT1073897 | TMM core due to memory corruption |
1073609-4 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. |
1071689-1 | 2-Critical | SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout | |
1070181-3 | 2-Critical | BT1070181 | Secondary MCPD crashes with Configuration error |
1067669-1 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. |
1064649-2 | 2-Critical | BT1064649 | Tmm crash after upgrade.&start; |
1063653 | 2-Critical | BT1063653 | TMM Crash while processing traffic on virtual server. |
1060369-1 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method |
1053305-2 | 2-Critical | BT1053305 | TMM crashes with assertion "vmem_hashlist_remove not found." |
1039145-1 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. |
1030185-5 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands |
1024241-1 | 2-Critical | BT1024241 | NULL TLS records from client to BIG-IP results in SSL session termination |
1020645-6 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered |
999881-6 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. |
998253-4 | 3-Major | BT998253 | SNI configuration is not sent via HTTPS when in-tmm monitors are disabled |
996649-6 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections |
994081-1 | 3-Major | BT994081 | Traffic may be dropped with an Immediate idle timeout setting. |
991265-3 | 3-Major | BT991265 | Persistence entries point to the wrong servers for longer periods of time |
987077-3 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure |
985925-3 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. |
985749-1 | 3-Major | BT985749 | TCP exponential backoff algorithm does not comply with RFC 6298 |
985401-1 | 3-Major | BT985401 | ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached |
984897-1 | 3-Major | BT984897 | Some connections performing SSL mirroring are not handled correctly by the Standby unit. |
978953-3 | 3-Major | BT978953 | The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up |
976525-5 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled |
975725-5 | 3-Major | BT975725 | Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast |
968949-7 | 3-Major | BT968949 | Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile |
967353-1 | 3-Major | BT967353 | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. |
966785-1 | 3-Major | BT966785 | Rate Shaping stops TCP retransmission |
961653-3 | 3-Major | BT961653 | Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate |
961001-5 | 3-Major | BT961001 | Arp requests not resolved for snatpool members when primary blade goes offline |
958785-8 | 3-Major | BT958785 | FTP data transfer does not complete after QUIT signal |
956133-2 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.&start; |
948985-3 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang |
948065-1 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. |
944173-4 | 3-Major | BT944173 | SSL monitor stuck does not change TLS version |
942217-6 | 3-Major | BT942217 | Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available' |
937573-1 | 3-Major | BT937573 | Connections drop in virtual server with Immediate Action On Service Down set to Drop |
934697-5 | 3-Major | BT934697 | Route domain not reachable (strict mode) |
927589-1 | 3-Major | BT927589 | ILX::call command response get truncated |
922641-6 | 3-Major | BT922641 | Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow |
922413-8 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured |
921541-6 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. |
912293-5 | 3-Major | BT912293 | Persistence might not work properly on virtual servers that utilize address lists |
907177-5 | 3-Major | BT907177 | Priority of embedded APM iRules is ignored |
906653-1 | 3-Major | BT906653 | Server side UDP immediate idle-timeout drops datagrams |
905477-6 | 3-Major | BT905477 | The sdmd daemon cores during config sync when multiple devices configured for iRules LX |
901569-4 | 3-Major | BT901569 | Loopback traffic might get dropped when VLAN filter is enabled for a virtual server. |
891145-7 | 3-Major | BT891145 | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal |
888885-3 | 3-Major | BT888885 | BIG-IP Virtual Edition TMM restarts frequently without core |
887265-4 | 3-Major | BT887265 | BIG-IP systems may fail to come online after upgrade with ASM and VLAN-failsafe configuration&start; |
887045-7 | 3-Major | BT887045 | The session key does not get mirrored to standby. |
881937-2 | 3-Major | BT881937 | TMM and the kernel choose different VLANs as source IPs when using IPv6. |
881065-5 | 3-Major | BT881065 | Adding port-list to Virtual Server changes the route domain to 0 |
878253-5 | 3-Major | BT878253 | LB::down no longer sends an immediate monitor probe |
876569-2 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error |
867985-6 | 3-Major | BT867985 | LTM policy with a 'shutdown' action incorrectly allows iRule execution |
862001-6 | 3-Major | BT862001 | Improperly configured NTP server can result in an undisciplined clock stanza |
851121-6 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently |
846977-7 | 3-Major | BT846977 | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero&start; |
812693-5 | 3-Major | BT812693 | Connection in FIN_WAIT_2 state may fail to be removed |
805561-1 | 3-Major | BT805561 | Change of pool configuration in OneConnect environment can impact active traffic |
779137-7 | 3-Major | BT779137 | Using a source address list for a virtual server does not preserve the destination address prefix |
778501-5 | 3-Major | BT778501 | LB_FAILED does not fire on failure of HTTP/2 server connection establishment |
751451-4 | 3-Major | BT751451 | When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles |
748886-4 | 3-Major | BT748886 | Virtual server stops passing traffic after modification |
739475-6 | 3-Major | BT739475 | Site-Local IPv6 Unicast Addresses support. |
679316-8 | 3-Major | BT679316 | iQuery connections reset during SSL renegotiation |
574762-4 | 3-Major | Forwarding flows leak when a routing update changes the egress vlan | |
369640-8 | 3-Major | K17195 | iRules might return incorrect data when multiple partitions and/or folders contain objects with the same name |
1097473-4 | 3-Major | BT1097473 | BIG-IP transmits packets with incorrect content |
1091969-3 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. |
1091785-2 | 3-Major | BT1091785 | DBDaemon restarts unexpectedly and/or fails to restart under heavy load |
1088597-2 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances |
1088173-2 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile |
1087569-4 | 3-Major | BT1087569 | Changing max header table size according HTTP2 profile value may cause stream/connection to terminate |
1086473-3 | 3-Major | BT1086473 | BIG-IP resumes a TLS session on the client-side but then proceeds to do a full handshake |
1083621-1 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length |
1083589-3 | 3-Major | BT1083589 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. |
1082225-4 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. |
1081813-2 | 3-Major | A rst_stream can erronously tear down the overall http2 connection. | |
1080985-1 | 3-Major | Route Domain ID specified in Address list does not take effect on virtual server IP via TMC. | |
1079769-1 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers |
1079237-1 | 3-Major | BT1079237 | After certain configuration tasks are performed, TMM may run with stale SNAT translation parameters. |
1078357-2 | 3-Major | BT1078357 | HTTP_REJECT processing can lead to zombie SPAWN flows |
1077553-3 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration |
1076577-3 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' |
1075045-1 | 3-Major | BT1075045 | Proxy initialization failed, Defaulting to DENY, after applying additional profile to a virtual server |
1074505-1 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start |
1072397-1 | 3-Major | VLAN failsafe failover does not occur in three-node device group | |
1071385-3 | 3-Major | BT1071385 | SSL session resumption using session tickets is incorrectly logging handshake failure messages |
1070957-1 | 3-Major | BT1070957 | Database monitor log file backups cannot be rotated normally. |
1070789 | 3-Major | SSL fwd proxy invalidating certificate even through bundle has valid CA | |
1069001 | 3-Major | BT1069001 | TMM crash in SSL processing. |
1068673-3 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. |
1068445-1 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests |
1067469-4 | 3-Major | BT1067469 | Discrepancy in virtual server stats with LRO enabled. |
1065013-4 | 3-Major | BT1065013 | Tmm crash with iRuleLX plugin in use |
1063977-3 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. |
1063865-7 | 3-Major | BT1063865 | Blade remains in an INOPERATIVE state after being moved to new chassis. |
1062569-1 | 3-Major | BT1062569 | HTTP/2 stream bottom filter leaks memory at teardown when streams are aborted with queued egress data/events. |
1060541-1 | 3-Major | BT1060541 | Bigd has high CPU utilization when https pool members do not allow SSL/TLS session resumption. |
1060029-1 | 3-Major | BT1060029 | MRHTTP proxy can leak init_args and attached streams/flows. |
1060021-1 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::lookup_name iRule might result in core. |
1059573-4 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. |
1057561 | 3-Major | BT1057561 | Occasional Nitrox5 zip engine hang. |
1056941-2 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. |
1053741-4 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason |
1053149-1 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. |
1051153-4 | 3-Major | BT1051153 | DHCP fails intermittently when the connection is through BIG-IP. |
1043985-1 | 3-Major | BT1043985 | After editing an iRule, the execution order might change. |
1043805-3 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. |
1043009 | 3-Major | BT1043009 | TMM dump capture for compression engine hang |
1040957-1 | 3-Major | BT1040957 | The ipother profile can be used with incompatible profiles in a virtual server |
1040465-3 | 3-Major | BT1040465 | Incorrect SNAT pool is selected |
1040045-3 | 3-Major | BT1040045 | Unable to delete trunk member on a VCMP guest |
1040017-5 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie |
1039349-1 | 3-Major | BT1039349 | HTTP statistics not updated |
1039277-4 | 3-Major | BT1039277 | TMM core |
1037645-4 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command |
1036873-2 | 3-Major | BT1036873 | Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3 |
1036169-4 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". |
1036093-4 | 3-Major | BT1036093 | Tmm sends out neighbor advertisements for the link local addresses even if IPv6 is disabled |
1036013-3 | 3-Major | BT1036013 | BIG-IP systems may terminate connections prematurely when a TLS close-notify alert is received |
1034953-3 | 3-Major | BT1034953 | In explicit proxy, HTTP_STATCODE missing from syslog |
1033937-1 | 3-Major | BT1033937 | HTTP message router stats do not increment for virtual servers and pools |
1033537-4 | 3-Major | BT1033537 | Cookie persistence profile only examines the first cookie. |
1029069-2 | 3-Major | Non-ASCII characters are not displayed correctly. | |
1025089-1 | 3-Major | BT1025089 | Pool members marked down by database monitor due to stale cached connection |
1023529-2 | 3-Major | BT1023529 | FastL4 connections with infinite timeout may become immune to manual deletion and remain in memory. |
1022453-4 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. |
1021837-3 | 3-Major | BT1021837 | When a virtual server has an inline service profile configured, connections will be reset with cause "No server selected" |
1020069-1 | 3-Major | BT1020069 | Equinix SmartKey HSM is not working with nethsm-partition 'fortanix' |
1019641-3 | 3-Major | BT1019641 | SCTP INIT_ACK not forwarded |
1019261-1 | 3-Major | BT1019261 | In-TMM HTTPS monitor with SSL Profile set to None does not use serverssl profile. |
1018765-1 | 3-Major | BT1018765 | Changing the sshd port breaks some BIG-IP utilities on a multi-bladed system |
1017885-5 | 3-Major | BT1017885 | Wildcard server-name does not match multiple labels in FQDN |
1017801-1 | 3-Major | BT1017801 | Internal listeners (cgc, ftp data, etc) all share the same listener_key stats |
1017421-4 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level |
1017029-5 | 3-Major | BT1017029 | SASP monitor does not identify specific cause of failed SASP Registration attempt |
1016921-3 | 3-Major | BT1016921 | SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled |
1016909-1 | 3-Major | BT1016909 | BIG-IP iRule commands FLOW::this or FLOW::peer can create zombie flows. |
1016589-1 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash |
1016433-2 | 3-Major | BT1016433 | URI rewriting is incorrect for "data:" and "javascript:" |
1015817-1 | 3-Major | BT1015817 | Flows rejected due to no return route do not increment rejection stats |
1014633-4 | 3-Major | BT1014633 | Transparent / gateway monitors may fail if there is no route to a node |
1013597-2 | 3-Major | BT1013597 | `HTTP2::disable serverside` can reset flows |
1013209-5 | 3-Major | BT1013209 | BIG-IP components relying on ca-bundle.crt may stop working after upgrade&start; |
1012813-1 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" |
1012009-3 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash |
1010209-1 | 3-Major | BT1010209 | BIG-IP configuration allows literal CR and LF characters in LTM monitor send and recv strings |
1009921-3 | 3-Major | BT1009921 | 'SSL::verify_result' iRule command may return incorrect value when combined with dynamic CRL check |
1006857-1 | 3-Major | BT1006857 | Adding a source address list to a virtual server in a partition with a non-default route domain fails. |
1006157-3 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' |
1004609-6 | 3-Major | SSL forward proxy virtual server may set empty SSL session_id in server hello. | |
1000561-5 | 3-Major | BT1000561 | Chunk size incorrectly passed to client-side |
1000069-3 | 3-Major | BT1000069 | Virtual server does not create the listener |
999709-6 | 4-Minor | BT999709 | iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2. |
997357-1 | 4-Minor | BT997357 | iRule command "SSL:session invalidate" not working as expected |
990173-1 | 4-Minor | BT990173 | Dynconfd repeatedly sends the same mcp message to mcpd |
987885-6 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly |
987401-1 | 4-Minor | BT987401 | Increased TMM memory usage on standby unit after pool flap |
962177-6 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect |
947745-3 | 4-Minor | BT947745 | Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error |
940837-4 | 4-Minor | BT940837 | The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2. |
929429-8 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed |
921993-1 | 4-Minor | BT921993 | LTM policy with a 'contains' operator does not work as expected when using an external data group. |
904537-1 | 4-Minor | BT904537 | The csyncd process may keep trying to sync the GeoIP database to a secondary blade |
829021-1 | 4-Minor | BT829021 | BIG-IP does not account a presence of http2 profile when response payload is modified |
683534-2 | 4-Minor | BT683534 | 'tmsh show sys connection' command prompt displaying 4 billion connections is misleading |
1093545-4 | 4-Minor | BT1093545 | Attempts to create illegal virtual-server may lead to mcpd crash. |
1071269 | 4-Minor | SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.&start; | |
1070141-1 | 4-Minor | BT1070141 | The SNAT Automap and self IP address selection. |
1067025-4 | 4-Minor | BT1067025 | Rate-shaping + immediate timeout causing connection to stall. |
1064725-4 | 4-Minor | BT1064725 | False alarm log message on ltm as CHMAN request for tag:19 as failed. |
1037153-1 | 4-Minor | BT1037153 | iRule "log" command to remote destinations may cause TMM to leak memory |
1035757-4 | 4-Minor | BT1035757 | iRulesLX restart leaves stale files in /var/tmstat/blade/tmplugin_ilx_* |
1034865-1 | 4-Minor | BT1034865 | CACHE::enable failed on private/no-store content |
1034217-2 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. |
1030533-1 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. |
1030093-1 | 4-Minor | BT1030093 | An http2 to http2 virtual connection with translate-address disabled might only use one stream on the server side. |
1027805-4 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. |
1016045-4 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. |
1015793-1 | 4-Minor | BT1015793 | Length value returned by TCP::payload is signed and can appear negative |
1015117-5 | 4-Minor | BT1015117 | Headers are corrupted during modification/insertion if a mix of end-of-line markers <CRLF> and <LF> are used |
1013937-1 | 4-Minor | BT1013937 | In-TMM HTTP and HTTPS monitors require RFC-compliant send strings to work. |
1011889-6 | 4-Minor | BT1011889 | The BIG-IP system does not handle DHCPv6 fragmented traffic properly |
1004953-5 | 4-Minor | BT1004953 | HTTP does not fall back to HTTP/1.1&start; |
979213-1 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. |
926085-2 | 5-Cosmetic | BT926085 | GUI: Node/port monitor test not possible in the GUI, but works in tmsh |
897437-7 | 5-Cosmetic | BT897437 | First retransmission might happen after syn-rto-base instead of minimum-rto. |
860277-6 | 5-Cosmetic | BT860277 | Default value of TCP Profile Proxy Buffer High Low changed in 14.1 |
1035741-1 | 5-Cosmetic | BT1035741 | Wrong default value for lacp-port-priority. |
Performance Issues
ID Number | Severity | Links to More Info | Description |
908001-2 | 2-Critical | BT908001 | vCMP guest CPU usage may increase 4-5% after upgrade of vCMP host to v16.1.x&start; |
1063173-2 | 2-Critical | BT1063173 | Blob size consistency after changes to pktclass. |
1037617-1 | 2-Critical | BT1037617 | Switching between bare-metal and vCMP modes can leave HSM with poorly deployed accelerator engine counts |
475997-2 | 3-Major | K16687, BT475997 | SSL stream throughput slows down when hardware SSL offloading is in use |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Links to More Info | Description |
940733-5 | 2-Critical | K29290121, BT940733 | Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start; |
931149-3 | 2-Critical | BT931149 | Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings |
887681-4 | 2-Critical | BT887681 | Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c |
705869-1 | 2-Critical | BT705869 | TMM crashes as a result of repeated loads of the GEOIP database |
1077701-1 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change |
1073273-1 | 2-Critical | BT1073273 | RESOLVER::name_lookup not returning truncated responses |
1031945-4 | 2-Critical | BT1031945 | DNS cache configured and tmm stuck in 'not ready' state indefinitely after TMM restart or reboot&start; |
994221-1 | 3-Major | BT994221 | ZoneRunner returns error 'Resolver returned no such record' |
990929-2 | 3-Major | BT990929 | Status of GTM monitor instance is constantly flapping |
987709-6 | 3-Major | BT987709 | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition |
984749-1 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." |
977625-1 | 3-Major | BT977625 | GTM persistence records linger in tmm |
973341-1 | 3-Major | BT973341 | Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt |
969553-1 | 3-Major | BT969553 | A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries. |
967737-3 | 3-Major | BT967737 | DNS Express: SOA stops showing up in statistics from second zone transfer |
966461-7 | 3-Major | BT966461 | Tmm leaks memory after each DNSSEC query when netHSM is not connected |
965053-4 | 3-Major | BT965053 | [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure |
958157-4 | 3-Major | BT958157 | Hash collisions in fastDNS packet processing |
936777-1 | 3-Major | BT936777 | Old local config is synced to other devices in the sync group. |
936417-4 | 3-Major | BT936417 | DNS/GTM daemon big3d does not accept ECDH or DH ciphers |
936361-2 | 3-Major | BT936361 | IPv6-based bind (named) views do not work |
935945-2 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI |
920817-7 | 3-Major | BT920817 | Wide IP operations performed in quick succession result in missing resource records and out of sync journals. |
918693-5 | 3-Major | BT918693 | Wide IP alias validation error during sync or config load |
913917-1 | 3-Major | BT913917 | Unable to save UCS |
911497-1 | 3-Major | BT911497 | Unbound's backoff algorithm interacts badly with net resolver iRules |
911241-8 | 3-Major | BT911241 | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug |
908829-2 | 3-Major | BT908829 | The iqsyncer utility may not write the core file for system signals |
908801-2 | 3-Major | BT908801 | SELinux policies may prevent from iqsh/iqsyncer dumping core |
903521-1 | 3-Major | BT903521 | TMM fails to sign responses from BIND when BIND has 'dnssec-enable no' |
899253-1 | 3-Major | BT899253 | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist |
887921-2 | 3-Major | iRule command “RESOLVER::name_lookup” returns null for responses more than 512 bytes | |
795633-1 | 3-Major | BT795633 | GUI and REST API unable to add virtual servers containing a space in the name to a pool |
779185-1 | 3-Major | BT779185 | Forward zone deleted when wideip updated |
766593-7 | 3-Major | BT766593 | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 |
222220-8 | 3-Major | K11931 | Distributed application statistics are not passed correctly. |
1091249-2 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. |
1084173-1 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). |
1083405-3 | 3-Major | BT1083405 | "Error connecting to named socket" from zrd |
1082197-1 | 3-Major | BT1082197 | RNAME and MNAME field order reversed for Synthetic SOAs sent for negative response |
1078669-2 | 3-Major | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | |
1075469-1 | 3-Major | BT1075469 | DNS GUI: Refreshing a DNS Express record sometimes fails to populate the server. |
1073677-1 | 3-Major | Add a db variable to enable answering DNS requests before reqInitState Ready | |
1073673-1 | 3-Major | Prevent possible early exit from persist sync | |
1071301-1 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. |
1071233-1 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured |
1070953-4 | 3-Major | BT1070953 | Dnssec zone transfer could cause numerous gtm sync events. |
1067309-1 | 3-Major | BT1067309 | GTMD cored followed by TMM core SIGSEGV due to illegal GTM server reference. |
1066397-1 | 3-Major | BT1066397 | GTM persists to last resort pool members even when primary pool members become available. |
1064205-1 | 3-Major | GSLB virtual server's status can't be changed from the drop-down selection box on its properties page. | |
1063829-1 | 3-Major | BT1063829 | Zxfrd could run out of memory because zone db files are not efficiently recycled. |
1055077-1 | 3-Major | BT1055077 | Modifying the datacenter does not check GTM server configuration for prober-pool. |
1051125-1 | 3-Major | BT1051125 | GTM marks virtual servers offline even when LTM virtual servers are available. |
1050661-1 | 3-Major | BT1050661 | Warning message with UDP on DOH server side. |
1044873-1 | 3-Major | BT1044873 | Deleted GTM link is not removed from virtual server object and causes load failure. |
1041889-2 | 3-Major | BT1041889 | RRSIG missing for CNAME with RDATA in different zone |
1041657-1 | 3-Major | BT1041657 | PEM and Analytics tabs are displayed when accessing DoH Proxy/Server profiles. |
1041625-5 | 3-Major | BT1041625 | Virtual server flapping when the active and standby devices have different configuration. |
1040153-1 | 3-Major | BT1040153 | Topology region returns narrowest scope netmask without matching |
1030237-1 | 3-Major | BT1030237 | Zxfrd core and continual restart when out of configured space |
1026621-1 | 3-Major | BT1026621 | DNS cache resolver could not connect to remote DNS server with snatpool if multiple routes exist |
1024905-1 | 3-Major | BT1024905 | GTM monitor times out if monitoring a virtual server with translation address |
1024553-1 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out |
1012061-1 | 3-Major | BT1012061 | Link Controller auto-discovery does not remove deleted virtual servers |
1003233-2 | 3-Major | BT1003233 | SNMP Polling can cause inconsistencies in gtm link stats. |
1001101-1 | 3-Major | BT1001101 | Cannot update/display GTM/DNS listener route advertisement correctly |
996261-1 | 4-Minor | BT996261 | Zrd in restart loop with empty named.conf |
995369-1 | 4-Minor | BT995369 | DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm |
959613-1 | 4-Minor | BT959613 | SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason |
950069-1 | 4-Minor | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" |
947217-6 | 4-Minor | BT947217 | Fix of ID722682 prevents GTM config load when the virtual server name contains a colon&start; |
886145-1 | 4-Minor | BT886145 | The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS GUI. |
882933-1 | 4-Minor | BT882933 | Nslookup might generate a core during system restart |
839361-7 | 4-Minor | BT839361 | iRule 'drop' command does not drop packets when used in DNS_RESPONSE |
808913-1 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data |
708680-4 | 4-Minor | BT708680 | TMUI is unable to change the Alias Address of DNS/GTM Monitors |
464708-3 | 4-Minor | BT464708 | DNS logging does not support Splunk format log |
1084673-2 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name |
1067821-1 | 4-Minor | BT1067821 | Stats allocated_used for region inside zxfrd is overflowed |
1026813-7 | 4-Minor | BT1026813 | LCD IP address is missing from /etc/hosts on iSeries |
1014761-2 | 4-Minor | BT1014761 | [DNS][GUI] Not able to enable/disable pool member from pool member property page |
1008233-1 | 4-Minor | BT1008233 | The gtm_add command fails but reports no error |
1053605-2 | 5-Cosmetic | BT1053605 | When you use NAT, the iQuery status displays 'BIGIP' instead of 'BIGIP-DNS'. |
Application Security Manager Issues
ID Number | Severity | Links to More Info | Description |
887621-4 | 2-Critical | BT887621 | ASM virtual server names configuration CRC collision is possible |
884945-1 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. |
791669-5 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains |
1095185-2 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync |
1050089-5 | 2-Critical | TMM crash in certain cases | |
1048685-4 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge |
1015881-4 | 2-Critical | BT1015881 | TMM might crash after configuration failure |
987453-3 | 3-Major | Bot Defense browser verification fails upon iframes of different top-level domains | |
974513-7 | 3-Major | BT974513 | Dropped requests are reported as blocked in Reporting/charts |
966613-6 | 3-Major | BT966613 | Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’ |
959965-1 | 3-Major | Asmlogd stops deleting old protobufs | |
959957-1 | 3-Major | BT959957 | Asmlogd stops deleting old protobufs |
943441-4 | 3-Major | BT943441 | Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK |
903313-4 | 3-Major | OWASP page: File Types score in Broken Access Control category is always 0. | |
890169-4 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. |
886533-5 | 3-Major | BT886533 | Icap server connection adjustments |
1085661-1 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer |
1083913-2 | 3-Major | BT1083913 | Missing error check in ICAP handling |
1082461-2 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule |
1080613-1 | 3-Major | BT1080613 | "Installation of Automatically Downloaded Updates" configuration in LiveUpdate is lost during the first tomcat restart, after upgrading to versions having the fix of ID907025.&start; |
1078765-1 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. |
1072165-2 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format |
1069729-3 | 3-Major | BT1069729 | TMM might crash after a configuration change. |
1069137-2 | 3-Major | BT1069137 | Missing AWAF sync diagnostics |
1069113-1 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive. |
1062493-1 | 3-Major | BT1062493 | BD crash close to it's startup |
1062105-3 | 3-Major | BT1062105 | For specific configurations (Auto-Added Signature Accuracy and Case Sensitive parent policy), child security policy fails to create. |
1059513-1 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. |
1058597-5 | 3-Major | BT1058597 | Bd crash on first request after system recovery. |
1057557-5 | 3-Major | BT1057557 | Exported policy has greater-than sign '>' not escaped to '>' with response_html_code tag. |
1056957-1 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. |
1051589-1 | 3-Major | Missing configuration after upgrade&start; | |
1048949-1 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile |
1039361-1 | 3-Major | BT1039361 | [GraphQL] In case of more than one malformed violation, the first is reported multiple times |
1036969-1 | 3-Major | BT1036969 | Chrome sometimes ignores cross-site bot-defense cookies |
1036305-5 | 3-Major | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | |
1036057-1 | 3-Major | BT1036057 | Add support for line folding in multipart parser. |
1033025-4 | 3-Major | BT1033025 | TMM might crash when unsupported bot iRule is used |
1031461-2 | 3-Major | Session awareness entries aren't mirrored to both sides of an active-active deployment. | |
1030133-2 | 3-Major | BT1030133 | BD core on XML out of memory |
1029989-6 | 3-Major | CORS : default port of origin header is set 80, even when the protocol in the header is https | |
1029373-4 | 3-Major | BT1029373 | Firefox 88+ raising Suspicious browser violations with bot defense |
1028493-1 | 3-Major | Live Update genesis file for Server Technologies installation fails | |
1023889-3 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message |
1021609-1 | 3-Major | BT1021609 | Improve matching of URLs with specific characters to a policy. |
1020149-4 | 3-Major | BT1020149 | Bot Defense does not support iOS's WKWebView framework |
1017557-1 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN |
1017261-7 | 3-Major | BT1017261 | Configuraton update triggers from MCP to ASM are ignored |
1014973-5 | 3-Major | BT1014973 | ASM changed cookie value. |
1006181-3 | 3-Major | BT1006181 | ASM fails to start if different ASM policies use login pages with the same name&start; |
994013-1 | 4-Minor | BT994013 | Modifying bot defense allow list via replace-all-with fails with match-order error |
991765-3 | 4-Minor | BT991765 | Inheritance of staging_period_in_days from policy template |
984521-4 | 4-Minor | BT984521 | Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name |
984449-2 | 4-Minor | Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name | |
950953-3 | 4-Minor | BT950953 | Browser Challenges update file cannot be installed after upgrade&start; |
948241-4 | 4-Minor | Count Stateful anomalies based only on Device ID | |
937541-4 | 4-Minor | Wrong display of signature references in violation details | |
882729-5 | 4-Minor | BT882729 | Applied Blocking Masks discrepancy between local/remote event log |
807569-3 | 4-Minor | BT807569 | Requests fail to load when backend server overrides request cookies and Bot Defense is used |
757486-2 | 4-Minor | BT757486 | Errors in IE11 console appearing with Bot Defense profile |
1097853-1 | 4-Minor | Session Tracking screen may be missing the scroll bar after saving the configuration | |
1087005-2 | 4-Minor | BT1087005 | Application charset may be ignored when using Bot Defense Browser Verification |
1084857-2 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit |
1083513-1 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd |
1079721 | 4-Minor | OWASP 2017 A2 Category - Login enforcement link is broken | |
1076165-1 | 4-Minor | BT1076165 | GRPC traffic does not work with DoSL7. |
1073625-2 | 4-Minor | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | |
1067917-1 | 4-Minor | BT1067917 | Attaching iRule DOSL7::enable when mitigation is not enabled at dosl7 profile, it is not showing warning in GUI. |
1059421-4 | 4-Minor | Bot Signature is not updated when the signature rule is updated. | |
1058665-1 | 4-Minor | BT1058665 | Bot signature with a semicolon followed by a space is not detected. |
1057713-2 | 4-Minor | "South Sudan" is missing from the ASM Geolocation Enforcement list. | |
1048617-3 | 4-Minor | Nice level BigDB paramter is not applied for BD | |
1046317-2 | 4-Minor | Violation details are not populated with staged URLs for some violation types | |
1040513-5 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. |
1026277-6 | 4-Minor | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled | |
1017149-1 | 4-Minor | User-defined bot sigs that are created in tmsh don't overlap staged factory bot sigs | |
1014573-1 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer |
1005309-4 | 4-Minor | BT1005309 | Additional Tcl variables showing information from the AntiBot Mobile SDK |
1005181-4 | 4-Minor | BT1005181 | Bot Defense Logs indicate the mobile debugger is used even when it is not |
1029689-2 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log |
Application Visibility and Reporting Issues
ID Number | Severity | Links to More Info | Description |
933777-5 | 3-Major | BT933777 | Context use and syntax changes clarification |
932485-5 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables |
932189-1 | 3-Major | BT932189 | Incorrect BD Swap Size units on ASM Resources chart |
926341-5 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade&start; |
830073-7 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout |
808801-6 | 3-Major | BT808801 | AVRD crash when configured to send data externally |
950305-5 | 4-Minor | BT950305 | Analytics data not displayed for Pool Names |
915005-3 | 4-Minor | BT915005 | AVR core files have unclear names |
910777-1 | 4-Minor | BT910777 | Sending ASM report via AWS SES failed duo to wrong content type |
930217-1 | 5-Cosmetic | BT930217 | Zone colors in ASM swap usage graph are incorrect |
Access Policy Manager Issues
ID Number | Severity | Links to More Info | Description |
349706-4 | 0-Unspecified | NetworkAccess assigns 1.1.1.1 address to remote ppp endpoint APM VPN | |
965837-4 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection |
930625-1 | 2-Critical | BT930625 | TMM crash is seen due to double free in SAML flow |
1063261-4 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. |
1007869-1 | 2-Critical | BT1007869 | Upgrade from v14.1.x to v15.1.2.1 or later fails for app-tunnel, RDP and config migration&start; |
984765-2 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)&start; |
956645-4 | 3-Major | BT956645 | Per-request policy execution may timeout. |
949477-4 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet |
947613-2 | 3-Major | BT947613 | APM reset after upgrade and modify of LDAP Group Lookup&start; |
934825-2 | 3-Major | BT934825 | Restarting MCPD via command line may not restart the aced process |
903573-3 | 3-Major | BT903573 | AD group cache query performance |
903501-3 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address |
898381-3 | 3-Major | BT898381 | Changing the setting of apm-forwarding-fastl4 profile does not take effect |
868557-1 | 3-Major | Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. | |
806809-3 | 3-Major | BT806809 | JWT Claim value without quotes is invalid |
752077-4 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors |
527119-9 | 3-Major | BT527119 | An iframe document body might be null after iframe creation in rewritten document. |
1097821-2 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh command when source-path is specified |
1095909-1 | 3-Major | BT1095909 | DEBUG_NOTICE macro truncating log messages of size more than 1024 |
1089685-1 | 3-Major | BT1089685 | [APM]Webtop loading issue when 'oneconnect' profile is attached to a virtual server |
1089293 | 3-Major | Backend password reset is not working in Webtop when sso is disabled. | |
1071485-3 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. |
1064001-1 | 3-Major | POST request to a virtual server with stream profile and a access policy is aborted. | |
1063345-5 | 3-Major | Urldbmgrd may crash while downloading the database. | |
1058873 | 3-Major | BT1058873 | Configuring Source Address as "address list" in a virtual server causes apmd to restart. |
1054677-1 | 3-Major | BT1054677 | Ng_export fails for users with the 'pager' option enabled in their 'cli preference' configuration. |
1053309-1 | 3-Major | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | |
1050165 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session |
1048913-1 | 3-Major | BT1048913 | APM internal virtual server leaks memory under certain conditions. |
1042505-1 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients |
1041989-4 | 3-Major | BT1041989 | APM Portal Access does not add automatically the / after the URL encoded (after the '$$'), Redirect breaks |
1039725-1 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. |
1037877-3 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE |
1024437-6 | 3-Major | BT1024437 | Urldb index building fails to open index temp file |
1022877-3 | 3-Major | Ping missing from list of Types for OAuth Client | |
1022493-4 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) |
1018877-2 | 3-Major | BT1018877 | Subsession variable values mixing between sessions |
1013729-2 | 3-Major | Changing User login password using VMware View Horizon client results in “HTTP error 500” | |
1010961-1 | 3-Major | BT1010961 | Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow |
1010597-1 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain&start; |
1006509-1 | 3-Major | BT1006509 | TMM memory leak&start; |
1002413-2 | 3-Major | BT1002413 | Websso puts quotation marks around non-string claim type 'custom' values |
1000669-4 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE |
996985-1 | 4-Minor | BT996985 | No IP address format validation while adding IP addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space when configuring Network Access Resource. |
996977-1 | 4-Minor | BT996977 | No IP address format validation while adding IP addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space when configuring Network Access Resource. |
949957-1 | 4-Minor | BT949957 | RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android) |
547947-2 | 4-Minor | BT547947 | Feeding empty username and password to the Logon Page followed by RadiusAuthAgent shows the session as Logged out |
1079441-2 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries |
1050153 | 4-Minor | BT1050153 | Unknown browscap value sent by the client. |
1041985-1 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade&start; |
1040829-4 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge |
1028081-1 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page |
1022973-2 | 4-Minor | BT1022973 | Sessiondb entries related to Oauth module not cleaned up in certain conditions |
1004845-1 | 4-Minor | BT1004845 | Accessing attribute using attributeNode value does not work with Portal Access |
Service Provider Issues
ID Number | Severity | Links to More Info | Description |
1093621-2 | 2-Critical | BT1093621 | BIG-IP may accumulate xbuf data for SIP keep-alive messages over TCP |
921441-4 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg |
917637-5 | 3-Major | BT917637 | Tmm crash with ICAP filter |
1058905-1 | 3-Major | BT1058905 | TMM crash as a result of "LB::detach" in an iRule on an MR HTTP configuration. |
1038057-4 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile |
1008169-1 | 3-Major | BT1008169 | BIG-IP systems disconnect the DIAMETER transport connection if it receives an answer message without a Result-Code AVP |
Advanced Firewall Manager Issues
ID Number | Severity | Links to More Info | Description |
1069809 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. |
1060833-2 | 2-Critical | BT1060833 | After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash. |
1058645-2 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. |
1048425-4 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled |
1040685-4 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) |
993269-3 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option |
992233-1 | 3-Major | BT992233 | DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level. |
990461-5 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start; |
987637-3 | 3-Major | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware |
987605-3 | 3-Major | BT987605 | DDoS: ICMP attacks are not hardware-mitigated |
977449-1 | 3-Major | BT977449 | Total address and Total endpoints is shown as '0' in nat stats |
977153-3 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded |
968953-1 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request |
965849-1 | 3-Major | BT965849 | Displayed 'Route Domain ID' value is confusing if it is set to None |
952521-1 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses&start; |
935769-5 | 3-Major | BT935769 | Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time |
929913-3 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events |
926549-3 | 3-Major | BT926549 | AFM rule loops when 'Send to Virtual' is used with Virtual Server iRule 'LB::reselect' |
1079985-3 | 3-Major | BT1079985 | int_drops_rate shows an incorrect value |
1079637-1 | 3-Major | BT1079637 | Incorrect Neuron rule order |
1078625 | 3-Major | TMM crashes during DoS processing | |
1076477-2 | 3-Major | BT1076477 | AFM allows deletion of a firewall policy even if it's being used in a route domain. |
1070737-2 | 3-Major | BT1070737 | AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated. |
1070033-2 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. |
1067405-3 | 3-Major | BT1067405 | TMM crash while offloading / programming bad actor connections to hardware. |
1053589-1 | 3-Major | BT1053589 | DDoS functionality cannot be configured at a Zone level |
1047933-1 | 3-Major | BT1047933 | Virtual server security policy - An error has occurred while trying to process your request |
1045065-3 | 3-Major | BT1045065 | Enable traffic group modification in source-translation object |
1032329-1 | 3-Major | BT1032329 | A user with role "Firewall Manager" cannot open the Rule List editor in UI |
1031909-2 | 3-Major | BT1031909 | NAT policies page unusable due to the page load time |
1022613-1 | 3-Major | BT1022613 | Cannot modify Security "global-network" Logging Profile |
1020061-3 | 3-Major | BT1020061 | Nested address lists can increase configuration load time |
1019557-1 | 3-Major | BT1019557 | Bdosd does not create /var/bdosd/*.json |
1019453-1 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated |
1012581-1 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered |
1012413-1 | 3-Major | BT1012413 | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled |
981145-1 | 4-Minor | BT981145 | DoS events do not include the attack name for "tcp syn ack flood" |
967245-1 | 4-Minor | Incorrect SPVA counter incremented during Sweep attack on profile | |
926425-4 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts |
837101-3 | 4-Minor | BT837101 | AVR and BIG-IQ stats show N/A bar for Source IP and domain name on DNS query packet |
760355-4 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'&start; |
1084901-1 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh |
1033021-2 | 4-Minor | BT1033021 | UI: Partition does not work when clicking through security zones |
1022213-4 | 4-Minor | BT1022213 | DDOS: BDOS: Warning messages related to high availability (HA) watchdog seen on system bring up |
1003377-3 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option |
Policy Enforcement Manager Issues
ID Number | Severity | Links to More Info | Description |
829657-5 | 2-Critical | BT829657 | Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses |
1091565-1 | 2-Critical | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | |
1019481-1 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform |
924589-3 | 3-Major | BT924589 | PEM ephemeral listeners with source-address-translation may not count subscriber data |
829653-1 | 3-Major | BT829653 | Memory leak due to session context not freed |
1093357-4 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash |
1090649-3 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI |
1089829-3 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers |
1084993 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching |
1020041-3 | 3-Major | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | |
1015501-3 | 3-Major | BT1015501 | Changes to DHCP Profile are not used by tmm |
911585-5 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval |
815901-2 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed |
Carrier-Grade NAT Issues
ID Number | Severity | Links to More Info | Description |
751719-5 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly |
994985-3 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile |
1096317-4 | 3-Major | BT1096317 | SIP msg alg zombie flows |
1023461-2 | 3-Major | BT1023461 | Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created |
1034009-4 | 4-Minor | BT1034009 | CGNAT+Subscriber Discovery - NAT IP with wrong route domain on the CGNAT Log |
Fraud Protection Services Issues
ID Number | Severity | Links to More Info | Description |
1060393-1 | 3-Major | BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. |
1052781 | 3-Major | BT1052781 | JavaScript obfuscation is very slow. |
1016481-1 | 3-Major | BT1016481 | Special JSON characters in Dom Signatures breaks configuration |
Anomaly Detection Services Issues
ID Number | Severity | Links to More Info | Description |
1010717-1 | 3-Major | BT1010717 | Default DoS profile creation from tmsh is incorrectly interpreted by DoS profile GUI |
Traffic Classification Engine Issues
ID Number | Severity | Links to More Info | Description |
984657 | 3-Major | BT984657 | Sysdb variable not working from tmsh |
1058349-3 | 3-Major | BT1058349 | Requirement of new signatures to detect IMO and Google Duo service. |
974205-5 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM |
941773-1 | 4-Minor | BT941773 | Video resolution mis-prediction |
941765-1 | 4-Minor | BT941765 | Video resolution mis-predictions |
Device Management Issues
ID Number | Severity | Links to More Info | Description |
663754-1 | 2-Critical | BT663754 | Modifying the default management port can break internal functionality |
880565-5 | 3-Major | BT880565 | Audit Log: "cmd_data=list cm device recursive" is been generated continuously |
717174-5 | 3-Major | BT717174 | WebUI shows error: Error getting auth token from login provider&start; |
999085-1 | 4-Minor | BT999085 | REST endpoint registration errors in restjavad logs |
1049237-1 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix |
1041113 | 4-Minor | BT1041113 | BIG-IP Admin role credentials are not usable for getting device discovered by BIG-IQ |
iApp Technology Issues
ID Number | Severity | Links to More Info | Description |
842193-6 | 3-Major | BT842193 | Scriptd coring while running f5.automated_backup script |
1004697-3 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space |
Protocol Inspection Issues
ID Number | Severity | Links to More Info | Description |
989529-1 | 3-Major | BT989529 | AFM IPS engine takes action on unspecified services |
1013777-4 | 3-Major | An error is encountered when enabling reset-learning to all the signatures of a protocol inspection profile in the GUI. | |
1011133 | 3-Major | BT1011133 | Protocol Inspection compliance check 10208 gtp_disallowed_message_types does not take GTP version into account |
Guided Configuration Issues
ID Number | Severity | Links to More Info | Description |
991829-1 | 3-Major | BT991829 | Continuous connection refused errors in restjavad |
982801-2 | 3-Major | AGC hardening |
In-tmm monitors Issues
ID Number | Severity | Links to More Info | Description |
932857-5 | 3-Major | BT932857 | Delays marking Nodes or Pool Members DOWN with in-TMM monitoring |
1046917-4 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes |
1002345-4 | 3-Major | BT1002345 | Transparent DNS monitor does not work after upgrade&start; |
788257-5 | 4-Minor | BT788257 | Bigd.mgmtroutecheck setting ignored by in-tmm monitors after bigstart restart |
SSL Orchestrator Issues
ID Number | Severity | Links to More Info | Description |
1050273-1 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator. |
1095145-3 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service |
Known Issue details for BIG-IP v16.1.x
999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
999709-6 : iRule 'pool'/'virtual' commands not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT999709
Component: Local Traffic Manager
Symptoms:
The 'pool'/'virtual' iRule commands cause the specified pool to be used directly. However, with HTTP/2, the 'pool'/'virtual' command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent.
Conditions:
-- A 'pool'/'virtual' command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
-- HTTP/2 Message Routing is disabled.
Impact:
With HTTP/2 configured, the iRule 'pool'/'virtual' commands fail to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired pool/virtual.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
999669-1 : Some HTTPS monitors are failing after upgrade when config has different SSL option&start;
Links to More Info: BT999669
Component: Local Traffic Manager
Symptoms:
Some HTTPS monitors are failing after upgrade when the config has different SSL option properties for different monitors.
Conditions:
-- Individual SSL profiles exist for different HTTPS monitors with SSL parameters.
-- A unique server SSL profile is configured for each HTTP monitor (one with cert/key, one without).
Impact:
Some HTTPS monitors fail. Pool is down. Virtual server is down.
Workaround:
None
999085-1 : REST endpoint registration errors in restjavad logs
Links to More Info: BT999085
Component: Device Management
Symptoms:
Errors are logged to /var/log/restjavad.0.log at the SEVERE log level:
[SEVERE]... [IcrWorker] Unable to register iControl endpoint "/xxxx/xxxx". Error: uriPath '/tm/xxxx/xxxx' already registered
Conditions:
The system reports these errors during startup of the restjavad service because of multiple registrations of the same endpoint.
Impact:
There is no functional impact and these errors can be ignored.
Workaround:
None
999021-2 : IPsec IKEv1 tunnels fail after a config sync from Standby to Active
Links to More Info: BT999021
Component: TMOS
Symptoms:
When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel.
If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.
Conditions:
-- IPsec IKEv1 tunnel in use.
-- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device.
-- And/or a full config sync from the Standby to Active BIG-IP system.
Impact:
IPsec IKEv1 tunnels fail and do not start again.
Workaround:
-- Do not make changes to IPsec IKEv1 tunnels on the Standby device.
-- Avoid full syncs from Standby to Active.
How to recover when the problem occurs:
-- Disable the affected ike-peer and re-enable it.
998957-1 : Mcpd consumes excessive CPU while collecting stats.
Links to More Info: BT998957
Component: TMOS
Symptoms:
Mcpd CPU utilization is 100%.
Conditions:
This can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected.
Impact:
CPU utilization by mcpd is excessive.
Workaround:
None
998649-1 : Log hostname should be consistent when it contains ' . '
Links to More Info: BT998649
Component: TMOS
Symptoms:
Messages that are logged to journald use the configured hostname, while sylog-ng uses the hostname (machine name) and truncates it starting at the first '.' (period). This results in hostnames being inconsistent when it contains '.'; e.g., 'my.hostname' is logged as 'my' by syslog-ng, and 'my.hostname' by journald. This can make it difficult for log analysis tools to work with the log files.
Conditions:
-- Hostname contains a period
-- Viewing log files emitted from journald and from syslog-ng
Impact:
The full hostname is logged for system logs while logs that go directly to syslog-ng use a truncated hostname.
Workaround:
None.
998253-4 : SNI configuration is not sent via HTTPS when in-tmm monitors are disabled
Links to More Info: BT998253
Component: Local Traffic Manager
Symptoms:
The Server Name Indication (SNI) extension is missing on the HTTPS handshake.
Conditions:
-- Global in-tmm monitors are disabled
-- HTTPS monitor traffic
Impact:
The HTTPS client-server handshake occurs without a TLS SNI.
Workaround:
None
997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd&start;
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the ltm logs in the SSH / console, it repeatedly prompts an error:
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
Previous EPSEC packages that are still residing on the system from old BIG-IP versions is installing upon boot. An internal timer can cause the installation to be aborted and all daemons to be restarted via 'bigstart restart'
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
Workaround:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog
2. Restart all services by issuing the command:
bigstart restart
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
997541-5 : Round-robin GRE Disaggregator for hardware and software
Links to More Info: BT997541
Component: TMOS
Symptoms:
GRE tunnel traffic is pinned to one CPU.
Conditions:
GRE traffic is passed through BIG-IP system.
Impact:
Traffic is pinned to one CPU and overall performance is degraded.
Workaround:
None
997357-1 : iRule command "SSL:session invalidate" not working as expected
Links to More Info: BT997357
Component: Local Traffic Manager
Symptoms:
The iRule command "SSL:session invalidate" allows session resumption to happen. Session resumption not supposed to occur when this iRule command is used in an iRule.
Conditions:
"SSL:session invalidate" is used in the iRule event HTTP_REQUEST
Impact:
Session resumption would happen where the iRule is used with "SSL:session invalidate" included which is not supposed to occur
Workaround:
Session resumption should be disabled in SSL profiles
996985-1 : No IP address format validation while adding IP addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space when configuring Network Access Resource.
Links to More Info: BT996985
Component: Access Policy Manager
Symptoms:
IP address format is not properly validated for IPv4 LAN Address Space and IPv4 Exclude Address Space fields which may lead to misconfiguration when IPv6 addresses are configured in this fields.
Conditions:
This can occur if you misconfigure the IPv4 LAN Address Space or IPv4 Exclude Address Space fields by adding IPv6 addresses while configuring Network Access Resource.
Impact:
This may cause the split tunnel to malfunction.
Workaround:
Correct the configuration by removing IPv6 Addresses in IPv4 LAN Address Space or IPv4 Exclude Address Space.
996977-1 : No IP address format validation while adding IP addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space when configuring Network Access Resource.
Links to More Info: BT996977
Component: Access Policy Manager
Symptoms:
IP address format is not properly validated for IPv6 LAN Address Space and IPv6 Exclude Address Space fields which may lead to misconfiguration when IPv4 addresses are configured in this fields.
Conditions:
This can occur if you misconfigure the IPv6 LAN Address Space or IPv6 Exclude Address Space fields by adding IPv4 addresses while configuring Network Access Resource.
Impact:
This may cause the split tunnel to misfunction.
Workaround:
Correct the configuration by removing IPv4 Addresses in IPv6 LAN Address Space or IPv6 Exclude Address Space.
996649-6 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
996261-1 : Zrd in restart loop with empty named.conf
Links to More Info: BT996261
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process enters a restart loop:
logger[20015]: Re-starting zrd
Conditions:
This occurs when /var/named/config/named.conf is empty.
Impact:
The zrd process enters a restart loop. If the device is in a sync group, zrd enters a restart loop on all devices.
Workaround:
Restore content to the named.conf file.
996145-1 : After UCS restore on HA pair, one of the devices is missing folder /var/config/rest/iapps/f5-iappslx-ssl-orchestrator
Links to More Info: BT996145
Component: TMOS
Symptoms:
After restoring via UCS file, the SSL Orchestrator page reads:
Not Found
The requested URL was not found on this server
Conditions:
-- Devices are in a high availability (HA) pair
-- SSL Orchestrator deployed
-- A UCS file is loaded
Impact:
SSL Orchestrator is not available.
/var/config/rest/iapps/f5-iappslx-ssl-orchestrator is not restored correctly during UCS load.
Workaround:
Restore the UCS file again
995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of ipsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
995605-2 : PVA accelerated traffic does not update route domain stats
Links to More Info: BT995605
Component: TMOS
Symptoms:
PVA accelerated traffic does not update route domain stats
Conditions:
-- PVA accelerated traffic.
-- Viewing the route domain stats.
Impact:
The route domain stats may be inaccurate
Workaround:
Use the virtual server stats or ifc_stats instead.
995369-1 : DNSSEC manual key created with other algorithms ends up using RSA/SHA1 algorithm
Links to More Info: BT995369
Component: Global Traffic Manager (DNS)
Symptoms:
Generated DNSSEC keys always use RSA/SHA1 algorithm.
Conditions:
DNSSEC keys are generated with manual key management method.
Impact:
You are unable to create DNSSEC keys with other algorithms.
Workaround:
Choose automatic key management method.
995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
994985-3 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
994365-1 : Inconsistency in tmsh 'object mode' for some configurations
Links to More Info: BT994365
Component: TMOS
Symptoms:
Tmsh does not support object mode when modifying certain configurations, such as the node configuration. This results in misleading error 'not found' even though the configuration is available.
Conditions:
Modify node config results in error, even though the config is present.
# Node Object 'example' is created successfully
(tmos)# create ltm node example address 1.2.3.4
# On modifying the node 'example', tmsh gives error
(tmos)# modify ltm node example
Data Input Error: node "example" not found
The modify command does work when a property is specified:
(tmos)# modify ltm node example description "Node 1234"
Impact:
Inconsistent tmsh syntax when using 'object mode' for modifying the configuration.
Workaround:
Use 'tmsh modify' commands, or the GUI, to make the required changes without 'entering' the object in tmsh.
994361-2 : Updatecheck script hangs/Multiple updatecheck processes
Links to More Info: BT994361
Component: TMOS
Symptoms:
Multiple updatecheck and 'rpm -qf' processes running simultaneously.
Updatecheck is not functional
Conditions:
Updatecheck is run periodically via a cronjob. Updatecheck runs 'rpm -qf' command.
Impact:
Due to that 'rpm -qf' command hangs. This causes multiple updatecheck and 'rpm -qf' processes. High CPU and memory usage.
The most likely explanation is that rpmdb has gotten corrupted.
Workaround:
To rebuild rpmdb:
1. Halt all running updatecheck and 'rpm -qf' processes.
2. Run these commands:
rm /var/lib/rpm/__db*
rpm --rebuilddb
994221-1 : ZoneRunner returns error 'Resolver returned no such record'
Links to More Info: BT994221
Component: Global Traffic Manager (DNS)
Symptoms:
ZoneRunner returns error 'Resolver returned no such record'.
Conditions:
When trying to retrieve TXT records with single backslash.
Impact:
Not able to manage TXT record.
Workaround:
Use double backslashes to retrieve TXT records.
994081-1 : Traffic may be dropped with an Immediate idle timeout setting.
Links to More Info: BT994081
Component: Local Traffic Manager
Symptoms:
When the idle timeout is set to Immediate, flows may be expired while packets are buffered. Buffered packets are dropped. This can impact iRules and non-L4 virtual servers.
Conditions:
-- idle timeout set to Immediate.
-- iRules are configured
-- non-L4 virtual servers (fastl4, ip fwd, l2 fwd) are used.
-- debug tmm is in use
Impact:
Traffic is dropped.
Workaround:
You can use either workaround:
-- Configure an L4 virtual server.
-- Consider removing iRules.
994013-1 : Modifying bot defense allow list via replace-all-with fails with match-order error
Links to More Info: BT994013
Component: Application Security Manager
Symptoms:
An error occurs when modifying the allow list (or in case of 'load sys config verify' with similar configuration):
01b90026:3: Bot defense profile (/Common/bot-defense-device-id-generate-before-access) error: match-order should be unique.
Conditions:
-- Either modification via replace-all-with:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist replace-all-with { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 { match-order 2 source-address ::/32 url /bar } }
-- Or delete all, add, save and load-verify:
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist delete { all }
tmsh modify security bot-defense profile bot-defense-device-id-generate-before-access whitelist add { first_1 { match-order 1 source-address 10.0.0.0/8 url /foo } second_2 {match-order 2 source-address ::/32 url /bar}}
tmsh save sys config
load sys config verify
Impact:
You are unable to add-replace the bot defense allow list configuration
Workaround:
You can use either of the following workarounds:
-- Change match-order of defaults in profile_base.conf to use match-order 3 and up (and load config).
-- Change match-order of custom modify command (to continue with match-order 3 and up).
993481-1 : Jumbo Frame issue with DPDK-eNIC.
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver w/ Cisco eNIC
-- TMM receives Jumbo-sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
A) Use a different driver such as sock.
B) Do not use or accept Jumbo-frames. One way to perform this is to set the MTU to <= 1500 using the following tmsh command:
tmsh modify net vlan external mtu 1500
993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
992449-1 : The vCMP host does not report the correct number of guest CPUs on the guest page of the GUI
Links to More Info: BT992449
Component: TMOS
Symptoms:
The total number of cores for a multi-slot vCMP guest is not shown correctly on the GUI page for a vCMP guest.
Conditions:
-- vCMP Host on VIPRION platforms with multiple blades.
-- vCMP guest spanning two or more blades.
Impact:
Incorrect number of cores listed.
-- The vCMP :: Guest List page shows all cores for all slots.
-- The vCMP -> Guest List specific_guest page shows only cores for that guest's slot.
Workaround:
View the Guest List page to see a graphical representation of the number of cores per guest.
992253-4 : Cannot specify IPv6 management IP addresses using GUI
Links to More Info: BT992253
Component: TMOS
Symptoms:
You are unable to set the IPv6 mgmt IP address using the GUI, even if the IPv6 address format is a not a short address. When you submit the change, the field is empty.
Conditions:
Attempt to set up IPv6 management address using the GUI
Impact:
You are unable to configure IPv6 management addresses using the GUI.
Workaround:
Use tmsh:
tmsh create sys management-ip <address>/<netmask>
tmsh create sys management-route default-inet6 <address>
992241-3 : Unable to change initial admin password from GUI after root password change
Links to More Info: BT992241
Component: TMOS
Symptoms:
While trying to change the admin password from GUI, an error occurs:
-- Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Change the password for the root user the first time, before the admin password has been changed. This action sets both the root and admin password at the same time.
-- Navigate to the GUI and attempt to update the admin password.
Impact:
GUI password change fails.
Workaround:
You can use either of the following workarounds:
-- Change the password admin via the GUI before changing the root admin via ssh.
-- After changing the root password, use tmsh to set the admin password using the command:
modify auth user admin password.
992233-1 : DNS DoS profile (Error Vector) does not mitigate/detect at the virtual server level.
Links to More Info: BT992233
Component: Advanced Firewall Manager
Symptoms:
The GUI makes it appear as if the DNS malformed vector can be configured at the virtual server level when it cannot be.
Conditions:
Using the GUI to configure DoS vectors in the virtual server context.
Impact:
The GUI allows you configure something that does not actually work.
Workaround:
None
992053-4 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
991829-1 : Continuous connection refused errors in restjavad
Links to More Info: BT991829
Component: Guided Configuration
Symptoms:
Continuous connection refused errors observed in restjavad.
[com.f5.rest.workers..AsmConfigWorker] nanoTime:[879945045679087] threadId:[63] Exception:[org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
[8100/tm/asm/owasp/task OWASPTaskScheduleWorker] Unexptected exception in getting all the polcies: org.apache.thrift.transport.TTransportException: java.net.ConnectException: Connection refused (Connection refused)
Conditions:
The errors are observed regardless of asm provisioning
Impact:
This causes noisy log file of restjavad.
Workaround:
None
991765-3 : Inheritance of staging_period_in_days from policy template
Links to More Info: BT991765
Component: Application Security Manager
Symptoms:
Enforcement readiness period of newly created Policy does not get its value from Policy Template.
Conditions:
Creating new ASM Policy from a template with an Enforcement readiness period different from the default (default is 7).
Impact:
Newly created policy has an incorrect configuration.
Workaround:
Create the Policy using tmsh or REST API.
991265-3 : Persistence entries point to the wrong servers for longer periods of time
Links to More Info: BT991265
Component: Local Traffic Manager
Symptoms:
Persistence entries point to the wrong servers for a longer than expected.
Conditions:
A pool member goes down, causing the persistence entry to change to a new pool member. Then, the pool member comes back up.
Impact:
The persistence entry does not change to the pool member that came back up. It does not expire as client requests using this cookie continue to refresh the persistence entry that goes to the wrong server.
This can delay recovery of the pool members when they are marked down for regular maintenance, or if all pool members are cycled up/down periodically, it causes persistence entries to point to the wrong servers for longer periods of time than necessary.
Workaround:
None.
990929-2 : Status of GTM monitor instance is constantly flapping
Links to More Info: BT990929
Component: Global Traffic Manager (DNS)
Symptoms:
Status of GTM monitor instance is constantly flapping.
Conditions:
GTM devices in a GTM sync group configured with IP addresses that can not communicate with each other.
Impact:
Resources are marked offline constantly.
Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.
990853-1 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
Links to More Info: BT990853
Component: TMOS
Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:
-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.
Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.
Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.
Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.
990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade&start;
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
990173-1 : Dynconfd repeatedly sends the same mcp message to mcpd
Links to More Info: BT990173
Component: Local Traffic Manager
Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.
An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.
Conditions:
This can occur when:
-- Using FQDN nodes and FQDN pool members.
-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.
Impact:
By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
This might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.
Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.
989937-2 : Device Trust Certificates Expiring after 2038-01-19 show date of 1969
Links to More Info: BT989937
Component: TMOS
Symptoms:
If you import a Certificate into the Device Trust Certificates that expires after 2038-01-19, the system GUI shows an expiration date of 1969.
Conditions:
Certificate expiring on/after 2038-01-19T03:14:08Z.
Impact:
The expiration date in the GUI shows 1969. This does not impact iquery or device function.
Workaround:
You can use the command line interface to view the certificate:
$ cd /config/big3d
$ openssl crl2pkcs7 -nocrl -certfile client.crt | openssl pkcs7 -print_certs -noout -text | grep "Issuer:\|Subject:\|Not Before:\|Not After :"
989529-1 : AFM IPS engine takes action on unspecified services
Links to More Info: BT989529
Component: Protocol Inspection
Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.
Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).
Impact:
Increased resource usage and excessive logging.
Workaround:
None.
989517-3 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
The acceleration section in the virtual server page(UI) is not visible if a DHD license is installed.
Conditions:
The acceleration section is not visible in case "Dos" is provisioned
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH
988645-4 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
987885-6 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
987709-6 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
Links to More Info: BT987709
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load with errors similar to this:
01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed
Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.
Impact:
Gtm config fails to load.
Workaround:
Create the wide IP first and then add the static target CNAME pool member.
987637-3 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
987605-3 : DDoS: ICMP attacks are not hardware-mitigated
Links to More Info: BT987605
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DOS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
987453-3 : Bot Defense browser verification fails upon iframes of different top-level domains
Component: Application Security Manager
Symptoms:
When using Bot Defense on a page which has an iframe to a different top-level domain, the iframe may fail to load.
Conditions:
Page has an iframe on a different top-level domain than that of the main page. Note that iframes with different sub-domains are not impacted.
Impact:
Page resources may fail to load.
Workaround:
None
987401-1 : Increased TMM memory usage on standby unit after pool flap
Links to More Info: BT987401
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device.
Conditions:
Standby device with UDP mirroring traffic and datagram-load-balancing disabled.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
None.
987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
987081-1 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared
Links to More Info: BT987081
Component: TMOS
Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.
When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).
However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.
Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.
Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.
Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.
For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"
Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.
987077-3 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
A handshake failure occurs.
Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.
986821-1 : Command 'run util bash' event is not captured in log when initially executed
Links to More Info: BT986821
Component: TMOS
Symptoms:
The initiation of 'run util bash' is not captured in the audit log (/var/log/audit)
Conditions:
Run 'run util bash' command in tmsh mode.
Impact:
The timestamp for a 'run util bash' command will occur when the subshell exits, not when the subshell is first executed. It is difficult to determine when the bash subshell started.
Workaround:
None
985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
985749-1 : TCP exponential backoff algorithm does not comply with RFC 6298
Links to More Info: BT985749
Component: Local Traffic Manager
Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.
Conditions:
Using TCP.
Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.
Workaround:
None
985401-1 : ProxySSL virtual servers should work with web acceleration (ramcache) profiles attached
Links to More Info: BT985401
Component: Local Traffic Manager
Symptoms:
Attempting to attach a web acceleration profile to a virtual server that has an SSL profile with ProxySSL enabled will result in the following validation error:
A validation error similar to:
01070734:3: Configuration error: Proxy SSL is not compatible with Web Acceleration profile on Virtual Server (<virtual server name>).
Conditions:
-- Virtual server using an SSL profile with ProxySSL enabled.
-- Attaching a web acceleration (webacceleration) profile to the virtual server.
Impact:
Unable to use the web acceleration profile with ProxySSL virtual servers.
Workaround:
Avoid using ProxySSL virtual servers with web acceleration (ramcache) profiles attached.
984897-1 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.
Links to More Info: BT984897
Component: Local Traffic Manager
Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.
Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.
Conditions:
A virtual server configured to perform SSL connection mirroring.
Impact:
Should the units fail over, some connections may not survive as expected.
Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.
Workaround:
None.
984765-2 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)&start;
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."
Links to More Info: BT984749
Component: Global Traffic Manager (DNS)
Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".
Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."
Impact:
Client Cache Hit/Miss Statistics ratio affected.
Workaround:
N/A
984657 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
984521-4 : Accept-Encoding header is stripped by Bot Defense profile in case of incompatible file extension and a dot in the file name
Links to More Info: BT984521
Component: Application Security Manager
Symptoms:
Bot Defense profile checks if a page is not an HTML page by checking the file extension (among other ways).
In case the filename contains a dot (.) - the parsing is wrong and it is not detected as incompatible. As a result, the Accept-Encoding header is removed (to allow injection in the response).
Conditions:
-- Bot Defense profile is attached to s virtual server configured with any response injection (Device ID, Browser Verification, or Single Page Application).
Request is sent to an incompatible file extension (one of gif,png,bmp,jpg,ico,css,mp3,mp4,mpg,avi,wmv,mov,3gp,fla,swf,js), and filename contains a dot (.).
Impact:
Accept-Encoding header is removed, causing the server to not send a gzipped response.
Workaround:
Add this specific URL to sys db:
dosl7.parse_html_excluded_urls
984449-2 : Unnecessary swagger validation violation may raise due to behavioral WAF parameter traps that have identical name
Component: Application Security Manager
Symptoms:
An unnecessary swagger validation violation may be raised about illegal parameters which is actually the parameter trap that was injected by ASM and failed to be ignored by the enforcer. Only one of these parameter traps will be ignored - enforcement will be avoided for it. Expected behavior is to avoid enforcement for both parameters traps.
Conditions:
Security team provide 2 traps with type parameter and with identical name but with different values. In adition one of these parameter traps was injected by ASM to the web-page.
Impact:
Unecessary swagger validation violation may raise regarding one of these parameters traps and request may be blocked, instead of ignoring swagger enforcement for both parameters traps.
Workaround:
None.
982801-2 : AGC hardening
Component: Guided Configuration
Symptoms:
AGC does not follow current best practices.
Conditions:
- APM is provisioned
- AGC used for Azure AD Application
Impact:
AGC does not follow current best practices.
Workaround:
N/A
981485-6 : Neurond enters a restart loop after FPGA update.
Links to More Info: BT981485
Component: TMOS
Symptoms:
After FPGA firmware upgrade, the neurond process might enter a restart loop, unable to recover.
When the problem is present you might see logs similar to:
-- notice chmand[6674]: 012a0005:5: FPGA PNP FW upgrade check: req type 0, file:Latest
-- notice chmand[6674]: 012a0005:5: FPGA: Requesting type: 0, vers: Latest
-- notice chmand[6674]: 012a0005:5: FPGA: current type: 2, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.23.5.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: FPGA: match for type: 0, vers: hsb_5SGXEA7H2F35C2_t37dc_1d10_v5.6.7.0_d20.06.11.00.bit
-- notice chmand[6674]: 012a0005:5: removed /var/db/mcpdb.* FPGA current disk firmware updated to: /L7L4_BALANCED_FPGA type: 0
-- notice chmand-fpga-pnp[17551]: Stopping TMM, BCM56xxd, and neurond
-- notice logger[17553]: /bin/bash /etc/init.d/fw_pnp_upgrade upgrade restart ==> /usr/bin/bigstart stop tmm bcm56xxd neurond
Conditions:
FPGA firmware mismatch, leading to FPGA firmware upgrade.
Impact:
Enhanced flow acceleration provided by the Neuron chip cannot be utilized.
Workaround:
Perform a full system restart.
981145-1 : DoS events do not include the attack name for "tcp syn ack flood"
Links to More Info: BT981145
Component: Advanced Firewall Manager
Symptoms:
BIG-IQ does not display the attack name for a 'tcp syn ack flood' attack.
Conditions:
DoS on BIG-IP enabled to address 'tcp syn ack flood' attack.
Impact:
Lack of DoS attack information. The mitigation occurs as expected. Only the notification information is missing.
Workaround:
None.
979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
978953-3 : The value of the sys db variable vlan.backplane.mtu intermittently out-of-sync with the value of the MTU of the kernel interface tmm_bp during the initial boot up
Links to More Info: BT978953
Component: Local Traffic Manager
Symptoms:
During the initial boot of the device the MTU of the tmm_bp kernel interface is out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by the following command:
tmsh show /net vlan all-properties -hidden.
tmsh list net vlan tmm_bp all-properties -hidden.
Additionally, running the following command:
modify sys db vlan.backplane.mtu value <some value> (within the range accepted), and saving the configuration change does not last through a reboot.
Conditions:
This issue occurs on the first boot intermittently.
Impact:
When the values are seen at non-sync, after the modification of the backplane vlan mtu and saving the config, changing the mtu config value does not last through a reboot.
Workaround:
Rebooting the device resolves the issue
977953-3 : Show running config interface CLI could not fetch the interface info and crashes the imi
Links to More Info: BT977953
Component: TMOS
Symptoms:
The confd command 'show running-config' does not display interface information if nsm and bgpd are the only processes running.
If you run 'show running-config interface', imi crashes.
Conditions:
1. nsm and bgpd are the daemons running.
2. Run the "show running-config" command
Impact:
Imish cannot retrieve interface information from the show running-config command.
Workaround:
* Enable OSPF. For example,
# tmsh modify /net route-domain 0 routing-protocol add { BGP OSPFv3 }
# ps -ef | egrep -i ospf
root 11954 4654 0 11:25 ? S 0:00 ospf6d%0
977625-1 : GTM persistence records linger in tmm
Links to More Info: BT977625
Component: Global Traffic Manager (DNS)
Symptoms:
-- GTM persistence records are not cleared.
-- GTM still answers from persist records even though the persist records not listed by the "tmsh show gtm persist" command.
Conditions:
Persistence for wideip or application is disabled and then enabled quickly afterwards
Impact:
GTM answers from stale persist records.
Workaround:
Do not enable persistence right after disabling.
977449-1 : Total address and Total endpoints is shown as '0' in nat stats
Links to More Info: BT977449
Component: Advanced Firewall Manager
Symptoms:
Total address and Total endpoints is shown as '0' (zero) in the output of 'show ltm nat-stats roll-up-level fw-nat-source-translation-object name <name> all',
Conditions:
The prefix length for IPv6 source translation is configured as less than or equal to 64.
Impact:
There is no functional impact, as only the 'show' output is affected for the two stats.
Workaround:
None
977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
976517-2 : Tmsh run sys failover standby with a device specified but no traffic group fails
Links to More Info: BT976517
Component: TMOS
Symptoms:
The tmsh run /sys failiover standby device <device> command fails and returns an error if no traffic-group is specified:
Syntax Error: There is no failover device with a name (/Common/bigip2.localhost).
Conditions:
Two or more BIG-IPs configured with high availability (HA)
Impact:
You are required to specify all the traffic groups you want to failover to a peer.
Workaround:
For each traffic group that you want to failover to a peer run the tmsh run /sys failover standby.
For example if you want to fail over both traffic groups traffic-group-1 and traffic-group-2 to failover to bigip2.localhost, run the following:
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-1
tmsh run /sys failover standby device bigip2.localhost traffic-group traffic-group-2
If you want the device to be standby for all traffic groups but you don't care what device takes over as active, run the following command (note there is no traffic-group nor device):
tmsh run /sys failover standby
975725-5 : Wildcard virtual servers do not forward L3 unicast traffic sent to L2 broadcast
Links to More Info: BT975725
Component: Local Traffic Manager
Symptoms:
L3 unicast traffic with L2 broadcast destination MAC (ff:ff:ff:ff:ff:ff) matching wildcard virtual servers is not handled properly.
Conditions:
Wildcard virtual server is configured to handle such traffic.
Impact:
Traffic will not be forwarded properly.
Workaround:
Use specific non-wildcard virtual-server.
974513-7 : Dropped requests are reported as blocked in Reporting/charts
Links to More Info: BT974513
Component: Application Security Manager
Symptoms:
Dropped requests are reported as blocked in Reporting/charts.
Conditions:
Request is dropped (or client side challenge / captcha is not answered) as part of a brute force mitigation or a slow post attack causes dropping of a request.
Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.
Workaround:
None.
974205-5 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
973341-1 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
Links to More Info: BT973341
Component: Global Traffic Manager (DNS)
Symptoms:
Bigip_add, big3d_install, gtm_add will not work.
Conditions:
Device cert is customized.
Impact:
Bigip_add, big3d_install, gtm_add not work.
Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".
969553-1 : A DNS Cache (or Network DNS Resolver) returns SERVFAIL to some queries.
Links to More Info: BT969553
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptoms can appear as "503 Service Unavailable" responses to clients due to DNS lookup failure.
Conditions:
This issue occurs when the following conditions are met:
- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.
- The aforementioned object is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).
- If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings.
968953-1 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. There is no functional impact.
Workaround:
None.
968949-7 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
Links to More Info: BT968949
Component: Local Traffic Manager
Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP does not send keepalives even if they are being sent on the server-side connection.
Conditions:
- Virtual server configured with a TCP profile and network listener.
Impact:
Client-side connections timeout prematurely.
As a result, the server-side connections end up being open indefinitely.
Workaround:
No workaround currently known.
967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
967769-1 : During reset of high-speed interfaces, TMMs may mistakenly continue hardware watchdog checks
Links to More Info: BT967769
Component: TMOS
Symptoms:
Tmm crashes and restarts. The following panic message is found in /var/log/tmm:
notice panic: ../dev/hsb/if_hsb.c:6129: Assertion "HSB lockup, see ltm and tmm log files" failed.
Conditions:
-- Running on a platform that incorporates 'HiGig MAC' network interfaces.
-- Some error or glitch is detected on the high-speed bus (HSB).
-- Software commands a reset of the HSB and interface hardware.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
967737-3 : DNS Express: SOA stops showing up in statistics from second zone transfer
Links to More Info: BT967737
Component: Global Traffic Manager (DNS)
Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.
Conditions:
The issue appears after the 2nd zone transfer.
Impact:
This is a cosmetic issue without any actual impact.
Workaround:
None
967573-3 : Qkview generation from Configuration Utility fails
Links to More Info: BT967573
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
967557-1 : Improve apm logging when loading sys config fails due to corruption of epsec rpm database
Links to More Info: BT967557
Component: TMOS
Symptoms:
Loading sys config fails and mcpd may not be running properly due to corruption of EPSEC rpm database. It is difficult to tell from logs that the issue is with epsec rpm database. This error may be the only indication:
emerg load_config_files[10761]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
Conditions:
Loading of sys config fails due to corruption of EPSEC rpm database.
Impact:
Difficult to troubleshoot the root cause for config load failure.
967353-1 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Links to More Info: BT967353
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP profile is enabled on the BIG-IP system.
-- Server sends HTTP response with one or more header field names separated with the trailing colon by a space.
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
967245-1 : Incorrect SPVA counter incremented during Sweep attack on profile
Component: Advanced Firewall Manager
Symptoms:
Incorrect SPVA counters updated.
Conditions:
Configure DoS Sweep vector on an SPVA supported device.
Impact:
Usage of dos_spva_stat will result in displaying incorrect counters.
966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966785-1 : Rate Shaping stops TCP retransmission
Links to More Info: BT966785
Component: Local Traffic Manager
Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.
Conditions:
This issue occurs when both of the following conditions are met:
-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.
Impact:
The BIG-IP system does not retransmit unacknowledged data segments.
Workaround:
None
966613-6 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
Links to More Info: BT966613
Component: Application Security Manager
Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".
Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.
When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.
Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"
Workaround:
Delete the node "<soap:address/>" from the wsdl file
966461-7 : Tmm leaks memory after each DNSSEC query when netHSM is not connected
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm memory increases per DNSSEC query.
Conditions:
NetHSM is configured but is disconnected
Impact:
Tmm high memory consumption.
Workaround:
Connect the netHSM.
965897-4 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: TMOS
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
965849-1 : Displayed 'Route Domain ID' value is confusing if it is set to None
Links to More Info: BT965849
Component: Advanced Firewall Manager
Symptoms:
The numeric value of RT_DOMAIN_NONE is 65535. Lsndb displays this value, which is confusing.
Conditions:
If the parent route domain is set to "None", lsndb displays 65535.
Impact:
No impact on functionality.
Workaround:
None
965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
965053-4 : [Regression of ID787881 & ID761032] DNSX fails to sign zone transfer using tsig key after failure
Links to More Info: BT965053
Component: Global Traffic Manager (DNS)
Symptoms:
DNSX fails to sign zone transfer using tsig key.
Conditions:
A transfer error occurs while DNSX is initializing.
Impact:
DNSX zones are not been updated.
Workaround:
Re-enter the tsig key secret.
964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
961653-3 : Unable to retrieve DNS link statistics via SNMP OID gtmLinkStatRate
Links to More Info: BT961653
Component: Local Traffic Manager
Symptoms:
Unable to retrieve link statistics via SNMP OID gtmLinkStatRate
config # snmpwalk -c public localhost F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate
F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate = No Such Object available on this agent at this OID
Conditions:
A BIG-IP DNS/LC system configured with link objects.
Try to do an snmpwalk for F5-BIGIP-GLOBAL-MIB::gtmLinkStatRate which is not successful.
Impact:
BIG-IP DNS system link statistics cannot be retrieved via SNMP.
Workaround:
No workaround.
961001-5 : Arp requests not resolved for snatpool members when primary blade goes offline
Links to More Info: BT961001
Component: Local Traffic Manager
Symptoms:
Arp requests not resolved for snatpool members and traffic does not go through when the primary blade becomes offline.
Conditions:
-- VIPRION platforms serving as AAA and Diameter virtual server to load-balance.
-- route-domain configured other than 0.
-- Radius authentication pool and snatpool are configured.
-- Primary blade goes offline and new Primary is not elected.
Impact:
Traffic failure when primary became offline.
Workaround:
Disable primary blade which is offline.
959965-1 : Asmlogd stops deleting old protobufs
Component: Application Security Manager
Symptoms:
Protobuf files are being cleaned only when trying to write to the protobuf file and on startup.
Conditions:
This occurs during normal operation.
Impact:
/var/asmdata1 can run out of disk space.
Workaround:
None
959957-1 : Asmlogd stops deleting old protobufs
Links to More Info: BT959957
Component: Application Security Manager
Symptoms:
Asmlogd restarts and there are asmlogd errors:
asmlogd|ERR|Oct 19 13:46:35.199|6005|,,asmlogd ended unexpectedly
asmlogd|ERR|Oct 19 13:46:35.203|6005|,,Can't call method "size" on an undefined value at /usr/local/share/perl5/F5/RequestLog.pm line 1902.
Conditions:
Disk is full -- the following warnings are being displayed:
err diskmonitor[3483]: 011d0004:3: Disk partition /var/asmdata1 (slot 1) has only 0% free
Impact:
Old protobuf files are not cleaned up.
Workaround:
0) If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
1) To identify the empty partitions, look into:
SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G
2) For every partition that is empty, manually (or via shell script) execute this sql:
ALTER TABLE PRX.REQUEST_LOG DROP PARTITION empty_partition_name
where 'empty_partition_name' is the partition name as 'p100001'
4) Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5) pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
959613-1 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
Links to More Info: BT959613
Component: Global Traffic Manager (DNS)
Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.
Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.
Impact:
Impedes your ability to identify the failure/success reason quickly.
Workaround:
Do not use the same monitor on both the virtual server and the pool level.
959241-1 : Fix for ID871561 might not work as expected on the VCMP host
Links to More Info: BT959241
Component: TMOS
Symptoms:
Attempting to deploy an engineering hot fix (EHF) for ID871561 (https://cdn.f5.com/product/bugtracker/ID871561.html) fails in the same manner
Conditions:
-- Attempting to install an EHF containing a fix for ID871561 on a vCMP guest
-- The fix for ID871561 has not already been applied to the vCMP guest
Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host even if fix for ID871561 is available on VCMP guest.
Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:
tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>
Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.
Then restart the lind service on the vCMP Guest:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.
Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:
1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
isoinfo -d -i /dev/cdrom
Note: Pay attention to the volume ID in the output from within the vCMP guest.
2. Unlock (eject) the image:
eject -r -F /dev/cdrom && vcmphc_tool -e
3. Verify the CD drive is now empty:
isoinfo -d -i /dev/cdrom
The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>
4. Restart lind:
tmsh restart sys service lind
If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
clsh tmsh restart sys service lind
959057-5 : Unable to create additional login tokens for the default admin user account
Links to More Info: BT959057
Component: TMOS
Symptoms:
When remote user authentication is configured, BIG-IP systems apply maximum active login token limitation of 100 to the default admin user account.
Conditions:
Remote Authentication is configured
Impact:
Unable to create more than 100 tokens for admin when remote authentication is configured
958785-8 : FTP data transfer does not complete after QUIT signal
Links to More Info: BT958785
Component: Local Traffic Manager
Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.
Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.
Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.
Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.
958601-4 : In the GUI, searching for virtual server addresses does not match address lists
Links to More Info: BT958601
Component: TMOS
Symptoms:
In the GUI, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address list that contains an address that matches that search string, those virtual servers will not show up in the search results.
Similarly, if you filter the virtual server listing using an IP address, or part of an IP address, if there are any virtual servers that are using an address that matches the search string, but are using a port list, those virtual servers will not show up in the search results.
Conditions:
-- Using Address Lists or Port lists with a virtual server.
-- Using the GUI to search for virtual servers based on address.
Impact:
Virtual servers that should match a search are not found.
Workaround:
None.
958157-4 : Hash collisions in fastDNS packet processing
Links to More Info: BT958157
Component: Global Traffic Manager (DNS)
Symptoms:
FastDNS packet processing might cause unexpected traffic drops.
Conditions:
-- FastDNS is in use.
The problem is more likely to occur on a systems with a low number of TMMs.
Impact:
Unexpected traffic drops
957993-4 : Unable to set a port list in the GUI for an IPv6 address for a virtual server
Links to More Info: BT957993
Component: TMOS
Symptoms:
When creating a virtual server in the GUI with an IPv6 destination address and a port list (shared object) or a source address list (shared object), the system returns an error similar to:
0107028f:3: The destination (0.0.0.0) address and mask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) for virtual server (/Common/vs03-v6_dns) must be be the same type (IPv4 or IPv6).
Conditions:
-- Creating or updating a virtual server.
-- Attempting to use an IPv6 Host address with a Port List shared object or a Source Address List shared object.
Impact:
Unable to create/modify virtual server.
Workaround:
Create an Address List shared object with the IPv6 address in it and use that instead of the Host address.
957637-1 : Pfmand crash during bootup
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core during bootup on certain platforms.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
-- BIG-IP software version is v14.1.x, v15.1.x, or v16.1.x.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
956645-4 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
956133-2 : MAC address might be displayed as 'none' after upgrading.&start;
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
956109-4 : Modifying a traffic-matching-criteria with a port-list during a full sync may result in an incorrect configuration on the sync target
Links to More Info: BT956109
Component: Local Traffic Manager
Symptoms:
In a device service cluster, changing a traffic-matching-criteria object's port configuration and then performing a full-sync will cause the sync target's traffic-matching-criteria ports to be modified incorrectly.
Once systems are in this state, further ConfigSyncs may result in these error messages:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 250 6869100131892804718 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
-- Two or more BIG-IPs in a DSC.
-- Using traffic-matching-criteria, and making changes.
Impact:
BIG-IP configurations are out of sync (even though they show "In Sync"). Affected virtual servers will process more traffic than configured.
Workaround:
On an affected system, perform one of the two procedures to correct MCPD's in-memory configuration:
1. Remove the traffic-matching criteria from all virtual servers (or only affected virtual servers, if known), and then re-add the traffic-matching criteria.
2. Save the configuration and then follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
955953-5 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
Links to More Info: BT955953
Component: TMOS
Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.
Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
953477-1 : Syncookie HW mode not cleared when modifying VLAN config.
Links to More Info: BT953477
Component: TMOS
Symptoms:
Changing VLAN configuration can cause BIG-IP get stuck in hardware syncookie mode.
Conditions:
- Changing VLAN configuration when vlan-based syncookies are active.
For a list of platforms that support hardware syncookie protection, see https://support.f5.com/csp/article/K14779
Impact:
Device is stuck in hardware syncookie mode and generates syncookies.
Workaround:
Run the following command:
tmsh restart sys service tmm
Impact of workaround: restarting tmm disrupts traffic.
952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses&start;
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
950953-3 : Browser Challenges update file cannot be installed after upgrade&start;
Links to More Info: BT950953
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP, the Browser Challenges factory default update file cannot be installed, and you see this error:
Installation error: gpg: WARNING: unsafe ownership on homedir `/usr/share/live-update/share/gpg/browser_challenges_genesis_load'gpg: encrypted with 1024-bit ELG key, ID 7C3E3CE5, created 2007-03-20 "asm_sigfile_installer"gpg: Signature made Mon Aug 2
Conditions:
The new file that comes with the installation is ready to install
Impact:
New updated cannot be installed
Workaround:
There are 2 options:
1. download a new version of the update file (if exists)
2.
2.1 download a copy of that file from the machine to your locale machine
2.2 rename it :
> cp BrowserChallenges_20200722_072935.im BrowserChallenges_<CURRENT_DATE>_<CURRENT_TIME>.im
## the date and time are for tracking and the have to be in a specific format DATE : YYYYMMDD, TIME: HHMMSS
2.3 upload the file and install it manually from the LiveUpdate screen.
950305-5 : Analytics data not displayed for Pool Names
Links to More Info: BT950305
Component: Application Visibility and Reporting
Symptoms:
You cannot see reports (statistics->analytics->pool) when you choose to view by pool names.
Conditions:
This is encountered in the statistics screen.
Impact:
You can't see the statistics->analytics->pool report when you choose view by pool names.
950201-3 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Each of these workarounds have performance impact.
950153-3 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP /AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
Links to More Info: BT950069
Component: Global Traffic Manager (DNS)
Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.
Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols
Impact:
Unable to edit the record.
Workaround:
Two workarounds available:
1. Use zonerunner to delete the record and then recreate it with the desired RDATA value
2. Manually edit the bind zone file (see K7032)
949957-1 : RDP: Username is pre-filled with f5_apm* string after clicking on webtop resource on Mobile Clients (iOS & Android)
Links to More Info: BT949957
Component: Access Policy Manager
Symptoms:
When user connects to the virtual server using Browser on their iPhone or Android device, webtop displays RDP resource. When they click on it, if SSO is not enabled, Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.
Conditions:
-- APM Webtop is configured with Single Sign-on disabled RDP resource.
-- Access the RDP resource from iOS or Android using RDP client.
Impact:
Remote Desktop Client App pops up with username pre-filled with string starting with f5_apm.
Workaround:
User needs to clear the username field and enter the actual username.
949477-4 : NTLM RPC exception: Failed to verify checksum of the packet
Links to More Info: BT949477
Component: Access Policy Manager
Symptoms:
NTLM authentication fails with the error:
RPC exception: Failed to verify checksum of the packet.
Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.
Impact:
User authentication fails.
Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.
2. Disable encryption for nlad:
# vim /etc/bigstart/startup/nlad
change:
exec /usr/bin/${service} -use-log-tag 01620000
to:
exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no
3. Restart nlad to make the change effective, and to force the schannel to be re-established:
# bigstart restart nlad
949137-1 : Clusterd crash and vCMP guest failover
Links to More Info: BT949137
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption and clusterd can crash, causing failover.
Workaround:
None.
948985-3 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
948601-1 : File object checksum attribute is not updated when an external data-group file or external monitor file is edited from GU
Component: TMOS
Symptoms:
SHA1 checksum attribute/property of the file object is not persisted/published/propagated to the MCP datastore/GUI.
Conditions:
This could be observed when an external data-group file or external monitor file definition is edited from GUI.
Below mentioned is the workflow where the issue can be seen/replicated,
System ›› File Management : Data Group File List >> FILE
Edit the "definition" field of the file object & click update.
1.) edit sys file data-group "filename"
2.) list sys file data-group "filename"
Aforementioned commands can be used from TMOS shell to understand the correct behavior that is expected when the same is done from GUI
Impact:
You are unable to identify whether the file object was modified by just validating/comparing the file object's metadata/schema property i.e. "checksum SHA1"
Workaround:
None
948241-4 : Count Stateful anomalies based only on Device ID
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
948065-1 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails&start;
Links to More Info: BT947905
Component: TMOS
Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.
The system posts errors similar to the following:
-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property
Conditions:
Upgrade from one of the following release:
-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch
to one of the following releases:
-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1
Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.
Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.
You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903
947745-3 : Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error
Links to More Info: BT947745
Component: Local Traffic Manager
Symptoms:
Tcp proxy does not ignore HUDEVT_CHILD_CONNECTED and gives an error message:
hud_tcp_serverside_handler/3676: 10.0.0.20.21 - 10.10.10.1.51147: unexpected serverside message HUDEVT_CHILD_CONNECTE
Conditions:
FTP profile is in use
Impact:
Logs entries in the log file
Workaround:
None
947613-2 : APM reset after upgrade and modify of LDAP Group Lookup&start;
Links to More Info: BT947613
Component: Access Policy Manager
Symptoms:
-- Per-Request Policy fails.
-- APM reset the connection.
Conditions:
Upgrade from 13.1.3.4 to 15.1.0.4 and modify the LDAP Group Lookup.
Impact:
APM resets the connection.
Workaround:
1. Create a new empty object with the same expression as the LDAP Group Lookup.
2. Restart the system:
bigstart restart tmm
947217-6 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon&start;
Links to More Info: BT947217
Component: Global Traffic Manager (DNS)
Symptoms:
GTM is unable to load the configuration.
Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool
Impact:
GTM config file cannot be loaded successfully after upgrade.
Workaround:
Edit bigip_gtm.conf manually to delete "\\" or replace colon ":" with other non-reserved char. such as "-".
945413-2 : Loop between keymgmtd and mcpd causes BIG-IP to be out of sync or in constant automatic config sync
Links to More Info: BT945413
Component: TMOS
Symptoms:
BIG-IP systems in a device group do not stay in sync if config sync is manual and constantly syncs if config sync is automatic.
The BIG-IP system constantly downloads the certificate bundle if the CA-bundle manager config includes a URL.
Conditions:
The CA-bundle manager is configured.
Impact:
The keymgmtd and mcpd process gets into a loop that causes constant config changes and if the ca-bundle-manager includes a URL, the BIG-IP system constantly downloads the bundle.
944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but complete successfully
944173-4 : SSL monitor stuck does not change TLS version
Links to More Info: BT944173
Component: Local Traffic Manager
Symptoms:
The SSL monitor remains in the current TLS version and does not switch to another version when a server changes.
Conditions:
-- SSL monitor configured.
-- Server configuration changes from TLSv1.2 to TLSv1.
Impact:
Pool members marked down.
Workaround:
Use the In-TMM monitor.
943441-4 : Issues in verification of Bot Defense with F5 Anti-Bot Mobile SDK
Links to More Info: BT943441
Component: Application Security Manager
Symptoms:
Verification may be incomplete when using the F5 Anti-Bot Mobile SDK with the Bot Defense profile.
Conditions:
-- Using the Bot Defense profile together with the F5 Anti-Bot Mobile SDK.
-- Enabling the Mobile Applications section in the profile.
Impact:
Mobile application verification may be incomplete.
Workaround:
None
943109-4 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
942217-6 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
Links to More Info: BT942217
Component: Local Traffic Manager
Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
941773-1 : Video resolution mis-prediction
Links to More Info: BT941773
Component: Traffic Classification Engine
Symptoms:
Certain video traffic is not getting classified with high accuracy.
Conditions:
- Behavioral classifier for Classification Engine is enabled
Impact:
- Mis-predictions can lead to higher definition videos being categorized as low-definition videos and vice versa.
941765-1 : Video resolution mis-predictions
Links to More Info: BT941765
Component: Traffic Classification Engine
Symptoms:
BIG-IP's traffic playback resolution prediction is calculated on all individual connections of a client's video stream.
Conditions:
- Video streaming client downloads through BIG-IP
- Video is downloaded using multiple connections.
Impact:
- Mis-prediction in the video resolution.
940837-4 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
Links to More Info: BT940837
Component: Local Traffic Manager
Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.
Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.
Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.
Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.
940733-5 : Downgrading a FIPS-enabled BIG-IP system or running big3d_install results in a system halt&start;
Links to More Info: K29290121, BT940733
Component: Global Traffic Manager (DNS)
Symptoms:
The system fails during the boot-up process, reports a libcrypto validation error, and the system halts. The console will show this error:
Power-up self-test failures:
OpenSSL: Integrity test failed for libcrypto.so
This occurs after one of the following:
-- Upgrading a FIPS-enabled BIG-IP system, booting to a volume running an earlier software version
-- running big3d_install from a BIG-IP GTM to an LTM
Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an volume running an earlier version of the software.
Another way to encounter the issue is:
-- FIPS-licensed BIG-IP LTM.
-- BIG-IP DNS (GTM) device running a higher software version than the LTM.
-- Run big3d_install from GTM pointing to FIPS-licensed LTM.
Impact:
System boots to a halted state.
Workaround:
Before booting to the volume with the earlier version, delete /shared/bin/big3d.
Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.
If the target software volume has already experienced this issue (the system boots to a halted state), follow the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL :: https://support.f5.com/csp/article/K25205233, in addition to deleting /shared/bin/big3d.
For additional information, see K29290121: Rollback after upgrade or big3d_install may cause FIPS to halt system on boot :: https://support.f5.com/csp/article/K29290121.
940225-4 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
939249-1 : iSeries LCD changes to secure mode after multiple reboots
Links to More Info: BT939249
Component: TMOS
Symptoms:
After repeatedly rebooting an iSeries platform, the LCD can become erroneously set to secure mode on its own, and you are unable to use the menus on the LCD.
Conditions:
-- Repeated reboots of the device.
-- The db lcd.showmenu value initially set to enable are required.
-- Other required conditions are not fully known.
Impact:
-- LCD becomes set to secure mode.
-- The bigdb variable lcd.showmenu is changed to 'disable'.
Workaround:
Run the commands:
tmsh modify sys db lcd.showmenu value disable
tmsh modify sys db lcd.showmenu value enable
This clears the secure mode of the LCD.
938545-1 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash
Links to More Info: BT938545
Component: Local Traffic Manager
Symptoms:
Bd crashes.
Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None.
938145-3 : DAG redirects packets to non-existent tmm
Links to More Info: BT938145
Component: TMOS
Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.
Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.
Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.
Workaround:
None
937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
937573-1 : Connections drop in virtual server with Immediate Action On Service Down set to Drop
Links to More Info: BT937573
Component: Local Traffic Manager
Symptoms:
In a virtual server configured with Immediate Action On Service Down set to Drop and an iRule to pick a pool different from the one attached to the virtual server, if the default pool is attached in an offline state, connections are always dropped even when the default pool becomes available later.
Conditions:
- Virtual server configured with Immediate Action On Service Down set to Drop.
- An iRule selects a different pool from the one attached to the virtual server.
Impact:
Connections are silently dropped.
Workaround:
Change the virtual server's Immediate Action On Service Down setting to None.
937541-4 : Wrong display of signature references in violation details
Component: Application Security Manager
Symptoms:
The number '1' is added to the signature reference in violation details in the Request Log.
Conditions:
You click the '?' icon near signature name to view signature details and there are references for this signature
Impact:
The number 1 is shown before the link
937481-5 : Tomcat restarts with error java.lang.OutOfMemoryError
Links to More Info: BT937481
Component: TMOS
Symptoms:
In the GUI, while trying to list a large configuration, tomcat restarts with error java.lang.OutOfMemoryError: Java heap space due to a large read operation.
Conditions:
-- From the GUI, navigate to Local Traffic :: Pools :: Pool List.
-- The configuration contains approximately 10,000 objects (objects include pools, nodes, virtual servers, etc.).
Impact:
When the system attempts to list the large configuration, tomcat restarts, resulting in 503 error.
Workaround:
Use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.
Impact of workaround: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Technical Support after considering the impact to Linux host memory resources.
-- Using a utility such as free or top, determine if you have enough free memory available to use this procedure.
For example, the following output from the free utility shows 686844 kilobytes available:
total used free shared buffers cachedMem:
16472868 15786024 686844 807340 827748 2543836
-/+ buffers/cache: 12414440 4058428
Swap: 1023996 0 1023996
-- View the current amount of memory allocated to the tomcat process by typing one of the following commands:
ps | grep " -client" | egrep -o Xmx'[0-9]{1,5}m'
The command output appears similar to the following example:
Xmx260m
Xmx260m
-- View the current value of the provision.tomcat.extramb database variable by typing the following command
tmsh list /sys db provision.tomcat.extramb
-- Set the provision.tomcat.extramb database variable to the desired amount of additional memory to be allocated using the following command syntax:
modify /sys db provision.tomcat.extramb value <MB>
-- If the device is part of a high availability (HA) configuration, the provision.tomcat.extramb database value should be synchronized to the peer devices from the command line. To run the ConfigSync process, use the following command syntax:
tmsh run /cm config-sync <sync_direction> <sync_group>
For example, the following command pushes the local device's configuration to remote devices in the Syncfailover device group:
tmsh run /cm config-sync to-group Syncfailover
-- Restart the tomcat process by typing the following command:
restart /sys service tomcat
936777-1 : Old local config is synced to other devices in the sync group.
Links to More Info: BT936777
Component: Global Traffic Manager (DNS)
Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.
Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.
Impact:
Config on other DNS/GTM devices in the sync group are lost.
Workaround:
You can use either of the following workarounds:
-- Make a small DNS/GTM configuration change before adding new devices to the sync group.
-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.